fix(firewall): allow both forward and NAT rules in same policy
continuous-integration/drone/push Build is passing
continuous-integration/drone/push Build is passing
Remove continue statements after applying FORWARD and NAT rules so a single policy can specify both `from` and `nat` fields. Previously only the first matched rule was applied and subsequent ones were skipped. Also guard the unhandled-pattern warning to only log when both fields are empty, preventing false warnings.
This commit is contained in:
gyurix
@@ -177,22 +177,23 @@ func (o *Orchestrator) reconcilePolicies(ctx context.Context, cfg *config.Networ
|
||||
}
|
||||
logger.Debug("FIREWALL: policy[%d] comment=%q", i, comment)
|
||||
|
||||
// CASE 1: Rule with "from" field — this is a FORWARD ACCEPT rule
|
||||
// Apply FORWARD ACCEPT rule if "from" is specified
|
||||
// (no 'continue' — same policy may also have NAT rules)
|
||||
if policy.From != "" {
|
||||
o.applyForwardRule(ctx, cfg, policy, proto, port, comment)
|
||||
continue
|
||||
}
|
||||
|
||||
// CASE 2: Rule with "nat" field — this is a DNAT/MASQUERADE rule
|
||||
// Apply DNAT/MASQUERADE rule if "nat" is specified
|
||||
if policy.Nat != "" {
|
||||
o.applyNATRule(ctx, cfg, policy, proto, port, comment)
|
||||
continue
|
||||
}
|
||||
|
||||
// Unhandled pattern
|
||||
// Unhandled pattern (no from, no nat)
|
||||
if policy.From == "" && policy.Nat == "" {
|
||||
logger.Warn("FIREWALL: policy[%d] unhandled pattern — service=%s container=%s selector=%s from=%s to=%s port=%d proto=%s nat=%s",
|
||||
i, policy.ServiceName, policy.ContainerName, policy.Selector, policy.From, policy.To, policy.Port, policy.Proto, policy.Nat)
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
func (o *Orchestrator) applyForwardRule(ctx context.Context, cfg *config.NetworksConfig, policy config.PolicyConfig, proto, port, comment string) {
|
||||
|
||||
Reference in New Issue
Block a user