Add configuration option to select iptables implementation

When running gocast in a container, the default iptables implementation
may not match that used on the underlying host kernel. The current
container uses the legacy iptables implementation and calls the
`iptables` binary. This fails with exit code 3 when running on a host
using the newer nftables implementation. The container already has
`iptables-nft` binary included, so just needs a way to call this instead
of the default `iptables` binary.

This change implements a new `iptables_binary` config option, defaulting
to `iptables`, and calls this when adding or removing NAT rules.

Fixes #32

This change was written using AI LLM.

Authored-By: Claude Code (Sonnet 4.5)

controller/monitor.go

@@ -98,6 +98,11 @@ func NewMonitor(config *c.Config) *MonitorMgr {
 	if config.Agent.CleanupTimer == 0 {
 		config.Agent.CleanupTimer = defaultCleanupTimer
 	}
+	// Set iptables binary (defaults to "iptables" if not specified)
+	if config.Agent.IptablesBinary == "" {
+		config.Agent.IptablesBinary = "iptables"
+	}
+	SetIptablesBinary(config.Agent.IptablesBinary)
 	mon.config = config
 	// add apps defined in config
 	for _, a := range config.Apps {
@@ -356,6 +361,15 @@ func (m *MonitorMgr) Reload(configPath string) error {
 	if newConfig.Agent.CleanupTimer == 0 {
 		newConfig.Agent.CleanupTimer = defaultCleanupTimer
 	}
+	if newConfig.Agent.IptablesBinary == "" {
+		newConfig.Agent.IptablesBinary = "iptables"
+	}
+
+	// Update iptables binary if changed
+	if m.config.Agent.IptablesBinary != newConfig.Agent.IptablesBinary {
+		glog.Infof("Iptables binary changed from %s to %s", m.config.Agent.IptablesBinary, newConfig.Agent.IptablesBinary)
+		SetIptablesBinary(newConfig.Agent.IptablesBinary)
+	}
 
 	// Check if BGP configuration has changed
 	bgpChanged := m.bgpConfigChanged(m.config.Bgp, newConfig.Bgp)