moby
diff --git a/‎integration/network/bridge/iptablesdoc/generated/new-daemon.md‎
Lines changed: 7 additions & 6 deletions b/‎integration/network/bridge/iptablesdoc/generated/new-daemon.md‎
Lines changed: 7 additions & 6 deletions
diff --git a/‎integration/network/bridge/iptablesdoc/generated/usernet-internal.md‎
Lines changed: 4 additions & 4 deletions b/‎integration/network/bridge/iptablesdoc/generated/usernet-internal.md‎
Lines changed: 4 additions & 4 deletions
diff --git a/‎integration/network/bridge/iptablesdoc/generated/usernet-portmap-natunprot.md‎
Lines changed: 7 additions & 7 deletions b/‎integration/network/bridge/iptablesdoc/generated/usernet-portmap-natunprot.md‎
Lines changed: 7 additions & 7 deletions
diff --git a/‎integration/network/bridge/iptablesdoc/generated/usernet-portmap-noicc.md‎
Lines changed: 6 additions & 6 deletions b/‎integration/network/bridge/iptablesdoc/generated/usernet-portmap-noicc.md‎
Lines changed: 6 additions & 6 deletions
diff --git a/‎integration/network/bridge/iptablesdoc/generated/usernet-portmap-noproxy.md‎
Lines changed: 7 additions & 7 deletions b/‎integration/network/bridge/iptablesdoc/generated/usernet-portmap-noproxy.md‎
Lines changed: 7 additions & 7 deletions
diff --git a/‎integration/network/bridge/iptablesdoc/generated/usernet-portmap-routed.md‎
Lines changed: 7 additions & 7 deletions b/‎integration/network/bridge/iptablesdoc/generated/usernet-portmap-routed.md‎
Lines changed: 7 additions & 7 deletions
diff --git a/‎integration/network/bridge/iptablesdoc/generated/usernet-portmap.md‎
Lines changed: 9 additions & 11 deletions b/‎integration/network/bridge/iptablesdoc/generated/usernet-portmap.md‎
Lines changed: 9 additions & 11 deletions
diff --git a/‎integration/network/bridge/iptablesdoc/templates/new-daemon.md‎
Lines changed: 4 additions & 3 deletions b/‎integration/network/bridge/iptablesdoc/templates/new-daemon.md‎
Lines changed: 4 additions & 3 deletions
diff --git a/‎integration/network/bridge/iptablesdoc/templates/usernet-portmap-noicc.md‎
Lines changed: 1 addition & 1 deletion b/‎integration/network/bridge/iptablesdoc/templates/usernet-portmap-noicc.md‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎integration/network/bridge/iptablesdoc/templates/usernet-portmap.md‎
Lines changed: 2 additions & 4 deletions b/‎integration/network/bridge/iptablesdoc/templates/usernet-portmap.md‎
Lines changed: 2 additions & 4 deletions
@@ -14,8 +14,8 @@ Table `filter`:
     2        0     0 ACCEPT     0    --  *      *       0.0.0.0/0            0.0.0.0/0            match-set docker-ext-bridges-v4 dst ctstate RELATED,ESTABLISHED
     3        0     0 DOCKER-ISOLATION-STAGE-1  0    --  *      *       0.0.0.0/0            0.0.0.0/0           
     4        0     0 DOCKER     0    --  *      *       0.0.0.0/0            0.0.0.0/0            match-set docker-ext-bridges-v4 dst
-    5        0     0 ACCEPT     0    --  docker0 !docker0  0.0.0.0/0            0.0.0.0/0           
-    6        0     0 ACCEPT     0    --  docker0 docker0  0.0.0.0/0            0.0.0.0/0           
+    5        0     0 ACCEPT     0    --  docker0 docker0  0.0.0.0/0            0.0.0.0/0           
+    6        0     0 ACCEPT     0    --  docker0 !docker0  0.0.0.0/0            0.0.0.0/0           
 
     Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
     num   pkts bytes target     prot opt in     out     source               destination         
@@ -51,8 +51,8 @@ Table `filter`:
     -A FORWARD -m set --match-set docker-ext-bridges-v4 dst -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
     -A FORWARD -j DOCKER-ISOLATION-STAGE-1
     -A FORWARD -m set --match-set docker-ext-bridges-v4 dst -j DOCKER
-    -A FORWARD -i docker0 ! -o docker0 -j ACCEPT
     -A FORWARD -i docker0 -o docker0 -j ACCEPT
+    -A FORWARD -i docker0 ! -o docker0 -j ACCEPT
     -A DOCKER ! -i docker0 -o docker0 -j DROP
     -A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
     -A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
@@ -86,11 +86,12 @@ The FORWARD chain rules are numbered in the output above, they are:
      matching against the `docker-ext-bridge-v[46]` set. Added when the network is
      created, in [setupIPTables][13].
      The DOCKER chain implements per-port/protocol filtering for each container.
-  5. ACCEPT any packet leaving a network, also set up when the network is created, in
-     [setupIPTablesInternal][14].
-  6. ACCEPT packets flowing between containers within a network, because by default
+  5. ACCEPT packets flowing between containers within a network, because by default
      container isolation is disabled. Also set up when the network is created, in
      [setIcc][15].
+  6. ACCEPT any packet leaving a network, also set up when the network is created, in
+     [setupIPTablesInternal][14].
+
 
 [10]: https://github.com/moby/moby/blob/e05848c0025b67a16aaafa8cdff95d5e2c064105/libnetwork/firewall_linux.go#L50
 [11]: https://github.com/robmry/moby/blob/52c89d467fc5326149e4bbb8903d23589b66ff0d/libnetwork/drivers/bridge/setup_ip_tables_linux.go#L230-L232
 
@@ -19,9 +19,9 @@ The filter table is updated as follows:
     2        0     0 ACCEPT     0    --  *      *       0.0.0.0/0            0.0.0.0/0            match-set docker-ext-bridges-v4 dst ctstate RELATED,ESTABLISHED
     3        0     0 DOCKER-ISOLATION-STAGE-1  0    --  *      *       0.0.0.0/0            0.0.0.0/0           
     4        0     0 DOCKER     0    --  *      *       0.0.0.0/0            0.0.0.0/0            match-set docker-ext-bridges-v4 dst
-    5        0     0 ACCEPT     0    --  bridge1 bridge1  0.0.0.0/0            0.0.0.0/0           
+    5        0     0 ACCEPT     0    --  docker0 docker0  0.0.0.0/0            0.0.0.0/0           
     6        0     0 ACCEPT     0    --  docker0 !docker0  0.0.0.0/0            0.0.0.0/0           
-    7        0     0 ACCEPT     0    --  docker0 docker0  0.0.0.0/0            0.0.0.0/0           
+    7        0     0 ACCEPT     0    --  bridge1 bridge1  0.0.0.0/0            0.0.0.0/0           
 
     Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
     num   pkts bytes target     prot opt in     out     source               destination         
@@ -59,9 +59,9 @@ The filter table is updated as follows:
     -A FORWARD -m set --match-set docker-ext-bridges-v4 dst -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
     -A FORWARD -j DOCKER-ISOLATION-STAGE-1
     -A FORWARD -m set --match-set docker-ext-bridges-v4 dst -j DOCKER
-    -A FORWARD -i bridge1 -o bridge1 -j ACCEPT
-    -A FORWARD -i docker0 ! -o docker0 -j ACCEPT
     -A FORWARD -i docker0 -o docker0 -j ACCEPT
+    -A FORWARD -i docker0 ! -o docker0 -j ACCEPT
+    -A FORWARD -i bridge1 -o bridge1 -j ACCEPT
     -A DOCKER ! -i docker0 -o docker0 -j DROP
     -A DOCKER-ISOLATION-STAGE-1 ! -s 192.0.2.0/24 -o bridge1 -j DROP
     -A DOCKER-ISOLATION-STAGE-1 ! -d 192.0.2.0/24 -i bridge1 -j DROP
 
@@ -19,10 +19,10 @@ The filter table is:
     2        0     0 ACCEPT     0    --  *      *       0.0.0.0/0            0.0.0.0/0            match-set docker-ext-bridges-v4 dst ctstate RELATED,ESTABLISHED
     3        0     0 DOCKER-ISOLATION-STAGE-1  0    --  *      *       0.0.0.0/0            0.0.0.0/0           
     4        0     0 DOCKER     0    --  *      *       0.0.0.0/0            0.0.0.0/0            match-set docker-ext-bridges-v4 dst
-    5        0     0 ACCEPT     0    --  bridge1 !bridge1  0.0.0.0/0            0.0.0.0/0           
-    6        0     0 ACCEPT     0    --  bridge1 bridge1  0.0.0.0/0            0.0.0.0/0           
-    7        0     0 ACCEPT     0    --  docker0 !docker0  0.0.0.0/0            0.0.0.0/0           
-    8        0     0 ACCEPT     0    --  docker0 docker0  0.0.0.0/0            0.0.0.0/0           
+    5        0     0 ACCEPT     0    --  docker0 docker0  0.0.0.0/0            0.0.0.0/0           
+    6        0     0 ACCEPT     0    --  docker0 !docker0  0.0.0.0/0            0.0.0.0/0           
+    7        0     0 ACCEPT     0    --  bridge1 bridge1  0.0.0.0/0            0.0.0.0/0           
+    8        0     0 ACCEPT     0    --  bridge1 !bridge1  0.0.0.0/0            0.0.0.0/0           
 
     Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
     num   pkts bytes target     prot opt in     out     source               destination         
@@ -61,10 +61,10 @@ The filter table is:
     -A FORWARD -m set --match-set docker-ext-bridges-v4 dst -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
     -A FORWARD -j DOCKER-ISOLATION-STAGE-1
     -A FORWARD -m set --match-set docker-ext-bridges-v4 dst -j DOCKER
-    -A FORWARD -i bridge1 ! -o bridge1 -j ACCEPT
-    -A FORWARD -i bridge1 -o bridge1 -j ACCEPT
-    -A FORWARD -i docker0 ! -o docker0 -j ACCEPT
     -A FORWARD -i docker0 -o docker0 -j ACCEPT
+    -A FORWARD -i docker0 ! -o docker0 -j ACCEPT
+    -A FORWARD -i bridge1 -o bridge1 -j ACCEPT
+    -A FORWARD -i bridge1 ! -o bridge1 -j ACCEPT
     -A DOCKER ! -i docker0 -o docker0 -j DROP
     -A DOCKER ! -i bridge1 -o bridge1 -j ACCEPT
     -A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
 
@@ -19,10 +19,10 @@ The filter table is:
     2        0     0 ACCEPT     0    --  *      *       0.0.0.0/0            0.0.0.0/0            match-set docker-ext-bridges-v4 dst ctstate RELATED,ESTABLISHED
     3        0     0 DOCKER-ISOLATION-STAGE-1  0    --  *      *       0.0.0.0/0            0.0.0.0/0           
     4        0     0 DOCKER     0    --  *      *       0.0.0.0/0            0.0.0.0/0            match-set docker-ext-bridges-v4 dst
-    5        0     0 ACCEPT     0    --  bridge1 !bridge1  0.0.0.0/0            0.0.0.0/0           
+    5        0     0 ACCEPT     0    --  docker0 docker0  0.0.0.0/0            0.0.0.0/0           
     6        0     0 ACCEPT     0    --  docker0 !docker0  0.0.0.0/0            0.0.0.0/0           
-    7        0     0 ACCEPT     0    --  docker0 docker0  0.0.0.0/0            0.0.0.0/0           
-    8        0     0 DROP       0    --  bridge1 bridge1  0.0.0.0/0            0.0.0.0/0           
+    7        0     0 DROP       0    --  bridge1 bridge1  0.0.0.0/0            0.0.0.0/0           
+    8        0     0 ACCEPT     0    --  bridge1 !bridge1  0.0.0.0/0            0.0.0.0/0           
 
     Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
     num   pkts bytes target     prot opt in     out     source               destination         
@@ -62,10 +62,10 @@ The filter table is:
     -A FORWARD -m set --match-set docker-ext-bridges-v4 dst -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
     -A FORWARD -j DOCKER-ISOLATION-STAGE-1
     -A FORWARD -m set --match-set docker-ext-bridges-v4 dst -j DOCKER
-    -A FORWARD -i bridge1 ! -o bridge1 -j ACCEPT
-    -A FORWARD -i docker0 ! -o docker0 -j ACCEPT
     -A FORWARD -i docker0 -o docker0 -j ACCEPT
+    -A FORWARD -i docker0 ! -o docker0 -j ACCEPT
     -A FORWARD -i bridge1 -o bridge1 -j DROP
+    -A FORWARD -i bridge1 ! -o bridge1 -j ACCEPT
     -A DOCKER -d 192.0.2.2/32 ! -i bridge1 -o bridge1 -p tcp -m tcp --dport 80 -j ACCEPT
     -A DOCKER ! -i docker0 -o docker0 -j DROP
     -A DOCKER ! -i bridge1 -o bridge1 -j DROP
@@ -80,7 +80,7 @@ The filter table is:
 
 By comparison with [ICC=true][1]:
 
-  - Rule 8 in the FORWARD chain replaces an ACCEPT rule that would have followed rule 5, matching the same packets.
+  - Rule 7 in the FORWARD chain replaces an ACCEPT rule that would have followed rule 5, matching the same packets.
     - Added in [setIcc][2]
 
 [1]: usernet-portmap.md
 
@@ -22,10 +22,10 @@ The filter table is the same as with the userland proxy enabled.
     2        0     0 ACCEPT     0    --  *      *       0.0.0.0/0            0.0.0.0/0            match-set docker-ext-bridges-v4 dst ctstate RELATED,ESTABLISHED
     3        0     0 DOCKER-ISOLATION-STAGE-1  0    --  *      *       0.0.0.0/0            0.0.0.0/0           
     4        0     0 DOCKER     0    --  *      *       0.0.0.0/0            0.0.0.0/0            match-set docker-ext-bridges-v4 dst
-    5        0     0 ACCEPT     0    --  bridge1 !bridge1  0.0.0.0/0            0.0.0.0/0           
-    6        0     0 ACCEPT     0    --  bridge1 bridge1  0.0.0.0/0            0.0.0.0/0           
-    7        0     0 ACCEPT     0    --  docker0 !docker0  0.0.0.0/0            0.0.0.0/0           
-    8        0     0 ACCEPT     0    --  docker0 docker0  0.0.0.0/0            0.0.0.0/0           
+    5        0     0 ACCEPT     0    --  docker0 docker0  0.0.0.0/0            0.0.0.0/0           
+    6        0     0 ACCEPT     0    --  docker0 !docker0  0.0.0.0/0            0.0.0.0/0           
+    7        0     0 ACCEPT     0    --  bridge1 bridge1  0.0.0.0/0            0.0.0.0/0           
+    8        0     0 ACCEPT     0    --  bridge1 !bridge1  0.0.0.0/0            0.0.0.0/0           
 
     Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
     num   pkts bytes target     prot opt in     out     source               destination         
@@ -62,10 +62,10 @@ The filter table is the same as with the userland proxy enabled.
     -A FORWARD -m set --match-set docker-ext-bridges-v4 dst -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
     -A FORWARD -j DOCKER-ISOLATION-STAGE-1
     -A FORWARD -m set --match-set docker-ext-bridges-v4 dst -j DOCKER
-    -A FORWARD -i bridge1 ! -o bridge1 -j ACCEPT
-    -A FORWARD -i bridge1 -o bridge1 -j ACCEPT
-    -A FORWARD -i docker0 ! -o docker0 -j ACCEPT
     -A FORWARD -i docker0 -o docker0 -j ACCEPT
+    -A FORWARD -i docker0 ! -o docker0 -j ACCEPT
+    -A FORWARD -i bridge1 -o bridge1 -j ACCEPT
+    -A FORWARD -i bridge1 ! -o bridge1 -j ACCEPT
     -A DOCKER -d 192.0.2.2/32 ! -i bridge1 -o bridge1 -p tcp -m tcp --dport 80 -j ACCEPT
     -A DOCKER ! -i docker0 -o docker0 -j DROP
     -A DOCKER ! -i bridge1 -o bridge1 -j DROP
 
@@ -19,10 +19,10 @@ The filter table is:
     2        0     0 ACCEPT     0    --  *      *       0.0.0.0/0            0.0.0.0/0            match-set docker-ext-bridges-v4 dst ctstate RELATED,ESTABLISHED
     3        0     0 DOCKER-ISOLATION-STAGE-1  0    --  *      *       0.0.0.0/0            0.0.0.0/0           
     4        0     0 DOCKER     0    --  *      *       0.0.0.0/0            0.0.0.0/0            match-set docker-ext-bridges-v4 dst
-    5        0     0 ACCEPT     0    --  bridge1 !bridge1  0.0.0.0/0            0.0.0.0/0           
-    6        0     0 ACCEPT     0    --  bridge1 bridge1  0.0.0.0/0            0.0.0.0/0           
-    7        0     0 ACCEPT     0    --  docker0 !docker0  0.0.0.0/0            0.0.0.0/0           
-    8        0     0 ACCEPT     0    --  docker0 docker0  0.0.0.0/0            0.0.0.0/0           
+    5        0     0 ACCEPT     0    --  docker0 docker0  0.0.0.0/0            0.0.0.0/0           
+    6        0     0 ACCEPT     0    --  docker0 !docker0  0.0.0.0/0            0.0.0.0/0           
+    7        0     0 ACCEPT     0    --  bridge1 bridge1  0.0.0.0/0            0.0.0.0/0           
+    8        0     0 ACCEPT     0    --  bridge1 !bridge1  0.0.0.0/0            0.0.0.0/0           
 
     Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
     num   pkts bytes target     prot opt in     out     source               destination         
@@ -65,10 +65,10 @@ The filter table is:
     -A FORWARD -m set --match-set docker-ext-bridges-v4 dst -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
     -A FORWARD -j DOCKER-ISOLATION-STAGE-1
     -A FORWARD -m set --match-set docker-ext-bridges-v4 dst -j DOCKER
-    -A FORWARD -i bridge1 ! -o bridge1 -j ACCEPT
-    -A FORWARD -i bridge1 -o bridge1 -j ACCEPT
-    -A FORWARD -i docker0 ! -o docker0 -j ACCEPT
     -A FORWARD -i docker0 -o docker0 -j ACCEPT
+    -A FORWARD -i docker0 ! -o docker0 -j ACCEPT
+    -A FORWARD -i bridge1 -o bridge1 -j ACCEPT
+    -A FORWARD -i bridge1 ! -o bridge1 -j ACCEPT
     -A DOCKER -d 192.0.2.2/32 ! -i bridge1 -o bridge1 -p tcp -m tcp --dport 80 -j ACCEPT
     -A DOCKER ! -i docker0 -o docker0 -j DROP
     -A DOCKER -o bridge1 -p icmp -j ACCEPT
 
@@ -18,10 +18,10 @@ The filter table is updated as follows:
     2        0     0 ACCEPT     0    --  *      *       0.0.0.0/0            0.0.0.0/0            match-set docker-ext-bridges-v4 dst ctstate RELATED,ESTABLISHED
     3        0     0 DOCKER-ISOLATION-STAGE-1  0    --  *      *       0.0.0.0/0            0.0.0.0/0           
     4        0     0 DOCKER     0    --  *      *       0.0.0.0/0            0.0.0.0/0            match-set docker-ext-bridges-v4 dst
-    5        0     0 ACCEPT     0    --  bridge1 !bridge1  0.0.0.0/0            0.0.0.0/0           
-    6        0     0 ACCEPT     0    --  bridge1 bridge1  0.0.0.0/0            0.0.0.0/0           
-    7        0     0 ACCEPT     0    --  docker0 !docker0  0.0.0.0/0            0.0.0.0/0           
-    8        0     0 ACCEPT     0    --  docker0 docker0  0.0.0.0/0            0.0.0.0/0           
+    5        0     0 ACCEPT     0    --  docker0 docker0  0.0.0.0/0            0.0.0.0/0           
+    6        0     0 ACCEPT     0    --  docker0 !docker0  0.0.0.0/0            0.0.0.0/0           
+    7        0     0 ACCEPT     0    --  bridge1 bridge1  0.0.0.0/0            0.0.0.0/0           
+    8        0     0 ACCEPT     0    --  bridge1 !bridge1  0.0.0.0/0            0.0.0.0/0           
 
     Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
     num   pkts bytes target     prot opt in     out     source               destination         
@@ -61,10 +61,10 @@ The filter table is updated as follows:
     -A FORWARD -m set --match-set docker-ext-bridges-v4 dst -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
     -A FORWARD -j DOCKER-ISOLATION-STAGE-1
     -A FORWARD -m set --match-set docker-ext-bridges-v4 dst -j DOCKER
-    -A FORWARD -i bridge1 ! -o bridge1 -j ACCEPT
-    -A FORWARD -i bridge1 -o bridge1 -j ACCEPT
-    -A FORWARD -i docker0 ! -o docker0 -j ACCEPT
     -A FORWARD -i docker0 -o docker0 -j ACCEPT
+    -A FORWARD -i docker0 ! -o docker0 -j ACCEPT
+    -A FORWARD -i bridge1 -o bridge1 -j ACCEPT
+    -A FORWARD -i bridge1 ! -o bridge1 -j ACCEPT
     -A DOCKER -d 192.0.2.2/32 ! -i bridge1 -o bridge1 -p tcp -m tcp --dport 80 -j ACCEPT
     -A DOCKER ! -i docker0 -o docker0 -j DROP
     -A DOCKER ! -i bridge1 -o bridge1 -j DROP
@@ -79,10 +79,8 @@ The filter table is updated as follows:
 
 Note that:
 
- - In the FORWARD chain, rules 5-6 for the new network have been inserted at
-   the top of the chain, pushing the equivalent docker0 rules down to positions
-   7-8. (Rules 5-6 were inserted at the top of the chain, then rules 1-4 were
-   shuffled back to the top by deleting/recreating, as described above.)
+ - In the FORWARD chain, rules 6-7 for the new network have been appended to
+   the end of the chain.
  - In the DOCKER-ISOLATION chains, rules equivalent to the docker0 rules have
    also been inserted for the new bridge.
  - In the DOCKER chain, there is an ACCEPT rule for TCP port 80 packets routed
 
@@ -39,11 +39,12 @@ The FORWARD chain rules are numbered in the output above, they are:
      matching against the `docker-ext-bridge-v[46]` set. Added when the network is
      created, in [setupIPTables][13].
      The DOCKER chain implements per-port/protocol filtering for each container.
-  5. ACCEPT any packet leaving a network, also set up when the network is created, in
-     [setupIPTablesInternal][14].
-  6. ACCEPT packets flowing between containers within a network, because by default
+  5. ACCEPT packets flowing between containers within a network, because by default
      container isolation is disabled. Also set up when the network is created, in
      [setIcc][15].
+  6. ACCEPT any packet leaving a network, also set up when the network is created, in
+     [setupIPTablesInternal][14].
+
 
 [10]: https://github.com/moby/moby/blob/e05848c0025b67a16aaafa8cdff95d5e2c064105/libnetwork/firewall_linux.go#L50
 [11]: https://github.com/robmry/moby/blob/52c89d467fc5326149e4bbb8903d23589b66ff0d/libnetwork/drivers/bridge/setup_ip_tables_linux.go#L230-L232
 
@@ -21,7 +21,7 @@ The filter table is:
 
 By comparison with [ICC=true][1]:
 
-  - Rule 8 in the FORWARD chain replaces an ACCEPT rule that would have followed rule 5, matching the same packets.
+  - Rule 7 in the FORWARD chain replaces an ACCEPT rule that would have followed rule 5, matching the same packets.
     - Added in [setIcc][2]
 
 [1]: usernet-portmap.md
 
@@ -20,10 +20,8 @@ The filter table is updated as follows:
 
 Note that:
 
- - In the FORWARD chain, rules 5-6 for the new network have been inserted at
-   the top of the chain, pushing the equivalent docker0 rules down to positions
-   7-8. (Rules 5-6 were inserted at the top of the chain, then rules 1-4 were
-   shuffled back to the top by deleting/recreating, as described above.)
+ - In the FORWARD chain, rules 6-7 for the new network have been appended to
+   the end of the chain.
  - In the DOCKER-ISOLATION chains, rules equivalent to the docker0 rules have
    also been inserted for the new bridge.
  - In the DOCKER chain, there is an ACCEPT rule for TCP port 80 packets routed