@@ -30,7 +30,6 @@ import (

 	"github.com/docker/docker/integration-cli/cli"

 	"github.com/docker/docker/integration-cli/cli/build"

 	"github.com/docker/docker/integration-cli/daemon"

-	"github.com/docker/docker/libnetwork/drivers/bridge"

 	"github.com/docker/docker/opts"

 	"github.com/docker/docker/testutil"

 	testdaemon "github.com/docker/docker/testutil/daemon"

@@ -222,66 +221,6 @@ func (s *DockerDaemonSuite) TestDaemonStartBridgeWithoutIPAssociation(c *testing

 	}

 }

-func (s *DockerDaemonSuite) TestDaemonIptablesClean(c *testing.T) {

-	s.d.StartWithBusybox(testutil.GetContext(c), c)

-

-	if out, err := s.d.Cmd("run", "-d", "--name", "top", "-p", "80", "busybox:latest", "top"); err != nil {

-		c.Fatalf("Could not run top: %s, %v", out, err)

-	}

-

-	ipTablesSearchString := "tcp dpt:80"

-

-	// get output from iptables with container running

-	verifyIPTablesContains(c, ipTablesSearchString)

-

-	s.d.Stop(c)

-

-	// get output from iptables after restart

-	verifyIPTablesDoesNotContains(c, ipTablesSearchString)

-}

-

-func (s *DockerDaemonSuite) TestDaemonIptablesCreate(c *testing.T) {

-	s.d.StartWithBusybox(testutil.GetContext(c), c)

-

-	if out, err := s.d.Cmd("run", "-d", "--name", "top", "--restart=always", "-p", "80", "busybox:latest", "top"); err != nil {

-		c.Fatalf("Could not run top: %s, %v", out, err)

-	}

-

-	// get output from iptables with container running

-	ipTablesSearchString := "tcp dpt:80"

-	verifyIPTablesContains(c, ipTablesSearchString)

-

-	s.d.Restart(c)

-

-	// make sure the container is not running

-	runningOut, err := s.d.Cmd("inspect", "--format={{.State.Running}}", "top")

-	if err != nil {

-		c.Fatalf("Could not inspect on container: %s, %v", runningOut, err)

-	}

-	if strings.TrimSpace(runningOut) != "true" {

-		c.Fatalf("Container should have been restarted after daemon restart. Status running should have been true but was: %q", strings.TrimSpace(runningOut))

-	}

-

-	// get output from iptables after restart

-	verifyIPTablesContains(c, ipTablesSearchString)

-}

-

-func verifyIPTablesContains(c *testing.T, ipTablesSearchString string) {

-	result := icmd.RunCommand("iptables", "-nvL")

-	result.Assert(c, icmd.Success)

-	if !strings.Contains(result.Combined(), ipTablesSearchString) {

-		c.Fatalf("iptables output should have contained %q, but was %q", ipTablesSearchString, result.Combined())

-	}

-}

-

-func verifyIPTablesDoesNotContains(c *testing.T, ipTablesSearchString string) {

-	result := icmd.RunCommand("iptables", "-nvL")

-	result.Assert(c, icmd.Success)

-	if strings.Contains(result.Combined(), ipTablesSearchString) {

-		c.Fatalf("iptables output should not have contained %q, but was %q", ipTablesSearchString, result.Combined())

-	}

-}

-

 // TestDaemonIPv6FixedCIDR checks that when the daemon is started with --ipv6=true and a fixed CIDR

 // that running containers are given a link-local and global IPv6 address

 func (s *DockerDaemonSuite) TestDaemonIPv6FixedCIDR(c *testing.T) {

@@ -421,38 +360,6 @@ func (s *DockerDaemonSuite) TestDaemonExitOnFailure(c *testing.T) {

 	}

 }

-func (s *DockerDaemonSuite) TestDaemonBridgeExternal(c *testing.T) {

-	d := s.d

-	err := d.StartWithError("--bridge", "nosuchbridge")

-	assert.ErrorContains(c, err, "", `--bridge option with an invalid bridge should cause the daemon to fail`)

-	defer d.Restart(c)

-

-	// make sure the default docker0 bridge doesn't interfere with the test,

-	// which may happen if it was created with the same IP range.

-	deleteInterface(c, "docker0")

-

-	bridgeName := "ext-bridge1"

-	bridgeIP := "192.169.1.1/24"

-	_, bridgeIPNet, _ := net.ParseCIDR(bridgeIP)

-

-	createInterface(c, "bridge", bridgeName, bridgeIP)

-	defer deleteInterface(c, bridgeName)

-

-	d.StartWithBusybox(testutil.GetContext(c), c, "--bridge", bridgeName)

-

-	ipTablesSearchString := bridgeIPNet.String()

-	icmd.RunCommand("iptables", "-t", "nat", "-nvL").Assert(c, icmd.Expected{

-		Out: ipTablesSearchString,

-	})

-

-	out, err := d.Cmd("run", "-d", "--name", "ExtContainer", "busybox", "top")

-	assert.NilError(c, err, out)

-

-	containerIP := d.FindContainerIP(c, "ExtContainer")

-	ip := net.ParseIP(containerIP)

-	assert.Assert(c, bridgeIPNet.Contains(ip), "Container IP-Address must be in the same subnet range : %s", containerIP)

-}

-

 func (s *DockerDaemonSuite) TestDaemonBridgeNone(c *testing.T) {

 	// start with bridge none

 	d := s.d

@@ -483,317 +390,6 @@ func deleteInterface(c *testing.T, ifName string) {

 	icmd.RunCommand("iptables", "--flush").Assert(c, icmd.Success)

 }

-func (s *DockerDaemonSuite) TestDaemonBridgeIP(c *testing.T) {

-	// TestDaemonBridgeIP Steps

-	// 1. Delete the existing docker0 Bridge

-	// 2. Set --bip daemon configuration and start the new Docker Daemon

-	// 3. Check if the bip config has taken effect using ifconfig and iptables commands

-	// 4. Launch a Container and make sure the IP-Address is in the expected subnet

-	// 5. Delete the docker0 Bridge

-	// 6. Restart the Docker Daemon (via deferred action)

-	//    This Restart takes care of bringing docker0 interface back to auto-assigned IP

-

-	defaultNetworkBridge := "docker0"

-	deleteInterface(c, defaultNetworkBridge)

-

-	d := s.d

-

-	bridgeIP := "192.169.1.1/24"

-	ip, bridgeIPNet, _ := net.ParseCIDR(bridgeIP)

-

-	d.StartWithBusybox(testutil.GetContext(c), c, "--bip", bridgeIP)

-	defer d.Restart(c)

-

-	ifconfigSearchString := ip.String()

-	icmd.RunCommand("ifconfig", defaultNetworkBridge).Assert(c, icmd.Expected{

-		Out: ifconfigSearchString,

-	})

-

-	ipTablesSearchString := bridgeIPNet.String()

-	icmd.RunCommand("iptables", "-t", "nat", "-nvL").Assert(c, icmd.Expected{

-		Out: ipTablesSearchString,

-	})

-

-	out, err := d.Cmd("run", "-d", "--name", "test", "busybox", "top")

-	assert.NilError(c, err, out)

-

-	containerIP := d.FindContainerIP(c, "test")

-	ip = net.ParseIP(containerIP)

-	assert.Equal(c, bridgeIPNet.Contains(ip), true, fmt.Sprintf("Container IP-Address must be in the same subnet range : %s", containerIP))

-	deleteInterface(c, defaultNetworkBridge)

-}

-

-func (s *DockerDaemonSuite) TestDaemonRestartWithBridgeIPChange(c *testing.T) {

-	s.d.Start(c)

-	defer s.d.Restart(c)

-	s.d.Stop(c)

-

-	// now we will change the docker0's IP and then try starting the daemon

-	bridgeIP := "192.169.100.1/24"

-	_, bridgeIPNet, _ := net.ParseCIDR(bridgeIP)

-

-	icmd.RunCommand("ifconfig", "docker0", bridgeIP).Assert(c, icmd.Success)

-

-	s.d.Start(c, "--bip", bridgeIP)

-

-	// check if the iptables contains new bridgeIP MASQUERADE rule

-	ipTablesSearchString := bridgeIPNet.String()

-	icmd.RunCommand("iptables", "-t", "nat", "-nvL").Assert(c, icmd.Expected{

-		Out: ipTablesSearchString,

-	})

-}

-

-func (s *DockerDaemonSuite) TestDaemonBridgeFixedCidr(c *testing.T) {

-	d := s.d

-

-	// make sure the default docker0 bridge doesn't interfere with the test,

-	// which may happen if it was created with the same IP range.

-	deleteInterface(c, "docker0")

-

-	bridgeName := "ext-bridge2"

-	bridgeIP := "192.169.1.1/24"

-

-	createInterface(c, "bridge", bridgeName, bridgeIP)

-	defer deleteInterface(c, bridgeName)

-

-	args := []string{"--bridge", bridgeName, "--fixed-cidr", "192.169.1.0/30"}

-	d.StartWithBusybox(testutil.GetContext(c), c, args...)

-	defer d.Restart(c)

-

-	for i := 0; i < 4; i++ {

-		cName := "Container" + strconv.Itoa(i)

-		out, err := d.Cmd("run", "-d", "--name", cName, "busybox", "top")

-		if err != nil {

-			assert.Assert(c, strings.Contains(out, "no available IPv4 addresses"), "Could not run a Container : %s %s", err.Error(), out)

-		}

-	}

-}

-

-func (s *DockerDaemonSuite) TestDaemonBridgeFixedCidr2(c *testing.T) {

-	d := s.d

-

-	// make sure the default docker0 bridge doesn't interfere with the test,

-	// which may happen if it was created with the same IP range.

-	deleteInterface(c, "docker0")

-

-	bridgeName := "ext-bridge3"

-	bridgeIP := "10.2.2.1/16"

-

-	createInterface(c, "bridge", bridgeName, bridgeIP)

-	defer deleteInterface(c, bridgeName)

-

-	d.StartWithBusybox(testutil.GetContext(c), c, "--bip", bridgeIP, "--fixed-cidr", "10.2.2.0/24")

-	defer s.d.Restart(c)

-

-	out, err := d.Cmd("run", "-d", "--name", "bb", "busybox", "top")

-	assert.NilError(c, err, out)

-	defer d.Cmd("stop", "bb")

-

-	out, err = d.Cmd("exec", "bb", "/bin/sh", "-c", "ifconfig eth0 | awk '/inet addr/{print substr($2,6)}'")

-	assert.NilError(c, err)

-	assert.Equal(c, out, "10.2.2.0\n")

-

-	out, err = d.Cmd("run", "--rm", "busybox", "/bin/sh", "-c", "ifconfig eth0 | awk '/inet addr/{print substr($2,6)}'")

-	assert.NilError(c, err, out)

-	assert.Equal(c, out, "10.2.2.2\n")

-}

-

-func (s *DockerDaemonSuite) TestDaemonBridgeFixedCIDREqualBridgeNetwork(c *testing.T) {

-	d := s.d

-

-	// make sure the default docker0 bridge doesn't interfere with the test,

-	// which may happen if it was created with the same IP range.

-	deleteInterface(c, "docker0")

-

-	bridgeName := "ext-bridge4"

-	bridgeIP := "172.27.42.1/16"

-

-	createInterface(c, "bridge", bridgeName, bridgeIP)

-	defer deleteInterface(c, bridgeName)

-

-	d.StartWithBusybox(testutil.GetContext(c), c, "--bridge", bridgeName, "--fixed-cidr", bridgeIP)

-	defer s.d.Restart(c)

-

-	out, err := d.Cmd("run", "-d", "busybox", "top")

-	assert.NilError(c, err, out)

-	cid1 := strings.TrimSpace(out)

-	defer d.Cmd("stop", cid1)

-}

-

-func (s *DockerDaemonSuite) TestDaemonDefaultGatewayIPv4Implicit(c *testing.T) {

-	defaultNetworkBridge := "docker0"

-	deleteInterface(c, defaultNetworkBridge)

-

-	d := s.d

-

-	bridgeIP := "192.169.1.1"

-	bridgeIPNet := fmt.Sprintf("%s/24", bridgeIP)

-

-	d.StartWithBusybox(testutil.GetContext(c), c, "--bip", bridgeIPNet)

-	defer d.Restart(c)

-

-	expectedMessage := fmt.Sprintf("default via %s dev", bridgeIP)

-	out, err := d.Cmd("run", "busybox", "ip", "-4", "route", "list", "0/0")

-	assert.NilError(c, err, out)

-	assert.Equal(c, strings.Contains(out, expectedMessage), true, fmt.Sprintf("Implicit default gateway should be bridge IP %s, but default route was '%s'", bridgeIP, strings.TrimSpace(out)))

-	deleteInterface(c, defaultNetworkBridge)

-}

-

-func (s *DockerDaemonSuite) TestDaemonDefaultGatewayIPv4Explicit(c *testing.T) {

-	defaultNetworkBridge := "docker0"

-	deleteInterface(c, defaultNetworkBridge)

-

-	d := s.d

-

-	bridgeIP := "192.169.1.1"

-	bridgeIPNet := fmt.Sprintf("%s/24", bridgeIP)

-	gatewayIP := "192.169.1.254"

-

-	d.StartWithBusybox(testutil.GetContext(c), c, "--bip", bridgeIPNet, "--default-gateway", gatewayIP)

-	defer d.Restart(c)

-

-	expectedMessage := fmt.Sprintf("default via %s dev", gatewayIP)

-	out, err := d.Cmd("run", "busybox", "ip", "-4", "route", "list", "0/0")

-	assert.NilError(c, err, out)

-	assert.Equal(c, strings.Contains(out, expectedMessage), true, fmt.Sprintf("Explicit default gateway should be %s, but default route was '%s'", gatewayIP, strings.TrimSpace(out)))

-	deleteInterface(c, defaultNetworkBridge)

-}

-

-func (s *DockerDaemonSuite) TestDaemonDefaultGatewayIPv4ExplicitOutsideContainerSubnet(c *testing.T) {

-	defaultNetworkBridge := "docker0"

-	deleteInterface(c, defaultNetworkBridge)

-

-	// Program a custom default gateway outside of the container subnet, daemon should accept it and start

-	s.d.StartWithBusybox(testutil.GetContext(c), c, "--bip", "172.16.0.10/16", "--fixed-cidr", "172.16.1.0/24", "--default-gateway", "172.16.0.254")

-

-	deleteInterface(c, defaultNetworkBridge)

-	s.d.Restart(c)

-}

-

-func (s *DockerDaemonSuite) TestDaemonIP(c *testing.T) {

-	d := s.d

-

-	// make sure the default docker0 bridge doesn't interfere with the test,

-	// which may happen if it was created with the same IP range.

-	deleteInterface(c, "docker0")

-

-	ipStr := "192.170.1.1/24"

-	ip, _, _ := net.ParseCIDR(ipStr)

-	args := []string{"--ip", ip.String()}

-	d.StartWithBusybox(testutil.GetContext(c), c, args...)

-	defer d.Restart(c)

-

-	out, err := d.Cmd("run", "-d", "-p", "8000:8000", "busybox", "top")

-	assert.Assert(c, err != nil, "Running a container must fail with an invalid --ip option")

-	assert.Check(c, is.Contains(out, "failed to bind host port for 192.170.1.1"))

-

-	ifName := "dummy"

-	createInterface(c, "dummy", ifName, ipStr)

-	defer deleteInterface(c, ifName)

-

-	_, err = d.Cmd("run", "-d", "-p", "8000:8000", "busybox", "top")

-	assert.NilError(c, err, out)

-

-	result := icmd.RunCommand("iptables", "-t", "nat", "-nvL")

-	result.Assert(c, icmd.Success)

-	regex := fmt.Sprintf("DNAT.*%s.*dpt:8000", ip.String())

-	matched, _ := regexp.MatchString(regex, result.Combined())

-	assert.Equal(c, matched, true, fmt.Sprintf("iptables output should have contained %q, but was %q", regex, result.Combined()))

-}

-

-func (s *DockerDaemonSuite) TestDaemonICCPing(c *testing.T) {

-	testRequires(c, bridgeNfIptables)

-	d := s.d

-

-	// make sure the default docker0 bridge doesn't interfere with the test,

-	// which may happen if it was created with the same IP range.

-	deleteInterface(c, "docker0")

-

-	const bridgeName = "ext-bridge5"

-	const bridgeIP = "192.169.1.1/24"

-

-	createInterface(c, "bridge", bridgeName, bridgeIP)

-	defer deleteInterface(c, bridgeName)

-

-	d.StartWithBusybox(testutil.GetContext(c), c, "--bridge", bridgeName, "--icc=false")

-	defer d.Restart(c)

-

-	result := icmd.RunCommand("sh", "-c", "iptables -vL "+bridge.DockerForwardChain+" | grep DROP")

-	result.Assert(c, icmd.Success)

-

-	// strip whitespace and newlines to verify we only found a single DROP

-	out := strings.TrimSpace(result.Stdout())

-	assert.Assert(c, is.Equal(strings.Count(out, "\n"), 0), "only expected a single DROP rules")

-

-	// Column headers are stripped because of grep-ing, but should be:

-	//

-	//    pkts bytes target     prot opt in          out          source    destination

-	//       0     0 DROP       all  --  ext-bridge5 ext-bridge5  anywhere  anywhere

-	//

-	//nolint:dupword

-	cols := strings.Fields(out)

-

-	expected := []string{"0", "0", "DROP", "all", "--", bridgeName, bridgeName, "anywhere", "anywhere"}

-	assert.DeepEqual(c, cols, expected)

-

-	// Pinging another container must fail with --icc=false

-	pingContainers(c, d, true)

-

-	const cidr = "192.171.1.1/24"

-	ip, _, _ := net.ParseCIDR(cidr)

-	const ifName = "icc-dummy"

-

-	createInterface(c, "dummy", ifName, cidr)

-	defer deleteInterface(c, ifName)

-

-	// But, Pinging external or a Host interface must succeed

-	pingCmd := fmt.Sprintf("ping -c 1 %s -W 1", ip.String())

-	runArgs := []string{"run", "--rm", "busybox", "sh", "-c", pingCmd}

-	out, err := d.Cmd(runArgs...)

-	assert.NilError(c, err, out)

-}

-

-func (s *DockerDaemonSuite) TestDaemonICCLinkExpose(c *testing.T) {

-	d := s.d

-

-	// make sure the default docker0 bridge doesn't interfere with the test,

-	// which may happen if it was created with the same IP range.

-	deleteInterface(c, "docker0")

-

-	const bridgeName = "ext-bridge6"

-	const bridgeIP = "192.169.1.1/24"

-

-	createInterface(c, "bridge", bridgeName, bridgeIP)

-	defer deleteInterface(c, bridgeName)

-

-	d.StartWithBusybox(testutil.GetContext(c), c, "--bridge", bridgeName, "--icc=false")

-	defer d.Restart(c)

-

-	result := icmd.RunCommand("sh", "-c", "iptables -vL "+bridge.DockerForwardChain+" | grep DROP")

-	result.Assert(c, icmd.Success)

-

-	// strip whitespace and newlines to verify we only found a single DROP

-	out := strings.TrimSpace(result.Stdout())

-	assert.Assert(c, is.Equal(strings.Count(out, "\n"), 0), "only expected a single DROP rules")

-

-	// Column headers are stripped because of grep-ing, but should be:

-	//

-	//    pkts bytes target     prot opt in          out          source    destination

-	//       0     0 DROP       all  --  ext-bridge6 ext-bridge6  anywhere  anywhere

-	//

-	//nolint:dupword

-	cols := strings.Fields(out)

-

-	expected := []string{"0", "0", "DROP", "all", "--", bridgeName, bridgeName, "anywhere", "anywhere"}

-	assert.DeepEqual(c, cols, expected)

-

-	out, err := d.Cmd("run", "-d", "--expose", "4567", "--name", "icc1", "busybox", "nc", "-l", "-p", "4567")

-	assert.NilError(c, err, out)

-

-	out, err = d.Cmd("run", "--link", "icc1:icc1", "busybox", "nc", "icc1", "4567")

-	assert.NilError(c, err, out)

-}

-

 func (s *DockerDaemonSuite) TestDaemonUlimitDefaults(c *testing.T) {

 	s.d.StartWithBusybox(testutil.GetContext(c), c, "--default-ulimit", "nofile=42:42", "--default-ulimit", "nproc=1024:1024")

@@ -1170,30 +766,6 @@ func (s *DockerDaemonSuite) TestHTTPSInfoRogueServerCert(c *testing.T) {

 	}

 }

-func pingContainers(c *testing.T, d *daemon.Daemon, expectFailure bool) {

-	var dargs []string

-	if d != nil {

-		dargs = []string{"--host", d.Sock()}

-	}

-

-	args := append(dargs, "run", "-d", "--name", "container1", "busybox", "top")

-	cli.DockerCmd(c, args...)

-

-	args = append(dargs, "run", "--rm", "--link", "container1:alias1", "busybox", "sh", "-c")

-	pingCmd := "ping -c 1 %s -W 1"

-	args = append(args, fmt.Sprintf(pingCmd, "alias1"))

-	_, _, err := dockerCmdWithError(args...)

-

-	if expectFailure {

-		assert.ErrorContains(c, err, "")

-	} else {

-		assert.NilError(c, err)

-	}

-

-	args = append(dargs, "rm", "-f", "container1")

-	cli.DockerCmd(c, args...)

-}

-

 func (s *DockerDaemonSuite) TestDaemonRestartWithSocketAsVolume(c *testing.T) {

 	s.d.StartWithBusybox(testutil.GetContext(c), c)

@@ -2018,22 +2018,6 @@ func (s *DockerCLIRunSuite) TestRunWithInvalidMacAddress(c *testing.T) {

 	}

 }

-func (s *DockerCLIRunSuite) TestRunDeallocatePortOnMissingIptablesRule(c *testing.T) {

-	// TODO Windows. Network settings are not propagated back to inspect.

-	testRequires(c, testEnv.IsLocalDaemon, DaemonIsLinux)

-

-	out := cli.DockerCmd(c, "run", "-d", "-p", "23:23", "busybox", "top").Combined()

-

-	id := strings.TrimSpace(out)

-	ip := inspectField(c, id, "NetworkSettings.Networks.bridge.IPAddress")

-	icmd.RunCommand("iptables", "-D", "DOCKER", "-d", fmt.Sprintf("%s/32", ip),

-		"!", "-i", "docker0", "-o", "docker0", "-p", "tcp", "-m", "tcp", "--dport", "23", "-j", "ACCEPT").Assert(c, icmd.Success)

-

-	cli.DockerCmd(c, "rm", "-fv", id)

-

-	cli.DockerCmd(c, "run", "-d", "-p", "23:23", "busybox", "top")

-}

-

 func (s *DockerCLIRunSuite) TestRunPortInUse(c *testing.T) {

 	// TODO Windows. The duplicate NAT message returned by Windows will be

 	// changing as is currently completely undecipherable. Does need modifying

@@ -64,11 +64,6 @@ func seccompEnabled() bool {

 	return sysInfo.Seccomp

 }

-func bridgeNfIptables() bool {

-	content, err := os.ReadFile("/proc/sys/net/bridge/bridge-nf-call-iptables")

-	return err == nil && strings.TrimSpace(string(content)) == "1"

-}

-

 func onlyCgroupsv2() bool {

 	// Only check for unified, cgroup v1 tests can run under other modes

 	return cgroups.Mode() == cgroups.Unified

@@ -3,6 +3,7 @@ package bridge

 import (

 	"context"

 	"fmt"

+	"net"

 	"net/netip"

 	"strings"

 	"testing"

@@ -754,3 +755,59 @@ func TestRemoveLegacyLink(t *testing.T) {

 	res = ctr.ExecT(ctx, t, c, clientId, []string{"wget", "-T3", "http://" + svrAddr})

 	assert.Check(t, is.Contains(res.Stderr(), "download timed out"))

 }

+

+// TestPortMappingRestore check that port mappings are restored when a container

+// is restarted after a daemon restart.

+//

+// Replacement for integration-cli test DockerDaemonSuite/TestDaemonIptablesCreate

+func TestPortMappingRestore(t *testing.T) {

+	skip.If(t, testEnv.IsRootless(), "fails before and after restart")

+

+	ctx := setupTest(t)

+	d := daemon.New(t)

+	d.StartWithBusybox(ctx, t)

+	defer d.Stop(t)

+	c := d.NewClientT(t)

+

+	const svrName = "svr"

+	cid := ctr.Run(ctx, t, c,

+		ctr.WithExposedPorts("80/tcp"),

+		ctr.WithPortMap(nat.PortMap{"80/tcp": {}}),

+		ctr.WithName(svrName),

+		ctr.WithRestartPolicy(containertypes.RestartPolicyUnlessStopped),

+		ctr.WithCmd("httpd", "-f"),

+	)

+	defer func() { ctr.Remove(ctx, t, c, cid, containertypes.RemoveOptions{Force: true}) }()

+

+	check := func() {

+		t.Helper()

+		insp := ctr.Inspect(ctx, t, c, cid)

+		assert.Check(t, is.Equal(insp.State.Running, true))

+		if assert.Check(t, is.Contains(insp.NetworkSettings.Ports, nat.Port("80/tcp"))) &&

+			assert.Check(t, is.Len(insp.NetworkSettings.Ports["80/tcp"], 2)) {

+			hostPort := insp.NetworkSettings.Ports["80/tcp"][0].HostPort

+			res := ctr.RunAttach(ctx, t, c,

+				ctr.WithExtraHost("thehost:host-gateway"),

+				ctr.WithCmd("wget", "-T3", "http://"+net.JoinHostPort("thehost", hostPort)),

+			)

+			// 404 means the http request worked, but the http server had nothing to serve.

+			assert.Check(t, is.Contains(res.Stderr.String(), "404 Not Found"))

+		}

+	}

+

+	check()

+	d.Restart(t)

+	check()

+}

+

+// TestNoSuchExternalBridge checks that the daemon won't start if it's given a "--bridge"

+// that doesn't exist.

+//

+// Replacement for part of DockerDaemonSuite/TestDaemonBridgeExternal

+func TestNoSuchExternalBridge(t *testing.T) {

+	_ = setupTest(t)

+	d := daemon.New(t)

+	defer d.Stop(t)

+	err := d.StartWithError("--bridge", "nosuchbridge")

+	assert.Check(t, err != nil, "Expected daemon startup to fail")

+}