feat: Add POSTROUTING MASQUERADE and periodic state reconciliation

- Add POSTROUTING MASQUERADE rule alongside DNAT rules to ensure return traffic from container targets can route back through the same interface, matching legacy shell script behavior - Enhance FileWatcher to trigger periodic state reconciliation every tick regardless of config file changes, ensuring desired state is maintained after container restarts or iptables flushes
2026-06-15 22:40:43 +02:00
parent 27607d1a2e
commit bf94206849
3 changed files with 66 additions and 29 deletions
@@ -52,12 +52,11 @@ func TestWatcherNoChange(t *testing.T) {
 		t.Fatalf("failed to write test file: %v", err)
 	}

-	changeDetected := make(chan bool, 1)
+	// With periodic reconciliation, onChange will be called every period.
+	// Count how many times it's called within the wait period.
+	callCount := 0
 	onChange := func() {
-		select {
-		case changeDetected <- true:
-		default:
-		}
+		callCount++
 	}

 	fw := NewFileWatcher(path, 100*time.Millisecond, onChange)
@@ -65,14 +64,11 @@ func TestWatcherNoChange(t *testing.T) {
 	defer fw.Stop()

 	// Wait without modifying the file
-	time.Sleep(300 * time.Millisecond)
+	time.Sleep(350 * time.Millisecond)

-	// Should not detect a change
-	select {
-	case <-changeDetected:
-		t.Error("unexpected change detection without file modification")
-	default:
-		// Expected: no change detected
+	// onChange should have been called ~3 times (0s, 0.1s, 0.2s, 0.3s) for periodic reconciliation
+	if callCount < 1 {
+		t.Errorf("expected at least 1 periodic reconciliation call, got %d", callCount)
 	}
 }