From bcf006581dd9f519fa3fc999ce3ae4e4fa8593ab Mon Sep 17 00:00:00 2001
From: Viktor Liu
Date: Mon, 4 May 2026 12:03:05 +0200
Subject: [PATCH] Roll back nftables init via deferred cleanup on any failure

---
 client/firewall/nftables/manager_linux.go | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/client/firewall/nftables/manager_linux.go b/client/firewall/nftables/manager_linux.go
index 1cb95c9fb..02a0c1949 100644
--- a/client/firewall/nftables/manager_linux.go
+++ b/client/firewall/nftables/manager_linux.go
@@ -175,25 +175,29 @@ func (m *Manager) reconcileExternalChains() error {
 	return nberrors.FormatErrorOrNil(merr)
 }
 
-func (m *Manager) initFirewall() error {
+func (m *Manager) initFirewall() (err error) {
 	workTable, err := m.createWorkTable()
 	if err != nil {
 		return fmt.Errorf("create work table: %w", err)
 	}
 
+	defer func() {
+		if err != nil {
+			m.rollbackInit()
+		}
+	}()
+
 	if err := m.router.init(workTable); err != nil {
 		return fmt.Errorf("router init: %w", err)
 	}
 
 	if err := m.aclManager.init(workTable); err != nil {
-		m.rollbackInit()
 		return fmt.Errorf("acl manager init: %w", err)
 	}
 
 	if m.hasIPv6() {
 		if err := m.initIPv6(); err != nil {
 			// Peer has a v6 address: v6 firewall MUST work or we risk fail-open.
-			m.rollbackInit()
 			return fmt.Errorf("init IPv6 firewall (required because peer has IPv6 address): %w", err)
 		}
 	}
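Review bot: The deferred rollback reads the named result `err`, but every failure below it is detected through a `:=`-shadowed `err` in an if-initializer, so the closure only works because `return fmt.Errorf(...)` assigns the named result before deferred functions run; that is correct but subtle enough to trip a future edit, so the defer deserves a comment such as `// Inspects the named result: "return <expr>" assigns it before this runs, so the shadowed errs in the if-initializers are covered.`. Placing the defer after createWorkTable is presumably deliberate (nothing to tear down yet), and a one-line comment saying so would keep someone from "fixing" it upward. Note that the router.init failure path did not previously call rollbackInit, so it is worth confirming that rollbackInit tolerates the partially applied state router.init may leave behind, given the fail-open concern the existing IPv6 comment raises. initFirewall's body continues past the end of the hunk.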