- Make AddRouteInContainer idempotent by checking existing routes and handling "File exists" errors
- Add loop in firewall reconciler to add routes for containers to reach other networks
- Update iptables checks to include port for better rule distinction
Modify InsertPostroutingMasquerade and InsertPostroutingMasqueradeInContainer functions to use destCIDR, proto, and destPort instead of sourceCIDR, proto, and sourcePort. This ensures the masquerade rule correctly targets destination traffic for proper NAT configuration.
Refactored PREROUTING DNAT, POSTROUTING MASQUERADE, and FORWARD ACCEPT rule insertion to first check for existing rules before inserting. This prevents duplicate rules when run multiple times and improves reliability of firewall configuration.
Add lineExistsInContainer helper to check for existing rules before insertion,
making InsertPreroutingRuleInContainer and InsertPostroutingMasqueradeInContainer
idempotent. Change cleanup errors from fatal to warnings for better fault tolerance.
This adds an IsConnected method to verify if a container is already connected to a network with the expected IP, preventing redundant operations. In reconcileIPs, it skips reconnections if the state is correct. In applyNATRule, MASQUERADE is now applied in the same namespace as DNAT (container or host) for consistent and accurate rule application.
Standardize iptables paths across firewall scripts and Go code to ensure compatibility with systems where iptables is located in /usr/sbin. This affects both legacy and non-legacy iptables binaries.
- Ignore "endpoint already exists" error in ConnectContainer on re-reconciliation
- Improve iptables comment generation to avoid trailing dashes
- Enhance DNAT rule logic: try multiple selectors and fall back to host rules
- Add missing "-t nat" flag in InsertPreroutingRuleOnInterface
Downgrade the IP forwarding failure from an error to a warning,
as this is expected in containers with a read-only filesystem.
IP forwarding should be set at the host level, not inside a container.
Update comments to reflect this expectation and improve log clarity.
