Open hickeng opened 7 years ago
Dropping estimate to 2 and committing to the sudoers path.
This would be an improvement. However, we should consider moving away from shelling out to iptables
as an alternative to investing in this way.
In the interim, simply adding CAP_NET_ADMIN
and running as non-root may well be an improvement.
Story

As a VIC user I want to have docker style NAT port forwarding available in a VCH.
As a security engineer I want all VCH endpointVM components running with least privilege.

Detail

We currently use the `docker/libnetwork/iptables` package to configure NAT forwarding rules in the endpointVM. This package shells out to the `iptables` binary, which needs to be run as root. It's possible there's a simple CAP for it, e.g. NET_ADMIN, but that would still grant global access to iptables use and I'd prefer a more locked down set of commands just for the runtime requirements with a tight pattern match, hence considering sudoers.

Acceptance

- `docker-personality` runs as nobody (or similar) but can still correctly manage port forwarding
- Running iptables as the personality user only permits port forwarding configuration FROM client.localhost interface TO bridge.localhost interface - it should NOT be possible to add a rule that forwards to the management network for example.
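As an added illustration of the sudoers approach described above (example code written for this page, not code from the vic repository), the usual way to get a genuinely tight pattern match is to grant the personality user exactly one command, a small wrapper, and have the wrapper validate every token before it invokes iptables. The wrapper only ever builds one rule shape: a DNAT port forward arriving on the client interface and redirected to an address inside the bridge network, which is what the acceptance criteria ask for. The interface name `client`, the bridge subnet `172.16.0.0/16`, the management address `10.0.0.5` used in the comments, and the wrapper path `/usr/local/sbin/vic-portfwd` are all assumptions for the example, not values taken from VIC:

```shell
#!/bin/sh
# vic-portfwd: example wrapper the personality user is allowed to run via sudo.
# This is illustrative code for the issue, not part of the vic project.
#
# Matching sudoers entry (assumed user name and path):
#   docker-personality ALL=(root) NOPASSWD: /usr/local/sbin/vic-portfwd
# Nothing else is granted, so the only root-level iptables invocation the
# personality user can trigger is the single rule shape built below.

PATH=/usr/sbin:/sbin:/usr/bin:/bin   # fixed PATH; do not trust the caller's
CLIENT_IF=client                     # assumed name of the client.localhost interface
BRIDGE_NET=172.16.0.0/16             # assumed bridge.localhost subnet (constructed)

# ip_to_int DOTTED_QUAD -> prints the address as an integer, or returns 1 if malformed
ip_to_int() {
  case "$1" in *[!0-9.]*) return 1 ;; esac   # reject anything that is not digits and dots
  oldifs=$IFS; IFS=.
  set -- $1
  IFS=$oldifs
  [ $# -eq 4 ] || return 1
  for o in "$1" "$2" "$3" "$4"; do
    case "$o" in ''|*[!0-9]*|0?*) return 1 ;; esac   # empty, non-numeric, or leading zero
    [ "$o" -le 255 ] || return 1
  done
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr ADDRESS NETWORK/BITS -> 0 if ADDRESS lies inside the network, 1 otherwise
in_cidr() {
  ip=$(ip_to_int "$1") || return 1
  net=${2%/*}; bits=${2#*/}
  netint=$(ip_to_int "$net") || return 1
  case "$bits" in ''|*[!0-9]*) return 1 ;; esac
  [ "$bits" -le 32 ] || return 1
  mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
  [ $(( ip & mask )) -eq $(( netint & mask )) ]
}

# is_port N -> 0 for a decimal port in 1..65535
is_port() {
  case "$1" in ''|*[!0-9]*|0?*) return 1 ;; esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# check_forward_args ACTION PROTO HOSTPORT DEST_IP DEST_PORT
# Accepts only add/delete of a tcp/udp forward whose destination is in the bridge
# network. A destination on the management network (e.g. 10.0.0.5) fails in_cidr.
check_forward_args() {
  [ $# -eq 5 ] || return 1
  case "$1" in -A|-D) ;; *) return 1 ;; esac
  case "$2" in tcp|udp) ;; *) return 1 ;; esac
  is_port "$3" || return 1
  in_cidr "$4" "$BRIDGE_NET" || return 1
  is_port "$5" || return 1
}

# build_rule ARGS... -> prints the iptables argument string, or returns 1 if refused.
# The FROM side is pinned by "-i $CLIENT_IF"; the TO side by the in_cidr check above.
build_rule() {
  check_forward_args "$@" || return 1
  printf '%s' "-t nat $1 PREROUTING -i $CLIENT_IF -p $2 --dport $3 -j DNAT --to-destination $4:$5"
}

# apply_forward ARGS... -> runs iptables with the validated rule
apply_forward() {
  rule=$(build_rule "$@") || { printf 'refused: %s\n' "$*" >&2; return 1; }
  # $rule is composed solely of tokens that passed validation, so the unquoted
  # expansion below cannot introduce extra iptables options.
  # shellcheck disable=SC2086
  iptables $rule
}

# When invoked as the sudo-granted command:
#   vic-portfwd ACTION PROTO HOSTPORT DEST_IP DEST_PORT
[ $# -eq 0 ] || apply_forward "$@"
```

The reason for a wrapper rather than a sudoers line like `iptables -t nat -A PREROUTING -i client *` is that sudoers wildcards match across argument boundaries, so a single `*` at the end of a command spec lets the caller append any further options, including a different `--to-destination`. Granting one script with no arguments in the spec, and doing the validation in the script, keeps the allowed surface to exactly the rule shape above; `-D` is accepted alongside `-A` because libnetwork removes its rules when a container stops.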