From 94e5081baca9a3b3408d3a6ffa2926d1e262d6fe Mon Sep 17 00:00:00 2001
From: Michael Crosby
Date: Thu, 24 Oct 2013 09:08:50 -0700
Subject: [PATCH] Move iptable rules outside of create bridge

This allows the user to toggle enabling and disabling intercontainer communication when they run the daemon.
---
 iptables/iptables.go |  5 +++++
 network.go           | 27 +++++++++++++++++----------
 2 files changed, 22 insertions(+), 10 deletions(-)

diff --git a/iptables/iptables.go b/iptables/iptables.go
index 5974d4d9c6..463f443fda 100644
--- a/iptables/iptables.go
+++ b/iptables/iptables.go
@@ -92,6 +92,11 @@ func (c *Chain) Remove() error {
 	return nil
 }
 
+// Check if an existing rule exists
+func Exists(args ...string) bool {
+	return Raw(append([]string{"-C"}, args...)...) == nil
+}
+
 func Raw(args ...string) error {
 	path, err := exec.LookPath("iptables")
 	if err != nil {
diff --git a/network.go b/network.go
index 593ed6cab0..c237ccc86d 100644
--- a/network.go
+++ b/network.go
@@ -145,16 +145,6 @@ func CreateBridgeIface(config *DaemonConfig) error {
 			"!", "-d", ifaceAddr, "-j", "MASQUERADE"); err != nil {
 			return fmt.Errorf("Unable to enable network bridge NAT: %s", err)
 		}
-
-		if !config.InterContainerCommunication {
-			utils.Debugf("Disable inter-container communication")
-			if err := iptables.Raw("-A", "FORWARD", "-i", config.BridgeIface, "-o", config.BridgeIface, "-j", "DROP"); err != nil {
-				return fmt.Errorf("Unable to prevent intercontainer communication: %s", err)
-			}
-		} else {
-			utils.Debugf("Enable inter-container communication")
-			iptables.Raw("-D", "FORWARD", "-i", config.BridgeIface, "-o", config.BridgeIface, "-j", "DROP")
-		}
 	}
 	return nil
 }
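Review bot: `Exists` in the iptables.go hunk turns any non-nil error from `Raw` into "rule not present", so a failed or unsupported `iptables -C` (the `-C` option only exists in iptables 1.4.11 and newer) is indistinguishable from a genuinely missing rule; the new caller in network.go guards its `-A` with `!iptables.Exists(args...)`, so on such a host the FORWARD DROP rule would be appended again on every daemon start, and the single `-D` issued when inter-container communication is re-enabled would remove only one copy, leaving traffic blocked with no error reported. Only the first three lines of `Raw` are in this hunk, so whether its error carries the process exit status is not visible here; if it does, `Exists` should treat exit status 1 as "absent" and surface anything else (bad arguments, missing binary, unsupported option) rather than folding it into `false`. The doc comment should at least state this limitation, e.g. `// Exists reports whether a rule matching args is present, using iptables -C; any failure to run iptables, including a binary that lacks -C, is reported as false.`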
@@ -659,6 +649,23 @@ func newNetworkManager(config *DaemonConfig) (*NetworkManager, error) {
 	}
 	network := addr.(*net.IPNet)
 
+	// Configure iptables for link support
+	if config.EnableIptables {
+		args := []string{"FORWARD", "-i", config.BridgeIface, "-o", config.BridgeIface, "-j", "DROP"}
+
+		if !config.InterContainerCommunication {
+			if !iptables.Exists(args...) {
+				utils.Debugf("Disable inter-container communication")
+				if err := iptables.Raw(append([]string{"-A"}, args...)...); err != nil {
+					return nil, fmt.Errorf("Unable to prevent intercontainer communication: %s", err)
+				}
+			}
+		} else {
+			utils.Debugf("Enable inter-container communication")
+			iptables.Raw(append([]string{"-D"}, args...)...)
+		}
+	}
+
 	ipAllocator := newIPAllocator(network)
 	tcpPortAllocator, err := newPortAllocator()