feat: add idempotent route checks and container network routes

- Make AddRouteInContainer idempotent by checking existing routes and handling "File exists" errors
- Add loop in firewall reconciler to add routes for containers to reach other networks
- Update iptables checks to include port for better rule distinction

network-go/firewall/firewall.go

@@ -126,6 +126,25 @@ func (o *Orchestrator) reconcileIPs(ctx context.Context, cfg *config.NetworksCon
 			logger.Info("FIREWALL: container %s connected to network %s with IP %s",
 				containerName, networkName, ipStr)
 		}
+
+		// Add routes inside the container so it can reach all other networks
+		// This mirrors the old shell script's ip_route() function
+		for _, otherNetCfg := range cfg.Networks {
+			if otherNetCfg.NetworkName == networkName {
+				continue // skip the network we're already on
+			}
+			route := otherNetCfg.Subnet
+			gw := otherNetCfg.Gateway
+			if route == "" || gw == "" {
+				continue
+			}
+			logger.Debug("FIREWALL: adding route in container %s: %s via %s", containerName, route, gw)
+			if err := o.dockerClient.AddRouteInContainer(ctx, containerName, route, gw); err != nil {
+				logger.Warn("FIREWALL: failed to add route %s via %s in container %s: %v", route, gw, containerName, err)
+			} else {
+				logger.Debug("FIREWALL: route %s via %s added in container %s", route, gw, containerName)
+			}
+		}
 	}
 }