Skip to content

Add iptables to http-proxy docker images#658

Open
AGMETEOR wants to merge 10 commits intomainfrom
iptables-in-docker
Open

Add iptables to http-proxy docker images#658
AGMETEOR wants to merge 10 commits intomainfrom
iptables-in-docker

Conversation

@AGMETEOR
Copy link
Contributor

@AGMETEOR AGMETEOR commented Jul 4, 2025

No description provided.

@AGMETEOR AGMETEOR self-assigned this Jul 4, 2025
@AGMETEOR AGMETEOR requested a review from Copilot July 4, 2025 11:36

This comment was marked as outdated.

Sign in to view

@AGMETEOR AGMETEOR requested a review from Copilot July 4, 2025 16:12
Copilot AI reviewed Jul 4, 2025
View reviewed changes
Copy link

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

This PR adds an iptables-based masquerading setup to the http-proxy container, driven by environment variables.

  • Install and enable iptables in the Docker runtime image
  • Introduce servermasq.sh to configure a custom NAT chain at container start
  • Update Dockerfile to run servermasq.sh as the entrypoint before launching the proxy

Reviewed Changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.

File Description
servermasq.sh New startup script that creates/flushes a LANTERN_SERVERMASQ chain and applies DNAT rules based on $PROXY_ADDR, $PROXY_PORT, and $MASQ_ADDR
Dockerfile Installs iptables, copies and marks servermasq.sh executable, and sets it as the container entrypoint prior to running the proxy
Comments suppressed due to low confidence (1)

servermasq.sh:1

  • [nitpick] Add a header comment describing the purpose of this script and its required environment variables (PROXY_ADDR, PROXY_PORT, MASQ_ADDR) to improve maintainability.
#!/bin/sh

Dockerfile
Comment on lines 27 to +28
USER lantern
ENTRYPOINT ["/servermasq.sh"]
Copy link

Copilot AI Jul 4, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The servermasq.sh entrypoint executes iptables commands, which require root privileges, but the container switches to the unprivileged lantern user before running the script. Consider moving USER lantern below the entrypoint or running the iptables setup as root and then dropping privileges before starting the proxy.

Suggested change
USER lantern
ENTRYPOINT ["/servermasq.sh"]
ENTRYPOINT ["/servermasq.sh"]
USER lantern

Copilot uses AI. Check for mistakes.
@AGMETEOR AGMETEOR requested a review from Crosse July 7, 2025 09:30
Crosse
Crosse approved these changes Jul 7, 2025
View reviewed changes
Copy link
Contributor

@Crosse Crosse left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm good with this, but I do think we need to test it on a single track first before rolling it out fleet-wide.

servermasq.sh Outdated
exec "$@"
fi

# The iptables rules can be expalined as follows:
Copy link
Contributor

@Crosse Crosse Jul 7, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
# The iptables rules can be expalined as follows:
# The iptables rules can be explained as follows:

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@Crosse Crosse Crosse approved these changes

Assignees

@AGMETEOR AGMETEOR

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@AGMETEOR @Crosse