tweaking

docker/tpotinit/Dockerfile

@@ -45,4 +45,5 @@ WORKDIR /opt/tpot
 #HEALTHCHECK --interval=5s --timeout=30s --retries=3 CMD pgrep -f autoheal || exit 1
 HEALTHCHECK --retries=1000 --interval=5s CMD test -f /tmp/success || exit 1
 STOPSIGNAL SIGTERM
+# Using ENTRYPOINT so we can catch SIGTERM for cleanup
 ENTRYPOINT ["/opt/tpot/entrypoint.sh"]

docker/tpotinit/dist/bin/rules.sh

@@ -57,11 +57,11 @@ fi
 ### Setting up iptables-legacy rules for glutton
 if [ "$myNFQCHECK" == "glutton" ];
   then
-    iptables-legacy -w -t raw -A PREROUTING -s 127.0.0.1 -j ACCEPT
-    iptables-legacy -w -t raw -A PREROUTING -d 127.0.0.1 -j ACCEPT
+    iptables -w -t mangle -A PREROUTING -s 127.0.0.1 -j ACCEPT
+    iptables -w -t mangle -A PREROUTING -d 127.0.0.1 -j ACCEPT
 
     for myPORT in $myRULESPORTS; do
-      iptables-legacy -w -t raw -A PREROUTING -p tcp --dport $myPORT -j ACCEPT
+      iptables -w -t mangle -A PREROUTING -p tcp --dport $myPORT -j ACCEPT
     done
     # No need for NFQ forwarding, such rules are set up by glutton
 fi
@@ -84,11 +84,11 @@ fi
 ### Removing iptables-legacy rules for glutton
 if [ "$myNFQCHECK" == "glutton" ];
   then
-    iptables-legacy -w -t raw -D PREROUTING -s 127.0.0.1 -j ACCEPT
-    iptables-legacy -w -t raw -D PREROUTING -d 127.0.0.1 -j ACCEPT
+    iptables -w -t mangle -D PREROUTING -s 127.0.0.1 -j ACCEPT
+    iptables -w -t mangle -D PREROUTING -d 127.0.0.1 -j ACCEPT
 
     for myPORT in $myRULESPORTS; do
-      iptables-legacy -w -t raw -D PREROUTING -p tcp --dport $myPORT -j ACCEPT
+      iptables -w -t mangle -D PREROUTING -p tcp --dport $myPORT -j ACCEPT
     done
     # No need for removing NFQ forwarding, such rules are removed by glutton
 fi

docker/tpotinit/dist/entrypoint.sh

@@ -17,6 +17,7 @@ cleanup() {
       echo
   fi
   kill -TERM "$PID"
+  rm -f /tmp/success
   echo "# Cleanup done."
   echo
 }