docker-ce: do not delete generated iptables by docker-ce

Deleting rules that docker has created is error-prone, because with every update docker we have to check if anything has changed. Cleaning up the firewall rules is part of the docker and should and must be cleaned up and handeled by them when the service is terminated. Signed-off-by: Florian Eckert <fe@dev.tdt.de>
2020-11-16 10:28:03 +01:00 · 2020-11-16 10:28:03 +01:00 · 96a11a9c02
commit 96a11a9c02
parent 19fc933330
1 changed files with 0 additions and 33 deletions
--- a/utils/docker-ce/files/dockerd.init
+++ b/utils/docker-ce/files/dockerd.init
@ -216,41 +216,8 @@ iptables_add_blocking_rule() {
 	config_list_foreach "$cfg" blocked_interfaces handle_iptables_rule "$device"
 }

-ip4tables_remove_nat() {
-	iptables --table nat --delete OUTPUT ! --destination 127.0.0.0/8 --match addrtype --dst-type LOCAL --jump DOCKER
-	iptables --table nat --delete PREROUTING --match addrtype --dst-type LOCAL --jump DOCKER
-
-	iptables --table nat --flush DOCKER
-	iptables --table nat --delete-chain DOCKER
-}
-
-ip4tables_remove_filter() {
-	iptables --table filter --delete FORWARD --jump DOCKER-USER
-	iptables --table filter --delete FORWARD --jump DOCKER-ISOLATION-STAGE-1
-	iptables --table filter --delete FORWARD --out-interface docker0 --jump DOCKER
-	iptables --table filter --delete FORWARD --out-interface docker0 --match conntrack --ctstate RELATED,ESTABLISHED --jump ACCEPT
-	iptables --table filter --delete FORWARD --in-interface docker0 --out-interface docker0 --jump ACCEPT
-	iptables --table filter --delete FORWARD --in-interface docker0 ! --out-interface docker0 --jump ACCEPT
-
-	iptables --table filter --flush DOCKER
-	iptables --table filter --flush DOCKER-ISOLATION-STAGE-1
-	iptables --table filter --flush DOCKER-ISOLATION-STAGE-2
-	iptables --table filter --flush DOCKER-USER
-
-	iptables --table filter --delete-chain DOCKER
-	iptables --table filter --delete-chain DOCKER-ISOLATION-STAGE-1
-	iptables --table filter --delete-chain DOCKER-ISOLATION-STAGE-2
-	iptables --table filter --delete-chain DOCKER-USER
-}
-
-ip4tables_remove() {
-	ip4tables_remove_nat
-	ip4tables_remove_filter
-}
-
 stop_service() {
 	if /etc/init.d/dockerd running; then
 		service_stop "/usr/bin/dockerd"
-		ip4tables_remove
 	fi
 }