diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml new file mode 100644 index 0000000..7d77234 --- /dev/null +++ b/.github/workflows/build.yml @@ -0,0 +1,35 @@ +name: Build Images + +on: + push: + +jobs: + docker: + runs-on: ubuntu-latest + steps: + - name: Log into DockerHub + if: github.event_name != 'pull_request' + uses: docker/login-action@v3 + with: + username: ${{ github.actor }} + password: ${{ secrets.DOCKERHUB_TOKEN }} + + - name: Set up QEMU + uses: docker/setup-qemu-action@v3 + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 + + - name: Docker meta + id: meta + uses: docker/metadata-action@v5 + with: + images: ${{ github.actor }}/ufw-docker-agent + + - name: Build and push + uses: docker/build-push-action@v6 + with: + push: ${{ github.event_name != 'pull_request' }} + platforms: linux/amd64,linux/arm64/v8 + tags: ${{ steps.meta.outputs.tags }} + labels: ${{ steps.meta.outputs.labels }} diff --git a/Dockerfile b/Dockerfile index eee76c2..b63c63e 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,6 +1,7 @@ -FROM ubuntu:22.04 +FROM ubuntu:24.04 -ARG docker_version="20.10.17" +ARG docker_version="27.3.1" +ARG use_iptables_legacy=false ENV DEBIAN_FRONTEND=noninteractive RUN apt-get update \ 
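Review bot: `username: ${{ github.actor }}` and `images: ${{ github.actor }}/ufw-docker-agent` take the Docker Hub account name from whoever pushed, so a push by any other collaborator logs in under the wrong name with `secrets.DOCKERHUB_TOKEN` and targets a different image repository; a fixed value such as `username: ${{ github.repository_owner }}` or a repository variable avoids that. With `on: push` as the only trigger, both `github.event_name != 'pull_request'` conditions are always true, so every branch push publishes an image; if that is not intended, restrict the trigger to release branches or tags. The job also has no `permissions:` block and references its actions by mutable tags (`@v3`, `@v5`, `@v6`); adding `permissions:` with `contents: read` and pinning each action to a full commit SHA would limit what a compromised action could do in a job that holds the registry token.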
@@ -12,9 +13,17 @@ RUN apt-get update \ | tee /etc/apt/sources.list.d/docker.list > /dev/null \ && apt-get update \ && apt-get install -y --no-install-recommends locales ufw \ - && ( apt-get install -y --no-install-recommends "docker-ce=5:${docker_version}~*" || \ - apt-get install -y --no-install-recommends "docker-ce=${docker_version}~*" ) \ + && apt-get install -y --no-install-recommends "docker-ce=$(apt-cache madison docker-ce | grep -m1 -F "${docker_version}" | cut -d'|' -f2 | tr -d '[[:blank:]]')" \ && locale-gen en_US.UTF-8 \ + && if "$use_iptables_legacy"; then \ + apt-get -y install arptables ebtables \ + && update-alternatives --install /usr/sbin/arptables arptables /usr/sbin/arptables-legacy 100 \ + && update-alternatives --install /usr/sbin/ebtables ebtables /usr/sbin/ebtables-legacy 100 \ + && update-alternatives --set iptables /usr/sbin/iptables-legacy \ + && update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy \ + && update-alternatives --set arptables /usr/sbin/arptables-legacy \ + && update-alternatives --set ebtables /usr/sbin/ebtables-legacy; \ + fi \ && apt-get clean autoclean \ && apt-get autoremove --yes \ && rm -rf /var/lib/{apt,dpkg,cache,log}/ diff --git a/Vagrantfile b/Vagrantfile index ced906d..7e69446 100644 --- a/Vagrantfile +++ b/Vagrantfile 
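Review bot: `if "$use_iptables_legacy"; then` executes the build-arg value as a command, so anything other than `true` or `false` passed with `--build-arg` is run by the shell during the build; a string comparison such as `if [ "$use_iptables_legacy" = true ]; then` keeps it a plain flag. In the same RUN, the `grep -m1 -F "${docker_version}"` lookup matches the version as a substring anywhere in the `apt-cache madison` line and produces an empty string when nothing matches, which presumably surfaces only as an apt error about `docker-ce=`; checking that the resolved version is non-empty before the install would make the failure explicit. The added `apt-get -y install arptables ebtables` also omits `--no-install-recommends`, unlike the other installs in this instruction. The RUN instruction starts before this hunk.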
@@ -6,16 +6,15 @@ ENV['VAGRANT_NO_PARALLEL']="true" Vagrant.configure('2') do |config| - - docker_version = "20.10.17" - ubuntu_version = File.readlines("Dockerfile").filter { |line| line.start_with?("FROM ") }.first.match(/\d\d\.\d\d/)[0] - config.vm.box = "chaifeng/ubuntu-#{ubuntu_version}-docker-#{docker_version}#{(`uname -m`.strip == "arm64")?"-arm64":""}" + docker_version = File.readlines("Dockerfile").filter { |line| + line.start_with?("ARG docker_version=") + }.first.match(/"([\d\.]+)"/)[1] - #config.vm.box = "chaifeng/ubuntu-20.04-docker-20.10.17#{(`uname -m`.strip == "arm64")?"-arm64":""}" + config.vm.box = "chaifeng/ubuntu-#{ubuntu_version}-docker-#{docker_version}" config.vm.provider 'virtualbox' do |vb| vb.memory = '1024' @@ -88,12 +87,13 @@ Vagrant.configure('2') do |config| daemonize: true end - ufw_docker_agent_image = "#{private_registry}/chaifeng/ufw-docker-agent:test-legacy" + ufw_docker_agent_image = "#{private_registry}/chaifeng/ufw-docker-agent:test" master.vm.provision "docker-build-ufw-docker-agent", preserve_order: true, type: 'shell', inline: <<-SHELL - set -euo pipefail + set -xeuo pipefail suffix="$(iptables --version | grep -o '\\(nf_tables\\|legacy\\)')" - docker build -t "#{ufw_docker_agent_image}-${suffix}" /vagrant + if [[ "$suffix" = legacy ]]; then use_iptables_legacy=true; else use_iptables_legacy=false; fi + docker build --build-arg use_iptables_legacy="${use_iptables_legacy:-false}" -t "#{ufw_docker_agent_image}-${suffix}" /vagrant docker push "#{ufw_docker_agent_image}-${suffix}" echo "export UFW_DOCKER_AGENT_IMAGE=#{ufw_docker_agent_image}-${suffix}" > /etc/profile.d/ufw-docker.sh 
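Review bot: The new `docker_version` lookup fails with a bare NoMethodError on nil when the Dockerfile has no `ARG docker_version=` line or the value is not double-quoted, because `.first` or `.match(...)` returns nil before `[1]` is applied; the `ubuntu_version` line above it has the same shape. A `find` with an explicit failure reads more directly, for example `arg = File.readlines("Dockerfile").find { |l| l.start_with?("ARG docker_version=") }` followed by `docker_version = arg&.[](/"([\d.]+)"/, 1) || abort("docker_version not found in Dockerfile")`. The box name also no longer carries the `-arm64` suffix, which assumes the published box covers both architectures; a short comment saying so would help the next reader.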
@@ -116,10 +116,10 @@ Vagrant.configure('2') do |config| docker build -t #{private_registry}/chaifeng/hostname-webapp - <<\\DOCKERFILE FROM httpd:alpine +RUN printf "Listen %s\\n" 7000 8080 >> /usr/local/apache2/conf/httpd.conf + RUN { echo '#!/bin/sh'; \\ echo 'set -e; (echo -n "${name:-Hi} "; hostname;) > /usr/local/apache2/htdocs/index.html'; \\ - echo 'grep "^Listen 7000" || echo Listen 7000 >> /usr/local/apache2/conf/httpd.conf'; \\ - echo 'grep "^Listen 8080" || echo Listen 8080 >> /usr/local/apache2/conf/httpd.conf'; \\ echo 'exec "$@"'; \\ } > /entrypoint.sh; chmod +x /entrypoint.sh @@ -178,16 +178,17 @@ DOCKERFILE ufw-docker service allow public_service 80/tcp - docker service create --name "public_multiport" \ - --publish "40080:80" --publish "47000:7000" --publish "48080:8080" \ - --env name="public_multiport" --replicas 3 #{private_registry}/chaifeng/hostname-webapp + docker service inspect "public_multiport" || + docker service create --name "public_multiport" \ + --publish "40080:80" --publish "47000:7000" --publish "48080:8080" \ + --env name="public_multiport" --replicas 3 #{private_registry}/chaifeng/hostname-webapp ufw-docker service allow public_multiport 80/tcp ufw-docker service allow public_multiport 8080/tcp SHELL end - 1.upto 2 do |ip| + 1.upto 1 do |ip| config.vm.define "node#{ip}" do | node | node.vm.hostname = "node#{ip}" node.vm.network "private_network", ip: "#{ip_prefix}.#{ 130 + ip }" @@ -202,6 +203,11 @@ DOCKERFILE end end + config.vm.define "node-internal" do |node| + node.vm.hostname = "node-internal" + node.vm.network "private_network", ip: "#{ip_prefix}.142" + end + config.vm.define "external" do |external| external.vm.hostname = "external" external.vm.network "private_network", ip: "#{ip_prefix}.127" diff --git a/test/bach b/test/bach index 447edb6..27885eb 160000 --- a/test/bach +++ b/test/bach @@ -1 +1 @@ -Subproject commit 447edb60db232d3dbc2267f37c49bd7a070cc83d +Subproject commit 27885eb79c11e4652dede994c886ae5f9e30994f 
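Review bot: The `docker service inspect "public_multiport" ||` guard in the `@@ -178,16 +178,17 @@` hunk writes the full service JSON to the provisioning log on every re-provision, because the probe's output is not redirected; `docker service inspect "public_multiport" >/dev/null ||` keeps the existence check and leaves error messages visible. In the same hunk `1.upto 1 do |ip|` now runs exactly once, so a comment explaining why the loop is kept (or a plain `config.vm.define "node1"`) would make the intent clearer. The shell heredoc this guard sits in starts outside the hunk.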
diff --git a/test/ufw-docker.test.sh b/test/ufw-docker.test.sh index 45ec074..73ca3f7 100755 --- a/test/ufw-docker.test.sh +++ b/test/ufw-docker.test.sh @@ -18,7 +18,7 @@ source "$working_dir"/bach/bach.sh @mocktrue docker -v @mock docker -v === @stdout Docker version 0.0.0, build dummy - @ignore remove_blank_lines + @mockpipe remove_blank_lines @ignore echo @ignore err @@ -465,7 +465,7 @@ test-ufw-docker--instance-name-found-a-name() { } test-ufw-docker--instance-name-found-a-name-assert() { docker inspect --format="{{.Name}}" foo - echo -n foo + @dryrun echo -n foo } @@ -557,7 +557,7 @@ test-ufw-docker--list-number-assert() { test-ufw-docker--delete-empty-result() { @mock ufw-docker--list-number webapp 80 tcp === @stdout "" - @mock sort -rn + @mockpipe sort -rn load-ufw-docker-function ufw-docker--delete ufw-docker--delete webapp 80 tcp @@ -569,7 +569,7 @@ test-ufw-docker--delete-empty-result-assert() { test-ufw-docker--delete-all() { @mock ufw-docker--list-number webapp 80 tcp === @stdout 5 8 9 - @mock sort -rn + @mockpipe sort -rn load-ufw-docker-function ufw-docker--delete ufw-docker--delete webapp 80 tcp