Docker on TOS 6.1 - allow access to service running in a container from internet

I am curious what would be the best way to achieve the subject.

Let's say I am running a container like this:

docker run --rm -d -p 8080:80 nginx:1.23.3-alpine-slim

I want to keep in place the solution in /etc/config/dockerd that prevents Docker from bypassing the firewall, so I don't expose anything accidentally:

config firewall 'firewall'
        option device 'docker0'
        list blocked_interfaces 'wan'
        option extra_iptables_args '--match conntrack ! --ctstate RELATED,ESTABLISHED' # allow outbound connections

After starting dockerd, these firewall rules (among others) are added:

-A FORWARD -j DOCKER-USER # first rule for FORWARD chain
...
-A DOCKER-USER -i eth2 -o docker0 -m conntrack ! --ctstate RELATED,ESTABLISHED -j REJECT --reject-with icmp-port-unreachable
-A DOCKER-USER -j RETURN

With this setup I haven't found a way to enable traffic from the internet to the container using the configuration in /etc/config/firewall.
Is this really impossible? Or did I miss something?


I have found a way to achieve what I need by manually adding a rule to the firewall:

iptables -I DOCKER-USER -i eth2 -o docker0 -d 172.17.0.2 -p tcp -m tcp --dport 80 -j RETURN

Would this be the right approach?
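The reason the manual rule works is ordering: `-I` inserts it at the top of DOCKER-USER, so the RETURN for the container's address and port is evaluated before the blanket REJECT of new connections arriving on eth2, and the packet goes back to FORWARD where Docker's own chains accept the published port. The same rule appended with `-A` would land after the REJECT and never match a new connection. The following audit script is an added example, not code from the post or from Turris OS; it parses the output of `iptables -S DOCKER-USER` (the two samples below are constructed to match the rules quoted above, with the `-I` and `-A` variants), walks the chain in order as iptables would for a new TCP connection from eth2 to docker0, and reports which verdict the connection hits first. The chain name, interface names and container address come from the post; the function names are this example's own.

```python
"""Audit DOCKER-USER rule ordering for a published container port.

Added example, not part of the original post. Parses `iptables -S DOCKER-USER`
output and simulates the first verdict a new TCP connection would receive.
Only the options that matter for the rules quoted in the post are interpreted
(-i, -o, -d, -p, --dport, -j and the negated --ctstate match); anything else
is skipped. Sample chain dumps below are constructed, not captured.
"""
import shlex
from dataclasses import dataclass
from typing import List, Optional

# Constructed: chain after `iptables -I DOCKER-USER ...` (allow rule first).
SAMPLE_WITH_ALLOW = """\
-N DOCKER-USER
-A DOCKER-USER -d 172.17.0.2/32 -i eth2 -o docker0 -p tcp -m tcp --dport 80 -j RETURN
-A DOCKER-USER -i eth2 -o docker0 -m conntrack ! --ctstate RELATED,ESTABLISHED -j REJECT --reject-with icmp-port-unreachable
-A DOCKER-USER -j RETURN
"""

# Constructed: same rule added with -A instead of -I (allow rule after the REJECT).
SAMPLE_APPENDED = """\
-N DOCKER-USER
-A DOCKER-USER -i eth2 -o docker0 -m conntrack ! --ctstate RELATED,ESTABLISHED -j REJECT --reject-with icmp-port-unreachable
-A DOCKER-USER -d 172.17.0.2/32 -i eth2 -o docker0 -p tcp -m tcp --dport 80 -j RETURN
-A DOCKER-USER -j RETURN
"""

VERDICTS = ("RETURN", "REJECT", "DROP", "ACCEPT")


@dataclass
class Rule:
    in_if: Optional[str] = None
    out_if: Optional[str] = None
    dst: Optional[str] = None        # address without the /32 suffix
    proto: Optional[str] = None
    dport: Optional[int] = None
    target: Optional[str] = None
    new_only: bool = False           # carries "! --ctstate RELATED,ESTABLISHED"


def parse_chain(text: str) -> List[Rule]:
    """Turn `iptables -S <chain>` output into Rule objects, in chain order."""
    rules: List[Rule] = []
    for line in text.splitlines():
        tokens = shlex.split(line)
        if len(tokens) < 2 or tokens[0] != "-A":
            continue                      # skip -N/-P lines and blanks
        r = Rule()
        i = 2                             # skip "-A <chain>"
        while i < len(tokens):
            t = tokens[i]
            nxt = tokens[i + 1] if i + 1 < len(tokens) else None
            if t == "-i":
                r.in_if, i = nxt, i + 2
            elif t == "-o":
                r.out_if, i = nxt, i + 2
            elif t == "-d":
                r.dst, i = nxt.split("/")[0], i + 2
            elif t == "-p":
                r.proto, i = nxt, i + 2
            elif t == "--dport":
                r.dport, i = int(nxt), i + 2
            elif t == "-j":
                r.target, i = nxt, i + 2
            elif t == "!" and nxt == "--ctstate":
                r.new_only, i = True, i + 3   # skip "!", "--ctstate", states
            else:
                i += 1                    # e.g. "-m tcp", "--reject-with ..."
        rules.append(r)
    return rules


def matches(r: Rule, dst: str, dport: int, in_if: str, out_if: str) -> bool:
    """Does the rule match a NEW TCP connection to dst:dport from in_if to out_if?

    An unset field is a wildcard. new_only rules always match here because
    the simulated packet is the first packet of a connection.
    """
    return (r.in_if in (None, in_if) and r.out_if in (None, out_if)
            and r.dst in (None, dst) and r.proto in (None, "tcp")
            and r.dport in (None, dport))


def first_verdict(rules: List[Rule], dst: str, dport: int,
                  in_if: str = "eth2", out_if: str = "docker0") -> Optional[str]:
    """Walk the chain top-down and return the target of the first matching verdict rule."""
    for r in rules:
        if r.target in VERDICTS and matches(r, dst, dport, in_if, out_if):
            return r.target
    return None


def port_is_reachable(chain_dump: str, dst: str, dport: int) -> bool:
    """True when DOCKER-USER hands the connection back to FORWARD (RETURN) before rejecting it."""
    return first_verdict(parse_chain(chain_dump), dst, dport) == "RETURN"


if __name__ == "__main__":
    for name, dump in (("inserted (-I)", SAMPLE_WITH_ALLOW), ("appended (-A)", SAMPLE_APPENDED)):
        print(f"{name}: 172.17.0.2:80 ->", first_verdict(parse_chain(dump), "172.17.0.2", 80),
              "| 172.17.0.2:443 ->", first_verdict(parse_chain(dump), "172.17.0.2", 443))
```

On a live router the same check runs against real output with `iptables -S DOCKER-USER | python3 audit.py`-style piping (reading stdin instead of the constructed samples). One caveat for the rule itself: 172.17.0.2 is an address Docker assigns dynamically on the default bridge, so a container restarted in a different order can receive a different address and the match on `-d` then silently stops applying, which the audit above would show as REJECT for that port.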