@@ -1026,11 +1026,16 @@ func getEndpointPortMapInfo(ep *libnetwork.Endpoint) (nat.PortMap, error) {

 	if portMapping, ok := mapData.([]networktypes.PortBinding); ok {

 		for _, pp := range portMapping {

+			// Use an empty string for the host port if there's no port assigned.

 			natPort, err := nat.NewPort(pp.Proto.String(), strconv.Itoa(int(pp.Port)))

 			if err != nil {

 				return pm, err

 			}

-			natBndg := nat.PortBinding{HostIP: pp.HostIP.String(), HostPort: strconv.Itoa(int(pp.HostPort))}

+			var hp string

+			if pp.HostPort > 0 {

+				hp = strconv.Itoa(int(pp.HostPort))

+			}

+			natBndg := nat.PortBinding{HostIP: pp.HostIP.String(), HostPort: hp}

 			pm[natPort] = append(pm[natPort], natBndg)

 		}

 	}

@@ -2,6 +2,7 @@ package container

 import (

 	"maps"

+	"slices"

 	"strings"

 	"github.com/docker/docker/api/types/container"

@@ -71,6 +72,16 @@ func WithExposedPorts(ports ...string) func(*TestContainerConfig) {

 	}

 }

+// WithPortMap sets/replaces port mappings.

+func WithPortMap(pm nat.PortMap) func(*TestContainerConfig) {

+	return func(c *TestContainerConfig) {

+		c.HostConfig.PortBindings = nat.PortMap{}

+		for p, b := range pm {

+			c.HostConfig.PortBindings[p] = slices.Clone(b)

+		}

+	}

+}

+

 // WithTty sets the TTY mode of the container

 func WithTty(tty bool) func(*TestContainerConfig) {

 	return func(c *TestContainerConfig) {

@@ -13,9 +13,11 @@ import (

 	networktypes "github.com/docker/docker/api/types/network"

 	"github.com/docker/docker/integration/internal/container"

 	"github.com/docker/docker/integration/internal/network"

+	"github.com/docker/docker/libnetwork/drivers/bridge"

 	"github.com/docker/docker/libnetwork/netlabel"

 	"github.com/docker/docker/testutil"

 	"github.com/docker/docker/testutil/daemon"

+	"github.com/docker/go-connections/nat"

 	"github.com/google/go-cmp/cmp/cmpopts"

 	"gotest.tools/v3/assert"

 	is "gotest.tools/v3/assert/cmp"

@@ -920,3 +922,84 @@ func TestSetEndpointSysctl(t *testing.T) {

 		}

 	}

 }

+

+func TestDisableNAT(t *testing.T) {

+	skip.If(t, testEnv.DaemonInfo.OSType == "windows", "bridge driver option doesn't apply to Windows")

+

+	ctx := setupTest(t)

+	d := daemon.New(t)

+	d.StartWithBusybox(ctx, t)

+	defer d.Stop(t)

+

+	c := d.NewClientT(t)

+	defer c.Close()

+

+	testcases := []struct {

+		name       string

+		gwMode4    string

+		gwMode6    string

+		expPortMap nat.PortMap

+	}{

+		{

+			name: "defaults",

+			expPortMap: nat.PortMap{

+				"80/tcp": []nat.PortBinding{

+					{HostIP: "0.0.0.0", HostPort: "8080"},

+					{HostIP: "::", HostPort: "8080"},

+				},

+			},

+		},

+		{

+			name:    "nat4 routed6",

+			gwMode4: "nat",

+			gwMode6: "routed",

+			expPortMap: nat.PortMap{

+				"80/tcp": []nat.PortBinding{

+					{HostIP: "0.0.0.0", HostPort: "8080"},

+					{HostIP: "::", HostPort: ""},

+				},

+			},

+		},

+		{

+			name:    "nat6 routed4",

+			gwMode4: "routed",

+			gwMode6: "nat",

+			expPortMap: nat.PortMap{

+				"80/tcp": []nat.PortBinding{

+					{HostIP: "0.0.0.0", HostPort: ""},

+					{HostIP: "::", HostPort: "8080"},

+				},

+			},

+		},

+	}

+

+	for _, tc := range testcases {

+		t.Run(tc.name, func(t *testing.T) {

+			ctx := testutil.StartSpan(ctx, t)

+

+			const netName = "testnet"

+			nwOpts := []func(options *networktypes.CreateOptions){

+				network.WithIPv6(),

+				network.WithIPAM("fd2a:a2c3:4448::/64", "fd2a:a2c3:4448::1"),

+			}

+			if tc.gwMode4 != "" {

+				nwOpts = append(nwOpts, network.WithOption(bridge.IPv4GatewayMode, tc.gwMode4))

+			}

+			if tc.gwMode6 != "" {

+				nwOpts = append(nwOpts, network.WithOption(bridge.IPv6GatewayMode, tc.gwMode6))

+			}

+			network.CreateNoError(ctx, t, c, netName, nwOpts...)

+			defer network.RemoveNoError(ctx, t, c, netName)

+

+			id := container.Run(ctx, t, c,

+				container.WithNetworkMode(netName),

+				container.WithExposedPorts("80/tcp"),

+				container.WithPortMap(nat.PortMap{"80/tcp": {{HostPort: "8080"}}}),

+			)

+			defer c.ContainerRemove(ctx, id, containertypes.RemoveOptions{Force: true})

+

+			inspect := container.Inspect(ctx, t, c, id)

+			assert.Check(t, is.DeepEqual(inspect.NetworkSettings.Ports, tc.expPortMap))

+		})

+	}

+}

@@ -62,6 +62,8 @@ type networkConfiguration struct {

 	BridgeName           string

 	EnableIPv6           bool

 	EnableIPMasquerade   bool

+	GwModeIPv4           gwMode

+	GwModeIPv6           gwMode

 	EnableICC            bool

 	InhibitIPv4          bool

 	Mtu                  int

@@ -145,6 +147,14 @@ type driver struct {

 	sync.Mutex

 }

+type gwMode string

+

+const (

+	gwModeDefault gwMode = ""

+	gwModeNAT     gwMode = "nat"

+	gwModeRouted  gwMode = "routed"

+)

+

 // New constructs a new bridge driver

 func newDriver() *driver {

 	return &driver{

@@ -289,6 +299,14 @@ func (c *networkConfiguration) fromLabels(labels map[string]string) error {

 			if c.EnableIPMasquerade, err = strconv.ParseBool(value); err != nil {

 				return parseErr(label, value, err.Error())

 			}

+		case IPv4GatewayMode:

+			if c.GwModeIPv4, err = newGwMode(value); err != nil {

+				return parseErr(label, value, err.Error())

+			}

+		case IPv6GatewayMode:

+			if c.GwModeIPv6, err = newGwMode(value); err != nil {

+				return parseErr(label, value, err.Error())

+			}

 		case EnableICC:

 			if c.EnableICC, err = strconv.ParseBool(value); err != nil {

 				return parseErr(label, value, err.Error())

@@ -321,6 +339,20 @@ func (c *networkConfiguration) fromLabels(labels map[string]string) error {

 	return nil

 }

+func newGwMode(gwMode string) (gwMode, error) {

+	switch gwMode {

+	case "nat":

+		return gwModeNAT, nil

+	case "routed":

+		return gwModeRouted, nil

+	}

+	return gwModeDefault, fmt.Errorf("unknown gateway mode %s", gwMode)

+}

+

+func (m gwMode) natDisabled() bool {

+	return m == gwModeRouted

+}

+

 func parseErr(label, value, errString string) error {

 	return types.InvalidParameterErrorf("failed to parse %s value: %v (%s)", label, value, errString)

 }

@@ -367,6 +399,12 @@ func (n *bridgeNetwork) getNetworkBridgeName() string {

 	return config.BridgeName

 }

+func (n *bridgeNetwork) getNATDisabled() (ipv4, ipv6 bool) {

+	n.Lock()

+	defer n.Unlock()

+	return n.config.GwModeIPv4.natDisabled(), n.config.GwModeIPv6.natDisabled()

+}

+

 func (n *bridgeNetwork) userlandProxyPath() string {

 	n.Lock()

 	defer n.Unlock()

@@ -123,6 +123,8 @@ func (ncfg *networkConfiguration) MarshalJSON() ([]byte, error) {

 	nMap["BridgeName"] = ncfg.BridgeName

 	nMap["EnableIPv6"] = ncfg.EnableIPv6

 	nMap["EnableIPMasquerade"] = ncfg.EnableIPMasquerade

+	nMap["GwModeIPv4"] = ncfg.GwModeIPv4

+	nMap["GwModeIPv6"] = ncfg.GwModeIPv6

 	nMap["EnableICC"] = ncfg.EnableICC

 	nMap["InhibitIPv4"] = ncfg.InhibitIPv4

 	nMap["Mtu"] = ncfg.Mtu

@@ -190,6 +192,12 @@ func (ncfg *networkConfiguration) UnmarshalJSON(b []byte) error {

 	ncfg.BridgeName = nMap["BridgeName"].(string)

 	ncfg.EnableIPv6 = nMap["EnableIPv6"].(bool)

 	ncfg.EnableIPMasquerade = nMap["EnableIPMasquerade"].(bool)

+	if v, ok := nMap["GwModeIPv4"]; ok {

+		ncfg.GwModeIPv4, _ = newGwMode(v.(string))

+	}

+	if v, ok := nMap["GwModeIPv6"]; ok {

+		ncfg.GwModeIPv6, _ = newGwMode(v.(string))

+	}

 	ncfg.EnableICC = nMap["EnableICC"].(bool)

 	if v, ok := nMap["InhibitIPv4"]; ok {

 		ncfg.InhibitIPv4 = v.(bool)

@@ -7,6 +7,11 @@ const (

 	// EnableIPMasquerade label for bridge driver

 	EnableIPMasquerade = "com.docker.network.bridge.enable_ip_masquerade"

+	// IPv4GatewayMode label for bridge driver

+	IPv4GatewayMode = "com.docker.network.bridge.gateway_mode_ipv4"

+	// IPv6GatewayMode label for bridge driver

+	IPv6GatewayMode = "com.docker.network.bridge.gateway_mode_ipv6"

+

 	// EnableICC label

 	EnableICC = "com.docker.network.bridge.enable_icc"

@@ -20,6 +20,11 @@ type portBinding struct {

 	stopProxy func() error

 }

+type portBindingReq struct {

+	types.PortBinding

+	disableNAT bool

+}

+

 // addPortMappings takes cfg, the configuration for port mappings, selects host

 // ports when ranges are given, starts docker-proxy or its dummy to reserve

 // host ports, and sets up iptables NAT/forwarding rules as necessary. If

@@ -60,9 +65,10 @@ func (n *bridgeNetwork) addPortMappings(

 	}()

 	proxyPath := n.userlandProxyPath()

+	disableNAT4, disableNAT6 := n.getNATDisabled()

 	for _, c := range cfg {

-		toBind := make([]types.PortBinding, 0, 2)

-		if bindingIPv4, ok := configurePortBindingIPv4(c, containerIPv4, defHostIP); ok {

+		toBind := make([]portBindingReq, 0, 2)

+		if bindingIPv4, ok := configurePortBindingIPv4(disableNAT4, c, containerIPv4, defHostIP); ok {

 			toBind = append(toBind, bindingIPv4)

 		}

@@ -78,7 +84,7 @@ func (n *bridgeNetwork) addPortMappings(

 		if proxyPath != "" && (containerIPv6 == nil) {

 			containerIP = containerIPv4

 		}

-		if bindingIPv6, ok := configurePortBindingIPv6(c, containerIP, defHostIP); ok {

+		if bindingIPv6, ok := configurePortBindingIPv6(disableNAT6, c, containerIP, defHostIP); ok {

 			toBind = append(toBind, bindingIPv6)

 		}

@@ -100,19 +106,19 @@ func (n *bridgeNetwork) addPortMappings(

 // configurePortBindingIPv4 returns a new port binding with the HostIP field populated

 // if a binding is required, else nil.

-func configurePortBindingIPv4(bnd types.PortBinding, containerIPv4, defHostIP net.IP) (types.PortBinding, bool) {

+func configurePortBindingIPv4(disableNAT bool, bnd types.PortBinding, containerIPv4, defHostIP net.IP) (portBindingReq, bool) {

 	if len(containerIPv4) == 0 {

-		return types.PortBinding{}, false

+		return portBindingReq{}, false

 	}

 	if len(bnd.HostIP) > 0 && bnd.HostIP.To4() == nil {

 		// The mapping is explicitly IPv6.

-		return types.PortBinding{}, false

+		return portBindingReq{}, false

 	}

 	// If there's no host address, use the default.

 	if len(bnd.HostIP) == 0 {

 		if defHostIP.To4() == nil {

 			// The default binding address is IPv6.

-			return types.PortBinding{}, false

+			return portBindingReq{}, false

 		}

 		bnd.HostIP = defHostIP

 	}

@@ -123,18 +129,21 @@ func configurePortBindingIPv4(bnd types.PortBinding, containerIPv4, defHostIP ne

 	if bnd.HostPortEnd == 0 {

 		bnd.HostPortEnd = bnd.HostPort

 	}

-	return bnd, true

+	return portBindingReq{

+		PortBinding: bnd,

+		disableNAT:  disableNAT,

+	}, true

 }

 // configurePortBindingIPv6 returns a new port binding with the HostIP field populated

 // if a binding is required, else nil.

-func configurePortBindingIPv6(bnd types.PortBinding, containerIP, defHostIP net.IP) (types.PortBinding, bool) {

+func configurePortBindingIPv6(disableNAT bool, bnd types.PortBinding, containerIP, defHostIP net.IP) (portBindingReq, bool) {

 	if containerIP == nil {

-		return types.PortBinding{}, false

+		return portBindingReq{}, false

 	}

 	if len(bnd.HostIP) > 0 && bnd.HostIP.To4() != nil {

 		// The mapping is explicitly IPv4.

-		return types.PortBinding{}, false

+		return portBindingReq{}, false

 	}

 	// If there's no host address, use the default.

@@ -142,7 +151,7 @@ func configurePortBindingIPv6(bnd types.PortBinding, containerIP, defHostIP net.

 		if defHostIP.Equal(net.IPv4zero) {

 			if !netutils.IsV6Listenable() {

 				// No implicit binding if the host has no IPv6 support.

-				return types.PortBinding{}, false

+				return portBindingReq{}, false

 			}

 			// Implicit binding to "::", no explicit HostIP and the default is 0.0.0.0

 			bnd.HostIP = net.IPv6zero

@@ -151,7 +160,7 @@ func configurePortBindingIPv6(bnd types.PortBinding, containerIP, defHostIP net.

 			bnd.HostIP = defHostIP

 		} else {

 			// The default binding IP is an IPv4 address, nothing to do here.

-			return types.PortBinding{}, false

+			return portBindingReq{}, false

 		}

 	}

 	bnd.IP = containerIP

@@ -159,13 +168,16 @@ func configurePortBindingIPv6(bnd types.PortBinding, containerIP, defHostIP net.

 	if bnd.HostPortEnd == 0 {

 		bnd.HostPortEnd = bnd.HostPort

 	}

-	return bnd, true

+	return portBindingReq{

+		PortBinding: bnd,

+		disableNAT:  disableNAT,

+	}, true

 }

 // bindHostPorts allocates ports and starts docker-proxy for the given cfg. The

 // caller is responsible for ensuring that all entries in cfg map the same proto,

 // container port, and host port range (their host addresses must differ).

-func bindHostPorts(cfg []types.PortBinding, proxyPath string) ([]portBinding, error) {

+func bindHostPorts(cfg []portBindingReq, proxyPath string) ([]portBinding, error) {

 	if len(cfg) == 0 {

 		return nil, nil

 	}

@@ -208,45 +220,60 @@ var startProxy = portmapper.StartProxy

 // already bound the port), all resources are released and an error is returned.

 // When ports are successfully reserved, a portBinding is returned for each

 // mapping.

+//

+// If NAT is disabled for any of the bindings, no host port reservation is

+// needed. These bindings are included in results, as the container port itself

+// needs to be opened in the firewall.

 func attemptBindHostPorts(

-	cfg []types.PortBinding,

+	cfg []portBindingReq,

 	proto string,

 	hostPortStart, hostPortEnd uint16,

 	proxyPath string,

 ) (_ []portBinding, retErr error) {

+	var err error

+	var port int

+

 	addrs := make([]net.IP, 0, len(cfg))

 	for _, c := range cfg {

-		addrs = append(addrs, c.HostIP)

-	}

-

-	pa := portallocator.Get()

-	port, err := pa.RequestPortsInRange(addrs, proto, int(hostPortStart), int(hostPortEnd))

-	if err != nil {

-		return nil, err

-	}

-	defer func() {

-		if retErr != nil {

-			for _, a := range addrs {

-				pa.ReleasePort(a, proto, port)

-			}

+		if !c.disableNAT {

+			addrs = append(addrs, c.HostIP)

 		}

-	}()

+	}

-	res := make([]portBinding, 0, len(cfg))

-	for _, c := range cfg {

-		pb := portBinding{PortBinding: c.GetCopy()}

-		pb.stopProxy, err = startProxy(c.Proto.String(), c.HostIP, port, c.IP, int(c.Port), proxyPath)

+	if len(addrs) > 0 {

+		pa := portallocator.Get()

+		port, err = pa.RequestPortsInRange(addrs, proto, int(hostPortStart), int(hostPortEnd))

 		if err != nil {

-			return nil, fmt.Errorf("failed to bind port %s:%d/%s: %w", c.HostIP, port, c.Proto, err)

+			return nil, err

 		}

 		defer func() {

 			if retErr != nil {

-				if err := pb.stopProxy(); err != nil {

-					log.G(context.TODO()).Warnf("Failed to stop userland proxy for port mapping %s: %s", pb, err)

+				for _, a := range addrs {

+					pa.ReleasePort(a, proto, port)

 				}

 			}

 		}()

-		pb.HostPort = uint16(port)

+	}

+

+	res := make([]portBinding, 0, len(cfg))

+	for _, c := range cfg {

+		pb := portBinding{PortBinding: c.GetCopy()}

+		if c.disableNAT {

+			pb.HostPort = 0

+		} else {

+			pb.stopProxy, err = startProxy(c.Proto.String(), c.HostIP, port, c.IP, int(c.Port), proxyPath)

+			if err != nil {

+				return nil, fmt.Errorf("failed to bind port %s:%d/%s: %w", c.HostIP, port, c.Proto, err)

+			}

+			defer func() {

+				if retErr != nil {

+					if err := pb.stopProxy(); err != nil {

+						log.G(context.TODO()).Warnf("Failed to stop userland proxy for port mapping %s: %s", pb, err)

+					}

+				}

+			}()

+			pb.HostPort = uint16(port)

+		}

 		pb.HostPortEnd = pb.HostPort

 		res = append(res, pb)

 	}

@@ -266,15 +293,20 @@ func (n *bridgeNetwork) releasePorts(ep *bridgeEndpoint) error {

 func (n *bridgeNetwork) releasePortBindings(pbs []portBinding) error {

 	var errs []error

 	for _, pb := range pbs {

-		errP := pb.stopProxy()

-		if errP != nil {

-			errP = fmt.Errorf("failed to stop docker-proxy for port mapping %s: %w", pb, errP)

+		var errP error

+		if pb.stopProxy != nil {

+			errP = pb.stopProxy()

+			if errP != nil {

+				errP = fmt.Errorf("failed to stop docker-proxy for port mapping %s: %w", pb, errP)

+			}

 		}

 		errN := n.setPerPortIptables(pb, false)

 		if errN != nil {

 			errN = fmt.Errorf("failed to remove iptables rules for port mapping %s: %w", pb, errN)

 		}

-		portallocator.Get().ReleasePort(pb.HostIP, pb.Proto.String(), int(pb.HostPort))

+		if pb.HostPort > 0 {

+			portallocator.Get().ReleasePort(pb.HostIP, pb.Proto.String(), int(pb.HostPort))

+		}

 		errs = append(errs, errP, errN)

 	}

 	return errors.Join(errs...)

@@ -309,6 +341,10 @@ func (n *bridgeNetwork) setPerPortIptables(b portBinding, enable bool) error {

 }

 func setPerPortNAT(b portBinding, ipv iptables.IPVersion, proxyPath string, bridgeName string, enable bool) error {

+	if b.HostPort == 0 {

+		// NAT is disabled.

+		return nil

+	}

 	// iptables interprets "0.0.0.0" as "0.0.0.0/32", whereas we

 	// want "0.0.0.0/0". "0/0" is correctly interpreted as "any

 	// value" by both iptables and ip6tables.

@@ -181,18 +181,22 @@ func loopbackUp() error {

 }

 func TestBindHostPortsError(t *testing.T) {

-	cfg := []types.PortBinding{

+	cfg := []portBindingReq{

 		{

-			Proto:       types.TCP,

-			Port:        80,

-			HostPort:    8080,

-			HostPortEnd: 8080,

+			PortBinding: types.PortBinding{

+				Proto:       types.TCP,

+				Port:        80,

+				HostPort:    8080,

+				HostPortEnd: 8080,

+			},

 		},

 		{

-			Proto:       types.TCP,

-			Port:        80,

-			HostPort:    8080,

-			HostPortEnd: 8081,

+			PortBinding: types.PortBinding{

+				Proto:       types.TCP,

+				Port:        80,

+				HostPort:    8080,

+				HostPortEnd: 8081,

+			},

 		},

 	}

 	pbs, err := bindHostPorts(cfg, "")

@@ -218,6 +222,8 @@ func TestAddPortMappings(t *testing.T) {

 		name         string

 		epAddrV4     *net.IPNet

 		epAddrV6     *net.IPNet

+		gwMode4      gwMode

+		gwMode6      gwMode

 		cfg          []types.PortBinding

 		defHostIP    net.IP

 		proxyPath    string

@@ -258,6 +264,18 @@ func TestAddPortMappings(t *testing.T) {

 			},

 		},

 		{

+			name:     "nat explicitly enabled",

+			epAddrV4: ctrIP4,

+			epAddrV6: ctrIP6,

+			cfg:      []types.PortBinding{{Proto: types.TCP, Port: 80, HostPort: 8080}},

+			gwMode4:  gwModeNAT,

+			gwMode6:  gwModeNAT,

+			expPBs: []types.PortBinding{

+				{Proto: types.TCP, IP: ctrIP4.IP, Port: 80, HostIP: net.IPv4zero, HostPort: 8080, HostPortEnd: 8080},

+				{Proto: types.TCP, IP: ctrIP6.IP, Port: 80, HostIP: net.IPv6zero, HostPort: 8080, HostPortEnd: 8080},

+			},

+		},

+		{

 			name:         "specific host port in-use",

 			epAddrV4:     ctrIP4,

 			epAddrV6:     ctrIP6,

@@ -430,6 +448,55 @@ func TestAddPortMappings(t *testing.T) {

 				"failed to stop docker-proxy for port mapping tcp/172.19.0.2:22/0.0.0.0:2222: can't stop now\n" +

 				"failed to stop docker-proxy for port mapping tcp/fdf8:b88e:bb5c:3483::2:22/:::2222: can't stop now",

 		},

+		{

+			name:     "disable nat6",

+			epAddrV4: ctrIP4,

+			epAddrV6: ctrIP6,

+			cfg: []types.PortBinding{

+				{Proto: types.TCP, Port: 22},

+				{Proto: types.TCP, Port: 80},

+			},

+			gwMode6: gwModeRouted,

+			expPBs: []types.PortBinding{

+				{Proto: types.TCP, IP: ctrIP4.IP, Port: 22, HostIP: net.IPv4zero, HostPort: firstEphemPort},

+				{Proto: types.TCP, IP: ctrIP6.IP, Port: 22, HostIP: net.IPv6zero},

+				{Proto: types.TCP, IP: ctrIP4.IP, Port: 80, HostIP: net.IPv4zero, HostPort: firstEphemPort + 1},

+				{Proto: types.TCP, IP: ctrIP6.IP, Port: 80, HostIP: net.IPv6zero},

+			},

+		},

+		{

+			name:     "disable nat4",

+			epAddrV4: ctrIP4,

+			epAddrV6: ctrIP6,

+			cfg: []types.PortBinding{

+				{Proto: types.TCP, Port: 22},

+				{Proto: types.TCP, Port: 80},

+			},

+			gwMode4: gwModeRouted,

+			expPBs: []types.PortBinding{

+				{Proto: types.TCP, IP: ctrIP4.IP, Port: 22, HostIP: net.IPv4zero},

+				{Proto: types.TCP, IP: ctrIP6.IP, Port: 22, HostIP: net.IPv6zero, HostPort: firstEphemPort},

+				{Proto: types.TCP, IP: ctrIP4.IP, Port: 80, HostIP: net.IPv4zero},

+				{Proto: types.TCP, IP: ctrIP6.IP, Port: 80, HostIP: net.IPv6zero, HostPort: firstEphemPort + 1},

+			},

+		},

+		{

+			name:     "disable nat",

+			epAddrV4: ctrIP4,

+			epAddrV6: ctrIP6,

+			cfg: []types.PortBinding{

+				{Proto: types.TCP, Port: 22},

+				{Proto: types.TCP, Port: 80},

+			},

+			gwMode4: gwModeRouted,

+			gwMode6: gwModeRouted,

+			expPBs: []types.PortBinding{

+				{Proto: types.TCP, IP: ctrIP4.IP, Port: 22, HostIP: net.IPv4zero},

+				{Proto: types.TCP, IP: ctrIP6.IP, Port: 22, HostIP: net.IPv6zero},

+				{Proto: types.TCP, IP: ctrIP4.IP, Port: 80, HostIP: net.IPv4zero},

+				{Proto: types.TCP, IP: ctrIP6.IP, Port: 80, HostIP: net.IPv6zero},

+			},

+		},

 	}

 	for _, tc := range testcases {

@@ -470,6 +537,8 @@ func TestAddPortMappings(t *testing.T) {

 				config: &networkConfiguration{

 					BridgeName: "dummybridge",

 					EnableIPv6: tc.epAddrV6 != nil,

+					GwModeIPv4: tc.gwMode4,

+					GwModeIPv6: tc.gwMode6,

 				},

 				driver: newDriver(),

 			}

@@ -497,14 +566,17 @@ func TestAddPortMappings(t *testing.T) {

 			// Check the iptables rules.

 			for _, expPB := range tc.expPBs {

+				var disableNAT bool

 				var addrM, addrD, addrH string

 				var ipv iptables.IPVersion

 				if expPB.IP.To4() == nil {

+					disableNAT = tc.gwMode6.natDisabled()

 					ipv = iptables.IPv6

 					addrM = ctrIP6.IP.String() + "/128"

 					addrD = "[" + ctrIP6.IP.String() + "]"

 					addrH = expPB.HostIP.String() + "/128"

 				} else {

+					disableNAT = tc.gwMode4.natDisabled()

 					ipv = iptables.IPv4

 					addrM = ctrIP4.IP.String() + "/32"

 					addrD = ctrIP4.IP.String()

@@ -518,7 +590,11 @@ func TestAddPortMappings(t *testing.T) {

 				masqRule := fmt.Sprintf("-s %s -d %s -p %s -m %s --dport %d -j MASQUERADE",

 					addrM, addrM, expPB.Proto, expPB.Proto, expPB.Port)

 				ir := iptRule{ipv: ipv, table: iptables.Nat, chain: "POSTROUTING", args: strings.Split(masqRule, " ")}

-				assert.Check(t, ir.Exists(), fmt.Sprintf("expected rule %s", ir))

+				if disableNAT {

+					assert.Check(t, !ir.Exists(), fmt.Sprintf("unexpected rule %s", ir))

+				} else {

+					assert.Check(t, ir.Exists(), fmt.Sprintf("expected rule %s", ir))

+				}

 				// Check the DNAT rule.

 				dnatRule := ""

@@ -529,7 +605,11 @@ func TestAddPortMappings(t *testing.T) {

 				dnatRule += fmt.Sprintf("-d %s -p %s -m %s --dport %d -j DNAT --to-destination %s:%d",

 					addrH, expPB.Proto, expPB.Proto, expPB.HostPort, addrD, expPB.Port)

 				ir = iptRule{ipv: ipv, table: iptables.Nat, chain: "DOCKER", args: strings.Split(dnatRule, " ")}

-				assert.Check(t, ir.Exists(), fmt.Sprintf("expected rule %s", ir))

+				if disableNAT {

+					assert.Check(t, !ir.Exists(), fmt.Sprintf("unexpected rule %s", ir))

+				} else {

+					assert.Check(t, ir.Exists(), fmt.Sprintf("expected rule %s", ir))

+				}

 				// Check that the container's port is open.

 				filterRule := fmt.Sprintf("-d %s ! -i dummybridge -o dummybridge -p %s -m %s --dport %d -j ACCEPT",

@@ -549,6 +629,10 @@ func TestAddPortMappings(t *testing.T) {

 			// Check a docker-proxy was started and stopped for each expected port binding.

 			expProxies := map[proxyCall]bool{}

 			for _, expPB := range tc.expPBs {

+				is4 := expPB.HostIP.To4() != nil

+				if (is4 && tc.gwMode4.natDisabled()) || (!is4 && tc.gwMode6.natDisabled()) {

+					continue

+				}

 				p := newProxyCall(expPB.Proto.String(),

 					expPB.HostIP, int(expPB.HostPort),

 					expPB.IP, int(expPB.Port), tc.proxyPath)

@@ -255,8 +255,10 @@ func setupIPTablesInternal(ipVer iptables.IPVersion, config *networkConfiguratio

 		hpNatArgs []string

 	)

 	hostIP := config.HostIPv4

+	nat := !config.GwModeIPv4.natDisabled()

 	if ipVer == iptables.IPv6 {

 		hostIP = config.HostIPv6

+		nat = !config.GwModeIPv6.natDisabled()

 	}

 	// If hostIP is set, the user wants IPv4/IPv6 SNAT with the given address.

 	if hostIP != nil {

@@ -273,15 +275,14 @@ func setupIPTablesInternal(ipVer iptables.IPVersion, config *networkConfiguratio

 	hpNatRule := iptRule{ipv: ipVer, table: iptables.Nat, chain: "POSTROUTING", args: hpNatArgs}

 	// Set NAT.

-	if config.EnableIPMasquerade {

+	if nat && config.EnableIPMasquerade {

 		if err := programChainRule(natRule, "NAT", enable); err != nil {

 			return err

 		}

-	}

-

-	if config.EnableIPMasquerade && !hairpin {

-		if err := programChainRule(skipDNAT, "SKIP DNAT", enable); err != nil {

-			return err

+		if !hairpin {

+			if err := programChainRule(skipDNAT, "SKIP DNAT", enable); err != nil {

+				return err

+			}

 		}

 	}