@@ -31,7 +31,6 @@ import (

 	"github.com/docker/docker/integration-cli/cli/build"

 	"github.com/docker/docker/integration-cli/daemon"

 	"github.com/docker/docker/libnetwork/drivers/bridge"

-	"github.com/docker/docker/libnetwork/iptables"

 	"github.com/docker/docker/opts"

 	"github.com/docker/docker/testutil"

 	testdaemon "github.com/docker/docker/testutil/daemon"

@@ -795,44 +794,6 @@ func (s *DockerDaemonSuite) TestDaemonICCLinkExpose(c *testing.T) {

 	assert.NilError(c, err, out)

 }

-func (s *DockerDaemonSuite) TestDaemonLinksIpTablesRulesWhenLinkAndUnlink(c *testing.T) {

-	// make sure the default docker0 bridge doesn't interfere with the test,

-	// which may happen if it was created with the same IP range.

-	deleteInterface(c, "docker0")

-

-	bridgeName := "ext-bridge7"

-	bridgeIP := "192.169.1.1/24"

-

-	createInterface(c, "bridge", bridgeName, bridgeIP)

-	defer deleteInterface(c, bridgeName)

-

-	s.d.StartWithBusybox(testutil.GetContext(c), c, "--bridge", bridgeName, "--icc=false")

-	defer s.d.Restart(c)

-

-	out, err := s.d.Cmd("run", "-d", "--name", "child", "--publish", "8080:80", "busybox", "top")

-	assert.NilError(c, err, out)

-	out, err = s.d.Cmd("run", "-d", "--name", "parent", "--link", "child:http", "busybox", "top")

-	assert.NilError(c, err, out)

-

-	childIP := s.d.FindContainerIP(c, "child")

-	parentIP := s.d.FindContainerIP(c, "parent")

-

-	sourceRule := []string{"-i", bridgeName, "-o", bridgeName, "-p", "tcp", "-s", childIP, "--sport", "80", "-d", parentIP, "-j", "ACCEPT"}

-	destinationRule := []string{"-i", bridgeName, "-o", bridgeName, "-p", "tcp", "-s", parentIP, "--dport", "80", "-d", childIP, "-j", "ACCEPT"}

-	iptable := iptables.GetIptable(iptables.IPv4)

-	if !iptable.Exists("filter", "DOCKER", sourceRule...) || !iptable.Exists("filter", "DOCKER", destinationRule...) {

-		c.Fatal("Iptables rules not found")

-	}

-

-	s.d.Cmd("rm", "--link", "parent/http")

-	if iptable.Exists("filter", "DOCKER", sourceRule...) || iptable.Exists("filter", "DOCKER", destinationRule...) {

-		c.Fatal("Iptables rules should be removed when unlink")

-	}

-

-	s.d.Cmd("kill", "child")

-	s.d.Cmd("kill", "parent")

-}

-

 func (s *DockerDaemonSuite) TestDaemonUlimitDefaults(c *testing.T) {

 	s.d.StartWithBusybox(testutil.GetContext(c), c, "--default-ulimit", "nofile=42:42", "--default-ulimit", "nproc=1024:1024")

@@ -558,3 +558,65 @@ func TestFirewalldReloadNoZombies(t *testing.T) {

 	assert.Check(t, !strings.Contains(resAfterReload.Combined(), bridgeName),

 		"After deletes: did not expect rules for %s in: %s", bridgeName, resAfterReload.Combined())

 }

+

+// TestRemoveLegacyLink checks that a legacy link can be deleted while the

+// linked containers are running.

+//

+// Replacement for DockerDaemonSuite/TestDaemonLinksIpTablesRulesWhenLinkAndUnlink

+func TestRemoveLegacyLink(t *testing.T) {

+	ctx := setupTest(t)

+

+	// Tidy up after the test by starting a new daemon, which will remove the icc=false

+	// rules this test will create for docker0.

+	defer func() {

+		d := daemon.New(t)

+		d.StartWithBusybox(ctx, t)

+		defer d.Stop(t)

+	}()

+

+	d := daemon.New(t)

+	d.StartWithBusybox(ctx, t, "--icc=false")

+	defer d.Stop(t)

+	c := d.NewClientT(t)

+

+	// Run an http server.

+	const svrName = "svr"

+	svrId := ctr.Run(ctx, t, c,

+		ctr.WithExposedPorts("80/tcp"),

+		ctr.WithName(svrName),

+		ctr.WithCmd("httpd", "-f"),

+	)

+	defer ctr.Remove(ctx, t, c, svrId, containertypes.RemoveOptions{Force: true})

+

+	// Run a container linked to the http server.

+	const svrAlias = "thealias"

+	const clientName = "client"

+	clientId := ctr.Run(ctx, t, c,

+		ctr.WithName(clientName),

+		ctr.WithLinks(svrName+":"+svrAlias),

+	)

+	defer ctr.Remove(ctx, t, c, clientId, containertypes.RemoveOptions{Force: true})

+

+	// Check the link works.

+	res := ctr.ExecT(ctx, t, c, clientId, []string{"wget", "-T3", "http://" + svrName})

+	assert.Check(t, is.Contains(res.Stderr(), "404 Not Found"))

+

+	// Remove the link ("docker rm --link client/thealias").

+	err := c.ContainerRemove(ctx, clientName+"/"+svrAlias, containertypes.RemoveOptions{RemoveLinks: true})

+	assert.Check(t, err)

+

+	// Check both containers are still running.

+	inspSvr := ctr.Inspect(ctx, t, c, svrId)

+	assert.Check(t, is.Equal(inspSvr.State.Running, true))

+	inspClient := ctr.Inspect(ctx, t, c, clientId)

+	assert.Check(t, is.Equal(inspClient.State.Running, true))

+

+	// Check the link's alias doesn't work.

+	res = ctr.ExecT(ctx, t, c, clientId, []string{"wget", "-T3", "http://" + svrName})

+	assert.Check(t, is.Contains(res.Stderr(), "bad address"))

+

+	// Check the icc=false rules now block access by address.

+	svrAddr := inspSvr.NetworkSettings.Networks["bridge"].IPAddress

+	res = ctr.ExecT(ctx, t, c, clientId, []string{"wget", "-T3", "http://" + svrAddr})

+	assert.Check(t, is.Contains(res.Stderr(), "download timed out"))

+}

@@ -899,6 +899,12 @@ func (ep *Endpoint) sbLeave(ctx context.Context, sb *Sandbox, force bool) error

 		log.G(ctx).WithError(err).Warn("Failed to clean up network resources on container disconnect")

 	}

+	// Even if the interface was initially created in the container's namespace, it's

+	// now been moved out. When a legacy link is deleted, the Endpoint is removed and

+	// then re-added to the Sandbox. So, to make sure the re-add works, note that the

+	// interface is now outside the container's netns.

+	ep.iface.createdInContainer = false

+

 	// Update the store about the sandbox detach only after we

 	// have completed sb.clearNetworkResources above to avoid

 	// spurious logs when cleaning up the sandbox when the daemon