iptables post-stop service cleanup executed even if no iptables filters are defined
Summary
Even if I don't define docker_service_port_filters, my Docker service still tries to mess with iptables and I get weird error messages.
Steps to reproduce
Define a Docker service. Do not define docker_service_port_filters.
Expected behavior
No iptables configuration changes should be performed.
Actual behavior
The service has a post-stop script defined, and the script tries to do something with iptables:
nginx.service
ExecStartPre=-/usr/bin/docker rm nginx
ExecStartPre=/usr/bin/docker pull nginx:1.15.2
ExecStart=/usr/bin/docker run \
--name nginx \
--publish 8200:8200 \
--network=vault-network \
--volume /etc/nginx/nginx.conf:/etc/nginx/nginx.conf \
--volume /etc/nginx/conf.d:/etc/nginx/conf.d \
--volume /etc/nginx/certs:/etc/nginx/certs \
nginx:1.15.2
ExecStop=-/usr/bin/docker stop nginx
ExecStopPost=/usr/local/bin/docker.services/nginx_poststop.sh
nginx_poststop.sh
#!/bin/bash
iptables --table mangle --flush nginx
iptables --table mangle --delete PREROUTING --jump nginx
iptables --table mangle --delete-chain nginx
ipset list -name | grep --extended-regexp "^nginx[TU][0-9]{1,5}$" | xargs --max-args=1 ipset destroy
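A post-stop script shaped the way the expected behaviour implies, added here as an example and not the role's generated script: it assumes the chain name and ipset prefix equal the service name (as in the output above) and does nothing when that chain and those ipsets do not exist, so a service without port filters produces no iptables errors on stop.

```shell
#!/bin/sh
# Added example, not the role's generated script: a post-stop cleanup that only
# touches iptables/ipset state the service actually created, so a unit defined
# without docker_service_port_filters produces no errors when it stops.
# Assumption (from the issue's output): chain name and ipset prefix equal the service name.
set -u
CHAIN="${CHAIN:-nginx}"

# 0 if the per-service chain exists in the mangle table, 1 otherwise.
chain_exists() {
    iptables --wait --table mangle --numeric --list "$1" >/dev/null 2>&1
}

# Filter stdin down to the ipsets belonging to this service, e.g. nginxT80, nginxU53.
service_ipsets() {
    grep --extended-regexp "^${1}[TU][0-9]{1,5}$" || true
}

# Idempotent teardown: each step is skipped or tolerated when its object is absent.
cleanup() {
    if chain_exists "$1"; then
        iptables --wait --table mangle --flush "$1"
        # the PREROUTING jump may already be gone; that is not an error here
        iptables --wait --table mangle --delete PREROUTING --jump "$1" 2>/dev/null || true
        iptables --wait --table mangle --delete-chain "$1"
    fi
    # no ipset binary or no matching sets: the loop body simply never runs
    ipset list -name 2>/dev/null | service_ipsets "$1" | while read -r set_name; do
        ipset destroy "$set_name"
    done
}

cleanup "$CHAIN"
```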