From c085ae05ea3642dab7e0741b6df725ffe2873513 Mon Sep 17 00:00:00 2001
From: Alexandr Stelnykovych <alexandr.stelnykovycn@ivpn.net>
Date: Fri, 3 Oct 2025 12:04:45 +0300
Subject: [PATCH 1/2] fix: correct ExecStopPost command syntax in
 portmaster.service

https://github.com/safing/portmaster/issues/1949
---
 packaging/linux/portmaster.service | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/packaging/linux/portmaster.service b/packaging/linux/portmaster.service
index cd25c262..758f05e5 100644
--- a/packaging/linux/portmaster.service
+++ b/packaging/linux/portmaster.service
@@ -37,7 +37,7 @@ StateDirectory=portmaster
 # TODO(ppacher): add --disable-software-updates once it's merged and the release process changed.
 WorkingDirectory=/var/lib/portmaster
 ExecStart=/usr/lib/portmaster/portmaster-core --log-dir=/var/lib/portmaster/log -- $PORTMASTER_ARGS
-ExecStopPost=-/usr/lib/portmaster/portmaster-core -recover-iptables
+ExecStopPost=-/usr/lib/portmaster/portmaster-core --recover-iptables
 
 [Install]
 WantedBy=multi-user.target

From af6a1623cc55f4f16da1df2c23b30fad237539cc Mon Sep 17 00:00:00 2001
From: Alexandr Stelnykovych <alexandr.stelnykovycn@ivpn.net>
Date: Fri, 3 Oct 2025 12:43:04 +0300
Subject: [PATCH 2/2] fix: improve error handling in recoverIPTables by
 filtering chain not exist errors

https://github.com/safing/portmaster/issues/1949
---
 cmds/portmaster-core/recover_linux.go | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/cmds/portmaster-core/recover_linux.go b/cmds/portmaster-core/recover_linux.go
index 61fecda7..10a16c10 100644
--- a/cmds/portmaster-core/recover_linux.go
+++ b/cmds/portmaster-core/recover_linux.go
@@ -4,6 +4,7 @@ import (
 	"errors"
 	"fmt"
 	"os"
+	"regexp"
 	"strings"
 
 	"github.com/hashicorp/go-multierror"
@@ -45,6 +46,8 @@ func recoverIPTables(cmd *cobra.Command, args []string) error {
 		return err
 	}
 
+	chainNotExistPattern := regexp.MustCompile(`(?i)chain\s+\S+\s+does not exist`) // "Chain ... does not exist"
+
 	var filteredErrors *multierror.Error
 	for _, err := range mr.Errors {
 		// if we have a permission denied error, all errors will be the same
@@ -52,7 +55,9 @@ func recoverIPTables(cmd *cobra.Command, args []string) error {
 			return fmt.Errorf("failed to cleanup iptables: %w", os.ErrPermission)
 		}
 
-		if !strings.Contains(err.Error(), "No such file or directory") {
+		if !strings.Contains(err.Error(), "No such file or directory") &&
+			!chainNotExistPattern.MatchString(err.Error()) {
+
 			filteredErrors = multierror.Append(filteredErrors, err)
 		}
 	}