fix: update iptables binary paths to use /usr/sbin instead of /sbin

Standardize iptables paths across firewall scripts and Go code to ensure compatibility with systems where iptables is located in /usr/sbin. This affects both legacy and non-legacy iptables binaries.
gyurix
2026-06-15 16:34:24 +02:00
parent 2d6e22b9e6
commit 3172023254
3 changed files with 6 additions and 6 deletions
+1 -1
@@ -407,7 +407,7 @@ for source_ip_index in $(seq 1 $COUNT_SOURCE_IP); do
if [[ "$PREROUTING" == "true" ]] || [[ "$POSTROUTING" == "true" ]] || [[ "$HOST" == "true" ]]; then if [[ "$PREROUTING" == "true" ]] || [[ "$POSTROUTING" == "true" ]] || [[ "$HOST" == "true" ]]; then
if [ "$HOST" == "true" ]; then if [ "$HOST" == "true" ]; then
IPTABLES="/sbin/iptables -t nat" IPTABLES="/usr/sbin/iptables -t nat"
debug "iptables: "$IPTABLES debug "iptables: "$IPTABLES
else else
IPTABLES="nsenter -t $(docker inspect --format {{.State.Pid}} $NAME) -n -- /sbin/iptables-legacy -t nat" IPTABLES="nsenter -t $(docker inspect --format {{.State.Pid}} $NAME) -n -- /sbin/iptables-legacy -t nat"
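Review bot: The `else` branch of this same conditional still runs `/sbin/iptables-legacy` through nsenter while the host branch was moved to `/usr/sbin/iptables`, so after this hunk the two branches follow different path conventions, which does not match the description's claim that legacy binaries were standardized as well. Since nsenter is invoked with `-n` only, that path is resolved on the host filesystem, exactly like the host branch, so it should be moved too: `IPTABLES="nsenter -t $(docker inspect --format {{.State.Pid}} $NAME) -n -- /usr/sbin/iptables-legacy -t nat"`. The remaining lines of this hunk (and the enclosing loop body) run past what is shown here.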
+1 -1
@@ -173,7 +173,7 @@ pid, _ := dockerClient.GetContainerPID(ctx, containerName)
// 2. Execute iptables inside container namespace via nsenter // 2. Execute iptables inside container namespace via nsenter
exec.Command("nsenter", "-t", fmt.Sprintf("%d", pid), "-n", "--", exec.Command("nsenter", "-t", fmt.Sprintf("%d", pid), "-n", "--",
"/sbin/iptables-legacy", "-t", "nat", "-I", "PREROUTING", ...) "/usr/sbin/iptables-legacy", "-t", "nat", "-I", "PREROUTING", ...)
``` ```
- `-t <pid>` — target the container's PID - `-t <pid>` — target the container's PID
+4 -4
@@ -69,9 +69,9 @@ func (m *Manager) run(args ...string) error {
// runInContainer executes an iptables command inside a container's network namespace via nsenter // runInContainer executes an iptables command inside a container's network namespace via nsenter
func (m *Manager) runInContainer(pid int, table string, args ...string) error { func (m *Manager) runInContainer(pid int, table string, args ...string) error {
iptPath := "/sbin/iptables-legacy" iptPath := "/usr/sbin/iptables-legacy"
if !strings.Contains(m.binary, "legacy") { if !strings.Contains(m.binary, "legacy") {
iptPath = "/sbin/iptables" iptPath = "/usr/sbin/iptables"
} }
fullArgs := []string{"-t", fmt.Sprintf("%d", pid), "-n", "--", iptPath} fullArgs := []string{"-t", fmt.Sprintf("%d", pid), "-n", "--", iptPath}
@@ -177,9 +177,9 @@ func (m *Manager) deleteMatchingLines(chain, table string, grepPatterns ...strin
// deleteMatchingLinesInContainer deletes matching lines inside a container namespace // deleteMatchingLinesInContainer deletes matching lines inside a container namespace
func (m *Manager) deleteMatchingLinesInContainer(pid int, table, chain string, grepPatterns ...string) error { func (m *Manager) deleteMatchingLinesInContainer(pid int, table, chain string, grepPatterns ...string) error {
iptPath := "/sbin/iptables-legacy" iptPath := "/usr/sbin/iptables-legacy"
if !strings.Contains(m.binary, "legacy") { if !strings.Contains(m.binary, "legacy") {
iptPath = "/sbin/iptables" iptPath = "/usr/sbin/iptables"
} }
nsenterArgs := []string{"-t", fmt.Sprintf("%d", pid), "-n", "--", iptPath, "-w", "--line-number", "-n", "-t", table, "-L", chain} nsenterArgs := []string{"-t", fmt.Sprintf("%d", pid), "-n", "--", iptPath, "-w", "--line-number", "-n", "-t", table, "-L", chain}
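Review bot: The path selection in runInContainer and deleteMatchingLinesInContainer is the same four lines duplicated, and this commit had to patch both copies; a third caller will drift the next time the prefix changes. I would lift it into one method on Manager and have both functions call it, which also gives a single place to document why an absolute host path is correct here: nsenter is invoked with `-n` only, so the binary is resolved on the host filesystem, not inside the container. If os/exec is already imported in this file, that helper is also where an `exec.LookPath` lookup with the absolute path as fallback could go for hosts that still ship iptables only under /sbin, but that is a follow-up rather than part of this change. Both functions continue past the end of their hunks, so the remaining bodies are not shown here.
```go
// containerIptablesPath returns the iptables binary to run through nsenter.
// nsenter is invoked with -n only, so the path resolves on the host filesystem.
func (m *Manager) containerIptablesPath() string {
	if strings.Contains(m.binary, "legacy") {
		return "/usr/sbin/iptables-legacy"
	}
	return "/usr/sbin/iptables"
}

func (m *Manager) runInContainer(pid int, table string, args ...string) error {
	iptPath := m.containerIptablesPath()
	// … unchanged: fullArgs construction and the rest of the body …

func (m *Manager) deleteMatchingLinesInContainer(pid int, table, chain string, grepPatterns ...string) error {
	iptPath := m.containerIptablesPath()
	// … unchanged: nsenterArgs construction and the rest of the body …
```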