22 Commits

Author SHA1 Message Date
gyurix
48331871b4 fix(firewall): allow both forward and NAT rules in same policy
continuous-integration/drone/push Build is passing
Remove continue statements after applying FORWARD and NAT rules so a single policy can specify both `from` and `nat` fields. Previously only the first matched rule was applied and subsequent ones were skipped. Also guard the unhandled-pattern warning to only log when both fields are empty, preventing false warnings.
2026-06-17 10:18:24 +02:00
gyurix
67693d0398 fix(iptables): validate network parameters before rule insertion
continuous-integration/drone/push Build is passing
Add validation checks for empty network parameters (sourceIP, targetIP, destCIDR, targetCIDR) in PREROUTING, POSTROUTING, and FORWARD chain rule insertion functions. Skip rule creation with a warning log when required network addresses are undefined to prevent invalid iptables rules.
2026-06-16 13:42:32 +02:00
gyurix
d5757e623a Refactor iptables chain detection to centralize and default to DOCKER-USER
continuous-integration/drone/push Build is passing
Move chain detection logic from firewall to iptables manager for better encapsulation. The manager now auto-detects both the iptables binary and chain (DOCKER-USER or FORWARD) based on the presence of the Docker-managed chain, but always defaults to DOCKER-USER for consistency. This simplifies firewall code and ensures proper Docker integration regardless of iptables version.
2026-06-16 12:46:25 +02:00
gyurix
77f80dea1b feat: add idempotent route checks and container network routes
continuous-integration/drone/push Build is passing
- Make AddRouteInContainer idempotent by checking existing routes and handling "File exists" errors
- Add loop in firewall reconciler to add routes for containers to reach other networks
- Update iptables checks to include port for better rule distinction
2026-06-16 09:42:47 +02:00
gyurix
903bc1a7da fix: correct POSTROUTING MASQUERADE to use destination CIDR and port
continuous-integration/drone/push Build is passing
Modify InsertPostroutingMasquerade and InsertPostroutingMasqueradeInContainer functions to use destCIDR, proto, and destPort instead of sourceCIDR, proto, and sourcePort. This ensures the masquerade rule correctly targets destination traffic for proper NAT configuration.
2026-06-16 08:51:25 +02:00
gyurix
d1c8eaef3e refactor(iptables): make rule insertion functions idempotent
continuous-integration/drone/push Build is passing
Refactored PREROUTING DNAT, POSTROUTING MASQUERADE, and FORWARD ACCEPT rule insertion to first check for existing rules before inserting. This prevents duplicate rules when run multiple times and improves reliability of firewall configuration.
2026-06-16 08:16:29 +02:00
gyurix
04322b699e feat(iptables): make rule insertions idempotent and robust
continuous-integration/drone/push Build is passing
Add lineExistsInContainer helper to check for existing rules before insertion, making InsertPreroutingRuleInContainer and InsertPostroutingMasqueradeInContainer idempotent. Change cleanup errors from fatal to warnings for better fault tolerance.
2026-06-16 00:28:13 +02:00
gyurix
246346f8b1 feat(docker, firewall): Add stateful network connection check and optimize NAT rules
continuous-integration/drone/push Build is passing
This adds an IsConnected method to verify if a container is already connected to a network with the expected IP, preventing redundant operations. In reconcileIPs, it skips reconnections if the state is correct. In applyNATRule, MASQUERADE is now applied in the same namespace as DNAT (container or host) for consistent and accurate rule application.
2026-06-15 23:39:58 +02:00
gyurix
bf94206849 feat: Add POSTROUTING MASQUERADE and periodic state reconciliation
continuous-integration/drone/push Build is passing
- Add POSTROUTING MASQUERADE rule alongside DNAT rules to ensure return traffic from container targets can route back through the same interface, matching legacy shell script behavior
- Enhance FileWatcher to trigger periodic state reconciliation every tick regardless of config file changes, ensuring desired state is maintained after container restarts or iptables flushes
2026-06-15 22:40:43 +02:00
gyurix
27607d1a2e feat: add logging to Docker and iptables operations, fix iptables path
continuous-integration/drone/push Build is passing
- Create /var/log/network-go directory in Dockerfile for log storage
- Add comprehensive logging to Docker client creation, network management, and container operations
- Add logging to iptables rule management (list, delete, etc.)
- Fix iptables executable path resolution in deleteMatchingLinesInContainer to use configured binary path
2026-06-15 17:05:53 +02:00
gyurix
3172023254 fix: update iptables binary paths to use /usr/sbin instead of /sbin
continuous-integration/drone/push Build is passing
Standardize iptables paths across firewall scripts and Go code to ensure compatibility with systems where iptables is located in /usr/sbin. This affects both legacy and non-legacy iptables binaries.
2026-06-15 16:34:24 +02:00
gyurix
2d6e22b9e6 fix(network-go): handle reconnection gracefully and fix DNAT rule issues
continuous-integration/drone/push Build is passing
- Ignore "endpoint already exists" error in ConnectContainer on re-reconciliation
- Improve iptables comment generation to avoid trailing dashes
- Enhance DNAT rule logic: try multiple selectors and fall back to host rules
- Add missing "-t nat" flag in InsertPreroutingRuleOnInterface
2026-06-15 16:12:08 +02:00
gyurix
6c19e22deb refactor(docker): switch container lookup to use filtered ContainerList
continuous-integration/drone/push Build is passing
Replace ContainerInspect with ContainerList and name filters for exact and prefix matching. This improves efficiency and correctness by leveraging Docker's filtering capabilities, matching the old shell script's grep behavior more accurately. Add regexp import to properly escape container names in filters.
2026-06-15 15:25:38 +02:00
gyurix
aac9b83576 feat(network-go): add fuzzy container name resolution for firewall connections
continuous-integration/drone/push Build is passing
Implement FindContainerName method on DockerAPI that attempts exact match first, then falls back to prefix-based matching (e.g., extracting prefix before dash like "service-" in "service-abc") to replicate the old shell script's `grep $D"-"` behavior. Update firewall orchestrator to use this resolution before connecting containers to networks, improving robustness when container names vary from configured selectors.
2026-06-15 14:58:29 +02:00
gyurix
c6ae1748cf fix: warn instead of error when IP forwarding fails in containers
continuous-integration/drone/push Build is passing
Downgrade the IP forwarding failure from an error to a warning, as this is expected in containers with a read-only filesystem. IP forwarding should be set at the host level, not inside a container. Update comments to reflect this expectation and improve log clarity.
2026-06-15 12:21:12 +02:00
gyurix
e5e19835f9 fix: use prefix matching instead of dash stripping for container resolution
continuous-integration/drone/push Build is passing
The previous logic stripped dashes from both the lookup name and container/selector names, performing an exact match after removal. This failed for cases like "wireguardproxy-client" matching "wireguardproxyclient" or "app-1"/"app-2" matching "app-x", because the dash removal produced different strings.

Change to extract the prefix before the first dash in the lookup name, then match it against the beginning of container/selector names. This preserves the intended relationship while allowing matching of dashed variants with prefix-based patterns.
2026-06-15 12:00:26 +02:00
gyurix
f9513cd98a fix(resolver): strip all dashes when matching container names
continuous-integration/drone/push Build is failing
Instead of prefix matching on the part before the first dash, now strip all dashes from both the lookup name and the stored container/selector names and compare exactly. This improves matching accuracy for names containing multiple dashes or dashes in varying positions.
2026-06-15 11:55:00 +02:00
gyurix
e990ecfeb4 updated drone steps
continuous-integration/drone/push Build was killed
2026-06-12 09:07:00 +02:00
gyurix
154de77259 added network go cicd pipeline
continuous-integration/drone/push Build was killed
2026-06-12 09:04:46 +02:00
gyurix
fcda599ec7 added test go implementation
continuous-integration/drone/push Build encountered an error
2026-06-08 17:02:13 +02:00
gyurix
a555cce680 reconfigured the network stack and modified readme file
continuous-integration/drone/push Build encountered an error
2026-06-08 16:37:44 +02:00
gyurix
c3de398f35 added network-go project
continuous-integration/drone/push Build encountered an error
2026-06-08 15:34:01 +02:00