
Merge pull request #3759 from jpoimboe/links-iptables-cleanup

network: remove unnecessary links iptables rule for return traffic
Guillaume J. Charmes 11 年之前
父節點
當前提交
d4ea6308fd
共有 2 個文件被更改,包括 23 次插入34 次删除
  1. 0 12
      links.go
  2. 23 22
      network.go

+ 0 - 12
links.go

@@ -131,18 +131,6 @@ func (l *Link) toggle(action string, ignoreErrors bool) error {
 		} else if len(output) != 0 {
 			return fmt.Errorf("Error toggle iptables forward: %s", output)
 		}
-
-		if output, err := iptables.Raw(action, "FORWARD",
-			"-i", l.BridgeInterface, "-o", l.BridgeInterface,
-			"-p", p.Proto(),
-			"-s", l.ChildIP,
-			"--sport", p.Port(),
-			"-d", l.ParentIP,
-			"-j", "ACCEPT"); !ignoreErrors && err != nil {
-			return err
-		} else if len(output) != 0 {
-			return fmt.Errorf("Error toggle iptables forward: %s", output)
-		}
 	}
 	return nil
 }

+ 23 - 22
network.go

@@ -450,28 +450,6 @@ func newNetworkManager(config *DaemonConfig) (*NetworkManager, error) {
 			}
 		}
 
-		// Accept incoming packets for existing connections
-		existingArgs := []string{"FORWARD", "-o", config.BridgeIface, "-m", "conntrack", "--ctstate", "RELATED,ESTABLISHED", "-j", "ACCEPT"}
-
-		if !iptables.Exists(existingArgs...) {
-			if output, err := iptables.Raw(append([]string{"-I"}, existingArgs...)...); err != nil {
-				return nil, fmt.Errorf("Unable to allow incoming packets: %s", err)
-			} else if len(output) != 0 {
-				return nil, fmt.Errorf("Error iptables allow incoming: %s", output)
-			}
-		}
-
-		// Accept all non-intercontainer outgoing packets
-		outgoingArgs := []string{"FORWARD", "-i", config.BridgeIface, "!", "-o", config.BridgeIface, "-j", "ACCEPT"}
-
-		if !iptables.Exists(outgoingArgs...) {
-			if output, err := iptables.Raw(append([]string{"-I"}, outgoingArgs...)...); err != nil {
-				return nil, fmt.Errorf("Unable to allow outgoing packets: %s", err)
-			} else if len(output) != 0 {
-				return nil, fmt.Errorf("Error iptables allow outgoing: %s", output)
-			}
-		}
-
 		args := []string{"FORWARD", "-i", config.BridgeIface, "-o", config.BridgeIface, "-j"}
 		acceptArgs := append(args, "ACCEPT")
 		dropArgs := append(args, "DROP")
@@ -497,6 +475,29 @@ func newNetworkManager(config *DaemonConfig) (*NetworkManager, error) {
 				}
 			}
 		}
+
+		// Accept all non-intercontainer outgoing packets
+		outgoingArgs := []string{"FORWARD", "-i", config.BridgeIface, "!", "-o", config.BridgeIface, "-j", "ACCEPT"}
+
+		if !iptables.Exists(outgoingArgs...) {
+			if output, err := iptables.Raw(append([]string{"-I"}, outgoingArgs...)...); err != nil {
+				return nil, fmt.Errorf("Unable to allow outgoing packets: %s", err)
+			} else if len(output) != 0 {
+				return nil, fmt.Errorf("Error iptables allow outgoing: %s", output)
+			}
+		}
+
+		// Accept incoming packets for existing connections
+		existingArgs := []string{"FORWARD", "-o", config.BridgeIface, "-m", "conntrack", "--ctstate", "RELATED,ESTABLISHED", "-j", "ACCEPT"}
+
+		if !iptables.Exists(existingArgs...) {
+			if output, err := iptables.Raw(append([]string{"-I"}, existingArgs...)...); err != nil {
+				return nil, fmt.Errorf("Unable to allow incoming packets: %s", err)
+			} else if len(output) != 0 {
+				return nil, fmt.Errorf("Error iptables allow incoming: %s", output)
+			}
+		}
+
 	}
 
 	portMapper, err := newPortMapper(config)
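Review bot: The rules moved into this hunk are added with `-I`, so their position in FORWARD is set by the order the calls run, not by where they sit in the file: the conntrack RELATED,ESTABLISHED rule is inserted last and is therefore evaluated first, ahead of the `-i bridge -o bridge` ACCEPT/DROP rule set up earlier in the function. Nothing in the hunk records that this ordering is exactly what makes the per-link return rule removed in links.go unnecessary, so a later reordering of these blocks would silently break return traffic when inter-container communication is disabled. I would extend the comment on the conntrack block to `// Inserted last so it lands at the top of FORWARD and is evaluated before the intercontainer DROP rule; link return traffic is now accepted only through this conntrack match.` The `iptables.Exists` guards also appear to check only that a matching rule is present, not where it sits, so a rule left behind by a previous daemon run below the DROP rule would be kept in place rather than moved; that is worth confirming against the helper, or handling with a delete-and-reinsert. newNetworkManager starts and ends outside the hunk.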