From c6ae1748cffb0c2d67b4157383f2d4fb6329d64b Mon Sep 17 00:00:00 2001
From: gyurix
Date: Mon, 15 Jun 2026 12:21:12 +0200
Subject: [PATCH] fix: warn instead of error when IP forwarding fails in containers

Downgrade the IP forwarding failure from an error to a warning, as this is expected in containers with a read-only filesystem. IP forwarding should be set at the host level, not inside a container. Update comments to reflect this expectation and improve log clarity.
---
 network-go/firewall/firewall.go | 7 ++++---
 network-go/iptables/iptables.go | 4 +++-
 2 files changed, 7 insertions(+), 4 deletions(-)

diff --git a/network-go/firewall/firewall.go b/network-go/firewall/firewall.go
index 2155529..a29831e 100644
--- a/network-go/firewall/firewall.go
+++ b/network-go/firewall/firewall.go
@@ -38,10 +38,11 @@ func (o *Orchestrator) ReconcileAll(ctx context.Context, cfg *config.NetworksCon
 // Update resolver with latest config
 o.resolver.SetConfig(cfg)
- // Step 0: Enable IP forwarding
- log.Println("FIREWALL: enabling IP forwarding")
+ // Step 0: Enable IP forwarding (may fail in containers with read-only fs)
 if err := o.iptablesMgr.EnsureIPForward(); err != nil {
- log.Printf("FIREWALL: ERROR enabling ip_forward: %v", err)
+ log.Printf("FIREWALL: WARNING could not enable ip_forward: %v", err)
+ } else {
+ log.Println("FIREWALL: IP forwarding enabled")
 }
 // Step 1: Ensure all defined networks exist
diff --git a/network-go/iptables/iptables.go b/network-go/iptables/iptables.go
index e69692f..ad8fa77 100644
--- a/network-go/iptables/iptables.go
+++ b/network-go/iptables/iptables.go
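Review bot: The new WARNING branch in ReconcileAll is taken for every EnsureIPForward failure, including the case where forwarding is actually off on the host, and the reconcile then carries on to Step 1 with nothing confirming the sysctl value. A failed write is only harmless when `/proc/sys/net/ipv4/ip_forward` already reads `1`; I would read it back in the error branch and keep the ERROR level when it does not, so a host that was never configured is not hidden behind a routine-looking warning. The sketch below assumes `os` and `strings` are imported in firewall.go (the import block is not visible here), and ReconcileAll starts and ends outside this hunk.

```go
	if err := o.iptablesMgr.EnsureIPForward(); err != nil {
		// A failed write is only harmless when the host already has forwarding on.
		cur, rerr := os.ReadFile("/proc/sys/net/ipv4/ip_forward")
		if rerr == nil && strings.TrimSpace(string(cur)) == "1" {
			log.Printf("FIREWALL: WARNING could not write ip_forward (already enabled on host): %v", err)
		} else {
			log.Printf("FIREWALL: ERROR ip_forward is not enabled and could not be set: %v", err)
		}
	} else {
		log.Println("FIREWALL: IP forwarding enabled")
	}
	// … unchanged: Step 1 onwards …
```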
@@ -91,7 +91,9 @@ func (m *Manager) runInContainer(pid int, table string, args ...string) error {
 return nil
 }
-// EnsureIPForward enables IP forwarding on the host
+// EnsureIPForward enables IP forwarding on the host.
+// Logs a warning if it fails (e.g. read-only filesystem in a container),
+// since this should be configured at the host level.
 func (m *Manager) EnsureIPForward() error {
 cmd := exec.Command("sh", "-c", "echo 1 > /proc/sys/net/ipv4/ip_forward")
 output, err := cmd.CombinedOutput()
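Review bot: The added doc comment says EnsureIPForward "Logs a warning if it fails", but the visible part of the function only builds and runs the command, and its signature returns an error; the log call lives in the caller (ReconcileAll in firewall.go). I would word the second sentence as `// It returns an error when the write fails (e.g. read-only /proc in a container); the caller decides how to report it.` Separately, the unchanged `sh -c "echo 1 > …"` line depends on a shell being present in the image, whereas `os.WriteFile("/proc/sys/net/ipv4/ip_forward", []byte("1"), 0o644)` would perform the same write without spawning a process. The rest of the body is outside this hunk, so check how `output` is used before changing that line.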