From 96a11a9c023f673e05e882a10b5ae3c3eefd8cec Mon Sep 17 00:00:00 2001
From: Florian Eckert
Date: Mon, 16 Nov 2020 10:28:03 +0100
Subject: [PATCH] docker-ce: do not delete generated iptables by docker-ce

Deleting rules that docker has created is error-prone, because with every update docker we have to check if anything has changed. Cleaning up the firewall rules is part of the docker and should and must be cleaned up and handeled by them when the service is terminated.

Signed-off-by: Florian Eckert
---
 utils/docker-ce/files/dockerd.init | 33 ------------------------------
 1 file changed, 33 deletions(-)

diff --git a/utils/docker-ce/files/dockerd.init b/utils/docker-ce/files/dockerd.init
index 1ca5e5420b..f5388c083d 100755
--- a/utils/docker-ce/files/dockerd.init
+++ b/utils/docker-ce/files/dockerd.init
@@ -216,41 +216,8 @@ iptables_add_blocking_rule() {
 config_list_foreach "$cfg" blocked_interfaces handle_iptables_rule "$device"
 }
 
-ip4tables_remove_nat() {
- iptables --table nat --delete OUTPUT ! --destination 127.0.0.0/8 --match addrtype --dst-type LOCAL --jump DOCKER
- iptables --table nat --delete PREROUTING --match addrtype --dst-type LOCAL --jump DOCKER
-
- iptables --table nat --flush DOCKER
- iptables --table nat --delete-chain DOCKER
-}
-
-ip4tables_remove_filter() {
- iptables --table filter --delete FORWARD --jump DOCKER-USER
- iptables --table filter --delete FORWARD --jump DOCKER-ISOLATION-STAGE-1
- iptables --table filter --delete FORWARD --out-interface docker0 --jump DOCKER
- iptables --table filter --delete FORWARD --out-interface docker0 --match conntrack --ctstate RELATED,ESTABLISHED --jump ACCEPT
- iptables --table filter --delete FORWARD --in-interface docker0 --out-interface docker0 --jump ACCEPT
- iptables --table filter --delete FORWARD --in-interface docker0 ! --out-interface docker0 --jump ACCEPT
-
- iptables --table filter --flush DOCKER
- iptables --table filter --flush DOCKER-ISOLATION-STAGE-1
- iptables --table filter --flush DOCKER-ISOLATION-STAGE-2
- iptables --table filter --flush DOCKER-USER
-
- iptables --table filter --delete-chain DOCKER
- iptables --table filter --delete-chain DOCKER-ISOLATION-STAGE-1
- iptables --table filter --delete-chain DOCKER-ISOLATION-STAGE-2
- iptables --table filter --delete-chain DOCKER-USER
-}
-
-ip4tables_remove() {
- ip4tables_remove_nat
- ip4tables_remove_filter
-}
-
 stop_service() {
 if /etc/init.d/dockerd running; then
 service_stop "/usr/bin/dockerd"
- ip4tables_remove
 fi
 }
-- 
2.30.2