@@ -854,10 +854,6 @@ func (daemon *Daemon) initNetworkController(cfg *config.Config, activeSandboxes

 		return err

 	}

-	if err := daemon.netController.SetupUserChains(); err != nil {

-		log.G(context.TODO()).WithError(err).Warnf("initNetworkController")

-	}

-

 	// Set HostGatewayIP to the default bridge's IP if it is empty

 	setHostGatewayIP(daemon.netController, cfg)

 	return nil

@@ -168,7 +168,7 @@ func New(cfgOptions ...config.Option) (*Controller, error) {

 		return nil, err

 	}

-	setupArrangeUserFilterRule(c)

+	c.setupUserChains()

 	return c, nil

 }

@@ -700,30 +700,9 @@ addToStore:

 		}

 	}

-	if c.isSwarmNode() {

-		c.mu.Lock()

-		arrangeIngressFilterRule()

-		c.mu.Unlock()

-	}

-

-	if err := c.SetupUserChains(); err != nil {

-		log.G(context.TODO()).WithError(err).Warnf("Controller.NewNetwork %s:", name)

-	}

-

 	return nw, nil

 }

-// Sets up the DOCKER-USER chain for each iptables version (IPv4, IPv6) that's

-// enabled in the controller's configuration.

-func (c *Controller) SetupUserChains() error {

-	for _, ipVersion := range c.enabledIptablesVersions() {

-		if err := setupUserChain(ipVersion); err != nil {

-			return err

-		}

-	}

-	return nil

-}

-

 var joinCluster NetworkWalker = func(nw *Network) bool {

 	if nw.configOnly {

 		return false

@@ -2,6 +2,7 @@ package libnetwork

 import (

 	"context"

+	"errors"

 	"fmt"

 	"github.com/containerd/log"

@@ -10,24 +11,24 @@ import (

 const userChain = "DOCKER-USER"

-var ctrl *Controller

-

-func setupArrangeUserFilterRule(c *Controller) {

-	ctrl = c

-	iptables.OnReloaded(arrangeUserFilterRule)

-}

-

-// arrangeUserFilterRule sets up the DOCKER-USER chain for each iptables version

-// (IPv4, IPv6) that's enabled in the controller's configuration.

-func arrangeUserFilterRule() {

-	if ctrl == nil {

-		return

-	}

-	for _, ipVersion := range ctrl.enabledIptablesVersions() {

-		if err := setupUserChain(ipVersion); err != nil {

-			log.G(context.TODO()).WithError(err).Warn("arrangeUserFilterRule")

+// Sets up the DOCKER-USER chain for each iptables version (IPv4, IPv6) that's

+// enabled in the controller's configuration.

+func (c *Controller) setupUserChains() {

+	setup := func() error {

+		var errs []error

+		for _, ipVersion := range c.enabledIptablesVersions() {

+			errs = append(errs, setupUserChain(ipVersion))

 		}

+		return errors.Join(errs...)

+	}

+	if err := setup(); err != nil {

+		log.G(context.Background()).WithError(err).Warn("configuring " + userChain)

 	}

+	iptables.OnReloaded(func() {

+		if err := setup(); err != nil {

+			log.G(context.Background()).WithError(err).Warn("configuring " + userChain + " on firewall reload")

+		}

+	})

 }

 // setupUserChain sets up the DOCKER-USER chain for the given [iptables.IPVersion].

@@ -69,7 +69,7 @@ func TestUserChain(t *testing.T) {

 				_, err = iptable6.Raw("-A", fwdChainName, "-j", "DROP")

 				assert.Check(t, err)

 			}

-			arrangeUserFilterRule()

+			c.setupUserChains()

 			golden.Assert(t, getRules(t, iptable4, fwdChainName),

 				fmt.Sprintf("TestUserChain_iptables-%v_append-%v_fwdafter4", tc.iptables, tc.append))

@@ -2,6 +2,4 @@

 package libnetwork

-func setupArrangeUserFilterRule(c *Controller) {}

-func arrangeUserFilterRule()                   {}

-func setupUserChain(ipVersion any) error       { return nil }

+func (c *Controller) setupUserChains() {}

@@ -363,7 +363,10 @@ func programIngress(gwIP net.IP, ingressPorts []*PortConfig, isDelete bool) erro

 			if err := iptable.RawCombinedOutput("-I", "FORWARD", "-j", ingressChain); err != nil {

 				return fmt.Errorf("failed to add jump rule to %s in filter table forward chain: %v", ingressChain, err)

 			}

-			arrangeUserFilterRule()

+			// The jump to DOCKER-USER needs to be before the jump to DOCKER-INGRESS.

+			if err := setupUserChain(iptables.IPv4); err != nil {

+				log.G(context.TODO()).Warnf("Failed to restore "+userChain+" after creating "+ingressChain+": %v", err)

+			}

 		}

 		oifName, err := findOIFName(gwIP)

@@ -452,26 +455,6 @@ func programIngress(gwIP net.IP, ingressPorts []*PortConfig, isDelete bool) erro

 	return nil

 }

-// In the filter table FORWARD chain the first rule should be to jump to

-// DOCKER-USER so the user is able to filter packet first.

-// The second rule should be jump to INGRESS-CHAIN.

-// This chain has the rules to allow access to the published ports for swarm tasks

-// from local bridge networks and docker_gwbridge (ie:taks on other swarm networks)

-func arrangeIngressFilterRule() {

-	// TODO IPv6 support

-	iptable := iptables.GetIptable(iptables.IPv4)

-	if iptable.ExistChain(ingressChain, iptables.Filter) {

-		if iptable.Exists(iptables.Filter, "FORWARD", "-j", ingressChain) {

-			if err := iptable.RawCombinedOutput("-D", "FORWARD", "-j", ingressChain); err != nil {

-				log.G(context.TODO()).Warnf("failed to delete jump rule to ingressChain in filter table: %v", err)

-			}

-		}

-		if err := iptable.RawCombinedOutput("-I", "FORWARD", "-j", ingressChain); err != nil {

-			log.G(context.TODO()).Warnf("failed to add jump rule to ingressChain in filter table: %v", err)

-		}

-	}

-}

-

 func findOIFName(ip net.IP) (string, error) {

 	nlh := ns.NlHandle()

@@ -1,4 +1,5 @@

 -P FORWARD ACCEPT

+-A FORWARD -j DOCKER-USER

 -A FORWARD -m set --match-set docker-ext-bridges-v4 dst -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

 -A FORWARD -j DOCKER-ISOLATION-STAGE-1

 -A FORWARD -m set --match-set docker-ext-bridges-v4 dst -j DOCKER

@@ -1,4 +1,5 @@

 -P FORWARD ACCEPT

+-A FORWARD -j DOCKER-USER

 -A FORWARD -m set --match-set docker-ext-bridges-v6 dst -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

 -A FORWARD -j DOCKER-ISOLATION-STAGE-1

 -A FORWARD -m set --match-set docker-ext-bridges-v6 dst -j DOCKER

@@ -1,4 +1,5 @@

 -P FORWARD ACCEPT

+-A FORWARD -j DOCKER-USER

 -A FORWARD -m set --match-set docker-ext-bridges-v4 dst -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

 -A FORWARD -j DOCKER-ISOLATION-STAGE-1

 -A FORWARD -m set --match-set docker-ext-bridges-v4 dst -j DOCKER

@@ -1,4 +1,5 @@

 -P FORWARD ACCEPT

+-A FORWARD -j DOCKER-USER

 -A FORWARD -m set --match-set docker-ext-bridges-v6 dst -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

 -A FORWARD -j DOCKER-ISOLATION-STAGE-1

 -A FORWARD -m set --match-set docker-ext-bridges-v6 dst -j DOCKER