fix: warn instead of error when IP forwarding fails in containers

Downgrade the IP forwarding failure from an error to a warning,
as this is expected in containers with a read-only filesystem.
IP forwarding should be set at the host level, not inside a container.
Update comments to reflect this expectation and improve log clarity.

network-go/firewall/firewall.go

@@ -38,10 +38,11 @@ func (o *Orchestrator) ReconcileAll(ctx context.Context, cfg *config.NetworksCon
 	// Update resolver with latest config
 	o.resolver.SetConfig(cfg)
 
-	// Step 0: Enable IP forwarding
-	log.Println("FIREWALL: enabling IP forwarding")
+	// Step 0: Enable IP forwarding (may fail in containers with read-only fs)
 	if err := o.iptablesMgr.EnsureIPForward(); err != nil {
-		log.Printf("FIREWALL: ERROR enabling ip_forward: %v", err)
+		log.Printf("FIREWALL: WARNING could not enable ip_forward: %v", err)
+	} else {
+		log.Println("FIREWALL: IP forwarding enabled")
 	}
 
 	// Step 1: Ensure all defined networks exist

network-go/iptables/iptables.go

@@ -91,7 +91,9 @@ func (m *Manager) runInContainer(pid int, table string, args ...string) error {
 	return nil
 }
 
-// EnsureIPForward enables IP forwarding on the host
+// EnsureIPForward enables IP forwarding on the host.
+// Logs a warning if it fails (e.g. read-only filesystem in a container),
+// since this should be configured at the host level.
 func (m *Manager) EnsureIPForward() error {
 	cmd := exec.Command("sh", "-c", "echo 1 > /proc/sys/net/ipv4/ip_forward")
 	output, err := cmd.CombinedOutput()