From 48331871b4466df97206843e86ab0e85121ee802 Mon Sep 17 00:00:00 2001
From: gyurix
Date: Wed, 17 Jun 2026 10:18:24 +0200
Subject: [PATCH] fix(firewall): allow both forward and NAT rules in same policy

Remove continue statements after applying FORWARD and NAT rules so a single policy can specify both `from` and `nat` fields. Previously only the first matched rule was applied and subsequent ones were skipped. Also guard the unhandled-pattern warning to only log when both fields are empty, preventing false warnings.
---
 network-go/firewall/firewall.go | 15 ++++++++-------
 1 file changed, 8 insertions(+), 7 deletions(-)

diff --git a/network-go/firewall/firewall.go b/network-go/firewall/firewall.go
index b4d4cc5..ac26099 100644
--- a/network-go/firewall/firewall.go
+++ b/network-go/firewall/firewall.go
@@ -177,21 +177,22 @@ func (o *Orchestrator) reconcilePolicies(ctx context.Context, cfg *config.Networ
 }
 logger.Debug("FIREWALL: policy[%d] comment=%q", i, comment)
- // CASE 1: Rule with "from" field — this is a FORWARD ACCEPT rule
+ // Apply FORWARD ACCEPT rule if "from" is specified
+ // (no 'continue' — same policy may also have NAT rules)
 if policy.From != "" {
 o.applyForwardRule(ctx, cfg, policy, proto, port, comment)
- continue
 }
- // CASE 2: Rule with "nat" field — this is a DNAT/MASQUERADE rule
+ // Apply DNAT/MASQUERADE rule if "nat" is specified
 if policy.Nat != "" {
 o.applyNATRule(ctx, cfg, policy, proto, port, comment)
- continue
 }
- // Unhandled pattern
- logger.Warn("FIREWALL: policy[%d] unhandled pattern — service=%s container=%s selector=%s from=%s to=%s port=%d proto=%s nat=%s",
- i, policy.ServiceName, policy.ContainerName, policy.Selector, policy.From, policy.To, policy.Port, policy.Proto, policy.Nat)
+ // Unhandled pattern (no from, no nat)
+ if policy.From == "" && policy.Nat == "" {
+ logger.Warn("FIREWALL: policy[%d] unhandled pattern — service=%s container=%s selector=%s from=%s to=%s port=%d proto=%s nat=%s",
+ i, policy.ServiceName, policy.ContainerName, policy.Selector, policy.From, policy.To, policy.Port, policy.Proto, policy.Nat)
+ }
 }
 }
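Review bot: A policy that sets both `from` and `nat` now installs a FORWARD ACCEPT rule and a DNAT/MASQUERADE rule where, per the description, only the forward rule was installed before, so existing policy files gain NAT exposure silently; the two branches should at least emit a Debug line when both fire, e.g. `logger.Debug("FIREWALL: policy[%d] applies both forward and nat rules", i)`, and it is worth confirming that applyForwardRule's match still holds for traffic whose destination has already been rewritten by DNAT in PREROUTING (not visible here). The added guard `if policy.From == "" && policy.Nat == ""` is correct but re-derives what the two branches above already know; a `handled := false` set to `true` inside each branch and a final `if !handled {` keeps the three conditions from drifting apart when another rule kind is added. Both `o.applyForwardRule(...)` and `o.applyNATRule(...)` calls discard any result, so if those helpers report failure by return value a half-applied policy (forward accepted, NAT missing, or vice versa) goes unnoticed at this level — worth checking their signatures. reconcilePolicies begins before this hunk.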