feat(validation): Add MicroK8s firewall validation tests for egress a… (#94)

NVJCameron · web-flow · commit ccc63c83f17a · 2026-02-20T17:16:25.000-08:00
* feat(validation): Add MicroK8s firewall validation tests for egress and pod-to-pod communication

- Implemented `ValidateMicroK8sFirewallAllowsEgress` to test egress connectivity from MicroK8s pods.
- Implemented `ValidateMicroK8sFirewallAllowsPodToPodCommunication` to verify communication between MicroK8s pods.
- Updated validation suite to include new tests for MicroK8s firewall rules.

* refactor(validation): Simplify MicroK8s firewall validation by extracting tests into dedicated functions

- Removed inline tests for MicroK8s firewall egress and pod-to-pod communication from the validation suite.
- Introduced `runMicroK8sFirewallValidation` function to encapsulate MicroK8s firewall tests.
- Enhanced readability and maintainability of the validation code.

* refactor: modify tests to fit rest of format

* fix: remove IP tables fix for testing

* fix: focus the iptables for shadeform

* fix(validation): Remove unnecessary blank line in MicroK8s firewall validation tests

* refactor(validation): Extract firewall validation tests into dedicated function

- Introduced `runFirewallSubtests` to encapsulate firewall-related validation tests for improved readability and maintainability.
- Removed inline firewall tests from `RunInstanceLifecycleValidation` and `RunFirewallValidation` functions.
- Ensured consistent testing structure across different validation scenarios.

* refactor(validation): Update parameter order in runFirewallSubtests for consistency

- Changed the parameter order in `runFirewallSubtests` to place context first, aligning with common Go practices.
- Updated all calls to `runFirewallSubtests` to reflect the new parameter order, enhancing code readability and maintainability.

* feat(validation): Enhance MicroK8s service readiness checks and installation retries

- Added a command to wait for MicroK8s Nginx service endpoints to be ready before proceeding with tests, preventing race conditions.
- Implemented a retry mechanism for the MicroK8s installation process, allowing up to three attempts with delays between retries for improved reliability.
- Included a check to wait for CoreDNS pods to be ready, ensuring subsequent commands relying on DNS resolution do not fail.

* fix: revert the retries. Didn't help nebius

* fix: enable the iptables changes to fix egress
diff --git a/internal/validation/suite.go b/internal/validation/suite.go
@@ -50,6 +50,40 @@ func RunValidationSuite(t *testing.T, config ProviderConfig) {
 	})
 }
 
+func runFirewallSubtests(ctx context.Context, t *testing.T, client v1.CloudInstanceReader, instance *v1.Instance, privateKey string, testPort int) {
+	t.Helper()
+
+	t.Run("ValidateFirewallBlocksPort", func(t *testing.T) {
+		err := v1.ValidateFirewallBlocksPort(ctx, client, instance, privateKey, testPort)
+		require.NoError(t, err, "ValidateFirewallBlocksPort should pass - port should be blocked")
+	})
+
+	t.Run("ValidateDockerFirewallBlocksPort", func(t *testing.T) {
+		err := v1.ValidateDockerFirewallBlocksPort(ctx, client, instance, privateKey, testPort)
+		require.NoError(t, err, "ValidateDockerFirewallBlocksPort should pass - docker port should be blocked")
+	})
+
+	t.Run("ValidateDockerFirewallAllowsEgress", func(t *testing.T) {
+		err := v1.ValidateDockerFirewallAllowsEgress(ctx, client, instance, privateKey)
+		require.NoError(t, err, "ValidateDockerFirewallAllowsEgress should pass - egress should be allowed")
+	})
+
+	t.Run("ValidateDockerFirewallAllowsContainerToContainerCommunication", func(t *testing.T) {
+		err := v1.ValidateDockerFirewallAllowsContainerToContainerCommunication(ctx, client, instance, privateKey)
+		require.NoError(t, err, "ValidateDockerFirewallAllowsContainerToContainerCommunication should pass - container to container communication should be allowed")
+	})
+
+	t.Run("ValidateMicroK8sFirewallAllowsEgress", func(t *testing.T) {
+		err := v1.ValidateMicroK8sFirewallAllowsEgress(ctx, client, instance, privateKey)
+		require.NoError(t, err, "ValidateMicroK8sFirewallAllowsEgress should pass - microk8s pod egress should be allowed")
+	})
+
+	t.Run("ValidateMicroK8sFirewallAllowsPodToPodCommunication", func(t *testing.T) {
+		err := v1.ValidateMicroK8sFirewallAllowsPodToPodCommunication(ctx, client, instance, privateKey)
+		require.NoError(t, err, "ValidateMicroK8sFirewallAllowsPodToPodCommunication should pass - microk8s pod to pod communication should be allowed")
+	})
+}
+
 func RunInstanceLifecycleValidation(t *testing.T, config ProviderConfig) {
 	if testing.Short() {
 		t.Skip("Skipping validation tests in short mode")
@@ -119,25 +153,7 @@ func RunInstanceLifecycleValidation(t *testing.T, config ProviderConfig) {
 			require.NoError(t, err, "ValidateInstanceImage should pass")
 		})
 
-		t.Run("ValidateFirewallBlocksPort", func(t *testing.T) {
-			err := v1.ValidateFirewallBlocksPort(ctx, client, instance, ssh.GetTestPrivateKey(), v1.DefaultFirewallTestPort)
-			require.NoError(t, err, "ValidateFirewallBlocksPort should pass - non-allowed port should be blocked")
-		})
-
-		t.Run("ValidateDockerFirewallBlocksPort", func(t *testing.T) {
-			err := v1.ValidateDockerFirewallBlocksPort(ctx, client, instance, ssh.GetTestPrivateKey(), v1.DefaultFirewallTestPort)
-			require.NoError(t, err, "ValidateDockerFirewallBlocksPort should pass - docker port should be blocked by iptables")
-		})
-
-		t.Run("ValidateDockerFirewallAllowsEgress", func(t *testing.T) {
-			err := v1.ValidateDockerFirewallAllowsEgress(ctx, client, instance, ssh.GetTestPrivateKey())
-			require.NoError(t, err, "ValidateDockerFirewallAllowsEgress should pass - egress should be allowed")
-		})
-
-		t.Run("ValidateDockerFirewallAllowsContainerToContainerCommunication", func(t *testing.T) {
-			err := v1.ValidateDockerFirewallAllowsContainerToContainerCommunication(ctx, client, instance, ssh.GetTestPrivateKey())
-			require.NoError(t, err, "ValidateDockerFirewallAllowsContainerToContainerCommunication should pass - container to container communication should be allowed")
-		})
+		runFirewallSubtests(ctx, t, client, instance, ssh.GetTestPrivateKey(), v1.DefaultFirewallTestPort)
 
 		if capabilities.IsCapable(v1.CapabilityStopStartInstance) && instance.Stoppable {
 			t.Run("ValidateStopStartInstance", func(t *testing.T) {
@@ -321,26 +337,7 @@ func RunFirewallValidation(t *testing.T, config ProviderConfig, opts FirewallVal
 		testPort = v1.DefaultFirewallTestPort
 	}
 
-	// Test that regular server on 0.0.0.0 is blocked
-	t.Run("ValidateFirewallBlocksPort", func(t *testing.T) {
-		err := v1.ValidateFirewallBlocksPort(ctx, client, instance, ssh.GetTestPrivateKey(), testPort)
-		require.NoError(t, err, "ValidateFirewallBlocksPort should pass - port should be blocked")
-	})
-
-	t.Run("ValidateDockerFirewallBlocksPort", func(t *testing.T) {
-		err := v1.ValidateDockerFirewallBlocksPort(ctx, client, instance, ssh.GetTestPrivateKey(), testPort)
-		require.NoError(t, err, "ValidateDockerFirewallBlocksPort should pass - docker port should be blocked")
-	})
-
-	t.Run("ValidateDockerFirewallAllowsEgress", func(t *testing.T) {
-		err := v1.ValidateDockerFirewallAllowsEgress(ctx, client, instance, ssh.GetTestPrivateKey())
-		require.NoError(t, err, "ValidateDockerFirewallAllowsEgress should pass - egress should be allowed")
-	})
-
-	t.Run("ValidateDockerFirewallAllowsContainerToContainerCommunication", func(t *testing.T) {
-		err := v1.ValidateDockerFirewallAllowsContainerToContainerCommunication(ctx, client, instance, ssh.GetTestPrivateKey())
-		require.NoError(t, err, "ValidateDockerFirewallAllowsContainerToContainerCommunication should pass - container to container communication should be allowed")
-	})
+	runFirewallSubtests(ctx, t, client, instance, ssh.GetTestPrivateKey(), testPort)
 
 	// Test that SSH port is accessible (sanity check)
 	t.Run("ValidateSSHPortAccessible", func(t *testing.T) {
diff --git a/v1/networking_validation.go b/v1/networking_validation.go
@@ -280,6 +280,190 @@ func ValidateDockerFirewallAllowsContainerToContainerCommunication(ctx context.C
 	return nil
 }
 
+func ValidateMicroK8sFirewallAllowsEgress(ctx context.Context, client CloudInstanceReader, instance *Instance, privateKey string) error {
+	var err error
+	instance, err = WaitForInstanceLifecycleStatus(ctx, client, instance, LifecycleStatusRunning, PendingToRunningTimeout)
+	if err != nil {
+		return fmt.Errorf("failed to wait for instance running: %w", err)
+	}
+
+	publicIP := instance.PublicIP
+	if publicIP == "" {
+		return fmt.Errorf("public IP is not available for instance %s", instance.CloudID)
+	}
+
+	sshClient, err := ssh.ConnectToHost(ctx, ssh.ConnectionConfig{
+		User:     instance.SSHUser,
+		HostPort: fmt.Sprintf("%s:%d", publicIP, instance.SSHPort),
+		PrivKey:  privateKey,
+	})
+	if err != nil {
+		return fmt.Errorf("failed to SSH into instance: %w", err)
+	}
+	defer func() { _ = sshClient.Close() }()
+
+	microK8sCmd, err := setupMicroK8sCommand(ctx, sshClient, instance.CloudID)
+	if err != nil {
+		return err
+	}
+
+	// Ensure prior run artifacts do not interfere.
+	_, _, _ = sshClient.RunCommand(ctx, fmt.Sprintf("%s kubectl delete pod mk8s-egress-test --ignore-not-found=true", microK8sCmd))
+
+	cmd := fmt.Sprintf(
+		"%s kubectl run mk8s-egress-test --image=alpine:3.20 --restart=Never --command -- sh -c 'ping -c 3 8.8.8.8'",
+		microK8sCmd,
+	)
+	_, stderr, err := sshClient.RunCommand(ctx, cmd)
+	if err != nil {
+		return fmt.Errorf("failed to create microk8s egress test pod: %w, stderr: %s", err, stderr)
+	}
+
+	defer func() {
+		_, _, _ = sshClient.RunCommand(ctx, fmt.Sprintf("%s kubectl delete pod mk8s-egress-test --ignore-not-found=true", microK8sCmd))
+	}()
+
+	cmd = fmt.Sprintf("%s kubectl wait --for=jsonpath='{.status.phase}'=Succeeded pod/mk8s-egress-test --timeout=180s", microK8sCmd)
+	_, stderr, err = sshClient.RunCommand(ctx, cmd)
+	if err != nil {
+		logsCmd := fmt.Sprintf("%s kubectl logs mk8s-egress-test 2>/dev/null || true", microK8sCmd)
+		logs, _, _ := sshClient.RunCommand(ctx, logsCmd)
+		return fmt.Errorf("microk8s egress test pod did not succeed: %w, stderr: %s, logs: %s", err, stderr, logs)
+	}
+
+	cmd = fmt.Sprintf("%s kubectl logs mk8s-egress-test", microK8sCmd)
+	stdout, stderr, err := sshClient.RunCommand(ctx, cmd)
+	if err != nil {
+		return fmt.Errorf("failed to get microk8s egress test pod logs: %w, stderr: %s", err, stderr)
+	}
+	if !strings.Contains(stdout, "3 packets transmitted, 3 packets received") {
+		return fmt.Errorf("expected successful pod egress ping, got logs: %s", stdout)
+	}
+
+	return nil
+}
+
+func ValidateMicroK8sFirewallAllowsPodToPodCommunication(ctx context.Context, client CloudInstanceReader, instance *Instance, privateKey string) error {
+	var err error
+	instance, err = WaitForInstanceLifecycleStatus(ctx, client, instance, LifecycleStatusRunning, PendingToRunningTimeout)
+	if err != nil {
+		return fmt.Errorf("failed to wait for instance running: %w", err)
+	}
+
+	publicIP := instance.PublicIP
+	if publicIP == "" {
+		return fmt.Errorf("public IP is not available for instance %s", instance.CloudID)
+	}
+
+	sshClient, err := ssh.ConnectToHost(ctx, ssh.ConnectionConfig{
+		User:     instance.SSHUser,
+		HostPort: fmt.Sprintf("%s:%d", publicIP, instance.SSHPort),
+		PrivKey:  privateKey,
+	})
+	if err != nil {
+		return fmt.Errorf("failed to SSH into instance: %w", err)
+	}
+	defer func() { _ = sshClient.Close() }()
+
+	microK8sCmd, err := setupMicroK8sCommand(ctx, sshClient, instance.CloudID)
+	if err != nil {
+		return err
+	}
+
+	cleanupMicroK8sPodToPodArtifacts(ctx, sshClient, microK8sCmd)
+	defer cleanupMicroK8sPodToPodArtifacts(ctx, sshClient, microK8sCmd)
+
+	if err := createMicroK8sNginxPod(ctx, sshClient, microK8sCmd); err != nil {
+		return err
+	}
+	if err := waitForMicroK8sNginxReady(ctx, sshClient, microK8sCmd); err != nil {
+		return err
+	}
+	if err := exposeMicroK8sNginxService(ctx, sshClient, microK8sCmd); err != nil {
+		return err
+	}
+	return runMicroK8sPodToPodTest(ctx, sshClient, microK8sCmd)
+}
+
+func cleanupMicroK8sPodToPodArtifacts(ctx context.Context, sshClient *ssh.Client, microK8sCmd string) {
+	_, _, _ = sshClient.RunCommand(ctx, fmt.Sprintf("%s kubectl delete pod mk8s-nginx mk8s-c2c-test --ignore-not-found=true", microK8sCmd))
+	_, _, _ = sshClient.RunCommand(ctx, fmt.Sprintf("%s kubectl delete service mk8s-nginx-svc --ignore-not-found=true", microK8sCmd))
+}
+
+func createMicroK8sNginxPod(ctx context.Context, sshClient *ssh.Client, microK8sCmd string) error {
+	cmd := fmt.Sprintf("%s kubectl run mk8s-nginx --image=nginx:alpine --restart=Never --port=80", microK8sCmd)
+	_, stderr, err := sshClient.RunCommand(ctx, cmd)
+	if err != nil {
+		return fmt.Errorf("failed to create microk8s nginx pod: %w, stderr: %s", err, stderr)
+	}
+
+	return nil
+}
+
+func waitForMicroK8sNginxReady(ctx context.Context, sshClient *ssh.Client, microK8sCmd string) error {
+	cmd := fmt.Sprintf("%s kubectl wait --for=condition=Ready pod/mk8s-nginx --timeout=180s", microK8sCmd)
+	_, stderr, err := sshClient.RunCommand(ctx, cmd)
+	if err != nil {
+		return fmt.Errorf("microk8s nginx pod did not become ready: %w, stderr: %s", err, stderr)
+	}
+
+	return nil
+}
+
+func exposeMicroK8sNginxService(ctx context.Context, sshClient *ssh.Client, microK8sCmd string) error {
+	cmd := fmt.Sprintf("%s kubectl expose pod mk8s-nginx --name=mk8s-nginx-svc --port=80 --target-port=80", microK8sCmd)
+	_, stderr, err := sshClient.RunCommand(ctx, cmd)
+	if err != nil {
+		return fmt.Errorf("failed to create microk8s nginx service: %w, stderr: %s", err, stderr)
+	}
+
+	// Wait for the service to have endpoints before the test pod tries to connect.
+	// This avoids the race where DNS resolves but the service has no backing endpoints yet.
+	epCmd := fmt.Sprintf(
+		"%s kubectl wait --for=jsonpath='{.subsets[0].addresses[0].ip}' endpoints/mk8s-nginx-svc --timeout=60s",
+		microK8sCmd,
+	)
+	_, stderr, err = sshClient.RunCommand(ctx, epCmd)
+	if err != nil {
+		return fmt.Errorf("service endpoints did not become ready: %w, stderr: %s", err, stderr)
+	}
+
+	return nil
+}
+
+func runMicroK8sPodToPodTest(ctx context.Context, sshClient *ssh.Client, microK8sCmd string) error {
+	// Retry wget up to 10 times with 3-second sleeps so transient DNS propagation
+	// delays don't cause an immediate hard failure.
+	wgetScript := `for i in $(seq 1 10); do wget -q -O- http://mk8s-nginx-svc && exit 0; sleep 3; done; exit 1`
+	cmd := fmt.Sprintf(
+		"%s kubectl run mk8s-c2c-test --image=alpine:3.20 --restart=Never --command -- sh -c '%s'",
+		microK8sCmd, wgetScript,
+	)
+	_, stderr, err := sshClient.RunCommand(ctx, cmd)
+	if err != nil {
+		return fmt.Errorf("failed to create microk8s pod-to-pod test pod: %w, stderr: %s", err, stderr)
+	}
+
+	cmd = fmt.Sprintf("%s kubectl wait --for=jsonpath='{.status.phase}'=Succeeded pod/mk8s-c2c-test --timeout=180s", microK8sCmd)
+	_, stderr, err = sshClient.RunCommand(ctx, cmd)
+	if err != nil {
+		logsCmd := fmt.Sprintf("%s kubectl logs mk8s-c2c-test 2>/dev/null || true", microK8sCmd)
+		logs, _, _ := sshClient.RunCommand(ctx, logsCmd)
+		return fmt.Errorf("microk8s pod-to-pod test pod did not succeed: %w, stderr: %s, logs: %s", err, stderr, logs)
+	}
+
+	cmd = fmt.Sprintf("%s kubectl logs mk8s-c2c-test", microK8sCmd)
+	stdout, stderr, err := sshClient.RunCommand(ctx, cmd)
+	if err != nil {
+		return fmt.Errorf("failed to get microk8s pod-to-pod test pod logs: %w, stderr: %s", err, stderr)
+	}
+	if !strings.Contains(stdout, "Welcome to nginx") {
+		return fmt.Errorf("expected successful pod-to-pod communication, got logs: %s", stdout)
+	}
+
+	return nil
+}
+
 // setupDockerCommand ensures Docker is available and returns the command to use (always with sudo)
 func setupDockerCommand(ctx context.Context, sshClient *ssh.Client, instanceID CloudProviderInstanceID) (string, error) {
 	// Check if Docker is available
@@ -301,6 +485,38 @@ func setupDockerCommand(ctx context.Context, sshClient *ssh.Client, instanceID C
 	return "sudo docker", nil
 }
 
+// setupMicroK8sCommand ensures MicroK8s is available and returns the command to use (always with sudo).
+func setupMicroK8sCommand(ctx context.Context, sshClient *ssh.Client, instanceID CloudProviderInstanceID) (string, error) {
+	checkCmd := "sudo microk8s status --wait-ready --timeout 120"
+	_, _, err := sshClient.RunCommand(ctx, checkCmd)
+	if err != nil {
+		fmt.Printf("MicroK8s not found or not ready, attempting to install on instance %s\n", instanceID)
+		_, stderr, installErr := sshClient.RunCommand(ctx, "sudo snap install microk8s --classic")
+		if installErr != nil {
+			return "", fmt.Errorf("microk8s not available and failed to install: %w, stderr: %s", installErr, stderr)
+		}
+		_, stderr, readyErr := sshClient.RunCommand(ctx, checkCmd)
+		if readyErr != nil {
+			return "", fmt.Errorf("microk8s installed but not ready: %w, stderr: %s", readyErr, stderr)
+		}
+	}
+
+	_, stderr, err := sshClient.RunCommand(ctx, "sudo microk8s enable dns")
+	if err != nil && !strings.Contains(stderr, "Nothing to do for dns") && !strings.Contains(stderr, "is already enabled") {
+		return "", fmt.Errorf("failed to enable microk8s dns addon: %w, stderr: %s", err, stderr)
+	}
+
+	// Wait for CoreDNS pods to be ready before returning. Without this,
+	// subsequent kubectl commands that rely on DNS resolution may fail.
+	dnsWaitCmd := "sudo microk8s kubectl wait --for=condition=Ready pod -l k8s-app=kube-dns -n kube-system --timeout=120s"
+	_, stderr, err = sshClient.RunCommand(ctx, dnsWaitCmd)
+	if err != nil {
+		return "", fmt.Errorf("CoreDNS pods did not become ready: %w, stderr: %s", err, stderr)
+	}
+
+	return "sudo microk8s", nil
+}
+
 // waitForDockerService waits for a Docker container's service to be ready and responding
 func waitForDockerService(ctx context.Context, sshClient *ssh.Client, dockerCmd, containerName string, port int) error {
 	for i := 0; i < 30; i++ { // Try for up to 30 seconds
diff --git a/v1/providers/nebius/instance.go b/v1/providers/nebius/instance.go
@@ -1815,8 +1815,12 @@ func generateIPTablesCommands() []string {
 		"iptables -A DOCKER-USER -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
 		"iptables -A DOCKER-USER -i docker0 ! -o docker0 -j ACCEPT",
 		"iptables -A DOCKER-USER -i br+     ! -o br+     -j ACCEPT",
+		"iptables -A DOCKER-USER -i cni+    ! -o cni+    -j ACCEPT", // TODO: add these back in when we have a way to test it
+		"iptables -A DOCKER-USER -i cali+   ! -o cali+   -j ACCEPT",
 		"iptables -A DOCKER-USER -i docker0 -o docker0 -j ACCEPT",
 		"iptables -A DOCKER-USER -i br+     -o br+     -j ACCEPT",
+		"iptables -A DOCKER-USER -i cni+    -o cni+    -j ACCEPT",
+		"iptables -A DOCKER-USER -i cali+   -o cali+   -j ACCEPT",
 		"iptables -A DOCKER-USER -i lo -j ACCEPT",
 		"iptables -A DOCKER-USER -j DROP",
 		"iptables -A DOCKER-USER -j RETURN", // Expected by Docker
diff --git a/v1/providers/shadeform/firewall.go b/v1/providers/shadeform/firewall.go
@@ -24,10 +24,14 @@ const (
 	// Allow containers to initiate outbound traffic (default bridge + user-defined bridges).
 	ipTablesAllowDockerUserOutboundInit0 = "iptables -A DOCKER-USER -i docker0 ! -o docker0 -j ACCEPT"
 	ipTablesAllowDockerUserOutboundInit1 = "iptables -A DOCKER-USER -i br+     ! -o br+     -j ACCEPT"
+	ipTablesAllowDockerUserOutboundInit2 = "iptables -A DOCKER-USER -i cni+    ! -o cni+    -j ACCEPT"
+	ipTablesAllowDockerUserOutboundInit3 = "iptables -A DOCKER-USER -i cali+   ! -o cali+   -j ACCEPT"
 
 	// Allow container-to-container on the same bridge.
 	ipTablesAllowDockerUserDockerToDocker0 = "iptables -A DOCKER-USER -i docker0 -o docker0 -j ACCEPT"
 	ipTablesAllowDockerUserDockerToDocker1 = "iptables -A DOCKER-USER -i br+     -o br+     -j ACCEPT"
+	ipTablesAllowDockerUserDockerToDocker2 = "iptables -A DOCKER-USER -i cni+    -o cni+    -j ACCEPT"
+	ipTablesAllowDockerUserDockerToDocker3 = "iptables -A DOCKER-USER -i cali+   -o cali+   -j ACCEPT"
 
 	// Allow inbound traffic on the loopback interface.
 	ipTablesAllowDockerUserInpboundLoopback = "iptables -A DOCKER-USER -i lo -j ACCEPT"
@@ -80,8 +84,12 @@ func (c *ShadeformClient) getIPTablesCommands() []string {
 		ipTablesAllowDockerUserOutbound,
 		ipTablesAllowDockerUserOutboundInit0,
 		ipTablesAllowDockerUserOutboundInit1,
+		ipTablesAllowDockerUserOutboundInit2, // TODO: add these back in when we have a way to test it
+		ipTablesAllowDockerUserOutboundInit3,
 		ipTablesAllowDockerUserDockerToDocker0,
 		ipTablesAllowDockerUserDockerToDocker1,
+		ipTablesAllowDockerUserDockerToDocker2,
+		ipTablesAllowDockerUserDockerToDocker3,
 		ipTablesAllowDockerUserInpboundLoopback,
 		ipTablesDropDockerUserInbound,
 		ipTablesReturnDockerUser, // Expected by Docker
