@@ -3,7 +3,7 @@

 # LIBNETWORK_COMMIT is used to build the docker-userland-proxy binary. When

 # updating the binary version, consider updating github.com/docker/libnetwork

 # in vendor.conf accordingly

-LIBNETWORK_COMMIT=f30a35b091cc2a431ef9856c75c343f75bb5f2e2

+LIBNETWORK_COMMIT=36d3bed0e9f4b3c8c66df9bd45278bb90b33e911

 install_proxy() {

 	case "$1" in

@@ -37,7 +37,7 @@ github.com/mitchellh/hashstructure 2bca23e0e452137f789efbc8610126fd8b94f73b

 #get libnetwork packages

 # When updating, also update LIBNETWORK_COMMIT in hack/dockerfile/install/proxy accordingly

-github.com/docker/libnetwork a79d3687931697244b8e03485bf7b2042f8ec6b6

+github.com/docker/libnetwork 36d3bed0e9f4b3c8c66df9bd45278bb90b33e911

 github.com/docker/go-events 9461782956ad83b30282bf90e31fa6a70c255ba9

 github.com/armon/go-radix e39d623f12e8e41c7b5529e9a9dd67a1e2261f80

 github.com/armon/go-metrics eb0af217e5e9747e41dd5303755356b62d28e3ec

@@ -32,7 +32,7 @@ var (

 	ErrBitAllocated = errors.New("requested bit is already allocated")

 )

-// Handle contains the sequece representing the bitmask and its identifier

+// Handle contains the sequence representing the bitmask and its identifier

 type Handle struct {

 	bits       uint64

 	unselected uint64

@@ -95,7 +95,7 @@ func (s *Server) EnableDiagnostic(ip string, port int) {

 	s.srv = srv

 	s.enable = 1

 	go func(n *Server) {

-		// Ingore ErrServerClosed that is returned on the Shutdown call

+		// Ignore ErrServerClosed that is returned on the Shutdown call

 		if err := srv.ListenAndServe(); err != nil && err != http.ErrServerClosed {

 			logrus.Errorf("ListenAndServe error: %s", err)

 			atomic.SwapInt32(&n.enable, 0)

@@ -598,7 +598,7 @@ func (d *driver) checkConflict(config *networkConfiguration) error {

 		nwConfig := nw.config

 		nw.Unlock()

 		if err := nwConfig.Conflicts(config); err != nil {

-			if config.DefaultBridge {

+			if nwConfig.DefaultBridge {

 				// We encountered and identified a stale default network

 				// We must delete it as libnetwork is the source of truth

 				// The default network being created must be the only one

@@ -24,7 +24,7 @@ func (d *driver) CreateEndpoint(nid, eid string, ifInfo driverapi.InterfaceInfo,

 		return fmt.Errorf("network id %q not found", nid)

 	}

 	if ifInfo.MacAddress() != nil {

-		return fmt.Errorf("%s interfaces do not support custom mac address assigment", ipvlanType)

+		return fmt.Errorf("%s interfaces do not support custom mac address assignment", ipvlanType)

 	}

 	ep := &endpoint{

 		id:     eid,

@@ -53,13 +53,15 @@ type SvcStats struct {

 // Destination defines an IPVS destination (real server) in its

 // entirety.

 type Destination struct {

-	Address         net.IP

-	Port            uint16

-	Weight          int

-	ConnectionFlags uint32

-	AddressFamily   uint16

-	UpperThreshold  uint32

-	LowerThreshold  uint32

+	Address             net.IP

+	Port                uint16

+	Weight              int

+	ConnectionFlags     uint32

+	AddressFamily       uint16

+	UpperThreshold      uint32

+	LowerThreshold      uint32

+	ActiveConnections   int

+	InactiveConnections int

 }

 // Handle provides a namespace specific ipvs handle to program ipvs

@@ -439,6 +439,10 @@ func assembleDestination(attrs []syscall.NetlinkRouteAttr) (*Destination, error)

 			d.LowerThreshold = native.Uint32(attr.Value)

 		case ipvsDestAttrAddressFamily:

 			d.AddressFamily = native.Uint16(attr.Value)

+		case ipvsDestAttrActiveConnections:

+			d.ActiveConnections = int(native.Uint16(attr.Value))

+		case ipvsDestAttrInactiveConnections:

+			d.InactiveConnections = int(native.Uint16(attr.Value))

 		}

 	}

 	return &d, nil

new file mode 100644

@@ -0,0 +1,3 @@

+package ns

+

+// File is present so that go build ./... is closer to working on Windows from repo root.

@@ -297,7 +297,7 @@ func (n *networkNamespace) AddInterface(srcName, dstPrefix string, options ...If

 			logrus.Errorf("renaming interface (%s->%s) failed, %v after config error %v", i.DstName(), i.SrcName(), nerr, err)

 		}

 		if nerr := nlh.LinkSetNsFd(iface, ns.ParseHandlerInt()); nerr != nil {

-			logrus.Errorf("moving inteface %s to host ns failed, %v, after config error %v", i.SrcName(), nerr, err)

+			logrus.Errorf("moving interface %s to host ns failed, %v, after config error %v", i.SrcName(), nerr, err)

 		}

 		return err

 	}

@@ -227,7 +227,7 @@ func NewSandbox(key string, osCreate, isRestore bool) (Sandbox, error) {

 		logrus.Warnf("Failed to set the timeout on the sandbox netlink handle sockets: %v", err)

 	}

 	// In live-restore mode, IPV6 entries are getting cleaned up due to below code

-	// We should retain IPV6 configrations in live-restore mode when Docker Daemon

+	// We should retain IPV6 configurations in live-restore mode when Docker Daemon

 	// comes back. It should work as it is on other cases

 	// As starting point, disable IPv6 on all interfaces

 	if !isRestore && !n.isDefault {

@@ -1,3 +1,5 @@

+// +build !windows

+

 package portallocator

 import (

new file mode 100644

@@ -0,0 +1 @@

+package portallocator

@@ -76,7 +76,7 @@ func reexecSetupResolver() {

 	for _, rule := range rules {

 		if iptables.RawCombinedOutputNative(rule...) != nil {

-			logrus.Errorf("setting up rule failed, %v", rule)

+			logrus.Errorf("set up rule failed, %v", rule)

 		}

 	}

 }

@@ -135,8 +135,7 @@ func (n *network) addLBBackend(ip net.IP, lb *loadBalancer) {

 			if ep := sb.getGatewayEndpoint(); ep != nil {

 				gwIP = ep.Iface().Address().IP

 			}

-			filteredPorts := filterPortConfigs(lb.service.ingressPorts, false)

-			if err := programIngress(gwIP, filteredPorts, false); err != nil {

+			if err := programIngress(gwIP, lb.service.ingressPorts, false); err != nil {

 				logrus.Errorf("Failed to add ingress: %v", err)

 				return

 			}

@@ -227,8 +226,7 @@ func (n *network) rmLBBackend(ip net.IP, lb *loadBalancer, rmService bool, fullR

 			if ep := sb.getGatewayEndpoint(); ep != nil {

 				gwIP = ep.Iface().Address().IP

 			}

-			filteredPorts := filterPortConfigs(lb.service.ingressPorts, true)

-			if err := programIngress(gwIP, filteredPorts, true); err != nil {

+			if err := programIngress(gwIP, lb.service.ingressPorts, true); err != nil {

 				logrus.Errorf("Failed to delete ingress: %v", err)

 			}

 		}

@@ -299,8 +297,10 @@ func filterPortConfigs(ingressPorts []*PortConfig, isDelete bool) []*PortConfig

 func programIngress(gwIP net.IP, ingressPorts []*PortConfig, isDelete bool) error {

 	addDelOpt := "-I"

+	rollbackAddDelOpt := "-D"

 	if isDelete {

 		addDelOpt = "-D"

+		rollbackAddDelOpt = "-I"

 	}

 	ingressMu.Lock()

@@ -381,18 +381,35 @@ func programIngress(gwIP net.IP, ingressPorts []*PortConfig, isDelete bool) erro

 		}

 	}

-	for _, iPort := range ingressPorts {

+	//Filter the ingress ports until port rules start to be added/deleted

+	filteredPorts := filterPortConfigs(ingressPorts, isDelete)

+	rollbackRules := make([][]string, 0, len(filteredPorts)*3)

+	var portErr error

+	defer func() {

+		if portErr != nil && !isDelete {

+			filterPortConfigs(filteredPorts, !isDelete)

+			for _, rule := range rollbackRules {

+				if err := iptables.RawCombinedOutput(rule...); err != nil {

+					logrus.Warnf("roll back rule failed, %v: %v", rule, err)

+				}

+			}

+		}

+	}()

+

+	for _, iPort := range filteredPorts {

 		if iptables.ExistChain(ingressChain, iptables.Nat) {

 			rule := strings.Fields(fmt.Sprintf("-t nat %s %s -p %s --dport %d -j DNAT --to-destination %s:%d",

 				addDelOpt, ingressChain, strings.ToLower(PortConfig_Protocol_name[int32(iPort.Protocol)]), iPort.PublishedPort, gwIP, iPort.PublishedPort))

-			if err := iptables.RawCombinedOutput(rule...); err != nil {

-				errStr := fmt.Sprintf("setting up rule failed, %v: %v", rule, err)

+			if portErr = iptables.RawCombinedOutput(rule...); portErr != nil {

+				errStr := fmt.Sprintf("set up rule failed, %v: %v", rule, portErr)

 				if !isDelete {

 					return fmt.Errorf("%s", errStr)

 				}

-

 				logrus.Infof("%s", errStr)

 			}

+			rollbackRule := strings.Fields(fmt.Sprintf("-t nat %s %s -p %s --dport %d -j DNAT --to-destination %s:%d", rollbackAddDelOpt,

+				ingressChain, strings.ToLower(PortConfig_Protocol_name[int32(iPort.Protocol)]), iPort.PublishedPort, gwIP, iPort.PublishedPort))

+			rollbackRules = append(rollbackRules, rollbackRule)

 		}

 		// Filter table rules to allow a published service to be accessible in the local node from..

@@ -400,24 +417,29 @@ func programIngress(gwIP net.IP, ingressPorts []*PortConfig, isDelete bool) erro

 		// 2) unmanaged containers on bridge networks

 		rule := strings.Fields(fmt.Sprintf("%s %s -m state -p %s --sport %d --state ESTABLISHED,RELATED -j ACCEPT",

 			addDelOpt, ingressChain, strings.ToLower(PortConfig_Protocol_name[int32(iPort.Protocol)]), iPort.PublishedPort))

-		if err := iptables.RawCombinedOutput(rule...); err != nil {

-			errStr := fmt.Sprintf("setting up rule failed, %v: %v", rule, err)

+		if portErr = iptables.RawCombinedOutput(rule...); portErr != nil {

+			errStr := fmt.Sprintf("set up rule failed, %v: %v", rule, portErr)

 			if !isDelete {

 				return fmt.Errorf("%s", errStr)

 			}

 			logrus.Warnf("%s", errStr)

 		}

+		rollbackRule := strings.Fields(fmt.Sprintf("%s %s -m state -p %s --sport %d --state ESTABLISHED,RELATED -j ACCEPT", rollbackAddDelOpt,

+			ingressChain, strings.ToLower(PortConfig_Protocol_name[int32(iPort.Protocol)]), iPort.PublishedPort))

+		rollbackRules = append(rollbackRules, rollbackRule)

 		rule = strings.Fields(fmt.Sprintf("%s %s -p %s --dport %d -j ACCEPT",

 			addDelOpt, ingressChain, strings.ToLower(PortConfig_Protocol_name[int32(iPort.Protocol)]), iPort.PublishedPort))

-		if err := iptables.RawCombinedOutput(rule...); err != nil {

-			errStr := fmt.Sprintf("setting up rule failed, %v: %v", rule, err)

+		if portErr = iptables.RawCombinedOutput(rule...); portErr != nil {

+			errStr := fmt.Sprintf("set up rule failed, %v: %v", rule, portErr)

 			if !isDelete {

 				return fmt.Errorf("%s", errStr)

 			}

-

 			logrus.Warnf("%s", errStr)

 		}

+		rollbackRule = strings.Fields(fmt.Sprintf("%s %s -p %s --dport %d -j ACCEPT", rollbackAddDelOpt,

+			ingressChain, strings.ToLower(PortConfig_Protocol_name[int32(iPort.Protocol)]), iPort.PublishedPort))

+		rollbackRules = append(rollbackRules, rollbackRule)

 		if err := plumbProxy(iPort, isDelete); err != nil {

 			logrus.Warnf("failed to create proxy for port %d: %v", iPort.PublishedPort, err)

@@ -648,7 +670,7 @@ func fwMarker() {

 	for _, rule := range rules {

 		if err := iptables.RawCombinedOutputNative(rule...); err != nil {

-			logrus.Errorf("setting up rule failed, %v: %v", rule, err)

+			logrus.Errorf("set up rule failed, %v: %v", rule, err)

 			os.Exit(8)

 		}

 	}

@@ -735,7 +757,7 @@ func redirector() {

 	for _, rule := range rules {

 		if err := iptables.RawCombinedOutputNative(rule...); err != nil {

-			logrus.Errorf("setting up rule failed, %v: %v", rule, err)

+			logrus.Errorf("set up rule failed, %v: %v", rule, err)

 			os.Exit(6)

 		}

 	}

@@ -752,14 +774,14 @@ func redirector() {

 	} {

 		if !iptables.ExistsNative(iptables.Filter, "INPUT", rule...) {

 			if err := iptables.RawCombinedOutputNative(append([]string{"-A", "INPUT"}, rule...)...); err != nil {

-				logrus.Errorf("setting up rule failed, %v: %v", rule, err)

+				logrus.Errorf("set up rule failed, %v: %v", rule, err)

 				os.Exit(7)

 			}

 		}

 		rule[0] = "-s"

 		if !iptables.ExistsNative(iptables.Filter, "OUTPUT", rule...) {

 			if err := iptables.RawCombinedOutputNative(append([]string{"-A", "OUTPUT"}, rule...)...); err != nil {

-				logrus.Errorf("setting up rule failed, %v: %v", rule, err)

+				logrus.Errorf("set up rule failed, %v: %v", rule, err)

 				os.Exit(8)

 			}

 		}

@@ -1,21 +1,21 @@

 github.com/Azure/go-ansiterm d6e3b3328b783f23731bc4d058875b0371ff8109

 github.com/BurntSushi/toml a368813c5e648fee92e5f6c30e3944ff9d5e8895

-github.com/Microsoft/go-winio v0.4.7

-github.com/Microsoft/hcsshim v0.6.11

+github.com/Microsoft/go-winio v0.4.11

+github.com/Microsoft/hcsshim v0.7.3

 github.com/armon/go-metrics eb0af217e5e9747e41dd5303755356b62d28e3ec

 github.com/armon/go-radix e39d623f12e8e41c7b5529e9a9dd67a1e2261f80

-github.com/boltdb/bolt fff57c100f4dea1905678da7e90d92429dff2904

 github.com/codegangsta/cli a65b733b303f0055f8d324d805f393cd3e7a7904

 github.com/containerd/continuity d3c23511c1bf5851696cba83143d9cbcd666869b

 github.com/coreos/etcd v3.2.1

 github.com/coreos/go-semver v0.2.0

 github.com/deckarep/golang-set ef32fa3046d9f249d399f98ebaf9be944430fd1d

+go.etcd.io/bbolt v1.3.1-etcd.8

 github.com/docker/docker 162ba6016def672690ee4a1f3978368853a1e149

 github.com/docker/go-connections 7beb39f0b969b075d1325fecb092faf27fd357b6

 github.com/docker/go-events 9461782956ad83b30282bf90e31fa6a70c255ba9

 github.com/docker/go-units 9e638d38cf6977a37a8ea0078f3ee75a7cdb2dd1

-github.com/docker/libkv 1d8431073ae03cdaedb198a89722f3aab6d418ef

+github.com/docker/libkv 458977154600b9f23984d9f4b82e79570b5ae12b

 github.com/godbus/dbus v4.0.0

 github.com/gogo/protobuf v1.0.0

@@ -36,7 +36,6 @@ github.com/opencontainers/runc 69663f0bd4b60df09991c08812a60108003fa340

 github.com/opencontainers/runtime-spec v1.0.1

 github.com/samuel/go-zookeeper d0e0d8e11f318e000a8cc434616d69e329edc374

 github.com/sirupsen/logrus v1.0.3

-github.com/syndtr/gocapability 33e07d32887e1e06b7c025f27ce52f62c7990bc0

 github.com/ugorji/go f1f1a805ed361a0e078bb537e4ea78cd37dcf065

 github.com/vishvananda/netlink b2de5d10e38ecce8607e6b438b6d174f389a004e

 github.com/vishvananda/netns 604eaf189ee867d8c147fafc28def2394e878d25