Add configuration option to select iptables implementation

When running gocast in a container, the default iptables implementation
may not match that used on the underlying host kernel. The current
container uses the legacy iptables implementation and calls the
`iptables` binary. This fails with exit code 3 when running on a host
using the newer nftables implementation. The container already has
`iptables-nft` binary included, so just needs a way to call this instead
of the default `iptables` binary.

This change implements a new `iptables_binary` config option, defaulting
to `iptables`, and calls this when adding or removing NAT rules.

Fixes #32

This change was written using AI LLM.

Authored-By: Claude Code (Sonnet 4.5)

README.md

@@ -5,6 +5,9 @@ The most common use case for this is anycast (vip) based load balancing for infr
 
 For some practical examples and more details, check out this blog post : https://mayuresh82.github.io/2020/11/28/automatic_service_discovery_anycast/
 
+# Looking for code reviewers
+If you are interested in being a reviewer and/or co-maintainer, please reach out to @mayuresh82 !
+
 ## Installation
 Use the docker container at mayuresh82/gocast or compile from source:
 
@@ -60,6 +63,31 @@ Alternatively, if `gocast_nat=protocol:port` is specified, then GoCast will crea
 
 Example: `gocast_nat=tcp:53` and `gocast_nat=udp:53`
 
+## Configuration Reload
+
+GoCast supports dynamic configuration reloading without service restart. Send a `SIGHUP` signal to reload the configuration:
+
+```bash
+kill -HUP $(pidof gocast)
+```
+
+**What gets reloaded:**
+- BGP configuration (peers, AS numbers, MD5 passwords, communities)
+- Application definitions (add/remove/update apps)
+- Agent settings (Consul, timers, intervals, iptables binary)
+
+**Important:** Reloading BGP configuration causes existing BGP sessions to be restarted, resulting in brief routing interruption. Routes are automatically re-announced after reload.
+Consul-discovered apps are not removed during reload.
+
+## Iptables Configuration
+
+On modern Linux systems using nftables, you need to configure gocast to use `iptables-nft` instead of the legacy `iptables` binary (default):
+
+```yaml
+agent:
+  iptables_binary: iptables-nft
+```
+
 ## Docker support
 The docker image at mayuresh82/gocast can be used to run GoCast inside a container. In order for GoCast to manipulate the host network stack correctly, the container needs to run with NET_ADMIN capablity and host mode networking. For example:
 ```

config.yaml

@@ -11,12 +11,32 @@ agent:
   consul_query_interval: 5m
   # token to authenticate client if consul requires it
   consul_token: 00000000-0000-0000-0000-000000000000
+  # iptables binary to use for NAT rules (default: iptables)
+  # Use "iptables-nft" on modern systems with nftables
+  # iptables_binary: iptables-nft
 
 bgp:
   local_as: 12345
   remote_as: 6789
   # override the peer IP to use instead of auto discovering
   peer_ip: 10.10.10.1
+
+  # Alternatively, define multiple BGP peers for redundancy
+  #peers:
+  #  - peer_ip: 10.10.10.1
+  #    peer_as: 6789
+  #    communities:
+  #      - 100:100
+  #      - 200:200
+  #    md5_env_var: GOCAST_BGP_PEER1_PASSWORD  # optional. Set via: export GOCAST_BGP_PEER1_PASSWORD="secret"
+  #  - peer_ip: 10.10.10.2
+  #    peer_as: 6789
+  #    communities:
+  #      - 100:101
+  #      - 200:201
+  #    multi_hop: true  # optional
+  #    md5_password: "secret123" # optional
+  
   communities:
     - asn:nnnn
     - asn:nnnn
@@ -29,4 +49,5 @@ apps:
     vip_config:
       # additional per VIP BGP communities
       bgp_communities: [ aaaa:bbbb ]
-    monitor: port:tcp:5000
+    monitors: 
+      - port:tcp:5000

config/config.go

@@ -16,13 +16,26 @@ type AgentConfig struct {
 	ConsulAddr          string        `yaml:"consul_addr"`
 	ConsulQueryInterval time.Duration `yaml:"consul_query_interval"`
 	ConsulToken         string        `yaml:"consul_token"`
+	IptablesBinary      string        `yaml:"iptables_binary"`
+}
+
+type PeerConfig struct {
+	PeerIP      string   `yaml:"peer_ip"`
+	PeerAS      int      `yaml:"peer_as"`
+	MultiHop    *bool    `yaml:"multi_hop,omitempty"`
+	Communities []string `yaml:"communities,omitempty"`
+	MD5Password string   `yaml:"md5_password,omitempty"`
+	MD5EnvVar   string   `yaml:"md5_env_var,omitempty"`
 }
 
 type BgpConfig struct {
 	LocalAS     int          `yaml:"local_as"`
-	PeerAS      int    `yaml:"peer_as"`
 	LocalIP     string       `yaml:"local_ip"`
-	PeerIP      string `yaml:"peer_ip"`
+	// Legacy single-peer config (deprecated but supported for backward compatibility)
+	PeerAS      int          `yaml:"peer_as,omitempty"`
+	PeerIP      string       `yaml:"peer_ip,omitempty"`
+	// New multi-peer config
+	Peers       []PeerConfig `yaml:"peers,omitempty"`
 	Communities []string
 	Origin      string
 }

controller/bgp.go

@@ -4,6 +4,7 @@ import (
 	"context"
 	"fmt"
 	"net"
+	"os"
 	"strconv"
 	"strings"
 
@@ -20,82 +21,134 @@ type Route struct {
 }
 
 type Controller struct {
-	peerAS          int
+	localAS     int
-	localIP, peerIP net.IP
+	localIP     net.IP
+	peers       []c.PeerConfig
 	communities []string
 	origin      uint32
-	multiHop        bool
 	s           *gobgp.BgpServer
 }
 
 func NewController(config c.BgpConfig) (*Controller, error) {
-	c := &Controller{}
+	ctrl := &Controller{}
 	var gw net.IP
 	var err error
-	if config.PeerIP == "" {
+
-		gw, err := gateway()
+	// Normalize config: convert legacy single-peer to new multi-peer format
-		if err != nil {
+	peers := config.Peers
-			return nil, fmt.Errorf("Unable to get gw ip: %v", err)
+	if len(peers) == 0 {
-		}
+		// Backward compatibility: convert legacy config
-		c.peerIP = gw
+		if config.PeerIP != "" {
+			// Explicit peer IP configured
+			peers = []c.PeerConfig{{
+				PeerIP: config.PeerIP,
+				PeerAS: config.PeerAS,
+			}}
 		} else {
-		c.peerIP = net.ParseIP(config.PeerIP)
+			// No peer IP configured - use default gateway
+			gw, err = gateway()
+			if err != nil {
+				return nil, fmt.Errorf("Unable to get gateway ip: %v", err)
 			}
+			peers = []c.PeerConfig{{
+				PeerIP: gw.String(),
+				PeerAS: config.PeerAS,
+			}}
+		}
+	}
+
+	// Determine local IP
 	if config.LocalIP == "" {
-		gw, err = via(c.peerIP)
+		// Use first peer to determine local IP
+		firstPeerIP := net.ParseIP(peers[0].PeerIP)
+		if firstPeerIP == nil {
+			gw, err = gateway()
 			if err != nil {
 				return nil, fmt.Errorf("Unable to get gw ip: %v", err)
 			}
-		c.localIP, err = localAddress(gw)
+			firstPeerIP = gw
+		}
+		gw, err = via(firstPeerIP)
+		if err != nil {
+			return nil, fmt.Errorf("Unable to get gw ip: %v", err)
+		}
+		ctrl.localIP, err = localAddress(gw)
 		if err != nil {
 			return nil, err
 		}
 	} else {
-		c.localIP = net.ParseIP(config.LocalIP)
+		ctrl.localIP = net.ParseIP(config.LocalIP)
 	}
-	c.communities = config.Communities
+
+	ctrl.localAS = config.LocalAS
+	ctrl.peers = peers
+	ctrl.communities = config.Communities
+
 	switch config.Origin {
 	case "igp":
-		c.origin = 0
+		ctrl.origin = 0
 	case "egp":
-		c.origin = 1
+		ctrl.origin = 1
 	case "unknown":
-		c.origin = 2
+		ctrl.origin = 2
 	}
+
 	s := gobgp.NewBgpServer()
 	go s.Serve()
 	if err := s.StartBgp(context.Background(), &api.StartBgpRequest{
 		Global: &api.Global{
 			As:         uint32(config.LocalAS),
-			RouterId:   c.localIP.String(),
+			RouterId:   ctrl.localIP.String(),
 			ListenPort: -1, // gobgp won't listen on tcp:179
 		},
 	}); err != nil {
 		return nil, fmt.Errorf("Unable to start bgp: %v", err)
 	}
-	c.s = s
+	ctrl.s = s
-	c.peerAS = config.PeerAS
+
-	// set mh by default for all ebgp peers
+	return ctrl, nil
-	if c.peerAS != config.LocalAS {
-		c.multiHop = true
-	}
-	return c, nil
 }
 
-func (c *Controller) AddPeer(peer string) error {
+func (c *Controller) addPeer(peer *c.PeerConfig) error {
 	n := &api.Peer{
 		Conf: &api.PeerConf{
-			NeighborAddress: peer,
+			NeighborAddress: peer.PeerIP,
-			PeerAs:          uint32(c.peerAS),
+			PeerAs:          uint32(peer.PeerAS),
 		},
 	}
-	if c.multiHop {
+
+	// Enable multihop only if explicitly configured
+	if peer.MultiHop != nil && *peer.MultiHop {
 		n.EbgpMultihop = &api.EbgpMultihop{Enabled: true, MultihopTtl: uint32(255)}
 	}
+
+	// Configure MD5 authentication if specified
+	md5Password := c.getMD5Password(peer)
+	if md5Password != "" {
+		n.Conf.AuthPassword = md5Password
+	}
+
 	return c.s.AddPeer(context.Background(), &api.AddPeerRequest{Peer: n})
 }
 
-func (c *Controller) getApiPath(route *Route) *api.Path {
+// getMD5Password retrieves the MD5 password from config or environment variable
+func (c *Controller) getMD5Password(peer *c.PeerConfig) string {
+	// Priority 1: Check for environment variable
+	if peer.MD5EnvVar != "" {
+		if password := os.Getenv(peer.MD5EnvVar); password != "" {
+			return password
+		}
+	}
+
+	// Priority 2: Use password from config file
+	if peer.MD5Password != "" {
+		return peer.MD5Password
+	}
+
+	return ""
+}
+
+func (c *Controller) getApiPath(route *Route, peer *c.PeerConfig) *api.Path {
 	afi := api.Family_AFI_IP
 	if route.Net.IP.To4() == nil {
 		afi = api.Family_AFI_IP6
@@ -111,8 +164,15 @@ func (c *Controller) getApiPath(route *Route) *api.Path {
 	a2, _ := ptypes.MarshalAny(&api.NextHopAttribute{
 		NextHop: c.localIP.String(),
 	})
+
+	// Merge communities: global + per-peer + per-route
+	var allCommunities []string
+	allCommunities = append(allCommunities, c.communities...)
+	allCommunities = append(allCommunities, peer.Communities...)
+	allCommunities = append(allCommunities, route.Communities...)
+
 	var communities []uint32
-	for _, comm := range append(c.communities, route.Communities...) {
+	for _, comm := range allCommunities {
 		communities = append(communities, convertCommunity(comm))
 	}
 	a3, _ := ptypes.MarshalAny(&api.CommunitiesAttribute{
@@ -127,49 +187,105 @@ func (c *Controller) getApiPath(route *Route) *api.Path {
 }
 
 func (c *Controller) Announce(route *Route) error {
+	var errs []error
+
+	for i := range c.peers {
+		peer := &c.peers[i]
+
+		// Check if peer exists
 		var found bool
 		err := c.s.ListPeer(context.Background(), &api.ListPeerRequest{}, func(p *api.Peer) {
-		if p.Conf.NeighborAddress == c.peerIP.String() {
+			if p.Conf.NeighborAddress == peer.PeerIP {
 				found = true
 			}
 		})
 		if err != nil {
-		return err
+			errs = append(errs, fmt.Errorf("peer %s: list error: %v", peer.PeerIP, err))
+			continue
 		}
+
+		// Add peer if not found
 		if !found {
-		if err := c.AddPeer(c.peerIP.String()); err != nil {
+			if err := c.addPeer(peer); err != nil {
-			return err
+				errs = append(errs, fmt.Errorf("peer %s: add error: %v", peer.PeerIP, err))
+				continue
 			}
 		}
-	_, err = c.s.AddPath(context.Background(), &api.AddPathRequest{Path: c.getApiPath(route)})
+
-	return err
+		// Announce route to this peer
+		path := c.getApiPath(route, peer)
+		if _, err := c.s.AddPath(context.Background(), &api.AddPathRequest{Path: path}); err != nil {
+			errs = append(errs, fmt.Errorf("peer %s: announce error: %v", peer.PeerIP, err))
+			continue
+		}
+	}
+
+	// Return aggregated errors if any peer failed
+	if len(errs) > 0 {
+		return fmt.Errorf("announcement errors: %v", errs)
+	}
+	return nil
 }
 
 func (c *Controller) Withdraw(route *Route) error {
-	return c.s.DeletePath(context.Background(), &api.DeletePathRequest{Path: c.getApiPath(route)})
+	var errs []error
+
+	for i := range c.peers {
+		peer := &c.peers[i]
+		path := c.getApiPath(route, peer)
+		if err := c.s.DeletePath(context.Background(), &api.DeletePathRequest{Path: path}); err != nil {
+			errs = append(errs, fmt.Errorf("peer %s: withdraw error: %v", peer.PeerIP, err))
+			continue
+		}
+	}
+
+	// Return aggregated errors if any peer failed
+	if len(errs) > 0 {
+		return fmt.Errorf("withdrawal errors: %v", errs)
+	}
+	return nil
 }
 
-func (c *Controller) PeerInfo() (*api.Peer, error) {
+func (c *Controller) PeerInfo() ([]*api.Peer, error) {
-	var peer *api.Peer
+	var peers []*api.Peer
+	peerMap := make(map[string]bool)
+
+	// Build map of configured peer IPs
+	for _, peer := range c.peers {
+		peerMap[peer.PeerIP] = true
+	}
+
+	// Collect info for all configured peers
 	err := c.s.ListPeer(context.Background(), &api.ListPeerRequest{}, func(p *api.Peer) {
-		if p.Conf.NeighborAddress == c.peerIP.String() {
+		if peerMap[p.Conf.NeighborAddress] {
-			peer = p
+			peers = append(peers, p)
 		}
 	})
 	if err != nil {
 		return nil, err
 	}
-	return peer, nil
+	return peers, nil
 }
 
 func (c *Controller) Shutdown() error {
+	var errs []error
+
+	// Shutdown all peer sessions
+	for _, peer := range c.peers {
 		if err := c.s.ShutdownPeer(context.Background(), &api.ShutdownPeerRequest{
-		Address: c.peerIP.String(),
+			Address: peer.PeerIP,
 		}); err != nil {
-		return err
+			errs = append(errs, fmt.Errorf("peer %s: shutdown error: %v", peer.PeerIP, err))
 		}
+	}
+
+	// Stop BGP server
 	if err := c.s.StopBgp(context.Background(), &api.StopBgpRequest{}); err != nil {
-		return err
+		errs = append(errs, fmt.Errorf("stop bgp error: %v", err))
+	}
+
+	if len(errs) > 0 {
+		return fmt.Errorf("shutdown errors: %v", errs)
 	}
 	return nil
 }

controller/bgp_test.go

@@ -102,3 +102,578 @@ func TestBgpNew(t *testing.T) {
 	a.Equal("20.30.40.0/24", path)
 	ctrl.Shutdown()
 }
+
+func TestLegacyConfigConversion(t *testing.T) {
+	a := assert.New(t)
+
+	// Test legacy single-peer config
+	legacyConfig := config.BgpConfig{
+		LocalAS: 11111,
+		PeerAS:  22222,
+		PeerIP:  "10.10.10.1",
+		LocalIP: "192.168.1.100",
+		Communities: []string{"100:100"},
+		Origin: "igp",
+	}
+
+	ctrl, err := NewController(legacyConfig)
+	if err != nil {
+		a.FailNow(err.Error())
+	}
+	defer ctrl.Shutdown()
+
+	// Verify legacy config was converted to multi-peer format
+	a.Equal(1, len(ctrl.peers), "Should have exactly 1 peer")
+	a.Equal("10.10.10.1", ctrl.peers[0].PeerIP)
+	a.Equal(22222, ctrl.peers[0].PeerAS)
+}
+
+func TestMultiPeerConfig(t *testing.T) {
+	a := assert.New(t)
+
+	// Test new multi-peer config
+	multiPeerConfig := config.BgpConfig{
+		LocalAS: 11111,
+		LocalIP: "192.168.1.100",
+		Peers: []config.PeerConfig{
+			{PeerIP: "10.10.10.1", PeerAS: 22222},
+			{PeerIP: "10.10.10.2", PeerAS: 22222},
+		},
+		Communities: []string{"100:100"},
+		Origin: "igp",
+	}
+
+	ctrl, err := NewController(multiPeerConfig)
+	if err != nil {
+		a.FailNow(err.Error())
+	}
+	defer ctrl.Shutdown()
+
+	// Verify both peers are configured
+	a.Equal(2, len(ctrl.peers), "Should have exactly 2 peers")
+	a.Equal("10.10.10.1", ctrl.peers[0].PeerIP)
+	a.Equal("10.10.10.2", ctrl.peers[1].PeerIP)
+}
+
+func TestDefaultGatewayPeer(t *testing.T) {
+	a := assert.New(t)
+
+	// Test config with no peer_ip - should use default gateway
+	defaultGatewayConfig := config.BgpConfig{
+		LocalAS: 11111,
+		LocalIP: "192.168.1.100",
+		PeerAS:  22222,
+		Origin:  "igp",
+	}
+
+	ctrl, err := NewController(defaultGatewayConfig)
+	a.NoError(err, "Should not error when peer_ip is not specified")
+	if err == nil {
+		defer ctrl.Shutdown()
+
+		// Verify a peer was configured using gateway
+		a.Equal(1, len(ctrl.peers), "Should have exactly 1 peer")
+		a.NotEmpty(ctrl.peers[0].PeerIP, "Peer IP should be set from gateway")
+		a.Equal(22222, ctrl.peers[0].PeerAS, "Peer AS should match config")
+	}
+}
+
+func TestCommunityMerging(t *testing.T) {
+	a := assert.New(t)
+
+	ctrl := &Controller{
+		localAS: 11111,
+		localIP: net.ParseIP("192.168.1.100"),
+		communities: []string{"1000:1000", "2000:2000"}, // Global
+		origin: 0,
+	}
+
+	peer := &config.PeerConfig{
+		PeerIP: "10.10.10.1",
+		PeerAS: 22222,
+		Communities: []string{"100:100", "200:200"}, // Per-peer
+	}
+
+	route := &Route{
+		Net: &net.IPNet{
+			IP: net.ParseIP("20.30.40.0"),
+			Mask: net.CIDRMask(24, 32),
+		},
+		Communities: []string{"5000:5000"}, // Per-route
+	}
+
+	path := ctrl.getApiPath(route, peer)
+
+	// Extract communities from path
+	var commAttr *api.CommunitiesAttribute
+	for _, attr := range path.Pattrs {
+		var dynAny ptypes.DynamicAny
+		if err := ptypes.UnmarshalAny(attr, &dynAny); err == nil {
+			if c, ok := dynAny.Message.(*api.CommunitiesAttribute); ok {
+				commAttr = c
+				break
+			}
+		}
+	}
+
+	a.NotNil(commAttr, "Should have communities attribute")
+	a.Equal(5, len(commAttr.Communities), "Should have 5 communities (2 global + 2 peer + 1 route)")
+
+	// Verify community values (converted to uint32)
+	expectedCommunities := []uint32{
+		convertCommunity("1000:1000"), // Global
+		convertCommunity("2000:2000"), // Global
+		convertCommunity("100:100"),   // Per-peer
+		convertCommunity("200:200"),   // Per-peer
+		convertCommunity("5000:5000"), // Per-route
+	}
+	a.Equal(expectedCommunities, commAttr.Communities)
+}
+
+func TestMultiHopConfiguration(t *testing.T) {
+	a := assert.New(t)
+
+	testCases := []struct {
+		name         string
+		localAS      int
+		peerAS       int
+		multiHopPtr  *bool
+		expectMH     bool
+	}{
+		{
+			name:        "default - multihop not enabled",
+			localAS:     11111,
+			peerAS:      22222,
+			multiHopPtr: nil,
+			expectMH:    false,
+		},
+		{
+			name:        "explicit disable",
+			localAS:     11111,
+			peerAS:      22222,
+			multiHopPtr: boolPtr(false),
+			expectMH:    false,
+		},
+		{
+			name:        "explicit enable",
+			localAS:     11111,
+			peerAS:      22222,
+			multiHopPtr: boolPtr(true),
+			expectMH:    true,
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			ctrl := &Controller{
+				localAS: tc.localAS,
+				localIP: net.ParseIP("192.168.1.100"),
+				s:       gobgp.NewBgpServer(),
+			}
+			go ctrl.s.Serve()
+
+			if err := ctrl.s.StartBgp(context.Background(), &api.StartBgpRequest{
+				Global: &api.Global{
+					As:         uint32(tc.localAS),
+					RouterId:   ctrl.localIP.String(),
+					ListenPort: -1,
+				},
+			}); err != nil {
+				a.FailNow(err.Error())
+			}
+			defer ctrl.s.StopBgp(context.Background(), &api.StopBgpRequest{})
+
+			peer := &config.PeerConfig{
+				PeerIP:   "10.10.10.1",
+				PeerAS:   tc.peerAS,
+				MultiHop: tc.multiHopPtr,
+			}
+
+			err := ctrl.addPeer(peer)
+			a.NoError(err)
+
+			// Verify multihop setting by checking peer config
+			var foundPeer *api.Peer
+			ctrl.s.ListPeer(context.Background(), &api.ListPeerRequest{}, func(p *api.Peer) {
+				if p.Conf.NeighborAddress == peer.PeerIP {
+					foundPeer = p
+				}
+			})
+
+			a.NotNil(foundPeer, "Peer should be added")
+			if tc.expectMH {
+				a.NotNil(foundPeer.EbgpMultihop, "Should have multihop configured")
+				a.True(foundPeer.EbgpMultihop.Enabled, "Multihop should be enabled")
+			} else {
+				if foundPeer.EbgpMultihop != nil {
+					a.False(foundPeer.EbgpMultihop.Enabled, "Multihop should not be enabled")
+				}
+			}
+		})
+	}
+}
+
+// Helper function to create bool pointer
+func boolPtr(b bool) *bool {
+	return &b
+}
+
+func TestMultiPeerAnnouncement(t *testing.T) {
+	if os.Getenv("CI") != "" {
+		t.Skip("Skipping testing in CI environment")
+	}
+
+	a := assert.New(t)
+
+	// Create two BGP listeners
+	listener1, err := NewBgpListener(22222)
+	if err != nil {
+		panic(err)
+	}
+	defer listener1.Shutdown()
+
+	listener2, err := NewBgpListener(33333)
+	if err != nil {
+		panic(err)
+	}
+	defer listener2.Shutdown()
+
+	// Create controller with two peers
+	multiPeerConfig := config.BgpConfig{
+		LocalAS: 11111,
+		LocalIP: "192.168.1.100",
+		Peers: []config.PeerConfig{
+			{PeerIP: "127.0.0.1", PeerAS: 22222},
+			{PeerIP: "127.0.0.1", PeerAS: 33333},
+		},
+		Communities: []string{"100:100"},
+		Origin:      "igp",
+	}
+
+	ctrl, err := NewController(multiPeerConfig)
+	if err != nil {
+		a.FailNow(err.Error())
+	}
+	defer ctrl.Shutdown()
+
+	// Announce a route
+	_, ipnet, _ := net.ParseCIDR("20.30.40.0/24")
+	r := &Route{Net: ipnet}
+	if err := ctrl.Announce(r); err != nil {
+		a.FailNow(err.Error())
+	}
+
+	// Verify both listeners received the route
+	path1 := <-listener1.recvdPaths
+	a.Equal("20.30.40.0/24", path1)
+
+	path2 := <-listener2.recvdPaths
+	a.Equal("20.30.40.0/24", path2)
+}
+
+func TestBestEffortAnnouncement(t *testing.T) {
+	a := assert.New(t)
+
+	// Create controller with two peers
+	mixedConfig := config.BgpConfig{
+		LocalAS: 11111,
+		LocalIP: "192.168.1.100",
+		Peers: []config.PeerConfig{
+			{PeerIP: "127.0.0.1", PeerAS: 22222},
+			{PeerIP: "127.0.0.2", PeerAS: 33333},
+		},
+		Origin: "igp",
+	}
+
+	ctrl, err := NewController(mixedConfig)
+	if err != nil {
+		a.FailNow(err.Error())
+	}
+	defer ctrl.Shutdown()
+
+	// Announce a route - both peers will be added successfully
+	// (they won't have actual BGP sessions established, but peers are added to GoBGP)
+	_, ipnet, _ := net.ParseCIDR("20.30.40.0/24")
+	r := &Route{Net: ipnet}
+
+	// The announcement should succeed for both peers being added
+	err = ctrl.Announce(r)
+	a.NoError(err, "Announcement should succeed for both peers")
+
+	// Verify both peers were added
+	peers, err := ctrl.PeerInfo()
+	a.NoError(err)
+	a.Equal(2, len(peers), "Should have both peers configured")
+}
+
+func TestWithdrawMultiplePeers(t *testing.T) {
+	a := assert.New(t)
+
+	ctrl := &Controller{
+		localAS: 11111,
+		localIP: net.ParseIP("192.168.1.100"),
+		peers: []config.PeerConfig{
+			{PeerIP: "10.10.10.1", PeerAS: 22222},
+			{PeerIP: "10.10.10.2", PeerAS: 22222},
+		},
+		origin: 0,
+		s:      gobgp.NewBgpServer(),
+	}
+	go ctrl.s.Serve()
+
+	if err := ctrl.s.StartBgp(context.Background(), &api.StartBgpRequest{
+		Global: &api.Global{
+			As:         uint32(11111),
+			RouterId:   ctrl.localIP.String(),
+			ListenPort: -1,
+		},
+	}); err != nil {
+		a.FailNow(err.Error())
+	}
+	defer ctrl.s.StopBgp(context.Background(), &api.StopBgpRequest{})
+
+	_, ipnet, _ := net.ParseCIDR("20.30.40.0/24")
+	r := &Route{Net: ipnet}
+
+	// Withdraw should iterate through all peers
+	// This will fail because peers aren't established, but it should try both
+	err := ctrl.Withdraw(r)
+	// We expect an error but it should have tried both peers
+	if err != nil {
+		a.Contains(err.Error(), "withdrawal errors")
+	}
+}
+
+func TestPeerInfoMultiplePeers(t *testing.T) {
+	a := assert.New(t)
+
+	ctrl := &Controller{
+		localAS: 11111,
+		localIP: net.ParseIP("192.168.1.100"),
+		peers: []config.PeerConfig{
+			{PeerIP: "10.10.10.1", PeerAS: 22222},
+			{PeerIP: "10.10.10.2", PeerAS: 33333},
+		},
+		origin: 0,
+		s:      gobgp.NewBgpServer(),
+	}
+	go ctrl.s.Serve()
+
+	if err := ctrl.s.StartBgp(context.Background(), &api.StartBgpRequest{
+		Global: &api.Global{
+			As:         uint32(11111),
+			RouterId:   ctrl.localIP.String(),
+			ListenPort: -1,
+		},
+	}); err != nil {
+		a.FailNow(err.Error())
+	}
+	defer ctrl.s.StopBgp(context.Background(), &api.StopBgpRequest{})
+
+	// Add peers
+	for i := range ctrl.peers {
+		ctrl.addPeer(&ctrl.peers[i])
+	}
+
+	// Get peer info
+	peers, err := ctrl.PeerInfo()
+	a.NoError(err)
+	a.Equal(2, len(peers), "Should return info for both peers")
+
+	// Verify peer addresses
+	peerAddrs := make(map[string]bool)
+	for _, p := range peers {
+		peerAddrs[p.Conf.NeighborAddress] = true
+	}
+	a.True(peerAddrs["10.10.10.1"], "Should have first peer")
+	a.True(peerAddrs["10.10.10.2"], "Should have second peer")
+}
+
+func TestMD5Authentication(t *testing.T) {
+	a := assert.New(t)
+
+	testCases := []struct {
+		name           string
+		md5Password    string
+		md5EnvVar      string
+		envValue       string
+		expectedAuth   string
+	}{
+		{
+			name:         "MD5 password from config",
+			md5Password:  "secret123",
+			md5EnvVar:    "",
+			envValue:     "",
+			expectedAuth: "secret123",
+		},
+		{
+			name:         "MD5 password from environment variable",
+			md5Password:  "",
+			md5EnvVar:    "BGP_PEER_PASSWORD",
+			envValue:     "env_secret456",
+			expectedAuth: "env_secret456",
+		},
+		{
+			name:         "Environment variable takes priority over config",
+			md5Password:  "config_password",
+			md5EnvVar:    "BGP_PEER_PASSWORD",
+			envValue:     "env_password",
+			expectedAuth: "env_password",
+		},
+		{
+			name:         "No authentication when neither is set",
+			md5Password:  "",
+			md5EnvVar:    "",
+			envValue:     "",
+			expectedAuth: "",
+		},
+		{
+			name:         "Config password used when env var is set but empty",
+			md5Password:  "fallback_password",
+			md5EnvVar:    "EMPTY_VAR",
+			envValue:     "",
+			expectedAuth: "fallback_password",
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			// Set environment variable if specified
+			if tc.md5EnvVar != "" && tc.envValue != "" {
+				os.Setenv(tc.md5EnvVar, tc.envValue)
+				defer os.Unsetenv(tc.md5EnvVar)
+			}
+
+			ctrl := &Controller{
+				localAS: 11111,
+				localIP: net.ParseIP("192.168.1.100"),
+				s:       gobgp.NewBgpServer(),
+			}
+			go ctrl.s.Serve()
+
+			if err := ctrl.s.StartBgp(context.Background(), &api.StartBgpRequest{
+				Global: &api.Global{
+					As:         uint32(11111),
+					RouterId:   ctrl.localIP.String(),
+					ListenPort: -1,
+				},
+			}); err != nil {
+				a.FailNow(err.Error())
+			}
+			defer ctrl.s.StopBgp(context.Background(), &api.StopBgpRequest{})
+
+			peer := &config.PeerConfig{
+				PeerIP:      "10.10.10.1",
+				PeerAS:      22222,
+				MD5Password: tc.md5Password,
+				MD5EnvVar:   tc.md5EnvVar,
+			}
+
+			err := ctrl.addPeer(peer)
+			a.NoError(err)
+
+			// Verify MD5 authentication is configured correctly
+			var foundPeer *api.Peer
+			ctrl.s.ListPeer(context.Background(), &api.ListPeerRequest{}, func(p *api.Peer) {
+				if p.Conf.NeighborAddress == peer.PeerIP {
+					foundPeer = p
+				}
+			})
+
+			a.NotNil(foundPeer, "Peer should be added")
+			a.Equal(tc.expectedAuth, foundPeer.Conf.AuthPassword, "MD5 password should match expected")
+		})
+	}
+}
+
+func TestGetMD5Password(t *testing.T) {
+	a := assert.New(t)
+
+	ctrl := &Controller{}
+
+	// Test 1: Environment variable takes priority
+	os.Setenv("TEST_BGP_PASS", "env_password")
+	defer os.Unsetenv("TEST_BGP_PASS")
+
+	peer := &config.PeerConfig{
+		MD5Password: "config_password",
+		MD5EnvVar:   "TEST_BGP_PASS",
+	}
+	a.Equal("env_password", ctrl.getMD5Password(peer))
+
+	// Test 2: Config password when env var not set
+	peer2 := &config.PeerConfig{
+		MD5Password: "config_only",
+		MD5EnvVar:   "NONEXISTENT_VAR",
+	}
+	a.Equal("config_only", ctrl.getMD5Password(peer2))
+
+	// Test 3: Empty string when nothing is set
+	peer3 := &config.PeerConfig{}
+	a.Equal("", ctrl.getMD5Password(peer3))
+
+	// Test 4: Only env var specified
+	os.Setenv("ANOTHER_PASS", "another_env_password")
+	defer os.Unsetenv("ANOTHER_PASS")
+
+	peer4 := &config.PeerConfig{
+		MD5EnvVar: "ANOTHER_PASS",
+	}
+	a.Equal("another_env_password", ctrl.getMD5Password(peer4))
+}
+
+func TestMultiPeerWithMD5(t *testing.T) {
+	a := assert.New(t)
+
+	// Set environment variables for testing
+	os.Setenv("PEER1_PASSWORD", "peer1_secret")
+	os.Setenv("PEER2_PASSWORD", "peer2_secret")
+	defer os.Unsetenv("PEER1_PASSWORD")
+	defer os.Unsetenv("PEER2_PASSWORD")
+
+	// Create controller with multiple peers using different MD5 configurations
+	multiPeerConfig := config.BgpConfig{
+		LocalAS: 11111,
+		LocalIP: "192.168.1.100",
+		Peers: []config.PeerConfig{
+			{
+				PeerIP:      "10.10.10.1",
+				PeerAS:      22222,
+				MD5EnvVar:   "PEER1_PASSWORD",
+			},
+			{
+				PeerIP:      "10.10.10.2",
+				PeerAS:      33333,
+				MD5Password: "peer2_config_password",
+			},
+			{
+				PeerIP:   "10.10.10.3",
+				PeerAS:   44444,
+				// No MD5 authentication
+			},
+		},
+		Origin: "igp",
+	}
+
+	ctrl, err := NewController(multiPeerConfig)
+	if err != nil {
+		a.FailNow(err.Error())
+	}
+	defer ctrl.Shutdown()
+
+	// Trigger peer addition by announcing a route (peers are added lazily)
+	_, ipnet, _ := net.ParseCIDR("20.30.40.0/24")
+	r := &Route{Net: ipnet}
+	ctrl.Announce(r)
+
+	// Verify all peers have correct MD5 configuration
+	peers := make(map[string]string) // map[peerIP]authPassword
+	ctrl.s.ListPeer(context.Background(), &api.ListPeerRequest{}, func(p *api.Peer) {
+		peers[p.Conf.NeighborAddress] = p.Conf.AuthPassword
+	})
+
+	a.Equal(3, len(peers), "Should have all three peers")
+	a.Equal("peer1_secret", peers["10.10.10.1"], "First peer should use env var password")
+	a.Equal("peer2_config_password", peers["10.10.10.2"], "Second peer should use config password")
+	a.Equal("", peers["10.10.10.3"], "Third peer should have no authentication")
+}

controller/monitor.go

@@ -98,6 +98,11 @@ func NewMonitor(config *c.Config) *MonitorMgr {
 	if config.Agent.CleanupTimer == 0 {
 		config.Agent.CleanupTimer = defaultCleanupTimer
 	}
+	// Set iptables binary (defaults to "iptables" if not specified)
+	if config.Agent.IptablesBinary == "" {
+		config.Agent.IptablesBinary = "iptables"
+	}
+	SetIptablesBinary(config.Agent.IptablesBinary)
 	mon.config = config
 	// add apps defined in config
 	for _, a := range config.Apps {
@@ -339,6 +344,240 @@ func (m *MonitorMgr) CloseAll() {
 	}
 }
 
+// Reload re-reads the configuration file and applies changes
+func (m *MonitorMgr) Reload(configPath string) error {
+	glog.Infof("Reloading configuration from %s", configPath)
+
+	// Read new configuration
+	newConfig := c.GetConfig(configPath)
+	if newConfig == nil {
+		return fmt.Errorf("Failed to load configuration")
+	}
+
+	// Set defaults if not specified
+	if newConfig.Agent.MonitorInterval == 0 {
+		newConfig.Agent.MonitorInterval = defaultMonitorInterval
+	}
+	if newConfig.Agent.CleanupTimer == 0 {
+		newConfig.Agent.CleanupTimer = defaultCleanupTimer
+	}
+	if newConfig.Agent.IptablesBinary == "" {
+		newConfig.Agent.IptablesBinary = "iptables"
+	}
+
+	// Update iptables binary if changed
+	if m.config.Agent.IptablesBinary != newConfig.Agent.IptablesBinary {
+		glog.Infof("Iptables binary changed from %s to %s", m.config.Agent.IptablesBinary, newConfig.Agent.IptablesBinary)
+		SetIptablesBinary(newConfig.Agent.IptablesBinary)
+	}
+
+	// Check if BGP configuration has changed
+	bgpChanged := m.bgpConfigChanged(m.config.Bgp, newConfig.Bgp)
+
+	if bgpChanged {
+		glog.Infof("BGP configuration changed, restarting BGP controller")
+
+		// Withdraw all current routes before shutting down
+		m.monMu.Lock()
+		for _, am := range m.monitors {
+			if am.announced {
+				if err := m.ctrl.Withdraw(am.app.Vip); err != nil {
+					glog.Errorf("Failed to withdraw route during reload: %v", err)
+				}
+				am.announced = false
+			}
+		}
+		m.monMu.Unlock()
+
+		// Shutdown old BGP controller
+		if err := m.ctrl.Shutdown(); err != nil {
+			glog.Errorf("Failed to shutdown BGP controller: %v", err)
+		}
+
+		// Start new BGP controller
+		ctrl, err := NewController(newConfig.Bgp)
+		if err != nil {
+			return fmt.Errorf("Failed to start new BGP controller: %v", err)
+		}
+		m.ctrl = ctrl
+
+		// Re-announce all routes with new BGP config
+		m.monMu.Lock()
+		for _, am := range m.monitors {
+			// Only re-announce if the app was previously announced and is still healthy
+			if m.runMonitors(am.app) {
+				if err := m.ctrl.Announce(am.app.Vip); err != nil {
+					glog.Errorf("Failed to re-announce route %s: %v", am.app.Vip.Net.String(), err)
+				} else {
+					am.announced = true
+					glog.Infof("Re-announced route %s", am.app.Vip.Net.String())
+				}
+			}
+		}
+		m.monMu.Unlock()
+	}
+
+	// Handle consul configuration changes
+	if m.config.Agent.ConsulAddr != newConfig.Agent.ConsulAddr ||
+	   m.config.Agent.ConsulToken != newConfig.Agent.ConsulToken {
+		glog.Infof("Consul configuration changed")
+		if newConfig.Agent.ConsulAddr != "" {
+			cmon, err := NewConsulMon(newConfig.Agent.ConsulAddr, newConfig.Agent.ConsulToken)
+			if err != nil {
+				glog.Errorf("Failed to start consul monitor: %v", err)
+			} else {
+				m.consul = cmon
+				// Start consul monitoring in background if not already running
+				if m.config.Agent.ConsulAddr == "" {
+					go m.consulMon()
+				}
+			}
+		}
+	}
+
+	// Update agent configuration
+	oldConfig := m.config
+	m.config = newConfig
+
+	// Handle app configuration changes
+	m.reloadApps(oldConfig.Apps, newConfig.Apps)
+
+	glog.Infof("Configuration reloaded successfully")
+	return nil
+}
+
+// bgpConfigChanged checks if BGP configuration has changed
+func (m *MonitorMgr) bgpConfigChanged(old, new c.BgpConfig) bool {
+	// Check basic parameters
+	if old.LocalAS != new.LocalAS || old.LocalIP != new.LocalIP || old.Origin != new.Origin {
+		return true
+	}
+
+	// Check legacy peer config
+	if old.PeerAS != new.PeerAS || old.PeerIP != new.PeerIP {
+		return true
+	}
+
+	// Check peers
+	if len(old.Peers) != len(new.Peers) {
+		return true
+	}
+
+	// Compare each peer
+	for i := range old.Peers {
+		if old.Peers[i].PeerIP != new.Peers[i].PeerIP ||
+			old.Peers[i].PeerAS != new.Peers[i].PeerAS ||
+			old.Peers[i].MD5Password != new.Peers[i].MD5Password ||
+			old.Peers[i].MD5EnvVar != new.Peers[i].MD5EnvVar {
+			return true
+		}
+
+		// Check multi-hop
+		if (old.Peers[i].MultiHop == nil) != (new.Peers[i].MultiHop == nil) {
+			return true
+		}
+		if old.Peers[i].MultiHop != nil && new.Peers[i].MultiHop != nil {
+			if *old.Peers[i].MultiHop != *new.Peers[i].MultiHop {
+				return true
+			}
+		}
+
+		// Check communities
+		if len(old.Peers[i].Communities) != len(new.Peers[i].Communities) {
+			return true
+		}
+		for j := range old.Peers[i].Communities {
+			if old.Peers[i].Communities[j] != new.Peers[i].Communities[j] {
+				return true
+			}
+		}
+	}
+
+	// Check global communities
+	if len(old.Communities) != len(new.Communities) {
+		return true
+	}
+	for i := range old.Communities {
+		if old.Communities[i] != new.Communities[i] {
+			return true
+		}
+	}
+
+	return false
+}
+
+// reloadApps compares old and new app configurations and applies changes
+func (m *MonitorMgr) reloadApps(oldApps, newApps []c.AppConfig) {
+	// Build maps for easy comparison
+	oldAppMap := make(map[string]c.AppConfig)
+	for _, app := range oldApps {
+		oldAppMap[app.Name] = app
+	}
+
+	newAppMap := make(map[string]c.AppConfig)
+	for _, app := range newApps {
+		newAppMap[app.Name] = app
+	}
+
+	// Remove apps that are no longer in config
+	for name := range oldAppMap {
+		if _, exists := newAppMap[name]; !exists {
+			m.monMu.Lock()
+			if am, ok := m.monitors[name]; ok {
+				if am.app.Source == "config" {
+					glog.Infof("Removing app %s (no longer in config)", name)
+					m.monMu.Unlock()
+					m.Remove(name)
+					continue
+				}
+			}
+			m.monMu.Unlock()
+		}
+	}
+
+	// Add new apps or update existing ones
+	for name, newAppConfig := range newAppMap {
+		oldAppConfig, existed := oldAppMap[name]
+
+		// Check if app configuration changed
+		configChanged := !existed ||
+			oldAppConfig.Vip != newAppConfig.Vip ||
+			!equalStringSlices(oldAppConfig.Monitors, newAppConfig.Monitors) ||
+			!equalStringSlices(oldAppConfig.Nats, newAppConfig.Nats) ||
+			!equalStringSlices(oldAppConfig.VipConfig.BgpCommunities, newAppConfig.VipConfig.BgpCommunities)
+
+		if configChanged {
+			if existed {
+				glog.Infof("App %s configuration changed, reloading", name)
+				m.Remove(name)
+			} else {
+				glog.Infof("Adding new app %s from config", name)
+			}
+
+			app, err := NewApp(newAppConfig.Name, newAppConfig.Vip, newAppConfig.VipConfig,
+				newAppConfig.Monitors, newAppConfig.Nats, "config")
+			if err != nil {
+				glog.Errorf("Failed to add app %s: %v", name, err)
+				continue
+			}
+			m.Add(app)
+		}
+	}
+}
+
+// equalStringSlices compares two string slices
+func equalStringSlices(a, b []string) bool {
+	if len(a) != len(b) {
+		return false
+	}
+	for i := range a {
+		if a[i] != b[i] {
+			return false
+		}
+	}
+	return true
+}
+
 // CleanUp periodically monitors for stale apps and cleans them up
 func (m *MonitorMgr) Cleanup(app string, exit chan bool) {
 	t := time.NewTimer(m.config.Agent.CleanupTimer)
@@ -356,6 +595,6 @@ func (m *MonitorMgr) Cleanup(app string, exit chan bool) {
 }
 
 // GetInfo returns basic BGP info for established peers
-func (m *MonitorMgr) GetInfo() (*api.Peer, error) {
+func (m *MonitorMgr) GetInfo() ([]*api.Peer, error) {
 	return m.ctrl.PeerInfo()
 }

controller/reload_test.go

@@ -0,0 +1,293 @@
+package controller
+
+import (
+	"io/ioutil"
+	"os"
+	"testing"
+	"time"
+
+	config "github.com/mayuresh82/gocast/config"
+	"github.com/stretchr/testify/assert"
+)
+
+func TestBgpConfigChanged(t *testing.T) {
+	a := assert.New(t)
+
+	mon := &MonitorMgr{}
+
+	// Test 1: No changes
+	cfg1 := config.BgpConfig{
+		LocalAS: 12345,
+		LocalIP: "192.168.1.100",
+		Origin:  "igp",
+		Peers: []config.PeerConfig{
+			{PeerIP: "10.10.10.1", PeerAS: 6789},
+		},
+		Communities: []string{"100:100"},
+	}
+	cfg2 := cfg1
+	a.False(mon.bgpConfigChanged(cfg1, cfg2), "Identical configs should not be considered changed")
+
+	// Test 2: LocalAS changed
+	cfg3 := cfg1
+	cfg3.LocalAS = 54321
+	a.True(mon.bgpConfigChanged(cfg1, cfg3), "LocalAS change should be detected")
+
+	// Test 3: Peer IP changed
+	cfg4 := cfg1
+	cfg4.Peers = []config.PeerConfig{
+		{PeerIP: "10.10.10.2", PeerAS: 6789},
+	}
+	a.True(mon.bgpConfigChanged(cfg1, cfg4), "Peer IP change should be detected")
+
+	// Test 4: MD5 password changed
+	cfg5 := cfg1
+	cfg5.Peers = []config.PeerConfig{
+		{PeerIP: "10.10.10.1", PeerAS: 6789, MD5Password: "secret"},
+	}
+	a.True(mon.bgpConfigChanged(cfg1, cfg5), "MD5 password change should be detected")
+
+	// Test 5: Community added
+	cfg6 := cfg1
+	cfg6.Communities = []string{"100:100", "200:200"}
+	a.True(mon.bgpConfigChanged(cfg1, cfg6), "Community addition should be detected")
+
+	// Test 6: Peer added
+	cfg7 := cfg1
+	cfg7.Peers = []config.PeerConfig{
+		{PeerIP: "10.10.10.1", PeerAS: 6789},
+		{PeerIP: "10.10.10.2", PeerAS: 6789},
+	}
+	a.True(mon.bgpConfigChanged(cfg1, cfg7), "Peer addition should be detected")
+
+	// Test 7: MultiHop changed
+	multiHopTrue := true
+	cfg8 := cfg1
+	cfg8.Peers = []config.PeerConfig{
+		{PeerIP: "10.10.10.1", PeerAS: 6789, MultiHop: &multiHopTrue},
+	}
+	a.True(mon.bgpConfigChanged(cfg1, cfg8), "MultiHop change should be detected")
+}
+
+func TestEqualStringSlices(t *testing.T) {
+	a := assert.New(t)
+
+	a.True(equalStringSlices([]string{}, []string{}), "Empty slices should be equal")
+	a.True(equalStringSlices([]string{"a", "b"}, []string{"a", "b"}), "Identical slices should be equal")
+	a.False(equalStringSlices([]string{"a"}, []string{"a", "b"}), "Different length slices should not be equal")
+	a.False(equalStringSlices([]string{"a", "b"}, []string{"a", "c"}), "Different content should not be equal")
+}
+
+func TestReload(t *testing.T) {
+	if os.Getenv("CI") != "" {
+		t.Skip("Skipping reload test in CI environment")
+	}
+
+	a := assert.New(t)
+
+	// Create initial config file
+	initialConfig := `
+agent:
+  listen_addr: :8080
+  monitor_interval: 10s
+  cleanup_timer: 15m
+
+bgp:
+  local_as: 12345
+  peer_as: 6789
+  local_ip: 192.168.1.100
+  origin: igp
+  communities:
+    - 100:100
+
+apps:
+  - name: test-app
+    vip: 1.1.1.1/32
+    monitors:
+      - exec:echo
+`
+
+	// Create temporary config file
+	tmpfile, err := ioutil.TempFile("", "gocast-test-*.yaml")
+	a.NoError(err)
+	defer os.Remove(tmpfile.Name())
+
+	_, err = tmpfile.Write([]byte(initialConfig))
+	a.NoError(err)
+	tmpfile.Close()
+
+	// Initialize monitor with initial config
+	conf := config.GetConfig(tmpfile.Name())
+	mon := NewMonitor(conf)
+	defer mon.CloseAll()
+
+	// Wait a bit for initialization
+	time.Sleep(100 * time.Millisecond)
+
+	// Verify initial state
+	a.Equal(12345, mon.ctrl.localAS)
+	m := mon.monitors["test-app"]
+	a.NotNil(m, "Initial app should be loaded")
+
+	// Update config file with new BGP AS and remove app
+	updatedConfig := `
+agent:
+  listen_addr: :8080
+  monitor_interval: 10s
+  cleanup_timer: 15m
+
+bgp:
+  local_as: 54321
+  peer_as: 6789
+  local_ip: 192.168.1.100
+  origin: igp
+  communities:
+    - 200:200
+`
+
+	err = ioutil.WriteFile(tmpfile.Name(), []byte(updatedConfig), 0644)
+	a.NoError(err)
+
+	// Reload configuration
+	err = mon.Reload(tmpfile.Name())
+	a.NoError(err)
+
+	// Wait for reload to complete
+	time.Sleep(200 * time.Millisecond)
+
+	// Verify new state
+	a.Equal(54321, mon.ctrl.localAS)
+	a.Equal([]string{"200:200"}, mon.ctrl.communities)
+
+	// Verify app was removed
+	mon.monMu.Lock()
+	_, exists := mon.monitors["test-app"]
+	mon.monMu.Unlock()
+	a.False(exists, "App should be removed after reload")
+}
+
+func TestReloadAddApp(t *testing.T) {
+	if os.Getenv("CI") != "" {
+		t.Skip("Skipping reload test in CI environment")
+	}
+
+	a := assert.New(t)
+
+	// Create initial config without apps
+	initialConfig := `
+agent:
+  listen_addr: :8080
+  monitor_interval: 10s
+
+bgp:
+  local_as: 12345
+  peer_as: 6789
+  local_ip: 192.168.1.100
+  origin: igp
+`
+
+	tmpfile, err := ioutil.TempFile("", "gocast-test-*.yaml")
+	a.NoError(err)
+	defer os.Remove(tmpfile.Name())
+
+	_, err = tmpfile.Write([]byte(initialConfig))
+	a.NoError(err)
+	tmpfile.Close()
+
+	conf := config.GetConfig(tmpfile.Name())
+	mon := NewMonitor(conf)
+	defer mon.CloseAll()
+
+	time.Sleep(100 * time.Millisecond)
+
+	// Verify no apps initially
+	mon.monMu.Lock()
+	initialCount := len(mon.monitors)
+	mon.monMu.Unlock()
+	a.Equal(0, initialCount)
+
+	// Add app to config
+	updatedConfig := `
+agent:
+  listen_addr: :8080
+  monitor_interval: 10s
+
+bgp:
+  local_as: 12345
+  peer_as: 6789
+  local_ip: 192.168.1.100
+  origin: igp
+
+apps:
+  - name: new-app
+    vip: 2.2.2.2/32
+    monitors:
+      - exec:echo
+`
+
+	err = ioutil.WriteFile(tmpfile.Name(), []byte(updatedConfig), 0644)
+	a.NoError(err)
+
+	// Reload
+	err = mon.Reload(tmpfile.Name())
+	a.NoError(err)
+
+	time.Sleep(200 * time.Millisecond)
+
+	// Verify app was added
+	mon.monMu.Lock()
+	_, exists := mon.monitors["new-app"]
+	mon.monMu.Unlock()
+	a.True(exists, "New app should be added after reload")
+}
+
+func TestReloadMD5Change(t *testing.T) {
+	if os.Getenv("CI") != "" {
+		t.Skip("Skipping reload test in CI environment")
+	}
+
+	a := assert.New(t)
+
+	// Set environment variable for MD5 password
+	os.Setenv("BGP_TEST_PASSWORD", "initial_secret")
+	defer os.Unsetenv("BGP_TEST_PASSWORD")
+
+	initialConfig := `
+agent:
+  listen_addr: :8080
+
+bgp:
+  local_as: 12345
+  local_ip: 192.168.1.100
+  peers:
+    - peer_ip: 10.10.10.1
+      peer_as: 6789
+      md5_env_var: BGP_TEST_PASSWORD
+  origin: igp
+`
+
+	tmpfile, err := ioutil.TempFile("", "gocast-test-*.yaml")
+	a.NoError(err)
+	defer os.Remove(tmpfile.Name())
+
+	_, err = tmpfile.Write([]byte(initialConfig))
+	a.NoError(err)
+	tmpfile.Close()
+
+	conf := config.GetConfig(tmpfile.Name())
+	mon := NewMonitor(conf)
+	defer mon.CloseAll()
+
+	time.Sleep(100 * time.Millisecond)
+
+	// Update environment variable
+	os.Setenv("BGP_TEST_PASSWORD", "updated_secret")
+
+	// Reload (MD5 env var change should trigger BGP reload)
+	err = mon.Reload(tmpfile.Name())
+	a.NoError(err)
+
+	// Note: We can't easily verify the MD5 password changed without
+	// actually establishing BGP sessions, but we can verify reload succeeded
+	a.NotNil(mon.ctrl)
+}

controller/system.go

@@ -8,6 +8,7 @@ import (
 )
 
 var execCmd = "bash"
+var iptablesBinary = "iptables"
 
 func getCmdList(mainCmd string) []string {
 	cmdList := []string{}
@@ -88,8 +89,8 @@ func deleteLoopback(addr *net.IPNet) error {
 
 func natRule(op string, vip, localAddr net.IP, protocol, lport, dport string) error {
 	cmd := fmt.Sprintf(
-		"iptables -t nat -%s PREROUTING -p %s -d %s --dport %s -j DNAT --to-destination %s:%s",
+		"%s -t nat -%s PREROUTING -p %s -d %s --dport %s -j DNAT --to-destination %s:%s",
-		op, protocol, vip.String(), lport, localAddr.String(), dport,
+		iptablesBinary, op, protocol, vip.String(), lport, localAddr.String(), dport,
 	)
 	cmdList := getCmdList(cmd)
 	_, err := exec.Command(execCmd, cmdList...).Output()
@@ -98,3 +99,10 @@ func natRule(op string, vip, localAddr net.IP, protocol, lport, dport string) er
 	}
 	return nil
 }
+
+// SetIptablesBinary sets the iptables binary to use for NAT rules
+func SetIptablesBinary(binary string) {
+	if binary != "" {
+		iptablesBinary = binary
+	}
+}

controller/system_test.go

@@ -43,6 +43,71 @@ func TestAddLoopback(t *testing.T) {
 	assert.NotNil(t, err)
 }
 
+func TestSetIptablesBinary(t *testing.T) {
+	a := assert.New(t)
+
+	// Save original value
+	originalBinary := iptablesBinary
+	defer func() {
+		iptablesBinary = originalBinary
+	}()
+
+	// Test setting custom binary
+	SetIptablesBinary("iptables-nft")
+	a.Equal("iptables-nft", iptablesBinary)
+
+	// Test setting back to default
+	SetIptablesBinary("iptables")
+	a.Equal("iptables", iptablesBinary)
+
+	// Test that empty string doesn't change the value
+	SetIptablesBinary("iptables-custom")
+	a.Equal("iptables-custom", iptablesBinary)
+	SetIptablesBinary("")
+	a.Equal("iptables-custom", iptablesBinary, "Empty string should not change the binary")
+}
+
+func TestNatRuleCommandFormat(t *testing.T) {
+	a := assert.New(t)
+
+	// Save original values
+	originalBinary := iptablesBinary
+	originalExecCmd := execCmd
+	defer func() {
+		iptablesBinary = originalBinary
+		execCmd = originalExecCmd
+	}()
+
+	vip := net.ParseIP("192.0.2.1")
+	localAddr := net.ParseIP("10.0.0.1")
+
+	// Test with default iptables
+	SetIptablesBinary("iptables")
+	err := natRule("A", vip, localAddr, "tcp", "80", "8080")
+	// We expect this to fail in test environment, but we can check the error message
+	// contains our command
+	if err != nil {
+		a.Contains(err.Error(), "iptables -t nat -A PREROUTING")
+	}
+
+	// Test with iptables-nft
+	SetIptablesBinary("iptables-nft")
+	err = natRule("A", vip, localAddr, "tcp", "80", "8080")
+	if err != nil {
+		a.Contains(err.Error(), "iptables-nft -t nat -A PREROUTING")
+	}
+
+	// Test with custom binary path
+	SetIptablesBinary("/usr/sbin/iptables")
+	err = natRule("D", vip, localAddr, "udp", "53", "5353")
+	if err != nil {
+		a.Contains(err.Error(), "/usr/sbin/iptables -t nat -D PREROUTING")
+		a.Contains(err.Error(), "udp")
+		a.Contains(err.Error(), "53")
+		a.Contains(err.Error(), "5353")
+	}
+}
+
 func TestMain(m *testing.M) {
 	switch os.Getenv("test_name") {
 	case "test_gateway":

main.go

@@ -33,7 +33,16 @@ func main() {
 	go func() {
 		for {
 			sig := <-signalChan
-			if sig == os.Interrupt || sig == syscall.SIGTERM {
+			switch sig {
+			case syscall.SIGHUP:
+				log.Info("Received SIGHUP, reloading configuration")
+				if err := mon.Reload(*config); err != nil {
+					log.Errorf("Failed to reload configuration: %v", err)
+				} else {
+					log.Info("Configuration reloaded successfully")
+				}
+			case os.Interrupt, syscall.SIGTERM:
+				log.Info("Received shutdown signal, cleaning up")
 				mon.CloseAll()
 				cancel()
 				return

server/server.go

@@ -72,11 +72,11 @@ func (s *Server) unregisterHandler(w http.ResponseWriter, r *http.Request) {
 }
 
 func (s *Server) infoHandler(w http.ResponseWriter, r *http.Request) {
-	peer, err := s.mon.GetInfo()
+	peers, err := s.mon.GetInfo()
 	if err != nil {
 		http.Error(w, fmt.Sprintf("Internal error getting peers: %v", err), http.StatusInternalServerError)
 		return
 	}
 	w.Header().Set("Content-Type", "application/json")
-	json.NewEncoder(w).Encode(peer)
+	json.NewEncoder(w).Encode(peers)
 }