Thanks for your interest. anchord is feature-complete and in beta; contributions are very welcome — especially real-host validation, edge-case bug reports, and SPEC-level discussion before code.
- Read `ARCHITECTURE.md`, `SPEC.md`, and `CONTEXT.md` in that order. The three-role model is the part that's easiest to misread; getting it right makes the rest of the codebase obvious.
- For non-trivial changes (anything touching SPEC, adding/removing environment variables, changing the mental model), open an issue first to discuss the approach. Routine refactors, test additions, docs fixes, and obvious bug fixes can go straight to a PR.
```
git clone https://github.com/AlexCherrypi/anchord
cd anchord
go mod tidy
go build ./cmd/anchord
docker build -t anchord:dev .
```

See TESTING.md for the unit + e2e test commands per platform. The full suite runs host-independently inside Docker via `scripts/update-test-report.sh`.
A change is ready to merge when:
- `go vet ./...` clean.
- `go test ./...` passes.
- Touched code is covered by at least one test.
- If user-visible: README updated. If design-visible: CONTEXT or SPEC updated.
- Manual smoke test on real Docker: `docker compose up` against `compose.example.yaml` produces a working NAT path.
- The commit message explains why, not just what.
- iptables paths — nftables only.
- Config file formats — environment variables only.
- Layer-7 features (HTTP routing, TLS termination, hostname-based multiplexing). anchord stops at layer 4 by design. If you need layer-7, run a reverse proxy as a service-anchor.
- Shelling out to `nft` / `ip` / other userland tools when a netlink Go library is available. `conntrack` is currently the only intentional subprocess dependency. (DHCP is pure-Go via `github.com/insomniacslk/dhcp`; don't regress that.)
See CLAUDE.md "Don't do" for the full list.
Open an issue with:
- What you ran (compose snippet, env vars).
- What you expected.
- What happened (logs, `nft list ruleset` output if relevant).
- Kernel version, Docker version, host OS.
For security-sensitive issues, see SECURITY.md.