feat(docker, firewall): Add stateful network connection check and optimize NAT rules
This adds an IsConnected method to verify if a container is already connected to a network with the expected IP, preventing redundant operations. In reconcileIPs, it skips reconnections if the state is correct. In applyNATRule, MASQUERADE is now applied in the same namespace as DNAT (container or host) for consistent and accurate rule application.
@@ -48,6 +48,9 @@ type MockDockerClient struct {
|
||||
InspectContainerErr error
|
||||
RemoveNetworkErr error
|
||||
DisconnectContainerErr error
|
||||
|
||||
IsConnectedCalled bool
|
||||
IsConnectedResult bool
|
||||
}
|
||||
|
||||
func (m *MockDockerClient) Close() error { return nil }
|
||||
@@ -106,6 +109,11 @@ func (m *MockDockerClient) FindContainerName(ctx context.Context, name, selector
|
||||
return name, m.FindContainerNameErr
|
||||
}
|
||||
|
||||
func (m *MockDockerClient) IsConnected(ctx context.Context, containerName, networkName, expectedIP string) bool {
|
||||
m.IsConnectedCalled = true
|
||||
return m.IsConnectedResult
|
||||
}
|
||||
|
||||
// MockIPTablesManager implements iptables.IPTablesAPI for testing
|
||||
type MockIPTablesManager struct {
|
||||
BinaryResult string
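Review bot: The mock `IsConnected` in the second hunk discards `containerName`, `networkName` and `expectedIP`, so a test can only assert that the check ran, not that it was made against the right container, network and address. The commit description says reconcileIPs skips the reconnect when this returns true, so a caller passing a stale or wrong expected IP would still pass the tests while the container's real address and the NAT rules that target it drift apart (reconcileIPs is not shown here, so this is inferred). Recording the arguments would close that gap: add a field such as `IsConnectedArgs [3]string` to `MockDockerClient` and set `m.IsConnectedArgs = [3]string{containerName, networkName, expectedIP}` before the return. The bare `bool` return, presumably mirroring the real interface, also gives the caller no way to tell "not connected" from "inspect failed"; a doc comment on the method stating which way the real client resolves that case would help anyone reading these tests.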
|
||||
|
||||