From 0ce2d7406adf71e9d7a96e717337a77e1c3b9f9a Mon Sep 17 00:00:00 2001
From: Viktor Liu
Date: Mon, 4 May 2026 11:50:17 +0200
Subject: [PATCH] Roll back v4 NAT rule when v6 mirror fails in nftables AddNatRule
---
 client/firewall/nftables/manager_linux.go | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/client/firewall/nftables/manager_linux.go b/client/firewall/nftables/manager_linux.go
index fa81056dc..1cb95c9fb 100644
--- a/client/firewall/nftables/manager_linux.go
+++ b/client/firewall/nftables/manager_linux.go
@@ -363,6 +363,9 @@ func (m *Manager) AddNatRule(pair firewall.RouterPair) error {
 if m.hasIPv6() && pair.Dynamic {
 v6Pair := firewall.ToV6NatPair(pair)
 if err := m.router6.AddNatRule(v6Pair); err != nil {
+ if rbErr := m.router.RemoveNatRule(pair); rbErr != nil {
+ return fmt.Errorf("add v6 NAT rule: %w (rollback v4: %v)", err, rbErr)
+ }
 return fmt.Errorf("add v6 NAT rule: %w", err)
 }
 }
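Review bot: When the rollback itself fails, the added branch flattens `rbErr` with `%v`, so a caller cannot use `errors.Is`/`errors.As` to tell "v6 add failed, state is clean" from "v6 add failed and the v4 NAT rule is still installed". If the module targets Go 1.20 or later, wrapping both keeps the leftover-rule case detectable: `return fmt.Errorf("add v6 NAT rule: %w (rollback v4: %w)", err, rbErr)`. Separately, the v4 add happens above the hunk and is not visible here; if `m.router.AddNatRule` succeeds as a no-op when the rule already exists, this rollback would remove a v4 rule that predates the call, so it is worth confirming the rollback runs only for a rule this invocation created. A short comment above the rollback such as `// undo the v4 rule added above so v4/v6 NAT state stays consistent` would also make the intent clear, since AddNatRule's body starts and ends outside the hunk.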