From baa5a896a23e1e318ea1c0fcb4eb666191fdb5a8 Mon Sep 17 00:00:00 2001
From: Arnaud Porterie
Date: Mon, 10 Nov 2014 16:19:16 -0800
Subject: [PATCH] Add `--userland-proxy` daemon flag

The `--userland-proxy` daemon flag makes it possible to rely on hairpin NAT and additional iptables routes instead of userland proxy for port publishing and inter-container communication. Usage of the userland proxy remains the default as hairpin NAT is unsupported by older kernels.

Signed-off-by: Arnaud Porterie
---
 iptables/firewalld_test.go | 2 +-
 iptables/iptables.go | 9 +++++----
 iptables/iptables_test.go | 5 ++---
 3 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/iptables/firewalld_test.go b/iptables/firewalld_test.go
index 3896007..ff92657 100644
--- a/iptables/firewalld_test.go
+++ b/iptables/firewalld_test.go
@@ -14,7 +14,7 @@ func TestReloaded(t *testing.T) {
 var err error
 var fwdChain *Chain
- fwdChain, err = NewChain("FWD", "lo", Filter)
+ fwdChain, err = NewChain("FWD", "lo", Filter, false)
 if err != nil {
 t.Fatal(err)
 }
diff --git a/iptables/iptables.go b/iptables/iptables.go
index 9983ec6..64a45db 100644
--- a/iptables/iptables.go
+++ b/iptables/iptables.go
@@ -58,7 +58,7 @@ func initCheck() error {
 return nil
 }
-func NewChain(name, bridge string, table Table) (*Chain, error) {
+func NewChain(name, bridge string, table Table, hairpinMode bool) (*Chain, error) {
 c := &Chain{
 Name: name,
 Bridge: bridge,
@@ -90,8 +90,10 @@ func NewChain(name, bridge string, table Table) (*Chain, error) {
 }
 output := []string{
 "-m", "addrtype",
- "--dst-type", "LOCAL",
- "!", "--dst", "127.0.0.0/8"}
+ "--dst-type", "LOCAL"}
+ if !hairpinMode {
+ output = append(output, "!", "--dst", "127.0.0.0/8")
+ }
 if !Exists(Nat, "OUTPUT", output...) {
 if err := c.Output(Append, output...); err != nil {
 return nil, fmt.Errorf("Failed to inject docker in OUTPUT chain: %s", err)
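Review bot: NewChain is exported but carries no doc comment, and the new bool parameter is opaque at every call site in this patch (`NewChain("FWD", "lo", Filter, false)` says nothing about what false selects). Suggest adding above the signature: `// NewChain builds the Chain named name in table for bridge and installs the nat OUTPUT jump for it. When hairpinMode is true the OUTPUT rule is not restricted to non-loopback destinations; when false (the userland-proxy default) it keeps the "! --dst 127.0.0.0/8" exclusion.` The body of NewChain continues past this hunk.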
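Review bot: The `Exists(Nat, "OUTPUT", output...)` check only looks for the rule shape of the current mode, so a daemon restarted with the opposite `--userland-proxy` setting finds no match and appends a second OUTPUT jump while the earlier one, with or without the `! --dst 127.0.0.0/8` exclusion, stays in place; since the two rules are a union, loopback-destined traffic keeps being sent to the DOCKER chain even after switching back to proxy mode, assuming the target that c.Output appends (outside the hunk) is the same in both cases. Consider checking for and deleting the other form before appending, or at least documenting that changing the mode requires flushing the stale rule. The mode-dependent exclusion also deserves a why-comment, e.g. `// Without the userland proxy, locally originated traffic to loopback must also reach the DOCKER chain for published ports to be reachable on 127.0.0.1` — presumably the reason, given the commit message, but the proxy side is not visible here. NewChain starts and ends outside this hunk.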
@@ -137,7 +139,6 @@ func (c *Chain) Forward(action Action, ip net.IP, port int, proto, destAddr stri
 "-p", proto,
 "-d", daddr,
 "--dport", strconv.Itoa(port),
- "!", "-i", c.Bridge,
 "-j", "DNAT",
 "--to-destination", net.JoinHostPort(destAddr, strconv.Itoa(destPort))); err != nil {
 return err
diff --git a/iptables/iptables_test.go b/iptables/iptables_test.go
index ced4262..3539bd5 100644
--- a/iptables/iptables_test.go
+++ b/iptables/iptables_test.go
@@ -16,12 +16,12 @@ var filterChain *Chain
 func TestNewChain(t *testing.T) {
 var err error
- natChain, err = NewChain(chainName, "lo", Nat)
+ natChain, err = NewChain(chainName, "lo", Nat, false)
 if err != nil {
 t.Fatal(err)
 }
- filterChain, err = NewChain(chainName, "lo", Filter)
+ filterChain, err = NewChain(chainName, "lo", Filter, false)
 if err != nil {
 t.Fatal(err)
 }
@@ -40,7 +40,6 @@ func TestForward(t *testing.T) {
 }
 dnatRule := []string{
- "!", "-i", filterChain.Bridge,
 "-d", ip.String(),
 "-p", proto,
 "--dport", strconv.Itoa(port),
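Review bot: The `"!", "-i", c.Bridge` match is dropped from the DNAT rule unconditionally, although the commit message keeps the userland proxy as the default; in that default mode packets arriving on the bridge for a published port, presumably left to the proxy before, will now be DNAT'ed, which relies on the hairpin-NAT support the message says older kernels lack. The interface exclusion should go only when hairpin mode is on: collect the rule arguments in a slice and prepend the match otherwise, e.g. `if !c.HairpinMode { args = append([]string{"!", "-i", c.Bridge}, args...) }`. That needs the mode stored on the Chain, which the NewChain hunk does not visibly do (a field such as `HairpinMode bool` set from the new parameter). Forward starts and ends outside this hunk, so the call this rule belongs to is not fully visible.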
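Review bot: Every NewChain call in the tests passes `false`, so the hairpinMode branch that omits the `! --dst 127.0.0.0/8` match from the OUTPUT rule is not exercised anywhere in this patch; the same holds for the `false` in firewalld_test.go. A second case constructing a chain with `true` and asserting that the resulting OUTPUT rule lacks the loopback exclusion (and that the proxy-mode rule still has it) would cover the new code path. TestNewChain's body may continue past this hunk.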