
docker-ce: do not delete generated iptables by docker-ce

Deleting rules that docker has created is error-prone, because with
every docker update we have to check whether anything has changed.
Cleaning up the firewall rules is part of docker's own responsibility and
should and must be handled by it when the service is terminated.

Signed-off-by: Florian Eckert <fe@dev.tdt.de>
lilik-openwrt-22.03
Florian Eckert 4 years ago
parent
commit
96a11a9c02
1 changed files with 0 additions and 33 deletions
  1. +0
    -33
      utils/docker-ce/files/dockerd.init

+ 0
- 33
utils/docker-ce/files/dockerd.init

@ -216,41 +216,8 @@ iptables_add_blocking_rule() {
config_list_foreach "$cfg" blocked_interfaces handle_iptables_rule "$device"
}
ip4tables_remove_nat() {
iptables --table nat --delete OUTPUT ! --destination 127.0.0.0/8 --match addrtype --dst-type LOCAL --jump DOCKER
iptables --table nat --delete PREROUTING --match addrtype --dst-type LOCAL --jump DOCKER
iptables --table nat --flush DOCKER
iptables --table nat --delete-chain DOCKER
}
ip4tables_remove_filter() {
iptables --table filter --delete FORWARD --jump DOCKER-USER
iptables --table filter --delete FORWARD --jump DOCKER-ISOLATION-STAGE-1
iptables --table filter --delete FORWARD --out-interface docker0 --jump DOCKER
iptables --table filter --delete FORWARD --out-interface docker0 --match conntrack --ctstate RELATED,ESTABLISHED --jump ACCEPT
iptables --table filter --delete FORWARD --in-interface docker0 --out-interface docker0 --jump ACCEPT
iptables --table filter --delete FORWARD --in-interface docker0 ! --out-interface docker0 --jump ACCEPT
iptables --table filter --flush DOCKER
iptables --table filter --flush DOCKER-ISOLATION-STAGE-1
iptables --table filter --flush DOCKER-ISOLATION-STAGE-2
iptables --table filter --flush DOCKER-USER
iptables --table filter --delete-chain DOCKER
iptables --table filter --delete-chain DOCKER-ISOLATION-STAGE-1
iptables --table filter --delete-chain DOCKER-ISOLATION-STAGE-2
iptables --table filter --delete-chain DOCKER-USER
}
ip4tables_remove() {
ip4tables_remove_nat
ip4tables_remove_filter
}
stop_service() {
if /etc/init.d/dockerd running; then
service_stop "/usr/bin/dockerd"
ip4tables_remove
fi
}
