Merge pull request #50098 from robmry/remove_docker-user_return_rule · moby/moby@b43afbf · GitHub


Commit b43afbf

authored
Merge pull request #50098 from robmry/remove_docker-user_return_rule
iptables: Drop explicit RETURN rule from DOCKER-USER
2 parents 0e2cc22 + dc519a0 commit b43afbf

14 files changed

+0
-25
lines changed

integration/network/bridge/iptablesdoc/generated/new-daemon.md

Lines changed: 0 additions & 2 deletions
@@ -45,7 +45,6 @@ Table `filter`:
4545

4646
Chain DOCKER-USER (1 references)
4747
num pkts bytes target prot opt in out source destination
48-
1 0 0 RETURN 0 -- * * 0.0.0.0/0 0.0.0.0/0
4948

5049

5150
<details>
@@ -72,7 +71,6 @@ Table `filter`:
7271
-A DOCKER-FORWARD -i docker0 -j ACCEPT
7372
-A DOCKER- 10000 ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
7473
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
75-
-A DOCKER-USER -j RETURN
7674

7775

7876
</details>

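--- a/integration/network/bridge/iptablesdoc/generated/swarm-portmap.md
+++ b/integration/network/bridge/iptablesdoc/generated/swarm-portmap.md
@@ -60,7 +60,6 @@ The filter table is:
 
 Chain DOCKER-USER (1 references)
 num pkts bytes target prot opt in out source destination
-1 0 0 RETURN 0 -- * * 0.0.0.0/0 0.0.0.0/0
 
 
 <details>
@@ -99,7 +98,6 @@ The filter table is:
 -A DOCKER-ISOLATION-STAGE-1 -i docker_gwbridge ! -o docker_gwbridge -j DOCKER-ISOLATION-STAGE-2
 -A DOCKER-ISOLATION-STAGE-2 -o docker_gwbridge -j DROP
 -A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
--A DOCKER-USER -j RETURN
 
 
 </details>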

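--- a/integration/network/bridge/iptablesdoc/generated/usernet-internal.md
+++ b/integration/network/bridge/iptablesdoc/generated/usernet-internal.md
@@ -66,7 +66,6 @@ The filter table is updated as follows:
 
 Chain DOCKER-USER (1 references)
 num pkts bytes target prot opt in out source destination
-1 0 0 RETURN 0 -- * * 0.0.0.0/0 0.0.0.0/0
 
 
 <details>
@@ -99,7 +98,6 @@ The filter table is updated as follows:
 -A DOCKER-ISOLATION-STAGE-1 ! -d 192.0.2.0/24 -i bridgeICC -j DROP
 -A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
 -A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
--A DOCKER-USER -j RETURN
 
 
 </details>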

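--- a/integration/network/bridge/iptablesdoc/generated/usernet-portmap-lo.md
+++ b/integration/network/bridge/iptablesdoc/generated/usernet-portmap-lo.md
@@ -59,7 +59,6 @@ The filter and nat tables are identical to [nat mode][0]:
 
 Chain DOCKER-USER (1 references)
 num pkts bytes target prot opt in out source destination
-1 0 0 RETURN 0 -- * * 0.0.0.0/0 0.0.0.0/0
 
 
 -P INPUT ACCEPT
@@ -90,7 +89,6 @@ The filter and nat tables are identical to [nat mode][0]:
 -A DOCKER-ISOLATION-STAGE-1 -i bridge1 ! -o bridge1 -j DOCKER-ISOLATION-STAGE-2
 -A DOCKER-ISOLATION-STAGE-2 -o bridge1 -j DROP
 -A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
--A DOCKER-USER -j RETURN
 
 
 </details>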

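--- a/integration/network/bridge/iptablesdoc/generated/usernet-portmap-natunprot.md
+++ b/integration/network/bridge/iptablesdoc/generated/usernet-portmap-natunprot.md
@@ -56,7 +56,6 @@ The filter table is:
 
 Chain DOCKER-USER (1 references)
 num pkts bytes target prot opt in out source destination
-1 0 0 RETURN 0 -- * * 0.0.0.0/0 0.0.0.0/0
 
 
 <details>
@@ -89,7 +88,6 @@ The filter table is:
 -A DOCKER-ISOLATION-STAGE-1 -i bridge1 ! -o bridge1 -j DOCKER-ISOLATION-STAGE-2
 -A DOCKER-ISOLATION-STAGE-2 -o bridge1 -j DROP
 -A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
--A DOCKER-USER -j RETURN
 
 
 </details>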

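--- a/integration/network/bridge/iptablesdoc/generated/usernet-portmap-noicc.md
+++ b/integration/network/bridge/iptablesdoc/generated/usernet-portmap-noicc.md
@@ -58,7 +58,6 @@ The filter table is:
 
 Chain DOCKER-USER (1 references)
 num pkts bytes target prot opt in out source destination
-1 0 0 RETURN 0 -- * * 0.0.0.0/0 0.0.0.0/0
 
 
 <details>
@@ -93,7 +92,6 @@ The filter table is:
 -A DOCKER-ISOLATION-STAGE-1 -i bridge1 ! -o bridge1 -j DOCKER-ISOLATION-STAGE-2
 -A DOCKER-ISOLATION-STAGE-2 -o bridge1 -j DROP
 -A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
--A DOCKER-USER -j RETURN
 
 
 </details>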

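--- a/integration/network/bridge/iptablesdoc/generated/usernet-portmap-noproxy.md
+++ b/integration/network/bridge/iptablesdoc/generated/usernet-portmap-noproxy.md
@@ -60,7 +60,6 @@ The filter table is the same as with the userland proxy enabled.
 
 Chain DOCKER-USER (1 references)
 num pkts bytes target prot opt in out source destination
-1 0 0 RETURN 0 -- * * 0.0.0.0/0 0.0.0.0/0
 
 
 -P INPUT ACCEPT
@@ -91,7 +90,6 @@ The filter table is the same as with the userland proxy enabled.
 -A DOCKER-ISOLATION-STAGE-1 -i bridge1 ! -o bridge1 -j DOCKER-ISOLATION-STAGE-2
 -A DOCKER-ISOLATION-STAGE-2 -o bridge1 -j DROP
 -A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
--A DOCKER-USER -j RETURN
 
 
 </details>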

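--- a/integration/network/bridge/iptablesdoc/generated/usernet-portmap-routed.md
+++ b/integration/network/bridge/iptablesdoc/generated/usernet-portmap-routed.md
@@ -60,7 +60,6 @@ The filter table is:
 
 Chain DOCKER-USER (1 references)
 num pkts bytes target prot opt in out source destination
-1 0 0 RETURN 0 -- * * 0.0.0.0/0 0.0.0.0/0
 
 
 <details>
@@ -97,7 +96,6 @@ The filter table is:
 -A DOCKER-ISOLATION-STAGE-1 -i bridge1 ! -o bridge1 -j DOCKER-ISOLATION-STAGE-2
 -A DOCKER-ISOLATION-STAGE-2 -o bridge1 -j DROP
 -A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
--A DOCKER-USER -j RETURN
 
 
 </details>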

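--- a/integration/network/bridge/iptablesdoc/generated/usernet-portmap.md
+++ b/integration/network/bridge/iptablesdoc/generated/usernet-portmap.md
@@ -56,7 +56,6 @@ The filter table is updated as follows:
 
 Chain DOCKER-USER (1 references)
 num pkts bytes target prot opt in out source destination
-1 0 0 RETURN 0 -- * * 0.0.0.0/0 0.0.0.0/0
 
 
 <details>
@@ -90,7 +89,6 @@ The filter table is updated as follows:
 -A DOCKER-ISOLATION-STAGE-1 -i bridge1 ! -o bridge1 -j DOCKER-ISOLATION-STAGE-2
 -A DOCKER-ISOLATION-STAGE-2 -o bridge1 -j DROP
 -A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
--A DOCKER-USER -j RETURN
 
 
 </details>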

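--- a/libnetwork/firewall_linux.go
+++ b/libnetwork/firewall_linux.go
@@ -55,9 +55,6 @@ func setupUserChain(ipVersion iptables.IPVersion) error {
 if _, err := ipt.NewChain(userChain, iptables.Filter); err != nil {
 return fmt.Errorf("failed to create %s %v chain: %v", userChain, ipVersion, err)
 }
-if err := ipt.AddReturnRule(userChain); err != nil {
-return fmt.Errorf("failed to add the RETURN rule for %s %v: %w", userChain, ipVersion, err)
-}
 if err := ipt.EnsureJumpRule("FORWARD", userChain); err != nil {
 return fmt.Errorf("failed to ensure the jump rule for %s %v: %w", userChain, ipVersion, err)
 }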
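Review bot: Hosts that already have a DOCKER-USER chain keep the legacy `-A DOCKER-USER -j RETURN` rule after this change, because the hunk only stops adding it and nothing here deletes it from an existing chain (assuming `ipt.NewChain` tolerates a chain that is already present, as the unconditional call suggests); on such hosts a rule an administrator appends with `-A DOCKER-USER` still lands behind the stale RETURN and is silently never evaluated, which is the firewall footgun this removal is presumably meant to eliminate — unless another part of the PR handles the migration, which is not visible in this hunk. A best-effort delete of that single rule next to the `NewChain` call, ignoring a not-found result, would close the gap for upgraded installs without affecting fresh ones. The rationale also deserves a comment so a later reader does not "restore" the rule: `// No RETURN rule: an empty user chain already falls through to FORWARD, and an explicit RETURN would shadow anything a user appends with -A.` setupUserChain begins before this hunk and continues after it.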
