From bb2ca3887ca232fab133dd6925030e26cf6f4895 Mon Sep 17 00:00:00 2001
From: Armen Boursalian
Date: Thu, 23 Aug 2018 22:44:48 -0700
Subject: [PATCH] Put DNS rule higher up in chain
---
 daemon/firewall/rules.go | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)
diff --git a/daemon/firewall/rules.go b/daemon/firewall/rules.go
index ef4c8088..f58961aa 100644
--- a/daemon/firewall/rules.go
+++ b/daemon/firewall/rules.go
@@ -32,6 +32,27 @@ func RunRule(enable bool, rule []string) (err error) {
 // INPUT --protocol udp --sport 53 -j NFQUEUE --queue-num 0 --queue-bypass
 func QueueDNSResponses(enable bool, queueNum int) (err error) {
+ // If enable, we're going to insert as #1, not append
+ if enable {
+ // FIXME: this is basically copy/paste of RunRule() above b/c we can't
+ // shoehorn "-I" with the boolean 'enable' switch
+ rule := []string{
+ "-I",
+ "INPUT",
+ "1",
+ "--protocol", "udp",
+ "--sport", "53",
+ "-j", "NFQUEUE",
+ "--queue-num", fmt.Sprintf("%d", queueNum),
+ "--queue-bypass",
+ }
+ lock.Lock()
+ defer lock.Unlock()
+ _, err := core.Exec("iptables", rule)
+ return err
+ }
+
+ // Otherwise, it's going to be disable
 return RunRule(enable, []string{
 "INPUT",
 "--protocol", "udp",