@@ -5,6 +5,7 @@ package iptables

 import (

 	"context"

 	"fmt"

+	"os"

 	"strings"

 	"sync"

 	"sync/atomic"

@@ -64,6 +65,14 @@ func FirewalldReloadedAt() time.Time {

 func firewalldInit() error {

 	var err error

+	// DOCKER_TEST_NO_FIREWALLD is used by integration tests to disable firewalld integration to make sure that the

+	// daemon started by the 'test-integration' script won't recreate iptables / nftables rules upon receiving the

+	// firewalld reload signal, otherwise it'll race against the daemon-under-test started by networking integration

+	// tests. This is an internal implementation detail and users shall never rely on this.

+	if disable := os.Getenv("DOCKER_TEST_NO_FIREWALLD"); disable != "" {

+		return nil

+	}

+

 	if connection, err = newConnection(); err != nil {

 		return fmt.Errorf("Failed to connect to D-Bus system bus: %v", err)

 	}

@@ -119,6 +119,14 @@ if [ -z "$DOCKER_TEST_HOST" ]; then

 	(

 		echo "Starting dockerd"

 		[ -n "$TESTDEBUG" ] && set -x

+		if [ -n "${FIREWALLD:-}" ] && [ "${DOCKER_FIREWALL_BACKEND:-}" == "iptables" ]; then

+			# Networking integration tests start their own daemon to have fine control over the configuration of the

+			# daemon-under-test. Two daemons running with firewalld integration enabled would race against each other

+			# when the firewalld reload signal is dispatched, and would result in iptables disappearing unexpectedly

+			# from the point of view of the daemon-under-test. So, disable firewalld integration on this daemon, as it's

+			# only used to load frozen images.

+			export DOCKER_TEST_NO_FIREWALLD="true"

+		fi

 		exec \

 			${dockerd} --debug \

 			--host "$DOCKER_HOST" \

@@ -369,7 +369,13 @@ func TestFilterForwardPolicy(t *testing.T) {

 // address is reserved for a gateway, because it won't be used).

 func TestPointToPoint(t *testing.T) {

 	ctx := setupTest(t)

-	apiClient := testEnv.APIClient()

+

+	d := daemon.New(t)

+	d.StartWithBusybox(ctx, t)

+	t.Cleanup(func() { d.Stop(t) })

+

+	apiClient := d.NewClientT(t)

+	t.Cleanup(func() { apiClient.Close() })

 	testcases := []struct {

 		name   string

@@ -423,7 +429,13 @@ func TestIsolated(t *testing.T) {

 	skip.If(t, testEnv.IsRootless, "can't inspect bridge addrs in rootless netns")

 	ctx := setupTest(t)

-	apiClient := testEnv.APIClient()

+

+	d := daemon.New(t)

+	d.StartWithBusybox(ctx, t)

+	t.Cleanup(func() { d.Stop(t) })

+

+	apiClient := d.NewClientT(t)

+	t.Cleanup(func() { apiClient.Close() })

 	const netName = "testisol"

 	const bridgeName = "br-" + netName

@@ -6,6 +6,7 @@ import (

 	"github.com/moby/moby/client"

 	"github.com/moby/moby/v2/integration/internal/testutils/networking"

+	"github.com/moby/moby/v2/testutil/daemon"

 	"github.com/moby/moby/v2/testutil/request"

 	"gotest.tools/v3/assert"

 	is "gotest.tools/v3/assert/cmp"

@@ -15,7 +16,13 @@ const defaultFirewallBackend = "iptables"

 func TestInfoFirewallBackend(t *testing.T) {

 	ctx := setupTest(t)

-	c := testEnv.APIClient()

+

+	d := daemon.New(t)

+	d.StartWithBusybox(ctx, t)

+	t.Cleanup(func() { d.Stop(t) })

+

+	c := d.NewClientT(t)

+	t.Cleanup(func() { c.Close() })

 	expDriver := defaultFirewallBackend

 	if val := os.Getenv("DOCKER_FIREWALL_BACKEND"); val != "" {