iptables: Drop explicit RETURN rule from DOCKER-USER

Signed-off-by: Rob Murray <rob.murray@docker.com>

integration/network/bridge/iptablesdoc/generated/new-daemon.md

@@ -45,7 +45,6 @@ Table `filter`:
     
     Chain DOCKER-USER (1 references)
     num   pkts bytes target     prot opt in     out     source               destination         
-    1        0     0 RETURN     0    --  *      *       0.0.0.0/0            0.0.0.0/0           
     
 
 <details>
@@ -72,7 +71,6 @@ Table `filter`:
     -A DOCKER-FORWARD -i docker0 -j ACCEPT
     -A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
     -A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-    -A DOCKER-USER -j RETURN
     
 
 </details>

integration/network/bridge/iptablesdoc/generated/swarm-portmap.md

@@ -60,7 +60,6 @@ The filter table is:
     
     Chain DOCKER-USER (1 references)
     num   pkts bytes target     prot opt in     out     source               destination         
-    1        0     0 RETURN     0    --  *      *       0.0.0.0/0            0.0.0.0/0           
     
 
 <details>
@@ -99,7 +98,6 @@ The filter table is:
     -A DOCKER-ISOLATION-STAGE-1 -i docker_gwbridge ! -o docker_gwbridge -j DOCKER-ISOLATION-STAGE-2
     -A DOCKER-ISOLATION-STAGE-2 -o docker_gwbridge -j DROP
     -A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-    -A DOCKER-USER -j RETURN
     
 
 </details>

integration/network/bridge/iptablesdoc/generated/usernet-internal.md

@@ -66,7 +66,6 @@ The filter table is updated as follows:
     
     Chain DOCKER-USER (1 references)
     num   pkts bytes target     prot opt in     out     source               destination         
-    1        0     0 RETURN     0    --  *      *       0.0.0.0/0            0.0.0.0/0           
     
 
 <details>
@@ -99,7 +98,6 @@ The filter table is updated as follows:
     -A DOCKER-ISOLATION-STAGE-1 ! -d 192.0.2.0/24 -i bridgeICC -j DROP
     -A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
     -A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-    -A DOCKER-USER -j RETURN
     
 
 </details>

integration/network/bridge/iptablesdoc/generated/usernet-portmap-lo.md

@@ -59,7 +59,6 @@ The filter and nat tables are identical to [nat mode][0]:
     
     Chain DOCKER-USER (1 references)
     num   pkts bytes target     prot opt in     out     source               destination         
-    1        0     0 RETURN     0    --  *      *       0.0.0.0/0            0.0.0.0/0           
     
 
     -P INPUT ACCEPT
@@ -90,7 +89,6 @@ The filter and nat tables are identical to [nat mode][0]:
     -A DOCKER-ISOLATION-STAGE-1 -i bridge1 ! -o bridge1 -j DOCKER-ISOLATION-STAGE-2
     -A DOCKER-ISOLATION-STAGE-2 -o bridge1 -j DROP
     -A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-    -A DOCKER-USER -j RETURN
     
 
 </details>

integration/network/bridge/iptablesdoc/generated/usernet-portmap-natunprot.md

@@ -56,7 +56,6 @@ The filter table is:
     
     Chain DOCKER-USER (1 references)
     num   pkts bytes target     prot opt in     out     source               destination         
-    1        0     0 RETURN     0    --  *      *       0.0.0.0/0            0.0.0.0/0           
     
 
 <details>
@@ -89,7 +88,6 @@ The filter table is:
     -A DOCKER-ISOLATION-STAGE-1 -i bridge1 ! -o bridge1 -j DOCKER-ISOLATION-STAGE-2
     -A DOCKER-ISOLATION-STAGE-2 -o bridge1 -j DROP
     -A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-    -A DOCKER-USER -j RETURN
     
 
 </details>

integration/network/bridge/iptablesdoc/generated/usernet-portmap-noicc.md

@@ -58,7 +58,6 @@ The filter table is:
     
     Chain DOCKER-USER (1 references)
     num   pkts bytes target     prot opt in     out     source               destination         
-    1        0     0 RETURN     0    --  *      *       0.0.0.0/0            0.0.0.0/0           
     
 
 <details>
@@ -93,7 +92,6 @@ The filter table is:
     -A DOCKER-ISOLATION-STAGE-1 -i bridge1 ! -o bridge1 -j DOCKER-ISOLATION-STAGE-2
     -A DOCKER-ISOLATION-STAGE-2 -o bridge1 -j DROP
     -A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-    -A DOCKER-USER -j RETURN
     
 
 </details>

integration/network/bridge/iptablesdoc/generated/usernet-portmap-noproxy.md

@@ -60,7 +60,6 @@ The filter table is the same as with the userland proxy enabled.
     
     Chain DOCKER-USER (1 references)
     num   pkts bytes target     prot opt in     out     source               destination         
-    1        0     0 RETURN     0    --  *      *       0.0.0.0/0            0.0.0.0/0           
     
 
     -P INPUT ACCEPT
@@ -91,7 +90,6 @@ The filter table is the same as with the userland proxy enabled.
     -A DOCKER-ISOLATION-STAGE-1 -i bridge1 ! -o bridge1 -j DOCKER-ISOLATION-STAGE-2
     -A DOCKER-ISOLATION-STAGE-2 -o bridge1 -j DROP
     -A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-    -A DOCKER-USER -j RETURN
     
 
 </details>

integration/network/bridge/iptablesdoc/generated/usernet-portmap-routed.md

@@ -60,7 +60,6 @@ The filter table is:
     
     Chain DOCKER-USER (1 references)
     num   pkts bytes target     prot opt in     out     source               destination         
-    1        0     0 RETURN     0    --  *      *       0.0.0.0/0            0.0.0.0/0           
     
 
 <details>
@@ -97,7 +96,6 @@ The filter table is:
     -A DOCKER-ISOLATION-STAGE-1 -i bridge1 ! -o bridge1 -j DOCKER-ISOLATION-STAGE-2
     -A DOCKER-ISOLATION-STAGE-2 -o bridge1 -j DROP
     -A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-    -A DOCKER-USER -j RETURN
     
 
 </details>

integration/network/bridge/iptablesdoc/generated/usernet-portmap.md

@@ -56,7 +56,6 @@ The filter table is updated as follows:
     
     Chain DOCKER-USER (1 references)
     num   pkts bytes target     prot opt in     out     source               destination         
-    1        0     0 RETURN     0    --  *      *       0.0.0.0/0            0.0.0.0/0           
     
 
 <details>
@@ -90,7 +89,6 @@ The filter table is updated as follows:
     -A DOCKER-ISOLATION-STAGE-1 -i bridge1 ! -o bridge1 -j DOCKER-ISOLATION-STAGE-2
     -A DOCKER-ISOLATION-STAGE-2 -o bridge1 -j DROP
     -A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-    -A DOCKER-USER -j RETURN
     
 
 </details>

libnetwork/firewall_linux.go

@@ -45,9 +45,6 @@ func setupUserChain(ipVersion iptables.IPVersion) error {
 	if _, err := ipt.NewChain(userChain, iptables.Filter); err != nil {
 		return fmt.Errorf("failed to create %s %v chain: %v", userChain, ipVersion, err)
 	}
-	if err := ipt.AddReturnRule(userChain); err != nil {
-		return fmt.Errorf("failed to add the RETURN rule for %s %v: %w", userChain, ipVersion, err)
-	}
 	if err := ipt.EnsureJumpRule("FORWARD", userChain); err != nil {
 		return fmt.Errorf("failed to ensure the jump rule for %s %v: %w", userChain, ipVersion, err)
 	}

libnetwork/testdata/TestUserChain_iptables-true_append-false_usrafter4

@@ -1,2 +1 @@
 -N DOCKER-USER
--A DOCKER-USER -j RETURN

libnetwork/testdata/TestUserChain_iptables-true_append-false_usrafter6

@@ -1,2 +1 @@
 -N DOCKER-USER
--A DOCKER-USER -j RETURN

libnetwork/testdata/TestUserChain_iptables-true_append-true_usrafter4

@@ -1,2 +1 @@
 -N DOCKER-USER
--A DOCKER-USER -j RETURN

libnetwork/testdata/TestUserChain_iptables-true_append-true_usrafter6

@@ -1,2 +1 @@
 -N DOCKER-USER
--A DOCKER-USER -j RETURN