Merge branch 'master' into snyk-fix-5cac6f76b2bf66820ec12fefb1bb49bc

qoomon · Jul 29, 2024 · 8002675 · 8002675
2 parents 6be5c74 + 236ff50
commit 8002675
Show file tree

Hide file tree

Showing 4 changed files with 15 additions and 9 deletions.
diff --git a/.github/workflows/dockerimage.yml b/.github/workflows/dockerimage.yml
@@ -4,6 +4,9 @@ on:
   push:
     branches:
       - "*"
+    paths:
+      - Dockerfile
+      - entrypoint.sh
     tags:
       - "v*"
 

diff --git a/Dockerfile b/Dockerfile
@@ -1,5 +1,5 @@
 # syntax=docker/dockerfile:1
-FROM alpine:3.20
+FROM alpine:3.20.2
 
 RUN apk --no-cache upgrade \
  && apk --no-cache add  \

diff --git a/README.md b/README.md
@@ -16,14 +16,12 @@ also works for (rootless) podman. This README.md uses the term docker, but you
 can read that as both `docker` and `podman` (it works for both), unless
 otherwise specified.
 
-This container will determine docker host address in the following order
-* Use ip from environment variable `DOCKER_HOST` if set
+This container will determine the docker host address in the following order
+* If set use environment variable `DOCKER_HOST`. Can be an IP address or a DNS name.
   * This allows you to use this image to forward traffic to arbitrary destinations, not only the docker host.
-* Try to resolve host using DNS names e.g. `getent ahostsv4 host.docker.internal` 
+* Try to resolve host address from DNS names.
   * docker hostname `host.docker.internal` 
   * podman hostname `host.containers.internal`
-
-
 * Defaults to default gateway (`ip -4 route show default`)
 
 #### Ports

diff --git a/entrypoint.sh b/entrypoint.sh
@@ -3,6 +3,11 @@
 set -euo pipefail
 c=$'\n\t'
 
+# since alpine version 3.19.0 iptables-nft is used by default (https://wiki.alpinelinux.org/wiki/Release_Notes_for_Alpine_3.19.0),  
+# however this causes compatibility issues for hosts with older kernels (e.g. Windows > https://github.com/microsoft/WSL/issues/6044), 
+# therefore we still use iptables-legacy
+alias iptables=iptables-legacy
+
 # --- Ensure container network capabilities ----------------------------------
 
 if ! capsh --has-p='cap_net_admin' --has-p='cap_net_raw' &>/dev/null
@@ -82,20 +87,20 @@ do
   # nft add rule nat prerouting tcp \
   #   dport "${docker_container_port}" \
   #   dnat to "$docker_host_ip:$docker_host_port"
-  iptables-legacy --table nat --insert PREROUTING \
+  iptables --table nat --insert PREROUTING \
     --protocol tcp --destination-port "${docker_container_port/-/:}" \
     --jump DNAT --to-destination "$docker_host_ip:$docker_host_port"   
 
   # nft add rule nat prerouting udp \
   #   dport "${docker_container_port}" \
   #   dnat to "$docker_host_ip:$docker_host_port"
-  iptables-legacy --table nat --insert PREROUTING \
+  iptables --table nat --insert PREROUTING \
     --protocol udp --destination-port "${docker_container_port/-/:}" \
     --jump DNAT --to-destination "$docker_host_ip:$docker_host_port"
 done
 
 # nft add rule nat postrouting masquerade
-iptables-legacy --table nat --insert POSTROUTING --jump MASQUERADE
+iptables --table nat --insert POSTROUTING --jump MASQUERADE
 
 
 # --- Drop root access and "Ah, ha, ha, ha, stayin' alive" ---------------------