diff --git a/libnetwork/drivers/bridge/setup_ip_tables.go b/libnetwork/drivers/bridge/setup_ip_tables.go index 0591a1243c..bd2822e39c 100644 --- a/libnetwork/drivers/bridge/setup_ip_tables.go +++ b/libnetwork/drivers/bridge/setup_ip_tables.go @@ -244,11 +244,10 @@ func setupIPTablesInternal(hostIP net.IP, bridgeIface string, addr *net.IPNet, i } } - // In hairpin mode, masquerade traffic from localhost - if hairpin { - if err := programChainRule(ipVersion, hpNatRule, "MASQ LOCAL HOST", enable); err != nil { - return err - } + // In hairpin mode, masquerade traffic from localhost. If hairpin is disabled or if we're tearing down + // that bridge, make sure the iptables rule isn't lying around. + if err := programChainRule(ipVersion, hpNatRule, "MASQ LOCAL HOST", enable && hairpin); err != nil { + return err } // Set Inter Container Communication.