feat: Add POSTROUTING MASQUERADE and periodic state reconciliation

- Add POSTROUTING MASQUERADE rule alongside DNAT rules to ensure return
  traffic from container targets can route back through the same interface,
  matching legacy shell script behavior
- Enhance FileWatcher to trigger periodic state reconciliation every tick
  regardless of config file changes, ensuring desired state is maintained
  after container restarts or iptables flushes

network-go/firewall/firewall.go

@@ -4,6 +4,7 @@ import (
 	"context"
 	"net"
 	"strconv"
+	"strings"
 	"time"
 
 	"firewall_containers/network-go/config"
@@ -253,6 +254,29 @@ func (o *Orchestrator) applyNATRule(ctx context.Context, cfg *config.NetworksCon
 					policy.Iface, targetIP, proto, port)
 			}
 		}
+
+		// Always add MASQUERADE on POSTROUTING so return traffic from the
+		// DNAT target can route back through the same interface.
+		// This mirrors the old shell script behavior where POSTROUTING
+		// was always set alongside PREROUTING DNAT rules.
+		// Required regardless of whether DNAT was in container namespace or host.
+		if targetIP != "" {
+			masqComment := comment + "-masq"
+			targetSubnet := ""
+			// Use the target's /24 subnet as the source CIDR for masquerade
+			if strings.Contains(targetIP, ".") {
+				targetSubnet = targetIP[:strings.LastIndex(targetIP, ".")] + ".0/24"
+			}
+			if targetSubnet != "" {
+				logger.Info("FIREWALL: inserting POSTROUTING MASQUERADE for %s", targetSubnet)
+				if err := o.iptablesMgr.InsertPostroutingMasquerade(targetSubnet, proto, port, masqComment); err != nil {
+					logger.Error("FIREWALL: failed to insert POSTROUTING MASQUERADE: %v", err)
+				} else {
+					logger.Info("FIREWALL: POSTROUTING MASQUERADE inserted: subnet=%s proto=%s port=%s",
+						targetSubnet, proto, port)
+				}
+			}
+		}
 	}
 }