From: Florian Eckert
Date: Wed, 24 Jun 2020 07:25:50 +0000 (+0200)
Subject: docker-ce: cleanup firewall rules on service stop
X-Git-Url: http://git.99rst.org/?a=commitdiff_plain;h=2407497230da42632135c4b7c0540d0f490acd56;p=openwrt-packages.git

docker-ce: cleanup firewall rules on service stop

Until now, the firewall rules from the dockerd were preserved after the service was stopped. This is not nice. With this change the firewall rules created by dockerd will be deleted when the dockerd service is stopped.

Signed-off-by: Florian Eckert
---

diff --git a/utils/docker-ce/files/dockerd.init b/utils/docker-ce/files/dockerd.init
index 3b77f1131..a61dc89e8 100644
--- a/utils/docker-ce/files/dockerd.init
+++ b/utils/docker-ce/files/dockerd.init
@@ -58,3 +58,36 @@ start_service() {
 	procd_set_param limits nofile="${nofile} ${nofile}"
 	procd_close_instance
 }
+
+ip4tables_remove_nat() {
+	iptables -t nat -D OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
+	iptables -t nat -D PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
+
+	iptables -t nat -F DOCKER
+	iptables -t nat -X DOCKER
+}
+
+ip4tables_remove_filter() {
+	iptables -t filter -D FORWARD -j DOCKER-USER
+	iptables -t filter -D FORWARD -j DOCKER-ISOLATION-STAGE-1
+	iptables -t filter -D FORWARD -o docker0 -j DOCKER
+
+	iptables -t filter -F DOCKER
+	iptables -t filter -F DOCKER-ISOLATION-STAGE-1
+	iptables -t filter -F DOCKER-ISOLATION-STAGE-2
+	iptables -t filter -F DOCKER-USER
+
+	iptables -t filter -X DOCKER
+	iptables -t filter -X DOCKER-ISOLATION-STAGE-1
+	iptables -t filter -X DOCKER-ISOLATION-STAGE-2
+	iptables -t filter -X DOCKER-USER
+}
+
+ip4tables_remove() {
+	ip4tables_remove_nat
+	ip4tables_remove_filter
+}
+
+stop_service() {
+	ip4tables_remove
+}
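Review bot: The cleanup in `ip4tables_remove_filter` flushes and deletes `DOCKER-USER`, the chain dockerd reserves for administrator-managed rules and does not flush itself, so stopping the service discards any policy an operator placed there; consider leaving that chain's contents alone and only removing the `FORWARD -j DOCKER-USER` jump, or at least documenting it with a comment such as `# NOTE: DOCKER-USER is flushed on stop; site rules placed there are lost`. The `-D` and `-X` calls are unconditional, so if dockerd was started without iptables management or the chains are already gone, each call prints an error and returns non-zero; guarding each deletion with the matching check form, e.g. `iptables -t nat -C OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER 2>/dev/null && iptables -t nat -D OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER`, keeps `stop_service` quiet and idempotent. The rule `-D FORWARD -o docker0 -j DOCKER` presumably assumes the default bridge name and will not match a renamed bridge; that is inferred from the hard-coded interface, so confirm it against the daemon configuration the init script passes.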