Refactor iptables chain detection to centralize and default to DOCKER-USER
Move the chain-detection logic from the firewall into the iptables manager for better encapsulation. The manager now auto-detects both the iptables binary and the target chain (DOCKER-USER or FORWARD) from whether the Docker-managed DOCKER-USER chain is present, defaulting to DOCKER-USER for consistency. This simplifies the firewall code and keeps the rules integrated with Docker's chain layout regardless of the iptables version in use.
@@ -204,11 +204,8 @@ func (o *Orchestrator) applyForwardRule(ctx context.Context, cfg *config.Network
|
||||
logger.Info("FIREWALL: forward rule: from=%q (IP=%s) to=%q (IP=%s) proto=%s port=%s",
|
||||
policy.From, sourceIP, policy.To, targetIP, proto, port)
|
||||
|
||||
// Determine the chain: use DOCKER-USER (iptables-legacy) or FORWARD
|
||||
chain := "FORWARD"
|
||||
if o.iptablesMgr.Binary() == "/usr/sbin/iptables-legacy" {
|
||||
chain = "DOCKER-USER"
|
||||
}
|
||||
// Use the auto-detected chain (DOCKER-USER or FORWARD)
|
||||
chain := o.iptablesMgr.Chain()
|
||||
logger.Debug("FIREWALL: using iptables chain=%s (binary=%s)", chain, o.iptablesMgr.Binary())
|
||||
|
||||
// Ensure established/related rule exists at the top
|
||||
|
||||
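Review bot: The new code trusts whatever `o.iptablesMgr.Chain()` returns without verifying that the chain exists or is actually traversed, and the only record of that decision is the Debug line `logger.Debug("FIREWALL: using iptables chain=%s ...")`; if the manager settles on DOCKER-USER on a host where Docker never created that chain, or where FORWARD does not jump to it, the rule inserts that follow ("Ensure established/related rule exists at the top") either fail or land in a chain nothing reaches, and the forward policy silently never takes effect. I would log the choice at Info rather than Debug so it appears in normal operation, and document the contract at the call site, e.g. `// Chain() picks DOCKER-USER when Docker created it (FORWARD jumps there ahead of Docker's own rules), else FORWARD; a missing chain must surface as an error from the inserts below, not be swallowed.` The manager's detection logic is not visible in this hunk, so confirm which of those two failure modes applies and that the subsequent insert calls propagate their iptables errors. applyForwardRule begins before this hunk and its body continues after it.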
@@ -108,9 +108,9 @@ func TestReconcilePoliciesForwardRule(t *testing.T) {
|
||||
t.Error("InsertForwardAccept was not called")
|
||||
}
|
||||
|
||||
// Should use FORWARD chain (not iptables-legacy)
|
||||
if iptables.InsertForwardAcceptChain != "FORWARD" {
|
||||
t.Errorf("expected FORWARD chain, got %s", iptables.InsertForwardAcceptChain)
|
||||
// Should use DOCKER-USER chain (default, even with non-legacy iptables)
|
||||
if iptables.InsertForwardAcceptChain != "DOCKER-USER" {
|
||||
t.Errorf("expected DOCKER-USER chain, got %s", iptables.InsertForwardAcceptChain)
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
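Review bot: The updated assertion `if iptables.InsertForwardAcceptChain != "DOCKER-USER"` only pins the default and leaves the FORWARD fallback branch that the manager's `Chain()` detection introduces untested, so a regression that makes detection always return DOCKER-USER (never falling back) or always FORWARD would pass this test unchanged. Add a second case that configures the fake manager to report the DOCKER-USER chain as absent and asserts `iptables.InsertForwardAcceptChain == "FORWARD"`, mirroring the three replaced lines. How the fake is told which chains exist is not visible in this hunk, so it may need a small hook on the test double. TestReconcilePoliciesForwardRule starts before this hunk.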