Description
When Docker is launched, if the DOCKER-USER chain already exists, the jump to DOCKER-USER is not inserted into the FORWARD chain, which results in the firewall "failing open".

This is potentially very hazardous from a security perspective. All that is required for this to happen is for an iptables/nftables "save" to contain the DOCKER-USER chain, and for the restore service to start before Docker is started.
The culprit code is here:

Line 33 in b350742

logrus.Warnf("Failed to create %s chain: %v", userChain, err)
One potential fix is to insert the jump even if the chain already exists, though in this case it may also be important to always insert the RETURN into the DOCKER-USER chain as well if it isn't already there.
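The following is an added check, not code from the issue or from Docker itself, for detecting the state the report describes: DOCKER-USER present in the filter table but never reached from FORWARD. It works on `iptables-save` text so it can be run against a live host or against a saved rule file; the three rule sets embedded below are constructed samples, not captures from any system.

```shell
#!/bin/sh
# Added check (not part of the issue or of Docker's own code): given iptables-save
# output for the filter table, report whether DOCKER-USER is actually wired into
# FORWARD. The three rule sets below are constructed samples, not captures.

# Healthy state: Docker created DOCKER-USER and inserted the jump at the top of FORWARD.
SAMPLE_GOOD='*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:DOCKER-USER - [0:0]
:DOCKER-ISOLATION-STAGE-1 - [0:0]
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A DOCKER-USER -i eth0 -j DROP
-A DOCKER-USER -j RETURN
COMMIT'

# Failing-open state from the issue: a firewall restore service recreated
# DOCKER-USER before dockerd started, so dockerd skipped the FORWARD jump.
SAMPLE_FAIL_OPEN='*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:DOCKER-USER - [0:0]
:DOCKER-ISOLATION-STAGE-1 - [0:0]
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A DOCKER-USER -i eth0 -j DROP
-A DOCKER-USER -j RETURN
COMMIT'

# No DOCKER-USER at all: dockerd has not run yet, nothing to check.
SAMPLE_NO_DOCKER='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT'

# check_docker_user_wiring RULES
#   returns 0: DOCKER-USER exists, FORWARD jumps to it, and it ends with RETURN
#   returns 1: DOCKER-USER exists but FORWARD never jumps to it (the fail-open case)
#   returns 2: DOCKER-USER chain does not exist
#   returns 3: jump present but DOCKER-USER lacks its trailing RETURN
check_docker_user_wiring() {
  rules=$1
  if ! printf '%s\n' "$rules" | grep -q '^:DOCKER-USER '; then
    echo "DOCKER-USER chain not present"
    return 2
  fi
  if ! printf '%s\n' "$rules" | grep -q '^-A FORWARD -j DOCKER-USER$'; then
    echo "FAIL-OPEN: DOCKER-USER exists but FORWARD has no jump to it"
    return 1
  fi
  # Docker inserts the jump at the top of FORWARD; any rule ahead of it
  # is evaluated before the user chain gets a say.
  first=$(printf '%s\n' "$rules" | grep '^-A FORWARD ' | head -n 1)
  if [ "$first" != "-A FORWARD -j DOCKER-USER" ]; then
    echo "WARN: jump to DOCKER-USER is not the first FORWARD rule"
  fi
  if ! printf '%s\n' "$rules" | grep -q '^-A DOCKER-USER -j RETURN$'; then
    echo "WARN: DOCKER-USER has no trailing RETURN rule"
    return 3
  fi
  echo "OK: DOCKER-USER is wired into FORWARD"
  return 0
}

# Demo against the constructed samples. On a real host, run instead:
#   check_docker_user_wiring "$(iptables-save -t filter)"
for s in "$SAMPLE_GOOD" "$SAMPLE_FAIL_OPEN" "$SAMPLE_NO_DOCKER"; do
  check_docker_user_wiring "$s" || true
done
```

A non-zero exit of 1 is the condition worth alerting on after boot, since it means rules placed in DOCKER-USER are never consulted; running the check from a unit ordered after both the firewall restore service and dockerd gives a cheap post-start assertion that the chain is actually reachable.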