From 204db10dffeeed3ce133285d692704a6824b0c45 Mon Sep 17 00:00:00 2001 From: Gerard Ryan Date: Sat, 20 Feb 2021 23:07:56 +1000 Subject: [PATCH 1/6] dockerd: Updated patch file format Signed-off-by: Gerard Ryan --- utils/dockerd/patches/001-libdevmapper_name_fix.patch | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/utils/dockerd/patches/001-libdevmapper_name_fix.patch b/utils/dockerd/patches/001-libdevmapper_name_fix.patch index ba6bba32c..b9b0a6b8c 100644 --- a/utils/dockerd/patches/001-libdevmapper_name_fix.patch +++ b/utils/dockerd/patches/001-libdevmapper_name_fix.patch @@ -1,7 +1,5 @@ -Index: docker-ce-20.10.0/hack/make.sh -=================================================================== ---- docker-ce-20.10.0.orig/hack/make.sh -+++ docker-ce-20.10.0/hack/make.sh +--- a/hack/make.sh ++++ b/hack/make.sh @@ -95,7 +95,7 @@ fi # with a newer libdevmapper than the one it was built with. if From 8f899db305aca18b16a8b4cd7c23a9dd81362417 Mon Sep 17 00:00:00 2001 From: Gerard Ryan Date: Mon, 25 Jan 2021 16:57:08 +1000 Subject: [PATCH 2/6] dockerd: Normalized config quotation marks Signed-off-by: Gerard Ryan --- utils/dockerd/files/etc/config/dockerd | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/utils/dockerd/files/etc/config/dockerd b/utils/dockerd/files/etc/config/dockerd index cfb5f8c3f..aad1dbb70 100644 --- a/utils/dockerd/files/etc/config/dockerd +++ b/utils/dockerd/files/etc/config/dockerd 
@@ -5,14 +5,14 @@ # device config globals 'globals' -# option alt_config_file "/etc/docker/daemon.json" - option data_root "/opt/docker/" - option log_level "warn" - list hosts "unix:///var/run/docker.sock" - option bip "172.18.0.1/24" -# option iptables "0" -# list registry_mirrors "https://" -# list registry_mirrors "https://hub.docker.com" +# option alt_config_file '/etc/docker/daemon.json' + option data_root '/opt/docker/' + option log_level 'warn' + list hosts 'unix:///var/run/docker.sock' + option bip '172.18.0.1/24' +# option iptables '0' +# list registry_mirrors 'https://' +# list registry_mirrors 'https://hub.docker.com' # Docker ignores fw3 rules and by default all external source IPs are allowed to connect to the Docker host. # See https://docs.docker.com/network/iptables/ for more details. From f4cc4c0c70d40d2188ecdc7db3ddf17f77aeb11d Mon Sep 17 00:00:00 2001 From: Gerard Ryan Date: Mon, 25 Jan 2021 17:46:35 +1000 Subject: [PATCH 3/6] dockerd: made registry_mirrors and hosts omittable * Moved logic out of config writing * Made default config only specify OpenWrt dictated defaults Otherwise, docker defaults can be assumed Signed-off-by: Gerard Ryan --- utils/dockerd/files/dockerd.init | 24 ++++++++++++++---------- utils/dockerd/files/etc/config/dockerd | 6 +++--- 2 files changed, 17 insertions(+), 13 deletions(-) diff --git a/utils/dockerd/files/dockerd.init b/utils/dockerd/files/dockerd.init index c1493ba2b..1eaed6710 100755 --- a/utils/dockerd/files/dockerd.init +++ b/utils/dockerd/files/dockerd.init 
@@ -136,24 +136,28 @@ process_config() { config_get data_root globals data_root "/opt/docker/" config_get log_level globals log_level "warn" config_get_bool iptables globals iptables "1" + + # Don't add these options by default + # omission == docker defaults config_get bip globals bip "" + config_get registry_mirrors globals registry_mirrors "" + config_get hosts globals hosts "" . /usr/share/libubox/jshn.sh json_init json_add_string "data-root" "${data_root}" json_add_string "log-level" "${log_level}" + json_add_boolean "iptables" "${iptables}" [ -z "${bip}" ] || json_add_string "bip" "${bip}" - json_add_array "registry-mirrors" - config_list_foreach globals registry_mirrors json_add_array_string - json_close_array - json_add_array "hosts" - config_list_foreach globals hosts json_add_array_string - json_close_array - - json_add_boolean iptables "${iptables}" - [ "${iptables}" -ne "0" ] && config_foreach iptables_add_blocking_rule firewall - + [ -z "${registry_mirrors}" ] || json_add_array "registry-mirrors" + [ -z "${registry_mirrors}" ] || config_list_foreach globals registry_mirrors json_add_array_string + [ -z "${registry_mirrors}" ] || json_close_array + [ -z "${hosts}" ] || json_add_array "hosts" + [ -z "${hosts}" ] || config_list_foreach globals hosts json_add_array_string + [ -z "${hosts}" ] || json_close_array json_dump > "${DOCKERD_CONF}" + + [ "${iptables}" -eq "1" ] && config_foreach iptables_add_blocking_rule firewall } start_service() { diff --git a/utils/dockerd/files/etc/config/dockerd b/utils/dockerd/files/etc/config/dockerd index aad1dbb70..6ba850bde 100644 --- a/utils/dockerd/files/etc/config/dockerd +++ b/utils/dockerd/files/etc/config/dockerd 
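Review bot: The new last statement of process_config, `[ "${iptables}" -eq "1" ] && config_foreach iptables_add_blocking_rule firewall`, makes the function return non-zero whenever iptables is disabled, because a false test on the left of `&&` is now the function's exit status (before this change json_dump ran last). If start_service, which begins just below the hunk, ever checks that status, a config with `option iptables '0'` would fail to start the daemon; write it as `if [ "${iptables}" -eq 1 ]; then config_foreach iptables_add_blocking_rule firewall; fi`. The three `[ -z "${registry_mirrors}" ] ||` guards and the three `[ -z "${hosts}" ] ||` guards re-evaluate the same condition and read better as one `if [ -n ... ]` block around each json_add_array/config_list_foreach/json_close_array trio, as in the excerpt below. The `config_get registry_mirrors ...` and `config_get hosts ...` lines read list options, which (as far as I can tell) yields the elements joined by spaces, so the emptiness test is sound but the variables should not be used for anything else; a comment such as `# list options: only used as an emptiness test, iteration is via config_list_foreach` would make that explicit. process_config starts above the hunk.
```shell
	# … unchanged: config_get / json_init / json_add_string / json_add_boolean / bip lines …
	if [ -n "${registry_mirrors}" ]; then
		json_add_array "registry-mirrors"
		config_list_foreach globals registry_mirrors json_add_array_string
		json_close_array
	fi
	if [ -n "${hosts}" ]; then
		json_add_array "hosts"
		config_list_foreach globals hosts json_add_array_string
		json_close_array
	fi
	json_dump > "${DOCKERD_CONF}"

	if [ "${iptables}" -eq 1 ]; then
		config_foreach iptables_add_blocking_rule firewall
	fi
```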
@@ -8,9 +8,9 @@ config globals 'globals' # option alt_config_file '/etc/docker/daemon.json' option data_root '/opt/docker/' option log_level 'warn' - list hosts 'unix:///var/run/docker.sock' - option bip '172.18.0.1/24' -# option iptables '0' + option iptables '1' +# list hosts 'unix:///var/run/docker.sock' +# option bip '172.18.0.1/24' # list registry_mirrors 'https://' # list registry_mirrors 'https://hub.docker.com' From 774a0e8be05b9f8e3a1a1220a3b8bea1f07fba61 Mon Sep 17 00:00:00 2001 From: Gerard Ryan Date: Sat, 20 Feb 2021 17:32:31 +1000 Subject: [PATCH 4/6] dockerd: Made blocked_interfaces ip rule REJECT * Changed from DROP to REJECT to be consistant with other firewall rules Signed-off-by: Gerard Ryan --- utils/dockerd/files/dockerd.init | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/utils/dockerd/files/dockerd.init b/utils/dockerd/files/dockerd.init index 1eaed6710..1ad2b62ea 100755 --- a/utils/dockerd/files/dockerd.init +++ b/utils/dockerd/files/dockerd.init @@ -208,9 +208,9 @@ iptables_add_blocking_rule() { # Ignore errors as it might already be present iptables --table filter --new DOCKER-USER 2>/dev/null - if ! iptables --table filter --check DOCKER-USER --in-interface "${inbound}" --out-interface "${outbound}" ${extra_iptables_args} --jump DROP 2>/dev/null; then + if ! iptables --table filter --check DOCKER-USER --in-interface "${inbound}" --out-interface "${outbound}" ${extra_iptables_args} --jump REJECT 2>/dev/null; then logger -t "dockerd-init" -p notice "Drop traffic from ${inbound} to ${outbound}" - iptables --table filter --insert DOCKER-USER --in-interface "${inbound}" --out-interface "${outbound}" ${extra_iptables_args} --jump DROP + iptables --table filter --insert DOCKER-USER --in-interface "${inbound}" --out-interface "${outbound}" ${extra_iptables_args} --jump REJECT fi } From e64d4bd05b77ced7dd68939f3afd193527fb8785 Mon Sep 17 00:00:00 2001 
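Review bot: The logger line between the two changed iptables calls still reports `Drop traffic from ${inbound} to ${outbound}` although the target is now REJECT, so the syslog text no longer matches what the rule does; change it to `logger -t "dockerd-init" -p notice "Reject traffic from ${inbound} to ${outbound}"`. REJECT is also an observable behaviour change for the blocked peer, which now receives an ICMP unreachable instead of seeing the packet silently discarded, and that rationale lives only in the commit message; a comment above the `--check` line, e.g. `# REJECT rather than DROP to match the other firewall rules; the sender gets an ICMP unreachable`, keeps it with the code. iptables_add_blocking_rule starts above the hunk.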
From: Gerard Ryan Date: Sat, 20 Feb 2021 19:31:55 +1000 Subject: [PATCH 5/6] dockerd: Added iptables wait to ensure rules are added Signed-off-by: Gerard Ryan --- utils/dockerd/files/dockerd.init | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/utils/dockerd/files/dockerd.init b/utils/dockerd/files/dockerd.init index 1ad2b62ea..25ce4eff9 100755 --- a/utils/dockerd/files/dockerd.init +++ b/utils/dockerd/files/dockerd.init @@ -206,11 +206,14 @@ iptables_add_blocking_rule() { return } + # Wait for a maximum of 10 second per command, retrying every millisecond + local iptables_wait_args="--wait 10 --wait-interval 1000" + # Ignore errors as it might already be present - iptables --table filter --new DOCKER-USER 2>/dev/null - if ! iptables --table filter --check DOCKER-USER --in-interface "${inbound}" --out-interface "${outbound}" ${extra_iptables_args} --jump REJECT 2>/dev/null; then + iptables ${iptables_wait_args} --table filter --new DOCKER-USER 2>/dev/null + if ! iptables ${iptables_wait_args} --table filter --check DOCKER-USER --in-interface "${inbound}" --out-interface "${outbound}" ${extra_iptables_args} --jump REJECT 2>/dev/null; then logger -t "dockerd-init" -p notice "Drop traffic from ${inbound} to ${outbound}" - iptables --table filter --insert DOCKER-USER --in-interface "${inbound}" --out-interface "${outbound}" ${extra_iptables_args} --jump REJECT + iptables ${iptables_wait_args} --table filter --insert DOCKER-USER --in-interface "${inbound}" --out-interface "${outbound}" ${extra_iptables_args} --jump REJECT fi } From e882ff47e51981ea99e897cf4517c843dfd6286f Mon Sep 17 00:00:00 2001 From: Gerard Ryan Date: Sat, 20 Feb 2021 20:26:05 +1000 Subject: [PATCH 6/6] dockerd: Package release bump Signed-off-by: Gerard Ryan --- utils/dockerd/Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/utils/dockerd/Makefile b/utils/dockerd/Makefile index ef1b1e825..c34640a85 100644 --- a/utils/dockerd/Makefile 
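Review bot: The `--insert` on the last changed line still has its exit status ignored, so if the xtables lock is not obtained within the wait (or the chain creation on the `--new` line failed, which its `2>/dev/null` hides) the blocking rule is silently missing while the preceding notice says it was added; append `|| logger -t "dockerd-init" -p err "Failed to add blocking rule from ${inbound} to ${outbound}"` to that line so the gap is at least visible in the log. The comment `# Wait for a maximum of 10 second per command, retrying every millisecond` is right about the units (iptables `--wait-interval` takes microseconds, so 1000 is 1 ms) but should read `10 seconds`. `--wait-interval` is newer than `--wait` itself and is not accepted by every iptables build, and I cannot tell from this hunk which version the package targets; if older builds are supported, the comment should state the minimum version or the script should fall back to plain `--wait 10`. iptables_add_blocking_rule starts above the hunk.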
+++ b/utils/dockerd/Makefile @@ -2,7 +2,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=dockerd PKG_VERSION:=20.10.2 -PKG_RELEASE:=2 +PKG_RELEASE:=3 PKG_LICENSE:=Apache-2.0 PKG_LICENSE_FILES:=LICENSE