From 04964dd174bcc089cf27b60918d46e2cdfd19fb0 Mon Sep 17 00:00:00 2001 From: gitea Date: Fri, 20 Feb 2026 17:12:20 +0000 Subject: [PATCH] fix: switch to iptables-legacy in container Debian node:18-slim defaults to iptables-nft which requires nftables kernel access that Docker's seccomp profile blocks even with NET_ADMIN. Switch to iptables-legacy which works correctly with NET_ADMIN + NET_RAW. Co-Authored-By: Claude Sonnet 4.6
---
 Dockerfile | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/Dockerfile b/Dockerfile
index dee053b..aa23a01 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -24,6 +24,8 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
 ipset \
 curl \
 jq \
+ && update-alternatives --set iptables /usr/sbin/iptables-legacy \
+ && update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy \
 && rm -rf /var/lib/apt/lists/* \
 # Remove debian default jail (enables sshd which has no log file in container)
 && rm -f /etc/fail2ban/jail.d/defaults-debian.conf
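Review bot: The two added `update-alternatives --set` lines pin the legacy backend at image build time, but nothing visible here checks at container start that this backend actually works on the host kernel. iptables-legacy needs the host's ip_tables modules to be available, and a container holding only NET_ADMIN/NET_RAW cannot load them itself. On a host without them, fail2ban's ban actions would presumably fail while the service keeps running, so bans would be logged but not enforced. Consider a fail-fast check in the entrypoint (not shown in this hunk), for example `iptables -S >/dev/null || { echo "iptables backend unusable" >&2; exit 1; }`, and a comment above the new lines such as `# iptables-nft fails in this container; use the legacy backend (needs ip_tables on the host)`. The RUN instruction begins above the hunk.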