From 2407497230da42632135c4b7c0540d0f490acd56 Mon Sep 17 00:00:00 2001
From: Florian Eckert
Date: Wed, 24 Jun 2020 09:25:50 +0200
Subject: [PATCH] docker-ce: cleanup firewall rules on service stop

Until now, the firewall rules from the dockerd were preserved after the service was stopped. This is not nice. With this change the firewall rules created by dockerd will be deleted when the dockerd service is stopped.

Signed-off-by: Florian Eckert
---
 utils/docker-ce/files/dockerd.init | 33 ++++++++++++++++++++++++++++++
 1 file changed, 33 insertions(+)

diff --git a/utils/docker-ce/files/dockerd.init b/utils/docker-ce/files/dockerd.init
index 3b77f11311..a61dc89e87 100644
--- a/utils/docker-ce/files/dockerd.init
+++ b/utils/docker-ce/files/dockerd.init
@@ -58,3 +58,36 @@ start_service() {
 procd_set_param limits nofile="${nofile} ${nofile}"
 procd_close_instance
 }
+
+ip4tables_remove_nat() {
+ iptables -t nat -D OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
+ iptables -t nat -D PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
+
+ iptables -t nat -F DOCKER
+ iptables -t nat -X DOCKER
+}
+
+ip4tables_remove_filter() {
+ iptables -t filter -D FORWARD -j DOCKER-USER
+ iptables -t filter -D FORWARD -j DOCKER-ISOLATION-STAGE-1
+ iptables -t filter -D FORWARD -o docker0 -j DOCKER
+
+ iptables -t filter -F DOCKER
+ iptables -t filter -F DOCKER-ISOLATION-STAGE-1
+ iptables -t filter -F DOCKER-ISOLATION-STAGE-2
+ iptables -t filter -F DOCKER-USER
+
+ iptables -t filter -X DOCKER
+ iptables -t filter -X DOCKER-ISOLATION-STAGE-1
+ iptables -t filter -X DOCKER-ISOLATION-STAGE-2
+ iptables -t filter -X DOCKER-USER
+}
+
+ip4tables_remove() {
+ ip4tables_remove_nat
+ ip4tables_remove_filter
+}
+
+stop_service() {
+ ip4tables_remove
+}
-- 
2.30.2
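Review bot: `ip4tables_remove_filter` flushes and deletes `DOCKER-USER`, which is the chain Docker sets aside for administrator-maintained rules that are meant to survive daemon restarts, so any filtering an operator placed there is silently discarded every time the service stops. Consider keeping that chain (drop the `iptables -t filter -F DOCKER-USER` and `iptables -t filter -X DOCKER-USER` lines and only detach it with the existing `-D FORWARD -j DOCKER-USER`), or at least state the loss in a comment above the function. Separately, `ip4tables_remove_nat` does not remove the POSTROUTING masquerade rule dockerd normally installs for the bridge subnet, so presumably one NAT rule still survives a stop; its match depends on the configured bridge address, so it would have to be derived from the daemon config rather than hard-coded. Every `-D`/`-X` here also runs unconditionally and will log one error per missing rule when the rules are absent (daemon started with iptables disabled, or stop invoked twice); appending `2>/dev/null` or guarding each delete with `iptables -C ... &&` would keep the log clean. Only IPv4 cleanup is added, so if ip6tables support is enabled in the daemon config those rules remain after stop.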