From df4caf48d07746d86940ed69aab9a0d5aa5ba07a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Nicolas=20Mass=C3=A9?=
Date: Thu, 4 Jun 2026 18:31:51 +0000
Subject: [PATCH] enable communication between clair and quay

---
 cookbooks/nftables/config/00-global.nft | 14 +++++++++-----
 .../quay/dropins/quay-clair.container.d/quay.conf | 4 ++++
 cookbooks/quay/other/nftables/50-quay.nft | 1 +
 3 files changed, 14 insertions(+), 5 deletions(-)
 create mode 100644 cookbooks/quay/dropins/quay-clair.container.d/quay.conf

diff --git a/cookbooks/nftables/config/00-global.nft b/cookbooks/nftables/config/00-global.nft
index 59b7a31..650ead3 100755
--- a/cookbooks/nftables/config/00-global.nft
+++ b/cookbooks/nftables/config/00-global.nft
@@ -4,7 +4,7 @@ flush ruleset
 
 table inet itix-fw {
 chain input {
-type filter hook input priority filter + 20
+type filter hook input priority filter
 policy drop
 
 ct state invalid counter drop
@@ -15,7 +15,7 @@ table inet itix-fw {
 
 }
 chain output {
-type filter hook output priority filter + 20
+type filter hook output priority filter
 policy drop
 
 ct state invalid counter drop
@@ -26,7 +26,7 @@ table inet itix-fw {
 
 }
 chain forward {
-type filter hook forward priority filter + 20
+type filter hook forward priority filter
 policy drop
 
 # Loopback
@@ -36,11 +36,15 @@ table inet itix-fw {
 
 table inet itix-nat {
 chain prerouting {
-type nat hook prerouting priority dstnat + 20
+type nat hook prerouting priority dstnat
 policy accept
 }
 chain postrouting {
-type nat hook postrouting priority srcnat + 20
+type nat hook postrouting priority srcnat
+policy accept
+}
+chain output {
+type nat hook output priority dstnat
 policy accept
 }
 }
diff --git a/cookbooks/quay/dropins/quay-clair.container.d/quay.conf b/cookbooks/quay/dropins/quay-clair.container.d/quay.conf
new file mode 100644
index 0000000..c5036bf
--- /dev/null
+++ b/cookbooks/quay/dropins/quay-clair.container.d/quay.conf
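Review bot: Nothing in this hunk or in the commit message explains why the `+ 20` offset is dropped from the input chain priority; the output, forward, prerouting and postrouting chains in the next three hunks change the same way, and the message only talks about Clair/Quay communication. Priority decides where these chains run relative to chains that other tables register on the same hook, so if the offset was removed to order `itix-fw` against another ruleset on the host, that reason belongs in the file, e.g. `# priority kept at the hook's base value (filter/0); do not re-add an offset without checking the other tables hooked here`. If it is instead an unrelated cleanup, it is better split into its own commit so the firewall ordering change can be reverted independently of the Quay/Clair plumbing.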
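Review bot: The new `chain output` in `itix-nat` carries no comment saying what it is for, although it is only consumed from another cookbook (`50-quay.nft` in this same patch adds the loopback redirect to it). A one-liner above it such as `# dstnat for locally generated traffic, e.g. the 127.0.0.1:443 -> 8443 Quay redirect in 50-quay.nft` would make the cross-file dependency visible to whoever edits this file next. With `priority dstnat` this chain runs before the `policy drop` filter output chain earlier in the file, so that chain sees the rewritten destination port (8443, not 443); its loopback accept rules need to cover that, which cannot be confirmed from the lines shown here.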
@@ -0,0 +1,4 @@
+[Container]
+# Inject a DNS record into /etc/hosts to allow Clair to reach Quay over the loopback interface.
+# TODO: replace "quay" with the FQDN of the Quay instance.
+AddHost=quay:127.0.0.1
diff --git a/cookbooks/quay/other/nftables/50-quay.nft b/cookbooks/quay/other/nftables/50-quay.nft
index 60b09f3..2f0cca8 100755
--- a/cookbooks/quay/other/nftables/50-quay.nft
+++ b/cookbooks/quay/other/nftables/50-quay.nft
@@ -5,3 +5,4 @@ add rule inet itix-fw input tcp dport { 80, 8443 } counter accept
 
 # Redirect port 443 to 8443 (Quay)
 add rule inet itix-nat prerouting tcp dport 443 counter redirect to 8443
+add rule inet itix-nat output ip daddr 127.0.0.1 tcp dport 443 counter redirect to 8443
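Review bot: `AddHost=quay:127.0.0.1` only reaches the host's Quay if the Clair container shares the host network namespace; in a bridged (netavark/CNI) network, 127.0.0.1 is the container's own loopback, the connection never leaves the container, and the host-side `itix-nat output` redirect added in `50-quay.nft` never sees it. The drop-in shows no `Network=` setting, so whether that holds cannot be told from the patch, and the assumption should be stated next to the directive, e.g. `# Assumes the unit runs with host networking: 127.0.0.1 must be the host loopback for the nftables 443->8443 redirect to apply.` If Clair validates Quay's TLS certificate, the name `quay` is also what it will check the certificate against, so the existing TODO about the FQDN is worth resolving before this ships rather than leaving a name the certificate may not carry.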
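Review bot: The new `output` rule redirects every locally generated connection to 127.0.0.1:443 to port 8443, not only Clair's; any other process on the host that talks to 127.0.0.1:443 will silently land on Quay, and unlike the `prerouting` rule above it the line carries no comment. Suggest `# Same redirect for locally generated traffic, so Clair can reach Quay through the 'quay' loopback entry in its container drop-in`, and, if Clair runs under a dedicated uid, narrowing the match with `meta skuid` so the redirect does not apply host-wide. The rule also depends on the `itix-nat output` chain that `00-global.nft` defines in this same patch, so the load order of the two files (the numeric prefixes suggest global first) is what keeps `nft -f` from failing on an unknown chain; worth a mention in the comment.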