Refactor iptables chain detection to centralize and default to DOCKER-USER

Move chain detection logic from firewall to iptables manager for better encapsulation. The manager now auto-detects both the iptables binary and chain (DOCKER-USER or FORWARD) based on the presence of the Docker-managed chain, but always defaults to DOCKER-USER for consistency. This simplifies firewall code and ensures proper Docker integration regardless of iptables version.
This commit is contained in:
gyurix
2026-06-16 12:46:25 +02:00
parent 77f80dea1b
commit d5757e623a
4 changed files with 39 additions and 14 deletions
@@ -108,9 +108,9 @@ func TestReconcilePoliciesForwardRule(t *testing.T) {
t.Error("InsertForwardAccept was not called")
}
// Should use FORWARD chain (not iptables-legacy)
if iptables.InsertForwardAcceptChain != "FORWARD" {
t.Errorf("expected FORWARD chain, got %s", iptables.InsertForwardAcceptChain)
// Should use DOCKER-USER chain (default, even with non-legacy iptables)
if iptables.InsertForwardAcceptChain != "DOCKER-USER" {
t.Errorf("expected DOCKER-USER chain, got %s", iptables.InsertForwardAcceptChain)
}
}
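Review bot: the updated assertion in this hunk only exercises the default branch (`InsertForwardAcceptChain == "DOCKER-USER"`), while the commit message describes a second branch in which the manager falls back to `FORWARD` when the Docker-managed chain is absent; that fallback has no visible test, so a regression there would pass CI. Add a companion case in `TestReconcilePoliciesForwardRule` (or a sibling test) that simulates the missing `DOCKER-USER` chain and asserts `iptables.InsertForwardAcceptChain == "FORWARD"`, so both detection outcomes are pinned. The old comment "Should use FORWARD chain (not iptables-legacy)" and the new one "Should use DOCKER-USER chain (default, even with non-legacy iptables)" also read as contradicting each other about what the non-legacy binary implies; clarifying in the comment that chain choice now depends on chain presence rather than on the binary variant would make the intent of the assertion clearer to the next reader.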