From 77dba0c4fa58534b71338abd9bd4ea8f0c177363 Mon Sep 17 00:00:00 2001
From: hayzam <hayzam@difuse.io>
Date: Sun, 17 May 2026 23:37:01 +0000
Subject: [PATCH] netlink: filter sequence-mismatch errors in the error
 callback so they don't crash the engine

---
 io/nfqueue.go | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/io/nfqueue.go b/io/nfqueue.go
index 07301c4..52a2fc9 100644
--- a/io/nfqueue.go
+++ b/io/nfqueue.go
@@ -238,6 +238,9 @@ func (nio *nfqueuePacketIO) Register(ctx context.Context, cb PacketCallback) err
 						return 0
 					}
 				}
+				if strings.Contains(e.Error(), "mismatched sequence") {
+					return 0
+				}
 				return okBoolToInt(cb(nil, e))
 			})
 		if err != nil {
@@ -346,6 +349,7 @@ func (nio *nfqueuePacketIO) setupIpt(local, rst, remove bool) error {
 	if remove {
 		err = iptsBatchDeleteIfExists([]*iptables.IPTables{nio.ipt4, nio.ipt6}, rules)
 	} else {
+		_ = iptsBatchDeleteIfExists([]*iptables.IPTables{nio.ipt4, nio.ipt6}, rules)
 		err = iptsBatchAppendUnique([]*iptables.IPTables{nio.ipt4, nio.ipt6}, rules)
 	}
 	return err