iptables: Drop explicit RETURN rule from DOCKER-USER

[robmry]

- What I did

• fix DOCKER-USER is modified upon network creation #50067

Stop adding an explicit RETURN rule to the DOCKER-USER chain - it'll return anyway, and having the rule means users can't append rules to the chain (only insert) without some juggling.

Note that this doesn't remove the rule. (So, it'll persist on upgrade but not over reboot.)

- How I did it

- How to verify it

- Human readable description for the release notes

When creating the iptables `DOCKER-USER` chain, do not add an explicit `RETURN` rule, allowing users to append as well as insert their own rules. Existing rules are not removed on upgrade, but it won't be replaced after a reboot.

[thaJeztah]

SGTM

[vin01]

the description seems misleading .. same in release notes

When creating the iptables DOCKER-USER chain, do not add an explicit RETURN rule, allowing users to append as well as insert their own rules. Existing rules are not removed on upgrade, but it won't be replaced after a reboot.

instead of but it will be replaced after a reboot.

[robmry]

Hi @vin01 - I think the text is ok.

Upgraded versions of docker won't delete an existing RETURN rule from the DOCKER-USER chain, but they won't add one either. So, after upgrade, the rule will still be there. But, on reboot, all of the rules are deleted. When the new daemon starts, it won't create the RETURN rule.

Does that make sense?

[vin01]

Thanks for the quick response. It does make sense granted that one knows that after a reboot the rules are created afresh, for me replaced was what made me wonder if this behavior has been changed so I had to take a closer look, re-created might have been slightly more explicit.

I am looking at it in context of #50129 which does not seem like an iptables issue now but something else internally in swarm networking.

[robmry]

Ah, right - makes sense, thank you. Hopefully this discussion will clarify things for anyone else who comes looking.