From cc382ec62848855f6fe7302fe7a37ac62af35a9c Mon Sep 17 00:00:00 2001
From: Josh Poimboeuf
Date: Thu, 30 Jan 2014 11:03:25 -0600
Subject: [PATCH] network: insert masq rule

This fixes IP masquerading on systems with reject rules at the end of the POSTROUTING table, by inserting the rule at the beginning of the table instead of adding it at the end.

Docker-DCO-1.1-Signed-off-by: Josh Poimboeuf (github: jpoimboe)
---
 network.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/network.go b/network.go
index c72ea12055..d9771ac008 100644
--- a/network.go
+++ b/network.go
@@ -327,7 +327,7 @@ func newNetworkManager(config *DaemonConfig) (*NetworkManager, error) {
 natArgs := []string{"POSTROUTING", "-t", "nat", "-s", addr.String(), "!", "-d", addr.String(), "-j", "MASQUERADE"}
 if !iptables.Exists(natArgs...) {
- if output, err := iptables.Raw(append([]string{"-A"}, natArgs...)...); err != nil {
+ if output, err := iptables.Raw(append([]string{"-I"}, natArgs...)...); err != nil {
 return nil, fmt.Errorf("Unable to enable network bridge NAT: %s", err)
 } else if len(output) != 0 {
 return nil, fmt.Errorf("Error iptables postrouting: %s", output)
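Review bot: With `-I` and no rule number, the MASQUERADE rule lands at position 1 of nat/POSTROUTING, so it now takes precedence over every rule already in that chain, not only the trailing reject rules the commit message describes. Any operator rule that exempts or SNATs traffic from the bridge subnet (for example a no-NAT exception for a VPN range) would presumably stop matching once the daemon starts, and nothing in the hunk logs or documents that. I would add a comment above the call, such as `// -I, not -A: the rule must precede terminal rules in nat/POSTROUTING; it also overrides operator rules for this subnet`, and consider whether a dedicated chain is a safer place for it. newNetworkManager starts and ends outside the hunk.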