Split portals into host and container

After this DNS is resolvable from the host, if the DNS server is targetted
explicitly.  This does NOT add the cluster DNS to the host's resolv.conf.  That
is a larger problem, with distro-specific tie-ins and circular deps.

pkg/util/iptables/iptables.go

@@ -32,8 +32,10 @@ import (
 type Interface interface {
 	// EnsureChain checks if the specified chain exists and, if not, creates it.  If the chain existed, return true.
 	EnsureChain(table Table, chain Chain) (bool, error)
-	// FlushChain clears the specified chain.
+	// FlushChain clears the specified chain.  If the chain did not exist, return error.
 	FlushChain(table Table, chain Chain) error
+	// DeleteChain deletes the specified chain.  If the chain did not exist, return error.
+	DeleteChain(table Table, chain Chain) error
 	// EnsureRule checks if the specified rule is present and, if not, creates it.  If the rule existed, return true.
 	EnsureRule(table Table, chain Chain, args ...string) (bool, error)
 	// DeleteRule checks if the specified rule is present and, if so, deletes it.
@@ -108,6 +110,21 @@ func (runner *runner) FlushChain(table Table, chain Chain) error {
 	return nil
 }
 
+// DeleteChain is part of Interface.
+func (runner *runner) DeleteChain(table Table, chain Chain) error {
+	fullArgs := makeFullArgs(table, chain)
+
+	runner.mu.Lock()
+	defer runner.mu.Unlock()
+
+	// TODO: we could call iptable -S first, ignore the output and check for non-zero return (more like DeleteRule)
+	out, err := runner.run(opDeleteChain, fullArgs)
+	if err != nil {
+		return fmt.Errorf("error deleting chain %q: %v: %s", chain, err, out)
+	}
+	return nil
+}
+
 // EnsureRule is part of Interface.
 func (runner *runner) EnsureRule(table Table, chain Chain, args ...string) (bool, error) {
 	fullArgs := makeFullArgs(table, chain, args...)
@@ -257,6 +274,7 @@ type operation string
 const (
 	opCreateChain operation = "-N"
 	opFlushChain  operation = "-F"
+	opDeleteChain operation = "-X"
 	opAppendRule  operation = "-A"
 	opCheckRule   operation = "-C"
 	opDeleteRule  operation = "-D"

pkg/util/iptables/iptables_test.go

@@ -124,6 +124,40 @@ func TestFlushChain(t *testing.T) {
 	}
 }
 
+func TestDeleteChain(t *testing.T) {
+	fcmd := exec.FakeCmd{
+		CombinedOutputScript: []exec.FakeCombinedOutputAction{
+			// Success.
+			func() ([]byte, error) { return []byte{}, nil },
+			// Failure.
+			func() ([]byte, error) { return nil, &exec.FakeExitError{1} },
+		},
+	}
+	fexec := exec.FakeExec{
+		CommandScript: []exec.FakeCommandAction{
+			func(cmd string, args ...string) exec.Cmd { return exec.InitFakeCmd(&fcmd, cmd, args...) },
+			func(cmd string, args ...string) exec.Cmd { return exec.InitFakeCmd(&fcmd, cmd, args...) },
+		},
+	}
+	runner := New(&fexec, ProtocolIpv4)
+	// Success.
+	err := runner.DeleteChain(TableNAT, Chain("FOOBAR"))
+	if err != nil {
+		t.Errorf("expected success, got %v", err)
+	}
+	if fcmd.CombinedOutputCalls != 1 {
+		t.Errorf("expected 1 CombinedOutput() call, got %d", fcmd.CombinedOutputCalls)
+	}
+	if !util.NewStringSet(fcmd.CombinedOutputLog[0]...).HasAll("iptables", "-t", "nat", "-X", "FOOBAR") {
+		t.Errorf("wrong CombinedOutput() log, got %s", fcmd.CombinedOutputLog[0])
+	}
+	// Failure.
+	err = runner.DeleteChain(TableNAT, Chain("FOOBAR"))
+	if err == nil {
+		t.Errorf("expected failure")
+	}
+}
+
 func TestEnsureRuleAlreadyExists(t *testing.T) {
 	fcmd := exec.FakeCmd{
 		CombinedOutputScript: []exec.FakeCombinedOutputAction{