# The following settings require a restart of docker to take full effect; a reload will only have partial or no effect:
# log_driver
# bip
# blocked_interfaces
# extra_iptables_args
# device

# Daemon-wide settings. Lines starting with '#' are disabled examples; only
# data_root, log_level and iptables are active in this section.
config globals 'globals'
#	option alt_config_file '/etc/docker/daemon.json'
	# Directory where Docker keeps its persistent data.
	option data_root '/opt/docker/'
#	option log_driver 'local'
	option log_level 'warn'
	# Docker manages its own iptables rules when this is enabled; the firewall
	# notes further down describe how that interacts with the system firewall.
	option iptables '1'
	# Only a local unix socket is shown as an example listener. Any tcp:// entry
	# added here exposes the Docker API on the network; access to that API is
	# equivalent to root on the host, so it needs TLS client authentication and
	# firewalling.
#	list hosts 'unix:///var/run/docker.sock'
#	option bip '172.18.0.1/24'
#	option fixed_cidr '172.17.0.0/16'
#	option fixed_cidr_v6 'fc00:1::/80'
#	option ipv6 '1'
	# Default address that published container ports bind to. The example value
	# is the unspecified address, i.e. every interface; use a specific address
	# to narrow exposure.
#	option ip '::ffff:0.0.0.0'
#	list dns '172.17.0.1'
	# NOTE(review): the first mirror URL has no host on this page; supply your
	# own mirror host before enabling it.
#	list registry_mirrors 'https://'
#	list registry_mirrors 'https://hub.docker.com'

# Docker doesn't work well out of the box with fw4. This is because Docker relies on a compatibility layer that
# naively translates iptables rules. For the best compatibility replace the following dependencies:
# `firewall4` -> `firewall`
# `iptables-nft` -> `iptables-legacy`
# `ip6tables-nft` -> `ip6tables-legacy`

# Docker undermines the fw3 rules. By default all external source IPs are allowed to connect to the Docker host.
# See https://docs.docker.com/network/iptables/ for more details.
# In practice, a port published by a container is reachable from outside unless
# it is restricted in the section below; review this section whenever a
# container publishes a port.

# Firewall config changes are only additive, i.e. the firewall will need to be restarted first to clear old changes,
# then docker restarted to load in new changes.
# After editing this section, verify the resulting rule set; stale rules from an
# earlier configuration stay in place until both restarts have been done.

config firewall 'firewall'
	# Docker bridge device this section applies to.
	option device 'docker0'
	# NOTE(review): going by the option names, traffic arriving on the listed
	# interfaces is blocked from reaching `device`; confirm against the init
	# script. Removing 'wan' would leave the default described above in effect.
	list blocked_interfaces 'wan'
	# The conntrack match limits the rule to packets that are NOT part of a
	# RELATED or ESTABLISHED connection, so replies to connections opened by
	# containers still pass while new inbound connections are matched.
#	option extra_iptables_args '--match conntrack ! --ctstate RELATED,ESTABLISHED' # allow outbound connections