diff --git a/libnetwork/controller.go b/libnetwork/controller.go
index b3985719aa..2896011dbf 100644
--- a/libnetwork/controller.go
+++ b/libnetwork/controller.go
@@ -679,29 +679,6 @@ func (c *controller) isAgent() bool {
 	return c.cfg.Daemon.ClusterProvider.IsAgent()
 }
 
-func (c *controller) hasIPTablesEnabled() bool {
-	c.Lock()
-	defer c.Unlock()
-
-	if c.cfg == nil || c.cfg.Daemon.DriverCfg[netlabel.GenericData] == nil {
-		return false
-	}
-
-	genericData, ok := c.cfg.Daemon.DriverCfg[netlabel.GenericData]
-	if !ok {
-		return false
-	}
-
-	optMap := genericData.(map[string]interface{})
-
-	enabled, ok := optMap["EnableIPTables"].(bool)
-	if !ok {
-		return false
-	}
-
-	return enabled
-}
-
 func (c *controller) isDistributedControl() bool {
 	return !c.isManager() && !c.isAgent()
 }
@@ -925,9 +902,7 @@ addToStore:
 		c.Unlock()
 	}
 
-	if c.hasIPTablesEnabled() {
-		c.arrangeUserFilterRule()
-	}
+	c.arrangeUserFilterRule()
 
 	return network, nil
 }
diff --git a/libnetwork/firewall_linux.go b/libnetwork/firewall_linux.go
index 54f9621f81..d27f60ca0c 100644
--- a/libnetwork/firewall_linux.go
+++ b/libnetwork/firewall_linux.go
@@ -2,6 +2,7 @@ package libnetwork
 
 import (
 	"github.com/docker/libnetwork/iptables"
+	"github.com/docker/libnetwork/netlabel"
 	"github.com/sirupsen/logrus"
 )
 
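Review bot: The unconditional `c.arrangeUserFilterRule()` in the second hunk now runs on every network creation, and the callee (firewall_linux.go in this same commit) registers an iptables.OnReloaded callback outside its new hasIPTablesEnabled guard, so with EnableIPTables off each createNetwork still registers a fresh callback that the old call-site guard used to suppress. OnReloaded's implementation is not in the diff; if it appends to a callback list, that list now grows by one per network created even when iptables is not in use. Moving the hasIPTablesEnabled check ahead of the OnReloaded registration in the callee, or registering the callback once at controller construction instead of per network, would restore the old behaviour. The enclosing function continues outside the hunk.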
@@ -9,15 +10,44 @@ const userChain = "DOCKER-USER"
 
 func (c *controller) arrangeUserFilterRule() {
 	c.Lock()
-	arrangeUserFilterRule()
+
+	if c.hasIPTablesEnabled() {
+		arrangeUserFilterRule()
+	}
+
 	c.Unlock()
+
 	iptables.OnReloaded(func() {
 		c.Lock()
-		arrangeUserFilterRule()
+
+		if c.hasIPTablesEnabled() {
+			arrangeUserFilterRule()
+		}
+
 		c.Unlock()
 	})
 }
 
+func (c *controller) hasIPTablesEnabled() bool {
+	// Locking c should be handled in the calling method.
+	if c.cfg == nil || c.cfg.Daemon.DriverCfg[netlabel.GenericData] == nil {
+		return false
+	}
+
+	genericData, ok := c.cfg.Daemon.DriverCfg[netlabel.GenericData]
+	if !ok {
+		return false
+	}
+
+	optMap := genericData.(map[string]interface{})
+	enabled, ok := optMap["EnableIPTables"].(bool)
+	if !ok {
+		return false
+	}
+
+	return enabled
+}
+
 // This chain allow users to configure firewall policies in a way that persists
 // docker operations/restarts. Docker will not delete or modify any pre-existing
 // rules from the DOCKER-USER filter chain.
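Review bot: In the new hasIPTablesEnabled the assertion `optMap := genericData.(map[string]interface{})` is unchecked, so a GenericData value of any other type panics inside createNetwork and inside the OnReloaded callback, and because both callers in this hunk call c.Lock() without a deferred Unlock, anything up the stack that recovers would be left with the controller permanently locked. The `if !ok` branch after the map lookup is also unreachable, since the preceding `== nil` test already returns false for a missing key, so the map is looked up twice for nothing. The version below keeps the nil, missing and non-bool cases returning false exactly as before but uses one lookup and a checked assertion. The `// Locking c should be handled in the calling method.` line would serve better as the function's doc comment, e.g. `// hasIPTablesEnabled reports whether EnableIPTables is set in the generic driver config. The caller must hold c's lock.`
```go
func (c *controller) hasIPTablesEnabled() bool {
	// Locking c should be handled in the calling method.
	if c.cfg == nil {
		return false
	}
	genericData, ok := c.cfg.Daemon.DriverCfg[netlabel.GenericData]
	if !ok || genericData == nil {
		return false
	}
	// A checked assertion: a wrongly typed value yields false instead of a panic.
	optMap, ok := genericData.(map[string]interface{})
	if !ok {
		return false
	}
	enabled, ok := optMap["EnableIPTables"].(bool)
	return ok && enabled
}
```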