@@ -22,7 +22,7 @@ clone git github.com/vdemeester/shakers 3c10293ce22b900c27acad7b28656196fcc2f73b

 clone git golang.org/x/net 47990a1ba55743e6ef1affd3a14e5bac8553615d https://github.com/golang/net.git

 #get libnetwork packages

-clone git github.com/docker/libnetwork b4ddf18317b19d6e4bcc821145589749206a7d00

+clone git github.com/docker/libnetwork 04cc1fa0a89f8c407b7be8cab883d4b17531ea7d

 clone git github.com/armon/go-metrics eb0af217e5e9747e41dd5303755356b62d28e3ec

 clone git github.com/hashicorp/go-msgpack 71c2886f5a673a35f909803f38ece5810165097b

 clone git github.com/hashicorp/memberlist 9a1e242e454d2443df330bdd51a436d5a9058fc4

@@ -49,14 +49,14 @@ clone git github.com/miekg/pkcs11 80f102b5cac759de406949c47f0928b99bd64cdf

 clone git github.com/jfrazelle/go v1.5.1-1

 clone git github.com/agl/ed25519 d2b94fd789ea21d12fac1a4443dd3a3f79cda72c

-# this runc commit from branch relabel_fix_docker_1.9.1, pls remove it when you

-# update next time

-clone git github.com/opencontainers/runc 1349b37bd56f4f5ce2690b5b2c0f53f88a261c67 # libcontainer

+clone git github.com/opencontainers/runc v0.0.5 # libcontainer

 # libcontainer deps (see src/github.com/opencontainers/runc/Godeps/Godeps.json)

 clone git github.com/coreos/go-systemd v4

-clone git github.com/godbus/dbus v2

-clone git github.com/syndtr/gocapability 66ef2aa7a23ba682594e2b6f74cf40c0692b49fb

-clone git github.com/golang/protobuf 655cdfa588ea

+clone git github.com/godbus/dbus v3

+clone git github.com/syndtr/gocapability 2c00daeb6c3b45114c80ac44119e7b8801fdd852

+clone git github.com/golang/protobuf f7137ae6b19afbfd61a94b746fda3b3fe0491874

+

+# gelf logging driver deps

 clone git github.com/Graylog2/go-gelf 6c62a85f1d47a67f2a5144c0e745b325889a8120

 clone git github.com/fluent/fluent-logger-golang v1.0.0

@@ -64,11 +64,11 @@ func PathBusEscape(path string) string {

 type Conn struct {

 	// sysconn/sysobj are only used to call dbus methods

 	sysconn *dbus.Conn

-	sysobj  *dbus.Object

+	sysobj  dbus.BusObject

 	// sigconn/sigobj are only used to receive dbus signals

 	sigconn *dbus.Conn

-	sigobj  *dbus.Object

+	sigobj  dbus.BusObject

 	jobListener struct {

 		jobs map[dbus.ObjectPath]chan<- string

@@ -86,14 +86,30 @@ type Conn struct {

 // New establishes a connection to the system bus and authenticates.

 // Callers should call Close() when done with the connection.

 func New() (*Conn, error) {

-	return newConnection(dbus.SystemBusPrivate)

+	return newConnection(func() (*dbus.Conn, error) {

+		return dbusAuthHelloConnection(dbus.SystemBusPrivate)

+	})

 }

 // NewUserConnection establishes a connection to the session bus and

 // authenticates. This can be used to connect to systemd user instances.

 // Callers should call Close() when done with the connection.

 func NewUserConnection() (*Conn, error) {

-	return newConnection(dbus.SessionBusPrivate)

+	return newConnection(func() (*dbus.Conn, error) {

+		return dbusAuthHelloConnection(dbus.SessionBusPrivate)

+	})

+}

+

+// NewSystemdConnection establishes a private, direct connection to systemd.

+// This can be used for communicating with systemd without a dbus daemon.

+// Callers should call Close() when done with the connection.

+func NewSystemdConnection() (*Conn, error) {

+	return newConnection(func() (*dbus.Conn, error) {

+		// We skip Hello when talking directly to systemd.

+		return dbusAuthConnection(func() (*dbus.Conn, error) {

+			return dbus.Dial("unix:path=/run/systemd/private")

+		})

+	})

 }

 // Close closes an established connection

@@ -103,12 +119,12 @@ func (c *Conn) Close() {

 }

 func newConnection(createBus func() (*dbus.Conn, error)) (*Conn, error) {

-	sysconn, err := dbusConnection(createBus)

+	sysconn, err := createBus()

 	if err != nil {

 		return nil, err

 	}

-	sigconn, err := dbusConnection(createBus)

+	sigconn, err := createBus()

 	if err != nil {

 		sysconn.Close()

 		return nil, err

@@ -132,7 +148,7 @@ func newConnection(createBus func() (*dbus.Conn, error)) (*Conn, error) {

 	return c, nil

 }

-func dbusConnection(createBus func() (*dbus.Conn, error)) (*dbus.Conn, error) {

+func dbusAuthConnection(createBus func() (*dbus.Conn, error)) (*dbus.Conn, error) {

 	conn, err := createBus()

 	if err != nil {

 		return nil, err

@@ -149,8 +165,16 @@ func dbusConnection(createBus func() (*dbus.Conn, error)) (*dbus.Conn, error) {

 		return nil, err

 	}

-	err = conn.Hello()

+	return conn, nil

+}

+

+func dbusAuthHelloConnection(createBus func() (*dbus.Conn, error)) (*dbus.Conn, error) {

+	conn, err := dbusAuthConnection(createBus)

 	if err != nil {

+		return nil, err

+	}

+

+	if err = conn.Hello(); err != nil {

 		conn.Close()

 		return nil, err

 	}

@@ -158,6 +182,6 @@ func dbusConnection(createBus func() (*dbus.Conn, error)) (*dbus.Conn, error) {

 	return conn, nil

 }

-func systemdObject(conn *dbus.Conn) *dbus.Object {

+func systemdObject(conn *dbus.Conn) dbus.BusObject {

 	return conn.Object("org.freedesktop.systemd1", dbus.ObjectPath("/org/freedesktop/systemd1"))

 }

new file mode 100644

@@ -0,0 +1,178 @@

+// Copyright 2015 CoreOS, Inc.

+//

+// Licensed under the Apache License, Version 2.0 (the "License");

+// you may not use this file except in compliance with the License.

+// You may obtain a copy of the License at

+//

+//     http://www.apache.org/licenses/LICENSE-2.0

+//

+// Unless required by applicable law or agreed to in writing, software

+// distributed under the License is distributed on an "AS IS" BASIS,

+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

+// See the License for the specific language governing permissions and

+// limitations under the License.

+

+// Package journal provides write bindings to the local systemd journal.

+// It is implemented in pure Go and connects to the journal directly over its

+// unix socket.

+//

+// To read from the journal, see the "sdjournal" package, which wraps the

+// sd-journal a C API.

+//

+// http://www.freedesktop.org/software/systemd/man/systemd-journald.service.html

+package journal

+

+import (

+	"bytes"

+	"encoding/binary"

+	"errors"

+	"fmt"

+	"io"

+	"io/ioutil"

+	"net"

+	"os"

+	"strconv"

+	"strings"

+	"syscall"

+)

+

+// Priority of a journal message

+type Priority int

+

+const (

+	PriEmerg Priority = iota

+	PriAlert

+	PriCrit

+	PriErr

+	PriWarning

+	PriNotice

+	PriInfo

+	PriDebug

+)

+

+var conn net.Conn

+

+func init() {

+	var err error

+	conn, err = net.Dial("unixgram", "/run/systemd/journal/socket")

+	if err != nil {

+		conn = nil

+	}

+}

+

+// Enabled returns true if the local systemd journal is available for logging

+func Enabled() bool {

+	return conn != nil

+}

+

+// Send a message to the local systemd journal. vars is a map of journald

+// fields to values.  Fields must be composed of uppercase letters, numbers,

+// and underscores, but must not start with an underscore. Within these

+// restrictions, any arbitrary field name may be used.  Some names have special

+// significance: see the journalctl documentation

+// (http://www.freedesktop.org/software/systemd/man/systemd.journal-fields.html)

+// for more details.  vars may be nil.

+func Send(message string, priority Priority, vars map[string]string) error {

+	if conn == nil {

+		return journalError("could not connect to journald socket")

+	}

+

+	data := new(bytes.Buffer)

+	appendVariable(data, "PRIORITY", strconv.Itoa(int(priority)))

+	appendVariable(data, "MESSAGE", message)

+	for k, v := range vars {

+		appendVariable(data, k, v)

+	}

+

+	_, err := io.Copy(conn, data)

+	if err != nil && isSocketSpaceError(err) {

+		file, err := tempFd()

+		if err != nil {

+			return journalError(err.Error())

+		}

+		_, err = io.Copy(file, data)

+		if err != nil {

+			return journalError(err.Error())

+		}

+

+		rights := syscall.UnixRights(int(file.Fd()))

+

+		/* this connection should always be a UnixConn, but better safe than sorry */

+		unixConn, ok := conn.(*net.UnixConn)

+		if !ok {

+			return journalError("can't send file through non-Unix connection")

+		}

+		unixConn.WriteMsgUnix([]byte{}, rights, nil)

+	} else if err != nil {

+		return journalError(err.Error())

+	}

+	return nil

+}

+

+// Print prints a message to the local systemd journal using Send().

+func Print(priority Priority, format string, a ...interface{}) error {

+	return Send(fmt.Sprintf(format, a...), priority, nil)

+}

+

+func appendVariable(w io.Writer, name, value string) {

+	if !validVarName(name) {

+		journalError("variable name contains invalid character, ignoring")

+	}

+	if strings.ContainsRune(value, '\n') {

+		/* When the value contains a newline, we write:

+		 * - the variable name, followed by a newline

+		 * - the size (in 64bit little endian format)

+		 * - the data, followed by a newline

+		 */

+		fmt.Fprintln(w, name)

+		binary.Write(w, binary.LittleEndian, uint64(len(value)))

+		fmt.Fprintln(w, value)

+	} else {

+		/* just write the variable and value all on one line */

+		fmt.Fprintf(w, "%s=%s\n", name, value)

+	}

+}

+

+func validVarName(name string) bool {

+	/* The variable name must be in uppercase and consist only of characters,

+	 * numbers and underscores, and may not begin with an underscore. (from the docs)

+	 */

+

+	valid := name[0] != '_'

+	for _, c := range name {

+		valid = valid && ('A' <= c && c <= 'Z') || ('0' <= c && c <= '9') || c == '_'

+	}

+	return valid

+}

+

+func isSocketSpaceError(err error) bool {

+	opErr, ok := err.(*net.OpError)

+	if !ok {

+		return false

+	}

+

+	sysErr, ok := opErr.Err.(syscall.Errno)

+	if !ok {

+		return false

+	}

+

+	return sysErr == syscall.EMSGSIZE || sysErr == syscall.ENOBUFS

+}

+

+func tempFd() (*os.File, error) {

+	file, err := ioutil.TempFile("/dev/shm/", "journal.XXXXX")

+	if err != nil {

+		return nil, err

+	}

+	syscall.Unlink(file.Name())

+	if err != nil {

+		return nil, err

+	}

+	return file, nil

+}

+

+func journalError(s string) error {

+	s = "journal error: " + s

+	fmt.Fprintln(os.Stderr, s)

+	return errors.New(s)

+}

deleted file mode 100644

@@ -1,166 +0,0 @@

-// Copyright 2015 CoreOS, Inc.

-//

-// Licensed under the Apache License, Version 2.0 (the "License");

-// you may not use this file except in compliance with the License.

-// You may obtain a copy of the License at

-//

-//     http://www.apache.org/licenses/LICENSE-2.0

-//

-// Unless required by applicable law or agreed to in writing, software

-// distributed under the License is distributed on an "AS IS" BASIS,

-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

-// See the License for the specific language governing permissions and

-// limitations under the License.

-

-// Package journal provides write bindings to the systemd journal

-package journal

-

-import (

-	"bytes"

-	"encoding/binary"

-	"errors"

-	"fmt"

-	"io"

-	"io/ioutil"

-	"net"

-	"os"

-	"strconv"

-	"strings"

-	"syscall"

-)

-

-// Priority of a journal message

-type Priority int

-

-const (

-	PriEmerg Priority = iota

-	PriAlert

-	PriCrit

-	PriErr

-	PriWarning

-	PriNotice

-	PriInfo

-	PriDebug

-)

-

-var conn net.Conn

-

-func init() {

-	var err error

-	conn, err = net.Dial("unixgram", "/run/systemd/journal/socket")

-	if err != nil {

-		conn = nil

-	}

-}

-

-// Enabled returns true iff the systemd journal is available for logging

-func Enabled() bool {

-	return conn != nil

-}

-

-// Send a message to the systemd journal. vars is a map of journald fields to

-// values.  Fields must be composed of uppercase letters, numbers, and

-// underscores, but must not start with an underscore. Within these

-// restrictions, any arbitrary field name may be used.  Some names have special

-// significance: see the journalctl documentation

-// (http://www.freedesktop.org/software/systemd/man/systemd.journal-fields.html)

-// for more details.  vars may be nil.

-func Send(message string, priority Priority, vars map[string]string) error {

-	if conn == nil {

-		return journalError("could not connect to journald socket")

-	}

-

-	data := new(bytes.Buffer)

-	appendVariable(data, "PRIORITY", strconv.Itoa(int(priority)))

-	appendVariable(data, "MESSAGE", message)

-	for k, v := range vars {

-		appendVariable(data, k, v)

-	}

-

-	_, err := io.Copy(conn, data)

-	if err != nil && isSocketSpaceError(err) {

-		file, err := tempFd()

-		if err != nil {

-			return journalError(err.Error())

-		}

-		_, err = io.Copy(file, data)

-		if err != nil {

-			return journalError(err.Error())

-		}

-

-		rights := syscall.UnixRights(int(file.Fd()))

-

-		/* this connection should always be a UnixConn, but better safe than sorry */

-		unixConn, ok := conn.(*net.UnixConn)

-		if !ok {

-			return journalError("can't send file through non-Unix connection")

-		}

-		unixConn.WriteMsgUnix([]byte{}, rights, nil)

-	} else if err != nil {

-		return journalError(err.Error())

-	}

-	return nil

-}

-

-func appendVariable(w io.Writer, name, value string) {

-	if !validVarName(name) {

-		journalError("variable name contains invalid character, ignoring")

-	}

-	if strings.ContainsRune(value, '\n') {

-		/* When the value contains a newline, we write:

-		 * - the variable name, followed by a newline

-		 * - the size (in 64bit little endian format)

-		 * - the data, followed by a newline

-		 */

-		fmt.Fprintln(w, name)

-		binary.Write(w, binary.LittleEndian, uint64(len(value)))

-		fmt.Fprintln(w, value)

-	} else {

-		/* just write the variable and value all on one line */

-		fmt.Fprintf(w, "%s=%s\n", name, value)

-	}

-}

-

-func validVarName(name string) bool {

-	/* The variable name must be in uppercase and consist only of characters,

-	 * numbers and underscores, and may not begin with an underscore. (from the docs)

-	 */

-

-	valid := name[0] != '_'

-	for _, c := range name {

-		valid = valid && ('A' <= c && c <= 'Z') || ('0' <= c && c <= '9') || c == '_'

-	}

-	return valid

-}

-

-func isSocketSpaceError(err error) bool {

-	opErr, ok := err.(*net.OpError)

-	if !ok {

-		return false

-	}

-

-	sysErr, ok := opErr.Err.(syscall.Errno)

-	if !ok {

-		return false

-	}

-

-	return sysErr == syscall.EMSGSIZE || sysErr == syscall.ENOBUFS

-}

-

-func tempFd() (*os.File, error) {

-	file, err := ioutil.TempFile("/dev/shm/", "journal.XXXXX")

-	if err != nil {

-		return nil, err

-	}

-	syscall.Unlink(file.Name())

-	if err != nil {

-		return nil, err

-	}

-	return file, nil

-}

-

-func journalError(s string) error {

-	s = "journal error: " + s

-	fmt.Fprintln(os.Stderr, s)

-	return errors.New(s)

-}

new file mode 100644

@@ -0,0 +1 @@

+*

@@ -2,6 +2,7 @@

 *.o

 *.a

 *.so

+bin/

 # Folders

 integration-tmp/

@@ -33,4 +34,4 @@ cmd/dnet/dnet

 .project

 .settings/

-libnetwork-build.created

+libnetworkbuild.created

new file mode 100644

@@ -0,0 +1,8 @@

+FROM golang:1.4-cross

+RUN apt-get update && apt-get -y install iptables

+RUN go get github.com/tools/godep \

+		github.com/golang/lint/golint \

+		golang.org/x/tools/cmd/vet \

+		golang.org/x/tools/cmd/goimports \

+		golang.org/x/tools/cmd/cover\

+		github.com/mattn/goveralls

@@ -1,42 +1,46 @@

-.PHONY: all all-local build build-local check check-code check-format run-tests check-local integration-tests install-deps coveralls circle-ci start-services clean

+.PHONY: all all-local build build-local clean cross cross-local check check-code check-format run-tests integration-tests check-local coveralls circle-ci-cross circle-ci-build circle-ci-check circle-ci

 SHELL=/bin/bash

 build_image=libnetworkbuild

 dockerargs = --privileged -v $(shell pwd):/go/src/github.com/docker/libnetwork -w /go/src/github.com/docker/libnetwork

 container_env = -e "INSIDECONTAINER=-incontainer=true"

-docker = docker run --rm -it ${dockerargs} ${container_env} ${build_image}

+docker = docker run --rm -it ${dockerargs} $$EXTRA_ARGS ${container_env} ${build_image}

 ciargs = -e "COVERALLS_TOKEN=$$COVERALLS_TOKEN" -e "INSIDECONTAINER=-incontainer=true"

-cidocker = docker run ${ciargs} ${dockerargs} golang:1.4

-

-all: ${build_image}.created build check integration-tests clean

-

-integration-tests: ./cmd/dnet/dnet

-	@./test/integration/dnet/run-integration-tests.sh

-

-./cmd/dnet/dnet:

-	make build

-

-clean:

-	@if [ -e ./cmd/dnet/dnet ]; then \

-		echo "Removing dnet binary"; \

-		rm -rf ./cmd/dnet/dnet; \

-	fi

-

-all-local: check-local build-local

+cidocker = docker run ${dockerargs} ${ciargs} ${container_env} ${build_image}

+CROSS_PLATFORMS = linux/amd64 linux/386 linux/arm windows/amd64 windows/386

 ${build_image}.created:

-	docker run --name=libnetworkbuild -v $(shell pwd):/go/src/github.com/docker/libnetwork -w /go/src/github.com/docker/libnetwork golang:1.4 make install-deps

-	docker commit libnetworkbuild ${build_image}

-	docker rm libnetworkbuild

+	docker build -f Dockerfile.build -t ${build_image} .

 	touch ${build_image}.created

+all: ${build_image}.created build check integration-tests clean

+

+all-local: build-local check-local integration-tests-local clean

+

 build: ${build_image}.created

 	@echo "Building code... "

 	@${docker} ./wrapmake.sh build-local

 	@echo "Done building code"

 build-local:

-	@$(shell which godep) go build  ./...

-	@$(shell which godep) go build -o ./cmd/dnet/dnet ./cmd/dnet

+	@mkdir -p "bin"

+	$(shell which godep) go build -o "bin/dnet" ./cmd/dnet

+

+clean:

+	@if [ -d bin ]; then \

+		echo "Removing dnet binaries"; \

+		rm -rf bin; \

+	fi

+

+cross: ${build_image}.created

+	@mkdir -p "bin"

+	@for platform in ${CROSS_PLATFORMS}; do \

+	        EXTRA_ARGS="-e GOOS=$${platform%/*} -e GOARCH=$${platform##*/}" ; \

+		echo "$${platform}..." ; \

+	        ${docker} make cross-local ; \

+	done

+

+cross-local:

+	$(shell which godep) go build -o "bin/dnet-$$GOOS-$$GOARCH" ./cmd/dnet

 check: ${build_image}.created

 	@${docker} ./wrapmake.sh check-local

@@ -71,27 +75,31 @@ run-tests:

 	done

 	@echo "Done running tests"

-check-local:	check-format check-code start-services run-tests

+check-local:	check-format check-code run-tests

+

+integration-tests: ./bin/dnet

+	@./test/integration/dnet/run-integration-tests.sh

-install-deps:

-	apt-get update && apt-get -y install iptables zookeeperd

-	git clone https://github.com/golang/tools /go/src/golang.org/x/tools

-	go install golang.org/x/tools/cmd/vet

-	go install golang.org/x/tools/cmd/goimports

-	go install golang.org/x/tools/cmd/cover

-	go get github.com/tools/godep

-	go get github.com/golang/lint/golint

-	go get github.com/mattn/goveralls

+./bin/dnet:

+	make build

 coveralls:

 	-@goveralls -service circleci -coverprofile=coverage.coverprofile -repotoken $$COVERALLS_TOKEN

 # CircleCI's Docker fails when cleaning up using the --rm flag

-# The following target is a workaround for this

+# The following targets are a workaround for this

+circle-ci-cross: ${build_image}.created

+	@mkdir -p "bin"

+	@for platform in ${CROSS_PLATFORMS}; do \

+	        EXTRA_ARGS="-e GOOS=$${platform%/*} -e GOARCH=$${platform##*/}" ; \

+		echo "$${platform}..." ; \

+	        ${cidocker} make cross-local ; \

+	done

+

+circle-ci-check: ${build_image}.created

+	@${cidocker} make check-local coveralls

-circle-ci:

-	@${cidocker} make install-deps build-local check-local coveralls

-	make integration-tests

+circle-ci-build: ${build_image}.created

+	@${cidocker} make build-local

-start-services:

-	service zookeeper start

+circle-ci: circle-ci-check circle-ci-build integration-tests

@@ -552,7 +552,7 @@ func pushReservation(bytePos, bitPos uint64, head *sequence, release bool) *sequ

 		}

 		removeCurrentIfEmpty(&newHead, newSequence, current)

 		mergeSequences(previous)

-	} else if precBlocks == current.count-2 { // Last in sequence (B)

+	} else if precBlocks == current.count { // Last in sequence (B)

 		newSequence.next = current.next

 		current.next = newSequence

 		mergeSequences(current)

@@ -1,12 +1,18 @@

 machine:

-    services:

-        - docker

+  services:

+    - docker

 dependencies:

-    override:

-        - echo "Nothing to install"

+  override:

+    - sudo apt-get update; sudo apt-get install -y iptables zookeeperd

+    - go get golang.org/x/tools/cmd/vet

+    - go get golang.org/x/tools/cmd/goimports

+    - go get golang.org/x/tools/cmd/cover

+    - go get github.com/tools/godep

+    - go get github.com/golang/lint/golint

+    - go get github.com/mattn/goveralls

 test:

-    override:

-        - make circle-ci

+  override:

+    - make circle-ci

@@ -41,6 +41,9 @@ const (

 	DefaultGatewayV6AuxKey = "DefaultGatewayIPv6"

 )

+type iptableCleanFunc func() error

+type iptablesCleanFuncs []iptableCleanFunc

+

 // configuration info for the "bridge" driver.

 type configuration struct {

 	EnableIPForwarding  bool

@@ -92,12 +95,13 @@ type bridgeEndpoint struct {

 }

 type bridgeNetwork struct {

-	id         string

-	bridge     *bridgeInterface // The bridge's L3 interface

-	config     *networkConfiguration

-	endpoints  map[string]*bridgeEndpoint // key: endpoint id

-	portMapper *portmapper.PortMapper

-	driver     *driver // The network's driver

+	id            string

+	bridge        *bridgeInterface // The bridge's L3 interface

+	config        *networkConfiguration

+	endpoints     map[string]*bridgeEndpoint // key: endpoint id

+	portMapper    *portmapper.PortMapper

+	driver        *driver // The network's driver

+	iptCleanFuncs iptablesCleanFuncs

 	sync.Mutex

 }

@@ -236,6 +240,10 @@ func parseErr(label, value, errString string) error {

 	return types.BadRequestErrorf("failed to parse %s value: %v (%s)", label, value, errString)

 }

+func (n *bridgeNetwork) registerIptCleanFunc(clean iptableCleanFunc) {

+	n.iptCleanFuncs = append(n.iptCleanFuncs, clean)

+}

+

 func (n *bridgeNetwork) getDriverChains() (*iptables.ChainInfo, *iptables.ChainInfo, error) {

 	n.Lock()

 	defer n.Unlock()

@@ -604,6 +612,10 @@ func (d *driver) createNetwork(config *networkConfiguration) error {

 			}

 			return err

 		}

+		network.registerIptCleanFunc(func() error {

+			nwList := d.getNetworks()

+			return network.isolateNetwork(nwList, false)

+		})

 		return nil

 	}

@@ -722,22 +734,6 @@ func (d *driver) DeleteNetwork(nid string) error {

 		return err

 	}

-	// In case of failures after this point, restore the network isolation rules

-	nwList := d.getNetworks()

-	defer func() {

-		if err != nil {

-			if err := n.isolateNetwork(nwList, true); err != nil {

-				logrus.Warnf("Failed on restoring the inter-network iptables rules on cleanup: %v", err)

-			}

-		}

-	}()

-

-	// Remove inter-network communication rules.

-	err = n.isolateNetwork(nwList, false)

-	if err != nil {

-		return err

-	}

-

 	// We only delete the bridge when it's not the default bridge. This is keep the backward compatible behavior.

 	if !config.DefaultBridge {

 		if err := netlink.LinkDel(n.bridge.Link); err != nil {

@@ -745,6 +741,12 @@ func (d *driver) DeleteNetwork(nid string) error {

 		}

 	}

+	// clean all relevant iptables rules

+	for _, cleanFunc := range n.iptCleanFuncs {

+		if errClean := cleanFunc(); errClean != nil {

+			logrus.Warnf("Failed to clean iptables rules for bridge network: %v", errClean)

+		}

+	}

 	return d.storeDelete(config)

 }

@@ -68,21 +68,27 @@ func (n *bridgeNetwork) setupIPTables(config *networkConfiguration, i *bridgeInt

 	if err = setupIPTablesInternal(config.BridgeName, maskedAddrv4, config.EnableICC, config.EnableIPMasquerade, hairpinMode, true); err != nil {

 		return fmt.Errorf("Failed to Setup IP tables: %s", err.Error())

 	}

+	n.registerIptCleanFunc(func() error {

+		return setupIPTablesInternal(config.BridgeName, maskedAddrv4, config.EnableICC, config.EnableIPMasquerade, hairpinMode, false)

+	})

 	natChain, filterChain, err := n.getDriverChains()

 	if err != nil {

 		return fmt.Errorf("Failed to setup IP tables, cannot acquire chain info %s", err.Error())

 	}

-	err = iptables.ProgramChain(natChain, config.BridgeName, hairpinMode)

+	err = iptables.ProgramChain(natChain, config.BridgeName, hairpinMode, true)

 	if err != nil {

 		return fmt.Errorf("Failed to program NAT chain: %s", err.Error())

 	}

-	err = iptables.ProgramChain(filterChain, config.BridgeName, hairpinMode)

+	err = iptables.ProgramChain(filterChain, config.BridgeName, hairpinMode, true)

 	if err != nil {

 		return fmt.Errorf("Failed to program FILTER chain: %s", err.Error())

 	}

+	n.registerIptCleanFunc(func() error {

+		return iptables.ProgramChain(filterChain, config.BridgeName, hairpinMode, false)

+	})

 	n.portMapper.SetIptablesChain(filterChain, n.getNetworkBridgeName())

@@ -159,7 +159,11 @@ func (ep *endpoint) Info() EndpointInfo {

 		return ep

 	}

-	return sb.getEndpoint(ep.ID())

+	if epi := sb.getEndpoint(ep.ID()); epi != nil {

+		return epi

+	}

+

+	return nil

 }

 func (ep *endpoint) DriverInfo() (map[string]interface{}, error) {

@@ -27,7 +27,7 @@ const (

 // Conn is a connection to firewalld dbus endpoint.

 type Conn struct {

 	sysconn *dbus.Conn

-	sysobj  *dbus.Object

+	sysobj  dbus.BusObject

 	signal  chan *dbus.Signal

 }

@@ -95,7 +95,7 @@ func NewChain(name string, table Table, hairpinMode bool) (*ChainInfo, error) {

 }

 // ProgramChain is used to add rules to a chain

-func ProgramChain(c *ChainInfo, bridgeName string, hairpinMode bool) error {

+func ProgramChain(c *ChainInfo, bridgeName string, hairpinMode, enable bool) error {

 	if c.Name == "" {

 		return fmt.Errorf("Could not program chain, missing chain name.")

 	}

@@ -106,10 +106,14 @@ func ProgramChain(c *ChainInfo, bridgeName string, hairpinMode bool) error {

 			"-m", "addrtype",

 			"--dst-type", "LOCAL",

 			"-j", c.Name}

-		if !Exists(Nat, "PREROUTING", preroute...) {

+		if !Exists(Nat, "PREROUTING", preroute...) && enable {

 			if err := c.Prerouting(Append, preroute...); err != nil {

 				return fmt.Errorf("Failed to inject docker in PREROUTING chain: %s", err)

 			}

+		} else if Exists(Nat, "PREROUTING", preroute...) && !enable {

+			if err := c.Prerouting(Delete, preroute...); err != nil {

+				return fmt.Errorf("Failed to remove docker in PREROUTING chain: %s", err)

+			}

 		}

 		output := []string{

 			"-m", "addrtype",

@@ -118,10 +122,14 @@ func ProgramChain(c *ChainInfo, bridgeName string, hairpinMode bool) error {

 		if !hairpinMode {

 			output = append(output, "!", "--dst", "127.0.0.0/8")

 		}

-		if !Exists(Nat, "OUTPUT", output...) {

+		if !Exists(Nat, "OUTPUT", output...) && enable {

 			if err := c.Output(Append, output...); err != nil {

 				return fmt.Errorf("Failed to inject docker in OUTPUT chain: %s", err)

 			}

+		} else if Exists(Nat, "OUTPUT", output...) && !enable {

+			if err := c.Output(Delete, output...); err != nil {

+				return fmt.Errorf("Failed to inject docker in OUTPUT chain: %s", err)

+			}

 		}

 	case Filter:

 		if bridgeName == "" {

@@ -131,13 +139,21 @@ func ProgramChain(c *ChainInfo, bridgeName string, hairpinMode bool) error {

 		link := []string{

 			"-o", bridgeName,

 			"-j", c.Name}

-		if !Exists(Filter, "FORWARD", link...) {

+		if !Exists(Filter, "FORWARD", link...) && enable {

 			insert := append([]string{string(Insert), "FORWARD"}, link...)

 			if output, err := Raw(insert...); err != nil {