
Merge pull request #299 from icecrime/13956_duplicate_iptables_rules

Fix duplicated iptables rules
Madhu Venugopal пре 10 година
родитељ
комит
9ec67edb66
2 измењених фајлова са 13 додато и 21 уклоњено
  1. 9 7
      libnetwork/iptables/iptables.go
  2. 4 14
      libnetwork/iptables/iptables_test.go

+ 9 - 7
libnetwork/iptables/iptables.go

@@ -99,7 +99,8 @@ func NewChain(name, bridge string, table Table, hairpinMode bool) (*Chain, error
 	case Nat:
 		preroute := []string{
 			"-m", "addrtype",
-			"--dst-type", "LOCAL"}
+			"--dst-type", "LOCAL",
+			"-j", c.Name}
 		if !Exists(Nat, "PREROUTING", preroute...) {
 			if err := c.Prerouting(Append, preroute...); err != nil {
 				return nil, fmt.Errorf("Failed to inject docker in PREROUTING chain: %s", err)
@@ -107,7 +108,8 @@ func NewChain(name, bridge string, table Table, hairpinMode bool) (*Chain, error
 		}
 		output := []string{
 			"-m", "addrtype",
-			"--dst-type", "LOCAL"}
+			"--dst-type", "LOCAL",
+			"-j", c.Name}
 		if !hairpinMode {
 			output = append(output, "!", "--dst", "127.0.0.0/8")
 		}
@@ -228,7 +230,7 @@ func (c *Chain) Prerouting(action Action, args ...string) error {
 	if len(args) > 0 {
 		a = append(a, args...)
 	}
-	if output, err := Raw(append(a, "-j", c.Name)...); err != nil {
+	if output, err := Raw(a...); err != nil {
 		return err
 	} else if len(output) != 0 {
 		return ChainError{Chain: "PREROUTING", Output: output}
@@ -242,7 +244,7 @@ func (c *Chain) Output(action Action, args ...string) error {
 	if len(args) > 0 {
 		a = append(a, args...)
 	}
-	if output, err := Raw(append(a, "-j", c.Name)...); err != nil {
+	if output, err := Raw(a...); err != nil {
 		return err
 	} else if len(output) != 0 {
 		return ChainError{Chain: "OUTPUT", Output: output}
@@ -254,9 +256,9 @@ func (c *Chain) Output(action Action, args ...string) error {
 func (c *Chain) Remove() error {
 	// Ignore errors - This could mean the chains were never set up
 	if c.Table == Nat {
-		c.Prerouting(Delete, "-m", "addrtype", "--dst-type", "LOCAL")
-		c.Output(Delete, "-m", "addrtype", "--dst-type", "LOCAL", "!", "--dst", "127.0.0.0/8")
-		c.Output(Delete, "-m", "addrtype", "--dst-type", "LOCAL") // Created in versions <= 0.1.6
+		c.Prerouting(Delete, "-m", "addrtype", "--dst-type", "LOCAL", "-j", c.Name)
+		c.Output(Delete, "-m", "addrtype", "--dst-type", "LOCAL", "!", "--dst", "127.0.0.0/8", "-j", c.Name)
+		c.Output(Delete, "-m", "addrtype", "--dst-type", "LOCAL", "-j", c.Name) // Created in versions <= 0.1.6
 
 		c.Prerouting(Delete)
 		c.Output(Delete)
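Review bot: The two bare calls at the end of the NAT branch of Remove, `c.Prerouting(Delete)` and `c.Output(Delete)`, no longer name a target, because this commit stops Prerouting and Output from appending `"-j", c.Name` themselves. Before the change they appear to have deleted a bare jump into the chain; now they ask iptables to delete a rule with neither match nor target, and since Remove ignores every error, a leftover jump rule would stay in the nat table unnoticed. If those legacy rules still need cleaning up, pass the target explicitly: `c.Prerouting(Delete, "-j", c.Name)` and `c.Output(Delete, "-j", c.Name)`. The same contract change reaches any caller of the exported Prerouting and Output outside this diff, so their doc comments should state that the caller now supplies the `-j` target. Remove continues past the end of the hunk.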

+ 4 - 14
libnetwork/iptables/iptables_test.go

@@ -131,16 +131,11 @@ func TestPrerouting(t *testing.T) {
 		t.Fatal(err)
 	}
 
-	rule := []string{
-		"-j", natChain.Name}
-
-	rule = append(rule, args...)
-
-	if !Exists(natChain.Table, "PREROUTING", rule...) {
+	if !Exists(natChain.Table, "PREROUTING", args...) {
 		t.Fatalf("rule does not exist")
 	}
 
-	delRule := append([]string{"-D", "PREROUTING", "-t", string(Nat)}, rule...)
+	delRule := append([]string{"-D", "PREROUTING", "-t", string(Nat)}, args...)
 	if _, err = Raw(delRule...); err != nil {
 		t.Fatal(err)
 	}
@@ -156,17 +151,12 @@ func TestOutput(t *testing.T) {
 		t.Fatal(err)
 	}
 
-	rule := []string{
-		"-j", natChain.Name}
-
-	rule = append(rule, args...)
-
-	if !Exists(natChain.Table, "OUTPUT", rule...) {
+	if !Exists(natChain.Table, "OUTPUT", args...) {
 		t.Fatalf("rule does not exist")
 	}
 
 	delRule := append([]string{"-D", "OUTPUT", "-t",
-		string(natChain.Table)}, rule...)
+		string(natChain.Table)}, args...)
 	if _, err = Raw(delRule...); err != nil {
 		t.Fatal(err)
 	}
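Review bot: After this change TestPrerouting and TestOutput appear to insert and check a rule with no jump target. The old code prepended `"-j", natChain.Name` to `args`, the definition of `args` lies outside both hunks, and all 4 additions counted for this file are visible here, so `args` was not given a target. The tests can then pass without exercising the jump into the chain that NewChain installs. Consider adding `"-j", natChain.Name` to `args` in both tests, plus a regression test that calls NewChain twice with the same arguments and asserts that the PREROUTING and OUTPUT jumps each appear once. Both test functions begin and end outside the hunks.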