@@ -94,7 +94,7 @@ require (

 	github.com/spf13/pflag v1.0.6

 	github.com/tonistiigi/go-archvariant v1.0.0

 	github.com/vbatts/tar-split v0.11.6

-	github.com/vishvananda/netlink v1.3.1-0.20240922070040-084abd93d350

+	github.com/vishvananda/netlink v1.3.1-0.20250209162617-655392bc778a

 	github.com/vishvananda/netns v0.0.5

 	go.etcd.io/bbolt v1.3.11

 	go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.56.0

@@ -550,8 +550,8 @@ github.com/tv42/httpunix v0.0.0-20150427012821-b75d8614f926/go.mod h1:9ESjWnEqri

 github.com/urfave/cli v1.19.1/go.mod h1:70zkFmudgCuE/ngEzBv17Jvp/497gISqfk5gWijbERA=

 github.com/vbatts/tar-split v0.11.6 h1:4SjTW5+PU11n6fZenf2IPoV8/tz3AaYHMWjf23envGs=

 github.com/vbatts/tar-split v0.11.6/go.mod h1:dqKNtesIOr2j2Qv3W/cHjnvk9I8+G7oAkFDFN6TCBEI=

-github.com/vishvananda/netlink v1.3.1-0.20240922070040-084abd93d350 h1:w5OI+kArIBVksl8UGn6ARQshtPCQvDsbuA9NQie3GIg=

-github.com/vishvananda/netlink v1.3.1-0.20240922070040-084abd93d350/go.mod h1:i6NetklAujEcC6fK0JPjT8qSwWyO0HLn4UKG+hGqeJs=

+github.com/vishvananda/netlink v1.3.1-0.20250209162617-655392bc778a h1:P8YrhmisX/O76LxBpE0Bj9jk3WEzO/tYVv+HHRQsrQQ=

+github.com/vishvananda/netlink v1.3.1-0.20250209162617-655392bc778a/go.mod h1:i6NetklAujEcC6fK0JPjT8qSwWyO0HLn4UKG+hGqeJs=

 github.com/vishvananda/netns v0.0.4/go.mod h1:SpkAiCQRtJ6TvvxPnOSyH3BMl6unz3xZlaprSwhNNJM=

 github.com/vishvananda/netns v0.0.5 h1:DfiHV+j8bA32MFM7bfEunvT8IAqQ/NzSJHtcmW5zdEY=

 github.com/vishvananda/netns v0.0.5/go.mod h1:SpkAiCQRtJ6TvvxPnOSyH3BMl6unz3xZlaprSwhNNJM=

@@ -18,6 +18,7 @@ import (

 //

 // If `addr` is an IPv4 address and the broadcast address is not given, it

 // will be automatically computed based on the IP mask if /30 or larger.

+// If `net.IPv4zero` is given as the broadcast address, broadcast is disabled.

 func AddrAdd(link Link, addr *Addr) error {

 	return pkgHandle.AddrAdd(link, addr)

 }

@@ -28,6 +29,7 @@ func AddrAdd(link Link, addr *Addr) error {

 //

 // If `addr` is an IPv4 address and the broadcast address is not given, it

 // will be automatically computed based on the IP mask if /30 or larger.

+// If `net.IPv4zero` is given as the broadcast address, broadcast is disabled.

 func (h *Handle) AddrAdd(link Link, addr *Addr) error {

 	req := h.newNetlinkRequest(unix.RTM_NEWADDR, unix.NLM_F_CREATE|unix.NLM_F_EXCL|unix.NLM_F_ACK)

 	return h.addrHandle(link, addr, req)

@@ -39,6 +41,7 @@ func (h *Handle) AddrAdd(link Link, addr *Addr) error {

 //

 // If `addr` is an IPv4 address and the broadcast address is not given, it

 // will be automatically computed based on the IP mask if /30 or larger.

+// If `net.IPv4zero` is given as the broadcast address, broadcast is disabled.

 func AddrReplace(link Link, addr *Addr) error {

 	return pkgHandle.AddrReplace(link, addr)

 }

@@ -49,6 +52,7 @@ func AddrReplace(link Link, addr *Addr) error {

 //

 // If `addr` is an IPv4 address and the broadcast address is not given, it

 // will be automatically computed based on the IP mask if /30 or larger.

+// If `net.IPv4zero` is given as the broadcast address, broadcast is disabled.

 func (h *Handle) AddrReplace(link Link, addr *Addr) error {

 	req := h.newNetlinkRequest(unix.RTM_NEWADDR, unix.NLM_F_CREATE|unix.NLM_F_REPLACE|unix.NLM_F_ACK)

 	return h.addrHandle(link, addr, req)

@@ -57,18 +61,13 @@ func (h *Handle) AddrReplace(link Link, addr *Addr) error {

 // AddrDel will delete an IP address from a link device.

 //

 // Equivalent to: `ip addr del $addr dev $link`

-//

-// If `addr` is an IPv4 address and the broadcast address is not given, it

-// will be automatically computed based on the IP mask if /30 or larger.

 func AddrDel(link Link, addr *Addr) error {

 	return pkgHandle.AddrDel(link, addr)

 }

 // AddrDel will delete an IP address from a link device.

-// Equivalent to: `ip addr del $addr dev $link`

 //

-// If `addr` is an IPv4 address and the broadcast address is not given, it

-// will be automatically computed based on the IP mask if /30 or larger.

+// Equivalent to: `ip addr del $addr dev $link`

 func (h *Handle) AddrDel(link Link, addr *Addr) error {

 	req := h.newNetlinkRequest(unix.RTM_DELADDR, unix.NLM_F_ACK)

 	return h.addrHandle(link, addr, req)

@@ -142,6 +141,10 @@ func (h *Handle) addrHandle(link Link, addr *Addr, req *nl.NetlinkRequest) error

 			addr.Broadcast = calcBroadcast

 		}

+		if net.IPv4zero.Equal(addr.Broadcast) {

+			addr.Broadcast = nil

+		}

+

 		if addr.Broadcast != nil {

 			req.AddData(nl.NewRtAttr(unix.IFA_BROADCAST, addr.Broadcast))

 		}

@@ -5,8 +5,8 @@ import (

 	"encoding/binary"

 	"errors"

 	"fmt"

+	"io/fs"

 	"net"

-	"strings"

 	"time"

 	"github.com/vishvananda/netlink/nl"

@@ -159,13 +159,19 @@ func (h *Handle) ConntrackDeleteFilter(table ConntrackTableType, family InetFami

 // ConntrackDeleteFilters deletes entries on the specified table matching any of the specified filters using the netlink handle passed

 // conntrack -D [table] parameters         Delete conntrack or expectation

 func (h *Handle) ConntrackDeleteFilters(table ConntrackTableType, family InetFamily, filters ...CustomConntrackFilter) (uint, error) {

+	var finalErr error

 	res, err := h.dumpConntrackTable(table, family)

 	if err != nil {

-		return 0, err

+		if !errors.Is(err, ErrDumpInterrupted) {

+			return 0, err

+		}

+		// This allows us to at least do a best effort to try to clean the

+		// entries matching the filter.

+		finalErr = err

 	}

+	var totalFilterErrors int

 	var matched uint

-	var errMsgs []string

 	for _, dataRaw := range res {

 		flow := parseRawData(dataRaw)

 		for _, filter := range filters {

@@ -173,19 +179,20 @@ func (h *Handle) ConntrackDeleteFilters(table ConntrackTableType, family InetFam

 				req2 := h.newConntrackRequest(table, family, nl.IPCTNL_MSG_CT_DELETE, unix.NLM_F_ACK)

 				// skip the first 4 byte that are the netfilter header, the newConntrackRequest is adding it already

 				req2.AddRawData(dataRaw[4:])

-				if _, err = req2.Execute(unix.NETLINK_NETFILTER, 0); err == nil {

+				if _, err = req2.Execute(unix.NETLINK_NETFILTER, 0); err == nil || errors.Is(err, fs.ErrNotExist) {

 					matched++

 					// flow is already deleted, no need to match on other filters and continue to the next flow.

 					break

+				} else {

+					totalFilterErrors++

 				}

-				errMsgs = append(errMsgs, fmt.Sprintf("failed to delete conntrack flow '%s': %s", flow.String(), err.Error()))

 			}

 		}

 	}

-	if len(errMsgs) > 0 {

-		return matched, fmt.Errorf(strings.Join(errMsgs, "; "))

+	if totalFilterErrors > 0 {

+		finalErr = errors.Join(finalErr, fmt.Errorf("failed to delete %d conntrack flows with %d filters", totalFilterErrors, len(filters)))

 	}

-	return matched, nil

+	return matched, finalErr

 }

 func (h *Handle) newConntrackRequest(table ConntrackTableType, family InetFamily, operation, flags int) *nl.NetlinkRequest {

@@ -231,6 +231,35 @@ func NewCsumAction() *CsumAction {

 	}

 }

+type VlanAct int8

+

+type VlanAction struct {

+	ActionAttrs

+	Action VlanAct

+	VlanID uint16

+}

+

+const (

+	TCA_VLAN_ACT_POP  VlanAct = 1

+	TCA_VLAN_ACT_PUSH VlanAct = 2

+)

+

+func (action *VlanAction) Type() string {

+	return "vlan"

+}

+

+func (action *VlanAction) Attrs() *ActionAttrs {

+	return &action.ActionAttrs

+}

+

+func NewVlanAction() *VlanAction {

+	return &VlanAction{

+		ActionAttrs: ActionAttrs{

+			Action: TC_ACT_PIPE,

+		},

+	}

+}

+

 type MirredAct uint8

 func (a MirredAct) String() string {

@@ -65,6 +65,9 @@ type Flower struct {

 	EncSrcIPMask  net.IPMask

 	EncDestPort   uint16

 	EncKeyId      uint32

+	SrcMac        net.HardwareAddr

+	DestMac       net.HardwareAddr

+	VlanId        uint16

 	SkipHw        bool

 	SkipSw        bool

 	IPProto       *nl.IPProto

@@ -135,6 +138,15 @@ func (filter *Flower) encode(parent *nl.RtAttr) error {

 	if filter.EncKeyId != 0 {

 		parent.AddRtAttr(nl.TCA_FLOWER_KEY_ENC_KEY_ID, htonl(filter.EncKeyId))

 	}

+	if filter.SrcMac != nil {

+		parent.AddRtAttr(nl.TCA_FLOWER_KEY_ETH_SRC, filter.SrcMac)

+	}

+	if filter.DestMac != nil {

+		parent.AddRtAttr(nl.TCA_FLOWER_KEY_ETH_DST, filter.DestMac)

+	}

+	if filter.VlanId != 0 {

+		parent.AddRtAttr(nl.TCA_FLOWER_KEY_VLAN_ID, nl.Uint16Attr(filter.VlanId))

+	}

 	if filter.IPProto != nil {

 		ipproto := *filter.IPProto

 		parent.AddRtAttr(nl.TCA_FLOWER_KEY_IP_PROTO, ipproto.Serialize())

@@ -201,6 +213,13 @@ func (filter *Flower) decode(data []syscall.NetlinkRouteAttr) error {

 			filter.EncDestPort = ntohs(datum.Value)

 		case nl.TCA_FLOWER_KEY_ENC_KEY_ID:

 			filter.EncKeyId = ntohl(datum.Value)

+		case nl.TCA_FLOWER_KEY_ETH_SRC:

+			filter.SrcMac = datum.Value

+		case nl.TCA_FLOWER_KEY_ETH_DST:

+			filter.DestMac = datum.Value

+		case nl.TCA_FLOWER_KEY_VLAN_ID:

+			filter.VlanId = native.Uint16(datum.Value[0:2])

+			filter.EthType = unix.ETH_P_8021Q

 		case nl.TCA_FLOWER_KEY_IP_PROTO:

 			val := new(nl.IPProto)

 			*val = nl.IPProto(datum.Value[0])

@@ -622,6 +641,22 @@ func EncodeActions(attr *nl.RtAttr, actions []Action) error {

 			}

 			toTcGen(action.Attrs(), &mirred.TcGen)

 			aopts.AddRtAttr(nl.TCA_MIRRED_PARMS, mirred.Serialize())

+		case *VlanAction:

+			table := attr.AddRtAttr(tabIndex, nil)

+			tabIndex++

+			table.AddRtAttr(nl.TCA_ACT_KIND, nl.ZeroTerminated("vlan"))

+			aopts := table.AddRtAttr(nl.TCA_ACT_OPTIONS, nil)

+			vlan := nl.TcVlan{

+				Action: int32(action.Action),

+			}

+			toTcGen(action.Attrs(), &vlan.TcGen)

+			aopts.AddRtAttr(nl.TCA_VLAN_PARMS, vlan.Serialize())

+			if action.Action == TCA_VLAN_ACT_PUSH && action.VlanID == 0 {

+				return fmt.Errorf("vlan id is required for push action")

+			}

+			if action.VlanID != 0 {

+				aopts.AddRtAttr(nl.TCA_VLAN_PUSH_VLAN_ID, nl.Uint16Attr(action.VlanID))

+			}

 		case *TunnelKeyAction:

 			table := attr.AddRtAttr(tabIndex, nil)

 			tabIndex++

@@ -792,6 +827,8 @@ func parseActions(tables []syscall.NetlinkRouteAttr) ([]Action, error) {

 					action = &CsumAction{}

 				case "gact":

 					action = &GenericAction{}

+				case "vlan":

+					action = &VlanAction{}

 				case "tunnel_key":

 					action = &TunnelKeyAction{}

 				case "skbedit":

@@ -822,7 +859,17 @@ func parseActions(tables []syscall.NetlinkRouteAttr) ([]Action, error) {

 							tcTs := nl.DeserializeTcf(adatum.Value)

 							actionTimestamp = toTimeStamp(tcTs)

 						}

-

+					case "vlan":

+						switch adatum.Attr.Type {

+						case nl.TCA_VLAN_PARMS:

+							vlan := *nl.DeserializeTcVlan(adatum.Value)

+							action.(*VlanAction).ActionAttrs = ActionAttrs{}

+							toAttrs(&vlan.TcGen, action.Attrs())

+							action.(*VlanAction).Action = VlanAct(vlan.Action)

+						case nl.TCA_VLAN_PUSH_VLAN_ID:

+							vlanId := native.Uint16(adatum.Value[0:2])

+							action.(*VlanAction).VlanID = vlanId

+						}

 					case "tunnel_key":

 						switch adatum.Attr.Type {

 						case nl.TCA_TUNNEL_KEY_PARMS:

@@ -56,6 +56,8 @@ type LinkAttrs struct {

 	Vfs            []VfInfo // virtual functions available on link

 	Group          uint32

 	PermHWAddr     net.HardwareAddr

+	ParentDev      string

+	ParentDevBus   string

 	Slave          LinkSlave

 }

@@ -377,6 +379,13 @@ const (

 	NETKIT_POLICY_BLACKHOLE NetkitPolicy = 2

 )

+type NetkitScrub int

+

+const (

+	NETKIT_SCRUB_NONE    NetkitScrub = 0

+	NETKIT_SCRUB_DEFAULT NetkitScrub = 1

+)

+

 func (n *Netkit) IsPrimary() bool {

 	return n.isPrimary

 }

@@ -391,6 +400,9 @@ type Netkit struct {

 	Mode          NetkitMode

 	Policy        NetkitPolicy

 	PeerPolicy    NetkitPolicy

+	Scrub         NetkitScrub

+	PeerScrub     NetkitScrub

+	supportsScrub bool

 	isPrimary     bool

 	peerLinkAttrs LinkAttrs

 }

@@ -403,6 +415,10 @@ func (n *Netkit) Type() string {

 	return "netkit"

 }

+func (n *Netkit) SupportsScrub() bool {

+	return n.supportsScrub

+}

+

 // Veth devices must specify PeerName on create

 type Veth struct {

 	LinkAttrs

@@ -761,19 +777,19 @@ const (

 )

 var bondXmitHashPolicyToString = map[BondXmitHashPolicy]string{

-	BOND_XMIT_HASH_POLICY_LAYER2:   "layer2",

-	BOND_XMIT_HASH_POLICY_LAYER3_4: "layer3+4",

-	BOND_XMIT_HASH_POLICY_LAYER2_3: "layer2+3",

-	BOND_XMIT_HASH_POLICY_ENCAP2_3: "encap2+3",

-	BOND_XMIT_HASH_POLICY_ENCAP3_4: "encap3+4",

+	BOND_XMIT_HASH_POLICY_LAYER2:      "layer2",

+	BOND_XMIT_HASH_POLICY_LAYER3_4:    "layer3+4",

+	BOND_XMIT_HASH_POLICY_LAYER2_3:    "layer2+3",

+	BOND_XMIT_HASH_POLICY_ENCAP2_3:    "encap2+3",

+	BOND_XMIT_HASH_POLICY_ENCAP3_4:    "encap3+4",

 	BOND_XMIT_HASH_POLICY_VLAN_SRCMAC: "vlan+srcmac",

 }

 var StringToBondXmitHashPolicyMap = map[string]BondXmitHashPolicy{

-	"layer2":   BOND_XMIT_HASH_POLICY_LAYER2,

-	"layer3+4": BOND_XMIT_HASH_POLICY_LAYER3_4,

-	"layer2+3": BOND_XMIT_HASH_POLICY_LAYER2_3,

-	"encap2+3": BOND_XMIT_HASH_POLICY_ENCAP2_3,

-	"encap3+4": BOND_XMIT_HASH_POLICY_ENCAP3_4,

+	"layer2":      BOND_XMIT_HASH_POLICY_LAYER2,

+	"layer3+4":    BOND_XMIT_HASH_POLICY_LAYER3_4,

+	"layer2+3":    BOND_XMIT_HASH_POLICY_LAYER2_3,

+	"encap2+3":    BOND_XMIT_HASH_POLICY_ENCAP2_3,

+	"encap3+4":    BOND_XMIT_HASH_POLICY_ENCAP3_4,

 	"vlan+srcmac": BOND_XMIT_HASH_POLICY_VLAN_SRCMAC,

 }

@@ -2263,6 +2263,10 @@ func LinkDeserialize(hdr *unix.NlMsghdr, m []byte) (Link, error) {

 					break

 				}

 			}

+		case unix.IFLA_PARENT_DEV_NAME:

+			base.ParentDev = string(attr.Value[:len(attr.Value)-1])

+		case unix.IFLA_PARENT_DEV_BUS_NAME:

+			base.ParentDevBus = string(attr.Value[:len(attr.Value)-1])

 		}

 	}

@@ -2676,6 +2680,8 @@ func addNetkitAttrs(nk *Netkit, linkInfo *nl.RtAttr, flag int) error {

 	data.AddRtAttr(nl.IFLA_NETKIT_MODE, nl.Uint32Attr(uint32(nk.Mode)))

 	data.AddRtAttr(nl.IFLA_NETKIT_POLICY, nl.Uint32Attr(uint32(nk.Policy)))

 	data.AddRtAttr(nl.IFLA_NETKIT_PEER_POLICY, nl.Uint32Attr(uint32(nk.PeerPolicy)))

+	data.AddRtAttr(nl.IFLA_NETKIT_SCRUB, nl.Uint32Attr(uint32(nk.Scrub)))

+	data.AddRtAttr(nl.IFLA_NETKIT_PEER_SCRUB, nl.Uint32Attr(uint32(nk.PeerScrub)))

 	if (flag & unix.NLM_F_EXCL) == 0 {

 		// Modifying peer link attributes will not take effect

@@ -2736,6 +2742,12 @@ func parseNetkitData(link Link, data []syscall.NetlinkRouteAttr) {

 			netkit.Policy = NetkitPolicy(native.Uint32(datum.Value[0:4]))

 		case nl.IFLA_NETKIT_PEER_POLICY:

 			netkit.PeerPolicy = NetkitPolicy(native.Uint32(datum.Value[0:4]))

+		case nl.IFLA_NETKIT_SCRUB:

+			netkit.supportsScrub = true

+			netkit.Scrub = NetkitScrub(native.Uint32(datum.Value[0:4]))

+		case nl.IFLA_NETKIT_PEER_SCRUB:

+			netkit.supportsScrub = true

+			netkit.PeerScrub = NetkitScrub(native.Uint32(datum.Value[0:4]))

 		}

 	}

 }

@@ -3033,7 +3045,6 @@ func parseMacvlanData(link Link, data []syscall.NetlinkRouteAttr) {

 	}

 }

-// copied from pkg/net_linux.go

 func linkFlags(rawFlags uint32) net.Flags {

 	var f net.Flags

 	if rawFlags&unix.IFF_UP != 0 {

@@ -3051,6 +3062,9 @@ func linkFlags(rawFlags uint32) net.Flags {

 	if rawFlags&unix.IFF_MULTICAST != 0 {

 		f |= net.FlagMulticast

 	}

+	if rawFlags&unix.IFF_RUNNING != 0 {

+		f |= net.FlagRunning

+	}

 	return f

 }

@@ -38,6 +38,8 @@ const (

 	IFLA_NETKIT_POLICY

 	IFLA_NETKIT_PEER_POLICY

 	IFLA_NETKIT_MODE

+	IFLA_NETKIT_SCRUB

+	IFLA_NETKIT_PEER_SCRUB

 	IFLA_NETKIT_MAX = IFLA_NETKIT_MODE

 )

@@ -17,7 +17,7 @@ func ParseAttributes(data []byte) <-chan Attribute {

 	go func() {

 		i := 0

-		for i+4 < len(data) {

+		for i+4 <= len(data) {

 			length := int(native.Uint16(data[i : i+2]))

 			attrType := native.Uint16(data[i+2 : i+4])

@@ -115,6 +115,7 @@ const (

 	SizeofTcConnmark     = SizeofTcGen + 0x04

 	SizeofTcCsum         = SizeofTcGen + 0x04

 	SizeofTcMirred       = SizeofTcGen + 0x08

+	SizeofTcVlan         = SizeofTcGen + 0x04

 	SizeofTcTunnelKey    = SizeofTcGen + 0x04

 	SizeofTcSkbEdit      = SizeofTcGen

 	SizeofTcPolice       = 2*SizeofTcRateSpec + 0x20

@@ -817,6 +818,41 @@ func (x *TcMirred) Serialize() []byte {

 }

 const (

+	TCA_VLAN_UNSPEC = iota

+	TCA_VLAN_TM

+	TCA_VLAN_PARMS

+	TCA_VLAN_PUSH_VLAN_ID

+	TCA_VLAN_PUSH_VLAN_PROTOCOL

+	TCA_VLAN_PAD

+	TCA_VLAN_PUSH_VLAN_PRIORITY

+	TCA_VLAN_PUSH_ETH_DST

+	TCA_VLAN_PUSH_ETH_SRC

+	TCA_VLAN_MAX

+)

+

+//struct tc_vlan {

+//	tc_gen;

+//	int v_action;

+//};

+

+type TcVlan struct {

+	TcGen

+	Action int32

+}

+

+func (msg *TcVlan) Len() int {

+	return SizeofTcVlan

+}

+

+func DeserializeTcVlan(b []byte) *TcVlan {

+	return (*TcVlan)(unsafe.Pointer(&b[0:SizeofTcVlan][0]))

+}

+

+func (x *TcVlan) Serialize() []byte {

+	return (*(*[SizeofTcVlan]byte)(unsafe.Pointer(x)))[:]

+}

+

+const (

 	TCA_TUNNEL_KEY_UNSPEC = iota

 	TCA_TUNNEL_KEY_TM

 	TCA_TUNNEL_KEY_PARMS

@@ -1239,8 +1275,8 @@ const (

 )

 // /* TCA_PEDIT_KEY_EX_HDR_TYPE_NETWROK is a special case for legacy users. It

-//  * means no specific header type - offset is relative to the network layer

-//  */

+//   - means no specific header type - offset is relative to the network layer

+//     */

 type PeditHeaderType uint16

 const (

@@ -1156,7 +1156,7 @@ github.com/tonistiigi/vt100

 github.com/vbatts/tar-split/archive/tar

 github.com/vbatts/tar-split/tar/asm

 github.com/vbatts/tar-split/tar/storage

-# github.com/vishvananda/netlink v1.3.1-0.20240922070040-084abd93d350

+# github.com/vishvananda/netlink v1.3.1-0.20250209162617-655392bc778a

 ## explicit; go 1.12

 github.com/vishvananda/netlink

 github.com/vishvananda/netlink/nl