
Clean up docker chain of filter table as well on driver init

Signed-off-by: Chun Chen <ramichen@tencent.com>
Chun Chen 9 年之前
當前提交
797c32bcac

+ 1 - 4
libnetwork/drivers/bridge/bridge.go

@@ -134,10 +134,7 @@ func Init(dc driverapi.DriverCallback, config map[string]interface{}) error {
 	if err := iptables.FirewalldInit(); err != nil {
 		logrus.Debugf("Fail to initialize firewalld: %v, using raw iptables instead", err)
 	}
-	if err := iptables.RemoveExistingChain(DockerChain, iptables.Nat); err != nil {
-		logrus.Warnf("Failed to remove existing iptables entries in %s : %v", DockerChain, err)
-	}
-
+	removeIPChains()
 	d := newDriver()
 	if err := d.configure(config); err != nil {
 		return err
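Review bot: `removeIPChains()` runs before `d.configure(config)` has read the configuration, so the filter-table chains are deleted on every driver init, whether or not this daemon is meant to manage iptables. The old code already did this for the nat table, but the filter table holds the forwarding and isolation rules. If a host runs with `EnableIPTables` off and an operator maintains those chains by hand, this would presumably wipe them; that is inferred from the `EnableIPTables` field used in the test, as the config parsing is not in this hunk. Consider gating the call on the parsed config, or at least state the behaviour above the call: `// Remove chains left by a previous run; this happens even when iptables management is disabled.` Init's body continues outside the hunk.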

+ 29 - 0
libnetwork/drivers/bridge/bridge_test.go

@@ -816,3 +816,32 @@ func TestSetDefaultGw(t *testing.T) {
 		t.Fatalf("Failed to configure default gateway. Expected %v. Found %v", gw6, te.gw6)
 	}
 }
+
+type fakeCallBack struct{}
+
+func (cb fakeCallBack) RegisterDriver(name string, driver driverapi.Driver, capability driverapi.Capability) error {
+	return nil
+}
+
+func TestCleanupIptableRules(t *testing.T) {
+	defer testutils.SetupTestOSContext(t)()
+	bridgeChain := []iptables.ChainInfo{
+		iptables.ChainInfo{Name: DockerChain, Table: iptables.Nat},
+		iptables.ChainInfo{Name: DockerChain, Table: iptables.Filter},
+		iptables.ChainInfo{Name: IsolationChain, Table: iptables.Filter},
+	}
+	if _, _, _, err := setupIPChains(&configuration{EnableIPTables: true}); err != nil {
+		t.Fatalf("Error setting up ip chains: %v", err)
+	}
+	for _, chainInfo := range bridgeChain {
+		if !iptables.ExistChain(chainInfo.Name, chainInfo.Table) {
+			t.Fatalf("iptables chain %s of %s table should have been created", chainInfo.Name, chainInfo.Table)
+		}
+	}
+	Init(fakeCallBack{}, make(map[string]interface{}))
+	for _, chainInfo := range bridgeChain {
+		if iptables.ExistChain(chainInfo.Name, chainInfo.Table) {
+			t.Fatalf("iptables chain %s of %s table should have been deleted", chainInfo.Name, chainInfo.Table)
+		}
+	}
+}
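Review bot: The `Init(fakeCallBack{}, ...)` call in TestCleanupIptableRules discards its error, so a failing Init goes unreported and the test still passes as long as the chains are gone afterwards. Check the result: `if err := Init(fakeCallBack{}, make(map[string]interface{})); err != nil { t.Fatalf("Init failed: %v", err) }`. The `bridgeChain` list is also a copy of the one inside removeIPChains, so a chain missing from both would not be caught; a single package-level slice used by both would keep them in step.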

+ 12 - 0
libnetwork/drivers/bridge/setup_ip_tables.go

@@ -309,3 +309,15 @@ func ensureJumpRule(fromChain, toChain string) error {
 
 	return nil
 }
+
+func removeIPChains() {
+	for _, chainInfo := range []iptables.ChainInfo{
+		iptables.ChainInfo{Name: DockerChain, Table: iptables.Nat},
+		iptables.ChainInfo{Name: DockerChain, Table: iptables.Filter},
+		iptables.ChainInfo{Name: IsolationChain, Table: iptables.Filter},
+	} {
+		if err := chainInfo.Remove(); err != nil {
+			logrus.Warnf("Failed to remove existing iptables entries in table %s chain %s : %v", chainInfo.Table, chainInfo.Name, err)
+		}
+	}
+}
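Review bot: removeIPChains has no doc comment, and its best-effort behaviour is the part a caller most needs to know: a chain that cannot be removed is only logged with `Warnf` and left in place, so Init continues with whatever stale rules that chain still holds. Say so on the function, e.g. `// removeIPChains deletes the Docker chains in the nat and filter tables. It is best effort: failures are logged and the chain is left as is.` If leftover filter rules matter for isolation between networks, returning the errors to Init would let it decide, but that is a behaviour change beyond this commit. The element type in the slice literal can also be dropped (`{Name: DockerChain, Table: iptables.Nat},`), as `gofmt -s` would do.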

+ 8 - 0
libnetwork/iptables/iptables.go

@@ -361,3 +361,11 @@ func RawCombinedOutput(args ...string) error {
 	}
 	return nil
 }
+
+// ExistChain checks if a chain exists
+func ExistChain(chain string, table Table) bool {
+	if _, err := Raw("-t", string(table), "-L", chain); err == nil {
+		return true
+	}
+	return false
+}
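Review bot: ExistChain reports false for any error from `Raw`, so a missing chain and a failed iptables invocation look the same to the caller. An exported helper with this name is likely to be used for decisions beyond the test, so the comment should say so: `// ExistChain reports whether chain exists in table. It also returns false when the iptables command itself fails.` The listing would also be cheaper with `-n` added (`Raw("-t", string(table), "-n", "-L", chain)`), which stops iptables from resolving addresses for every rule in the chain. The body can be reduced to `_, err := Raw(...); return err == nil`.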