Puppet ends up removing docker rules due to the purge issued in the check for firewall pre/post check, turning this (`iptables -S` output):
```
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N DOCKER
-N DOCKER-ISOLATION
-A INPUT -p icmp -m comment --comment "000 accept all icmp" -j ACCEPT
-A INPUT -i lo -m comment --comment "001 accept all to lo interface" -j ACCEPT
-A INPUT -m comment --comment "002 accept established related rules" -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s x.x.x.x -p tcp -m multiport --dports 22 -m comment --comment "022 accept ssh traffic - 1" -j ACCEPT
-A INPUT -s x.x.x.x -p tcp -m multiport --dports 22 -m comment --comment "022 accept ssh traffic - Building" -j ACCEPT
-A INPUT -s x.x.x.x -p tcp -m multiport --dports 80 -m comment --comment "080 nginx http request - Wired" -j ACCEPT
-A INPUT -m comment --comment "99999 drop remaining inputs" -j DROP
-A FORWARD -j DOCKER-ISOLATION
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A FORWARD -m comment --comment "99999 drop remaining forwards" -j DROP
```
into this:
```
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N DOCKER
-N DOCKER-ISOLATION
-A INPUT -p icmp -m comment --comment "000 accept all icmp" -j ACCEPT
-A INPUT -i lo -m comment --comment "001 accept all to lo interface" -j ACCEPT
-A INPUT -m comment --comment "002 accept established related rules" -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s x.x.x.x -p tcp -m multiport --dports 22 -m comment --comment "022 accept ssh traffic - 1" -j ACCEPT
-A INPUT -s x.x.x.x -p tcp -m multiport --dports 22 -m comment --comment "022 accept ssh traffic - Building" -j ACCEPT
```
Offhand I'm not sure how to fix this yet, but it breaks some of the usability here pretty badly (in this admittedly very specific use case).
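One way to see exactly what a Puppet run purged, as an added example that is not code from this issue or from the module: it diffs two `iptables -S` dumps and reports removed rules, user chains that nothing jumps to any more, and chains that lost their trailing DROP. The `BEFORE`/`AFTER` samples are constructed, abridged versions of the output above, and the function names are hypothetical.

```python
import shlex

# Constructed samples, abridged from the `iptables -S` output in this issue.
BEFORE = """\
-P INPUT ACCEPT
-N DOCKER
-N DOCKER-ISOLATION
-A INPUT -i lo -m comment --comment "001 accept all to lo interface" -j ACCEPT
-A INPUT -m comment --comment "99999 drop remaining inputs" -j DROP
-A FORWARD -j DOCKER-ISOLATION
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -m comment --comment "99999 drop remaining forwards" -j DROP
"""
AFTER = """\
-P INPUT ACCEPT
-N DOCKER
-N DOCKER-ISOLATION
-A INPUT -i lo -m comment --comment "001 accept all to lo interface" -j ACCEPT
"""

def parse_rules(dump):
    """Split an `iptables -S` dump into policies, user chains and rules per chain."""
    policies, chains, rules = {}, set(), {}
    for tok in map(shlex.split, dump.splitlines()):
        if tok[:1] == ["-P"]:
            policies[tok[1]] = tok[2]
        elif tok[:1] == ["-N"]:
            chains.add(tok[1])
        elif tok[:1] == ["-A"]:
            rules.setdefault(tok[1], []).append(tok[2:])
    return policies, chains, rules

def target(rule):
    """Return the -j target of a tokenised rule, or None if it has none."""
    return rule[rule.index("-j") + 1] if "-j" in rule else None

def purge_report(before, after):
    """Report removed rules, unreferenced user chains, chains that lost a final DROP."""
    _, _, old = parse_rules(before)
    _, chains, new = parse_rules(after)
    removed = {c: [r for r in rs if r not in new.get(c, [])] for c, rs in old.items()}
    removed = {c: rs for c, rs in removed.items() if rs}
    orphaned = sorted(chains - {target(r) for rs in new.values() for r in rs})
    lost_drop = sorted(c for c, rs in old.items() if target(rs[-1]) == "DROP"
                       and target((new.get(c) or [[]])[-1]) != "DROP")
    return removed, orphaned, lost_drop

if __name__ == "__main__":
    print(purge_report(BEFORE, AFTER))
```

Feeding it dumps captured before and after an agent run shows both the lost Docker jumps and any chain that now ends without its catch-all DROP.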