hotfix(firewall): re-add iptables-legacy for setups with nft kernel support

Dockerfile

@@ -222,7 +222,7 @@ RUN apk add --no-cache --update -l wget && \
     apk add --no-cache --update -X "https://dl-cdn.alpinelinux.org/alpine/v3.17/main" openvpn\~2.5 && \
     mv /usr/sbin/openvpn /usr/sbin/openvpn2.5 && \
     apk del openvpn && \
-    apk add --no-cache --update openvpn ca-certificates iptables unbound tzdata && \
+    apk add --no-cache --update openvpn ca-certificates iptables iptables-legacy unbound tzdata && \
     mv /usr/sbin/openvpn /usr/sbin/openvpn2.6 && \
     rm -rf /var/cache/apk/* /etc/unbound/* /usr/sbin/unbound-* /etc/openvpn/*.sh /usr/lib/openvpn/plugins/openvpn-plugin-down-root.so && \
     deluser openvpn && \

internal/firewall/firewall.go

@@ -38,7 +38,7 @@ type Config struct { //nolint:maligned
 func NewConfig(ctx context.Context, logger Logger,
 	runner command.Runner, defaultRoutes []routing.DefaultRoute,
 	localNetworks []routing.LocalNetwork) (config *Config, err error) {
-	iptables, err := checkIptablesSupport(ctx, runner, "iptables", "iptables-nft")
+	iptables, err := checkIptablesSupport(ctx, runner, "iptables", "iptables-nft", "iptables-legacy")
 	if err != nil {
 		return nil, err
 	}

internal/firewall/iptables.go

@@ -269,12 +269,18 @@ func (c *Config) runUserPostRules(ctx context.Context, filepath string, remove b
 		case strings.HasPrefix(line, "iptables-nft "):
 			ipv4 = true
 			rule = strings.TrimPrefix(line, "iptables-nft ")
+		case strings.HasPrefix(line, "iptables-legacy "):
+			ipv4 = true
+			rule = strings.TrimPrefix(line, "iptables-legacy ")
 		case strings.HasPrefix(line, "ip6tables "):
 			ipv4 = false
 			rule = strings.TrimPrefix(line, "ip6tables ")
 		case strings.HasPrefix(line, "ip6tables-nft "):
 			ipv4 = false
 			rule = strings.TrimPrefix(line, "ip6tables-nft ")
+		case strings.HasPrefix(line, "ip6tables-legacy "):
+			ipv4 = false
+			rule = strings.TrimPrefix(line, "ip6tables-legacy ")
 		default:
 			continue
 		}