From 7e5a1841b15814467886908ab0bcd43b1a4cc47a Mon Sep 17 00:00:00 2001
From: Alexey <247128645+axkurcom@users.noreply.github.com>
Date: Tue, 23 Jun 2026 23:30:13 +0300
Subject: [PATCH] Skip netfilter cleanup without CAP_NET_ADMIN by #845

Co-Authored-By: brekotis <93345790+brekotis@users.noreply.github.com>
---
 src/synlimit_control.rs | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/src/synlimit_control.rs b/src/synlimit_control.rs
index e151d41..8ca8d7c 100644
--- a/src/synlimit_control.rs
+++ b/src/synlimit_control.rs
@@ -124,6 +124,10 @@ pub(crate) async fn reconcile_synlimit_rules(cfg: &ProxyConfig) {
 }
 
 pub(crate) async fn clear_synlimit_rules_all_backends() -> Result<(), String> {
+ if !has_cap_net_admin() {
+ return Ok(());
+ }
+
 let mut errors = Vec::new();
 if let Err(error) = clear_nft_synlimit_rules_all_families().await {
 errors.push(error);
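Review bot: The early `return Ok(())` at the top of `clear_synlimit_rules_all_backends` makes a skipped cleanup indistinguishable from a completed one, so neither the caller nor an operator can tell that SYN-limit rules may still be installed. If rules can be created while the process holds CAP_NET_ADMIN and the capability is dropped later, they would stay in the kernel with no trace in the logs; whether that can happen depends on code outside this hunk, as does how `has_cap_net_admin()` reads the capability set. I would state the contract on the function, e.g. `/// Returns Ok(()) without touching any backend when the process lacks CAP_NET_ADMIN; existing rules are left in place.`, and emit one log line at the early return so the skip is visible. The function body continues past the end of the hunk.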