capture and returns errors in ConntrackDeleteFilters

Signed-off-by: Daman Arora <aroradaman@gmail.com>
vishvananda · Sep 5, 2024 · 0bbe568 · 0bbe568
1 parent e194da5
commit 0bbe568
Showing 1 changed file with 12 additions and 5 deletions.
diff --git a/conntrack_linux.go b/conntrack_linux.go
@@ -158,21 +158,28 @@ func (h *Handle) ConntrackDeleteFilters(table ConntrackTableType, family InetFam
 	}
 
 	var matched uint
+	var errs []error
 	for _, dataRaw := range res {
 		flow := parseRawData(dataRaw)
 		for _, filter := range filters {
 			if match := filter.MatchConntrackFlow(flow); match {
 				req2 := h.newConntrackRequest(table, family, nl.IPCTNL_MSG_CT_DELETE, unix.NLM_F_ACK)
 				// skip the first 4 byte that are the netfilter header, the newConntrackRequest is adding it already
 				req2.AddRawData(dataRaw[4:])
-				req2.Execute(unix.NETLINK_NETFILTER, 0)
-				matched++
-				// flow is already deleted, no need to match on other filters and continue to the next flow.
-				break
+				_, err = req2.Execute(unix.NETLINK_NETFILTER, 0)
+				if err != nil {
+					errs = append(errs, fmt.Errorf("failed to delete conntrack flow '%s': %w", flow.String(), err))
+				} else {
+					matched++
+					// flow is already deleted, no need to match on other filters and continue to the next flow.
+					break
+				}
 			}
 		}
 	}
-
+	if len(errs) > 0 {
+		return matched, errors.Join(errs...)
+	}
 	return matched, nil
 }