[24.0 backport] libnetwork: fix resolver restore w/ chatty 'iptables -C'

[corhere]

• 24.0 backport of libnetwork: fix resolver restore w/ chatty 'iptables -C' #45657
• Fixes Restarting dockerd breaks the embedded DNS server #45646

Resolver.setupIPTable() checks whether it needs to flush or create the user chains used for NATing container DNS requests by testing for the existence of the rules which jump to said user chains. Unfortunately it does so using the IPTable.RawCombinedOutputNative() method, which returns a non-nil error if the iptables command returns any output even if the command exits with a zero status code. While that is fine with iptables-legacy as it prints no output if the rule exists, iptables-nft v1.8.7 prints some information about the rule. Consequently, Resolver.setupIPTable() would incorrectly think that the rule does not exist during container restore and attempt to create it. This happened work work by coincidence before 8f5a9a7 because the failure to create the already-existing table would be ignored and the new NAT rules would be inserted before the stale rules left in the table from when the container was last started/restored. Now that failing to create the table is treated as a fatal error, the incompatibility with iptables-nft is no longer hidden.

Switch to using IPTable.ExistsNative() to test for the existence of the jump rules as it correctly only checks the iptables command's exit status without regard for whether it outputs anything.

- What I did

- How I did it

- How to verify it

- Description for the changelog

• Fixed an issue which prevented DNS resolution from working in live-restored containers on systems using iptables-nft

- A picture of a cute animal (not mandatory but encouraged)

[thaJeztah]

LGTM

[akerouanton]

LGTM