[client] Make raw table initialization non-fatal in firewall managers#5621

Merged: lixmal merged 3 commits into main from fix-raw-table-init-fatal on Mar 19, 2026
Conversation


@lixmal lixmal commented Mar 18, 2026

Describe your changes

  • Make iptables/nftables raw table (notrack chain) initialization non-fatal during firewall Init()
  • Systems without iptable_raw or raw priority support now log a warning instead of failing the entire firewall manager
  • Add rawSupported guard to iptables so SetupEBPFProxyNoTrack and cleanup are skipped when raw is unavailable

The raw table is only used for eBPF proxy notrack rules, not core firewall functionality. The engine already handles SetupEBPFProxyNoTrack errors as non-fatal warnings, so blocking init on it was unnecessarily strict.

Issue ticket number and link

Fixes #5551

Checklist

  • Is it a bug fix
  • Is a typo/documentation fix
  • Is a feature enhancement
  • It is a refactor
  • Created tests that fail without the change (if possible)

By submitting this pull request, you confirm that you have read and agree to the terms of the Contributor License Agreement.

Documentation

Select exactly one:

  • I added/updated documentation for this change
  • Documentation is not needed for this change (internal error handling change, no user-facing behavior difference)

Summary by CodeRabbit

  • Bug Fixes

    • Firewall initialization no longer fails if notrack chain setup is unavailable; a warning is logged and core firewall functionality continues.
  • Behavior Change

    • The system now detects raw-table notrack support; features that require raw notrack are skipped and return an error when unsupported, preventing unsafe operations.
    • Cleanup and setup flows now respect the detected support state to avoid spurious errors.
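The guard described above, shown on a kernel with and without iptable_raw, as an added Go example that is not NetBird's code: the iptables client is replaced by a constructed fakeIpt double, and Manager, errNoRawTable and the method bodies are assumptions modelled on the description, not the project's implementation.

```go
package main

import (
	"errors"
	"log"
)

var errNoRawTable = errors.New("can't initialize iptables table 'raw'") // constructed stand-in for the real iptables error
// fakeIpt is a constructed stand-in for the iptables client: err=errNoRawTable simulates a kernel without iptable_raw.
type fakeIpt struct{ err error }
func (f fakeIpt) NewChain(table, chain string) error            { return f.err }
func (f fakeIpt) ClearAndDeleteChain(table, chain string) error { return f.err }

// Manager reproduces the rawSupported guard the PR describes (illustrative, not NetBird's code).
type Manager struct {
	ipt          fakeIpt
	rawSupported bool
}

// Init logs a warning instead of failing when the notrack chain cannot be created: the raw table only serves eBPF proxy notrack rules.
func (m *Manager) Init() error {
	if err := m.ipt.NewChain("raw", "NETBIRD-RAW"); err != nil {
		log.Printf("warning: raw table unavailable, eBPF proxy notrack disabled: %v", err)
		return nil
	}
	m.rawSupported = true
	return nil
}

// SetupEBPFProxyNoTrack errors early when raw support was never detected.
func (m *Manager) SetupEBPFProxyNoTrack() error {
	if !m.rawSupported {
		return errors.New("raw table not supported on this system")
	}
	return nil // notrack rule insertion omitted; only the guard is shown
}

// Close skips raw-table cleanup when the chain was never created and clears the flag either way.
func (m *Manager) Close() error {
	if !m.rawSupported {
		return nil
	}
	m.rawSupported = false
	return m.ipt.ClearAndDeleteChain("raw", "NETBIRD-RAW")
}

func main() {
	m := &Manager{ipt: fakeIpt{err: errNoRawTable}} // kernel without iptable_raw
	log.Printf("init=%v setup=%v close=%v", m.Init(), m.SetupEBPFProxyNoTrack(), m.Close())
}
```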


coderabbitai Bot commented Mar 18, 2026

No actionable comments were generated in the recent review. 🎉


📥 Commits

Reviewing files that changed from the base of the PR and between 891903e and dedaf82.

📒 Files selected for processing (1)
  • client/firewall/iptables/manager_linux.go

Walkthrough

Makes raw-table NOTRACK chain setup non-fatal during firewall Init for both iptables and nftables on Linux. Adds a rawSupported flag to the iptables Manager to track raw table availability and gate notrack setup/cleanup; Init now logs warnings instead of returning errors when notrack chain creation fails.

Changes

  • iptables Manager (state & init): client/firewall/iptables/manager_linux.go
    Added rawSupported bool to Manager. Init no longer fails if initNoTrackChain fails (it logs a warning). initNoTrackChain marks rawSupported = true on success; cleanupNoTrackChain and overall cleanup guard behavior on rawSupported and clear it after cleanup. SetupEBPFProxyNoTrack now errors early if rawSupported is false.
  • nftables Manager (init error handling): client/firewall/nftables/manager_linux.go
    Init no longer returns an error when initNoTrackChains fails; it logs a warning and continues, allowing Init to succeed without notrack chains.

Suggested reviewers

  • pappz

Pre-merge checks: 5 passed

  • Title check (passed): The title accurately summarizes the main change: making raw table initialization non-fatal in firewall managers, which is the core objective of this PR.
  • Description check (passed): The PR description includes all required sections: detailed change description, linked issue reference, completed checklist, and documentation justification.
  • Linked Issues check (passed): The code changes directly address issue #5551 by implementing graceful degradation: iptables/nftables now log warnings instead of failing when the raw table is unavailable, and iptables guards SetupEBPFProxyNoTrack with the rawSupported flag.
  • Out of Scope Changes check (passed): All changes are scoped to the firewall manager initialization logic for handling missing raw table support, directly addressing the linked issue with no extraneous modifications.
  • Docstring Coverage (passed): No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 1

Inline comment on client/firewall/iptables/manager_linux.go, around lines 387-390:

The cleanupNoTrackChain function's early return on m.rawSupported prevents init-time recovery called from initNoTrackChain, causing NewChain to fail if leftover chains exist; remove the "if !m.rawSupported { return nil }" guard so cleanupNoTrackChain always attempts to remove chains (it can rely on ChainExists to no-op when nothing to clean), and ensure rawSupported is still set to false on the appropriate exit paths in initNoTrackChain (keep setting m.rawSupported = false on failure branches) so state remains correct after cleanup attempts.

📥 Commits

Reviewing files that changed from the base of the PR and between a1858a9 and f9242be.

📒 Files selected for processing (2)
  • client/firewall/iptables/manager_linux.go
  • client/firewall/nftables/manager_linux.go

Comment thread client/firewall/iptables/manager_linux.go Outdated
@coderabbitai coderabbitai Bot left a comment

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
client/firewall/iptables/manager_linux.go (1)

387-393: ⚠️ Potential issue | 🟠 Major

Treat missing raw table in cleanupNoTrackChain() as non-fatal when raw support was not initialized.

When raw table is unavailable on the system, ChainExists() returns an error (not false). If initialization never enabled raw support (rawSupported=false), this cleanup error should not be fatal. Currently, the error blocks state deletion in Close(), even though the cleanup was never necessary.

💡 Proposed fix
 func (m *Manager) cleanupNoTrackChain() error {
 	exists, err := m.ipv4Client.ChainExists(tableRaw, chainNameRaw)
 	if err != nil {
+		// Raw table may be unavailable; skip cleanup if raw support was never enabled
+		if !m.rawSupported {
+			return nil
+		}
 		return fmt.Errorf("check chain exists: %w", err)
 	}
 	if !exists {
 		return nil
 	}
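Review bot: the new early return inside the ChainExists error branch treats every error as "raw table missing" while rawSupported is false, and since initNoTrackChain only sets the flag after success, any other ChainExists failure during init-time cleanup is silently dropped and resurfaces later only as a NewChain error with its cause lost. Prefer the narrower option the prompt text already names, matching the specific "table missing" error and returning nil only for that case, and log the skipped cleanup at debug level so the degraded state remains visible in the client log.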
Prompt for AI agents (verify the finding against the current code and only fix it if needed):

In client/firewall/iptables/manager_linux.go around lines 387-393, in cleanupNoTrackChain(), handle the case where the raw table is absent and raw support was never initialized by checking m.rawSupported (or the equivalent flag) before treating ChainExists errors as fatal: if m.rawSupported is false, ignore the ChainExists error and return nil; otherwise keep the current behavior (return fmt.Errorf(...)). Locate the call to m.ipv4Client.ChainExists(tableRaw, chainNameRaw) in cleanupNoTrackChain and gate the error handling on m.rawSupported (or, alternatively, detect the specific "table missing" error from ipv4Client and convert it to a non-fatal nil when raw support was not enabled).

📥 Commits

Reviewing files that changed from the base of the PR and between f9242be and 891903e.

📒 Files selected for processing (1)
  • client/firewall/iptables/manager_linux.go


@lixmal lixmal merged commit b9462f5 into main Mar 19, 2026
42 checks passed
@lixmal lixmal deleted the fix-raw-table-init-fatal branch March 19, 2026 16:33
Development

Successfully merging this pull request may close these issues.

NetBird v0.64.1+ crashes on kernels without iptable_raw module due to unconditional initNoTrackChain() call

2 participants