Add configuration option to select iptables implementation
When running gocast in a container, the default iptables implementation may not match that used on the underlying host kernel. The current container uses the legacy iptables implementation and calls the `iptables` binary. This fails with exit code 3 when running on a host using the newer nftables implementation. The container already has the `iptables-nft` binary included, so it just needs a way to call this instead of the default `iptables` binary.

This change implements a new `iptables_binary` config option, defaulting to `iptables`, and calls this when adding or removing NAT rules.

Fixes #32

This change was written using an AI LLM.

Authored-By: Claude Code (Sonnet 4.5)
@@ -74,11 +74,20 @@ kill -HUP $(pidof gocast)
**What gets reloaded:**
- BGP configuration (peers, AS numbers, MD5 passwords, communities)
- Application definitions (add/remove/update apps)
- Agent settings (Consul, timers, intervals)
- Agent settings (Consul, timers, intervals, iptables binary)
**Important:** Reloading BGP configuration causes existing BGP sessions to be restarted, resulting in brief routing interruption. Routes are automatically re-announced after reload.
Consul-discovered apps are not removed during reload.
## Iptables Configuration
On modern Linux systems using nftables, you need to configure gocast to use `iptables-nft` instead of the legacy `iptables` binary (default):
```yaml
agent:
iptables_binary: iptables-nft
```
## Docker support
The docker image at mayuresh82/gocast can be used to run GoCast inside a container. In order for GoCast to manipulate the host network stack correctly, the container needs to run with NET_ADMIN capablity and host mode networking. For example:
```
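Review bot: the "What gets reloaded" list now advertises the iptables binary as hot-reloadable, but changing `iptables_binary` between `iptables` (legacy) and `iptables-nft` at reload time needs a caveat: NAT rules added earlier through the legacy binary live in a separate kernel rule store from the nft backend, so a later removal issued through `iptables-nft` will not find them and stale rules stay behind. Either state in the new "## Iptables Configuration" section that switching the binary requires a restart (or manual cleanup of rules created with the previous binary), or have the reload path remove the existing NAT rules with the old binary before switching. The same section should also mention that the container image already ships `iptables-nft`, which the commit message says but the README does not, and that whatever binary is configured must be resolvable on `PATH` where gocast runs.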