@@ -10,7 +10,7 @@ import (

 	"testing"

 	containertypes "github.com/docker/docker/api/types/container"

-	"github.com/docker/docker/libnetwork/testutils"

+	"github.com/docker/docker/internal/testutils/netnsutils"

 	"github.com/docker/docker/libnetwork/types"

 	"github.com/google/go-cmp/cmp/cmpopts"

 	"github.com/moby/sys/mount"

@@ -357,7 +357,7 @@ func TestIfaceAddrs(t *testing.T) {

 		},

 	} {

 		t.Run(tt.name, func(t *testing.T) {

-			defer testutils.SetupTestOSContext(t)()

+			defer netnsutils.SetupTestOSContext(t)()

 			createBridge(t, "test", tt.nws...)

new file mode 100644

@@ -0,0 +1,41 @@

+package netnsutils

+

+import "testing"

+

+// Logger is used to log non-fatal messages during tests.

+type Logger interface {

+	Logf(format string, args ...any)

+}

+

+var _ Logger = (*testing.T)(nil)

+

+// SetupTestOSContext joins the current goroutine to a new network namespace,

+// and returns its associated teardown function.

+//

+// Example usage:

+//

+//	defer SetupTestOSContext(t)()

+func SetupTestOSContext(t *testing.T) func() {

+	c := SetupTestOSContextEx(t)

+	return func() { c.Cleanup(t) }

+}

+

+// Go starts running fn in a new goroutine inside the test OS context.

+func (c *OSContext) Go(t *testing.T, fn func()) {

+	t.Helper()

+	errCh := make(chan error, 1)

+	go func() {

+		teardown, err := c.Set()

+		if err != nil {

+			errCh <- err

+			return

+		}

+		defer teardown(t)

+		close(errCh)

+		fn()

+	}()

+

+	if err := <-errCh; err != nil {

+		t.Fatalf("%+v", err)

+	}

+}

new file mode 100644

@@ -0,0 +1,168 @@

+//go:build linux || freebsd

+

+package netnsutils

+

+import (

+	"fmt"

+	"runtime"

+	"strconv"

+	"testing"

+

+	"github.com/docker/docker/libnetwork/ns"

+	"github.com/pkg/errors"

+	"github.com/vishvananda/netns"

+	"golang.org/x/sys/unix"

+)

+

+// OSContext is a handle to a test OS context.

+type OSContext struct {

+	origNS, newNS netns.NsHandle

+

+	tid    int

+	caller string // The file:line where SetupTestOSContextEx was called, for interpolating into error messages.

+}

+

+// SetupTestOSContextEx joins the current goroutine to a new network namespace.

+//

+// Compared to [SetupTestOSContext], this function allows goroutines to be

+// spawned which are associated with the same OS context via the returned

+// OSContext value.

+//

+// Example usage:

+//

+//	c := SetupTestOSContext(t)

+//	defer c.Cleanup(t)

+func SetupTestOSContextEx(t *testing.T) *OSContext {

+	runtime.LockOSThread()

+	origNS, err := netns.Get()

+	if err != nil {

+		runtime.UnlockOSThread()

+		t.Fatalf("Failed to open initial netns: %v", err)

+	}

+

+	c := OSContext{

+		tid:    unix.Gettid(),

+		origNS: origNS,

+	}

+	c.newNS, err = netns.New()

+	if err != nil {

+		// netns.New() is not atomic: it could have encountered an error

+		// after unsharing the current thread's network namespace.

+		c.restore(t)

+		t.Fatalf("Failed to enter netns: %v", err)

+	}

+

+	// Since we are switching to a new test namespace make

+	// sure to re-initialize initNs context

+	ns.Init()

+

+	nl := ns.NlHandle()

+	lo, err := nl.LinkByName("lo")

+	if err != nil {

+		c.restore(t)

+		t.Fatalf("Failed to get handle to loopback interface 'lo' in new netns: %v", err)

+	}

+	if err := nl.LinkSetUp(lo); err != nil {

+		c.restore(t)

+		t.Fatalf("Failed to enable loopback interface in new netns: %v", err)

+	}

+

+	_, file, line, ok := runtime.Caller(0)

+	if ok {

+		c.caller = file + ":" + strconv.Itoa(line)

+	}

+

+	return &c

+}

+

+// Cleanup tears down the OS context. It must be called from the same goroutine

+// as the [SetupTestOSContextEx] call which returned c.

+//

+// Explicit cleanup is required as (*testing.T).Cleanup() makes no guarantees

+// about which goroutine the cleanup functions are invoked on.

+func (c *OSContext) Cleanup(t *testing.T) {

+	t.Helper()

+	if unix.Gettid() != c.tid {

+		t.Fatalf("c.Cleanup() must be called from the same goroutine as SetupTestOSContextEx() (%s)", c.caller)

+	}

+	if err := c.newNS.Close(); err != nil {

+		t.Logf("Warning: netns closing failed (%v)", err)

+	}

+	c.restore(t)

+	ns.Init()

+}

+

+func (c *OSContext) restore(t *testing.T) {

+	t.Helper()

+	if err := netns.Set(c.origNS); err != nil {

+		t.Logf("Warning: failed to restore thread netns (%v)", err)

+	} else {

+		runtime.UnlockOSThread()

+	}

+

+	if err := c.origNS.Close(); err != nil {

+		t.Logf("Warning: netns closing failed (%v)", err)

+	}

+}

+

+// Set sets the OS context of the calling goroutine to c and returns a teardown

+// function to restore the calling goroutine's OS context and release resources.

+// The teardown function accepts an optional Logger argument.

+//

+// This is a lower-level interface which is less ergonomic than c.Go() but more

+// composable with other goroutine-spawning utilities such as [sync.WaitGroup]

+// or [golang.org/x/sync/errgroup.Group].

+//

+// Example usage:

+//

+//	func TestFoo(t *testing.T) {

+//		osctx := testutils.SetupTestOSContextEx(t)

+//		defer osctx.Cleanup(t)

+//		var eg errgroup.Group

+//		eg.Go(func() error {

+//			teardown, err := osctx.Set()

+//			if err != nil {

+//				return err

+//			}

+//			defer teardown(t)

+//			// ...

+//		})

+//		if err := eg.Wait(); err != nil {

+//			t.Fatalf("%+v", err)

+//		}

+//	}

+func (c *OSContext) Set() (func(Logger), error) {

+	runtime.LockOSThread()

+	orig, err := netns.Get()

+	if err != nil {

+		runtime.UnlockOSThread()

+		return nil, errors.Wrap(err, "failed to open initial netns for goroutine")

+	}

+	if err := errors.WithStack(netns.Set(c.newNS)); err != nil {

+		runtime.UnlockOSThread()

+		return nil, errors.Wrap(err, "failed to set goroutine network namespace")

+	}

+

+	tid := unix.Gettid()

+	_, file, line, callerOK := runtime.Caller(0)

+

+	return func(log Logger) {

+		if unix.Gettid() != tid {

+			msg := "teardown function must be called from the same goroutine as c.Set()"

+			if callerOK {

+				msg += fmt.Sprintf(" (%s:%d)", file, line)

+			}

+			panic(msg)

+		}

+

+		if err := netns.Set(orig); err != nil && log != nil {

+			log.Logf("Warning: failed to restore goroutine thread netns (%v)", err)

+		} else {

+			runtime.UnlockOSThread()

+		}

+

+		if err := orig.Close(); err != nil && log != nil {

+			log.Logf("Warning: netns closing failed (%v)", err)

+		}

+	}, nil

+}

new file mode 100644

@@ -0,0 +1,15 @@

+package netnsutils

+

+import "testing"

+

+type OSContext struct{}

+

+func SetupTestOSContextEx(*testing.T) *OSContext {

+	return nil

+}

+

+func (*OSContext) Cleanup(t *testing.T) {}

+

+func (*OSContext) Set() (func(Logger), error) {

+	return func(Logger) {}, nil

+}

new file mode 100644

@@ -0,0 +1,43 @@

+package netnsutils

+

+import (

+	"errors"

+	"syscall"

+	"testing"

+

+	"github.com/vishvananda/netns"

+	"golang.org/x/sys/unix"

+	"gotest.tools/v3/assert"

+)

+

+// AssertSocketSameNetNS makes a best-effort attempt to assert that conn is in

+// the same network namespace as the current goroutine's thread.

+func AssertSocketSameNetNS(t testing.TB, conn syscall.Conn) {

+	t.Helper()

+

+	sc, err := conn.SyscallConn()

+	assert.NilError(t, err)

+	sc.Control(func(fd uintptr) {

+		srvnsfd, err := unix.IoctlRetInt(int(fd), unix.SIOCGSKNS)

+		if err != nil {

+			if errors.Is(err, unix.EPERM) {

+				t.Log("Cannot determine socket's network namespace. Do we have CAP_NET_ADMIN?")

+				return

+			}

+			if errors.Is(err, unix.ENOSYS) {

+				t.Log("Cannot query socket's network namespace due to missing kernel support.")

+				return

+			}

+			t.Fatal(err)

+		}

+		srvns := netns.NsHandle(srvnsfd)

+		defer srvns.Close()

+

+		curns, err := netns.Get()

+		assert.NilError(t, err)

+		defer curns.Close()

+		if !srvns.Equal(curns) {

+			t.Fatalf("Socket is in network namespace %s, but test goroutine is in %s", srvns, curns)

+		}

+	})

+}

new file mode 100644

@@ -0,0 +1,11 @@

+//go:build !linux

+

+package netnsutils

+

+import (

+	"syscall"

+	"testing"

+)

+

+// AssertSocketSameNetNS is a no-op on platforms other than Linux.

+func AssertSocketSameNetNS(t testing.TB, conn syscall.Conn) {}

@@ -11,6 +11,7 @@ import (

 	"strconv"

 	"testing"

+	"github.com/docker/docker/internal/testutils/netnsutils"

 	"github.com/docker/docker/libnetwork/driverapi"

 	"github.com/docker/docker/libnetwork/ipamutils"

 	"github.com/docker/docker/libnetwork/iptables"

@@ -18,7 +19,6 @@ import (

 	"github.com/docker/docker/libnetwork/netutils"

 	"github.com/docker/docker/libnetwork/options"

 	"github.com/docker/docker/libnetwork/portallocator"

-	"github.com/docker/docker/libnetwork/testutils"

 	"github.com/docker/docker/libnetwork/types"

 	"github.com/vishvananda/netlink"

 )

@@ -181,7 +181,7 @@ func getIPv4Data(t *testing.T, iface string) []driverapi.IPAMData {

 }

 func TestCreateFullOptions(t *testing.T) {

-	defer testutils.SetupTestOSContext(t)()

+	defer netnsutils.SetupTestOSContext(t)()

 	d := newDriver()

 	config := &configuration{

@@ -235,7 +235,7 @@ func TestCreateFullOptions(t *testing.T) {

 }

 func TestCreateNoConfig(t *testing.T) {

-	defer testutils.SetupTestOSContext(t)()

+	defer netnsutils.SetupTestOSContext(t)()

 	d := newDriver()

 	netconfig := &networkConfiguration{BridgeName: DefaultBridgeName}

@@ -248,7 +248,7 @@ func TestCreateNoConfig(t *testing.T) {

 }

 func TestCreateFullOptionsLabels(t *testing.T) {

-	defer testutils.SetupTestOSContext(t)()

+	defer netnsutils.SetupTestOSContext(t)()

 	d := newDriver()

 	config := &configuration{

@@ -354,7 +354,7 @@ func TestCreateFullOptionsLabels(t *testing.T) {

 }

 func TestCreate(t *testing.T) {

-	defer testutils.SetupTestOSContext(t)()

+	defer netnsutils.SetupTestOSContext(t)()

 	d := newDriver()

@@ -380,7 +380,7 @@ func TestCreate(t *testing.T) {

 }

 func TestCreateFail(t *testing.T) {

-	defer testutils.SetupTestOSContext(t)()

+	defer netnsutils.SetupTestOSContext(t)()

 	d := newDriver()

@@ -398,7 +398,7 @@ func TestCreateFail(t *testing.T) {

 }

 func TestCreateMultipleNetworks(t *testing.T) {

-	defer testutils.SetupTestOSContext(t)()

+	defer netnsutils.SetupTestOSContext(t)()

 	d := newDriver()

@@ -606,7 +606,7 @@ func TestQueryEndpointInfoHairpin(t *testing.T) {

 }

 func testQueryEndpointInfo(t *testing.T, ulPxyEnabled bool) {

-	defer testutils.SetupTestOSContext(t)()

+	defer netnsutils.SetupTestOSContext(t)()

 	d := newDriver()

 	d.portAllocator = portallocator.NewInstance()

@@ -708,7 +708,7 @@ func getPortMapping() []types.PortBinding {

 }

 func TestLinkContainers(t *testing.T) {

-	defer testutils.SetupTestOSContext(t)()

+	defer netnsutils.SetupTestOSContext(t)()

 	d := newDriver()

 	iptable := iptables.GetIptable(iptables.IPv4)

@@ -862,7 +862,7 @@ func TestLinkContainers(t *testing.T) {

 }

 func TestValidateConfig(t *testing.T) {

-	defer testutils.SetupTestOSContext(t)()

+	defer netnsutils.SetupTestOSContext(t)()

 	// Test mtu

 	c := networkConfiguration{Mtu: -2}

@@ -933,7 +933,7 @@ func TestValidateConfig(t *testing.T) {

 }

 func TestSetDefaultGw(t *testing.T) {

-	defer testutils.SetupTestOSContext(t)()

+	defer netnsutils.SetupTestOSContext(t)()

 	d := newDriver()

@@ -985,7 +985,7 @@ func TestSetDefaultGw(t *testing.T) {

 }

 func TestCleanupIptableRules(t *testing.T) {

-	defer testutils.SetupTestOSContext(t)()

+	defer netnsutils.SetupTestOSContext(t)()

 	bridgeChain := []iptables.ChainInfo{

 		{Name: DockerChain, Table: iptables.Nat},

 		{Name: DockerChain, Table: iptables.Filter},

@@ -1015,7 +1015,7 @@ func TestCleanupIptableRules(t *testing.T) {

 }

 func TestCreateWithExistingBridge(t *testing.T) {

-	defer testutils.SetupTestOSContext(t)()

+	defer netnsutils.SetupTestOSContext(t)()

 	d := newDriver()

 	if err := d.configure(nil); err != nil {

@@ -1085,7 +1085,7 @@ func TestCreateWithExistingBridge(t *testing.T) {

 }

 func TestCreateParallel(t *testing.T) {

-	c := testutils.SetupTestOSContextEx(t)

+	c := netnsutils.SetupTestOSContextEx(t)

 	defer c.Cleanup(t)

 	d := newDriver()

@@ -5,12 +5,12 @@ package bridge

 import (

 	"testing"

-	"github.com/docker/docker/libnetwork/testutils"

+	"github.com/docker/docker/internal/testutils/netnsutils"

 	"github.com/vishvananda/netlink"

 )

 func TestInterfaceDefaultName(t *testing.T) {

-	defer testutils.SetupTestOSContext(t)()

+	defer netnsutils.SetupTestOSContext(t)()

 	nh, err := netlink.NewHandle()

 	if err != nil {

@@ -28,7 +28,7 @@ func TestInterfaceDefaultName(t *testing.T) {

 }

 func TestAddressesEmptyInterface(t *testing.T) {

-	defer testutils.SetupTestOSContext(t)()

+	defer netnsutils.SetupTestOSContext(t)()

 	nh, err := netlink.NewHandle()

 	if err != nil {

@@ -5,14 +5,14 @@ package bridge

 import (

 	"testing"

+	"github.com/docker/docker/internal/testutils/netnsutils"

 	"github.com/docker/docker/libnetwork/driverapi"

 	"github.com/docker/docker/libnetwork/netlabel"

-	"github.com/docker/docker/libnetwork/testutils"

 	"github.com/vishvananda/netlink"

 )

 func TestLinkCreate(t *testing.T) {

-	defer testutils.SetupTestOSContext(t)()

+	defer netnsutils.SetupTestOSContext(t)()

 	d := newDriver()

 	if err := d.configure(nil); err != nil {

@@ -107,7 +107,7 @@ func TestLinkCreate(t *testing.T) {

 }

 func TestLinkCreateTwo(t *testing.T) {

-	defer testutils.SetupTestOSContext(t)()

+	defer netnsutils.SetupTestOSContext(t)()

 	d := newDriver()

 	if err := d.configure(nil); err != nil {

@@ -145,7 +145,7 @@ func TestLinkCreateTwo(t *testing.T) {

 }

 func TestLinkCreateNoEnableIPv6(t *testing.T) {

-	defer testutils.SetupTestOSContext(t)()

+	defer netnsutils.SetupTestOSContext(t)()

 	d := newDriver()

 	if err := d.configure(nil); err != nil {

@@ -180,7 +180,7 @@ func TestLinkCreateNoEnableIPv6(t *testing.T) {

 }

 func TestLinkDelete(t *testing.T) {

-	defer testutils.SetupTestOSContext(t)()

+	defer netnsutils.SetupTestOSContext(t)()

 	d := newDriver()

 	if err := d.configure(nil); err != nil {

@@ -5,14 +5,14 @@ package bridge

 import (

 	"testing"

+	"github.com/docker/docker/internal/testutils/netnsutils"

 	"github.com/docker/docker/libnetwork/netlabel"

 	"github.com/docker/docker/libnetwork/ns"

-	"github.com/docker/docker/libnetwork/testutils"

 	"github.com/docker/docker/libnetwork/types"

 )

 func TestPortMappingConfig(t *testing.T) {

-	defer testutils.SetupTestOSContext(t)()

+	defer netnsutils.SetupTestOSContext(t)()

 	d := newDriver()

 	config := &configuration{

@@ -91,7 +91,7 @@ func TestPortMappingConfig(t *testing.T) {

 }

 func TestPortMappingV6Config(t *testing.T) {

-	defer testutils.SetupTestOSContext(t)()

+	defer netnsutils.SetupTestOSContext(t)()

 	if err := loopbackUp(); err != nil {

 		t.Fatalf("Could not bring loopback iface up: %v", err)

 	}

@@ -7,13 +7,13 @@ import (

 	"net"

 	"testing"

+	"github.com/docker/docker/internal/testutils/netnsutils"

 	"github.com/docker/docker/libnetwork/netutils"

-	"github.com/docker/docker/libnetwork/testutils"

 	"github.com/vishvananda/netlink"

 )

 func TestSetupNewBridge(t *testing.T) {

-	defer testutils.SetupTestOSContext(t)()

+	defer netnsutils.SetupTestOSContext(t)()

 	nh, err := netlink.NewHandle()

 	if err != nil {

@@ -39,7 +39,7 @@ func TestSetupNewBridge(t *testing.T) {

 }

 func TestSetupNewNonDefaultBridge(t *testing.T) {

-	defer testutils.SetupTestOSContext(t)()

+	defer netnsutils.SetupTestOSContext(t)()

 	nh, err := netlink.NewHandle()

 	if err != nil {

@@ -61,7 +61,7 @@ func TestSetupNewNonDefaultBridge(t *testing.T) {

 }

 func TestSetupDeviceUp(t *testing.T) {

-	defer testutils.SetupTestOSContext(t)()

+	defer netnsutils.SetupTestOSContext(t)()

 	nh, err := netlink.NewHandle()

 	if err != nil {

@@ -86,7 +86,7 @@ func TestSetupDeviceUp(t *testing.T) {

 }

 func TestGenerateRandomMAC(t *testing.T) {

-	defer testutils.SetupTestOSContext(t)()

+	defer netnsutils.SetupTestOSContext(t)()

 	mac1 := netutils.GenerateRandomMAC()

 	mac2 := netutils.GenerateRandomMAC()

@@ -6,9 +6,9 @@ import (

 	"net"

 	"testing"

+	"github.com/docker/docker/internal/testutils/netnsutils"

 	"github.com/docker/docker/libnetwork/iptables"

 	"github.com/docker/docker/libnetwork/portmapper"

-	"github.com/docker/docker/libnetwork/testutils"

 	"github.com/vishvananda/netlink"

 )

@@ -18,7 +18,7 @@ const (

 func TestProgramIPTable(t *testing.T) {

 	// Create a test bridge with a basic bridge configuration (name + IPv4).

-	defer testutils.SetupTestOSContext(t)()

+	defer netnsutils.SetupTestOSContext(t)()

 	nh, err := netlink.NewHandle()

 	if err != nil {

@@ -48,7 +48,7 @@ func TestProgramIPTable(t *testing.T) {

 func TestSetupIPChains(t *testing.T) {

 	// Create a test bridge with a basic bridge configuration (name + IPv4).

-	defer testutils.SetupTestOSContext(t)()

+	defer netnsutils.SetupTestOSContext(t)()

 	nh, err := netlink.NewHandle()

 	if err != nil {

@@ -6,7 +6,7 @@ import (

 	"net"

 	"testing"

-	"github.com/docker/docker/libnetwork/testutils"

+	"github.com/docker/docker/internal/testutils/netnsutils"

 	"github.com/vishvananda/netlink"

 )

@@ -23,7 +23,7 @@ func setupTestInterface(t *testing.T, nh *netlink.Handle) (*networkConfiguration

 }

 func TestSetupBridgeIPv4Fixed(t *testing.T) {

-	defer testutils.SetupTestOSContext(t)()

+	defer netnsutils.SetupTestOSContext(t)()

 	ip, netw, err := net.ParseCIDR("192.168.1.1/24")

 	if err != nil {

@@ -61,7 +61,7 @@ func TestSetupBridgeIPv4Fixed(t *testing.T) {

 }

 func TestSetupGatewayIPv4(t *testing.T) {

-	defer testutils.SetupTestOSContext(t)()

+	defer netnsutils.SetupTestOSContext(t)()

 	nh, err := netlink.NewHandle()

 	if err != nil {

@@ -9,12 +9,12 @@ import (

 	"os"

 	"testing"

-	"github.com/docker/docker/libnetwork/testutils"

+	"github.com/docker/docker/internal/testutils/netnsutils"

 	"github.com/vishvananda/netlink"

 )

 func TestSetupIPv6(t *testing.T) {

-	defer testutils.SetupTestOSContext(t)()

+	defer netnsutils.SetupTestOSContext(t)()

 	nh, err := netlink.NewHandle()

 	if err != nil {

@@ -55,7 +55,7 @@ func TestSetupIPv6(t *testing.T) {

 }

 func TestSetupGatewayIPv6(t *testing.T) {

-	defer testutils.SetupTestOSContext(t)()

+	defer netnsutils.SetupTestOSContext(t)()

 	_, nw, _ := net.ParseCIDR("2001:db8:ea9:9abc:ffff::/80")

 	gw := net.ParseIP("2001:db8:ea9:9abc:ffff::254")

@@ -6,7 +6,7 @@ import (

 	"net"

 	"testing"

-	"github.com/docker/docker/libnetwork/testutils"

+	"github.com/docker/docker/internal/testutils/netnsutils"

 	"github.com/vishvananda/netlink"

 )

@@ -29,7 +29,7 @@ func setupVerifyTest(t *testing.T) *bridgeInterface {

 }

 func TestSetupVerify(t *testing.T) {

-	defer testutils.SetupTestOSContext(t)()

+	defer netnsutils.SetupTestOSContext(t)()

 	addrv4 := net.IPv4(192, 168, 1, 1)

 	inf := setupVerifyTest(t)

@@ -46,7 +46,7 @@ func TestSetupVerify(t *testing.T) {

 }

 func TestSetupVerifyBad(t *testing.T) {

-	defer testutils.SetupTestOSContext(t)()

+	defer netnsutils.SetupTestOSContext(t)()

 	addrv4 := net.IPv4(192, 168, 1, 1)

 	inf := setupVerifyTest(t)

@@ -64,7 +64,7 @@ func TestSetupVerifyBad(t *testing.T) {

 }

 func TestSetupVerifyMissing(t *testing.T) {

-	defer testutils.SetupTestOSContext(t)()

+	defer netnsutils.SetupTestOSContext(t)()

 	addrv4 := net.IPv4(192, 168, 1, 1)

 	inf := setupVerifyTest(t)

@@ -77,7 +77,7 @@ func TestSetupVerifyMissing(t *testing.T) {

 }

 func TestSetupVerifyIPv6(t *testing.T) {

-	defer testutils.SetupTestOSContext(t)()

+	defer netnsutils.SetupTestOSContext(t)()

 	addrv4 := net.IPv4(192, 168, 1, 1)

 	inf := setupVerifyTest(t)

@@ -98,7 +98,7 @@ func TestSetupVerifyIPv6(t *testing.T) {

 }

 func TestSetupVerifyIPv6Missing(t *testing.T) {

-	defer testutils.SetupTestOSContext(t)()

+	defer netnsutils.SetupTestOSContext(t)()

 	addrv4 := net.IPv4(192, 168, 1, 1)

 	inf := setupVerifyTest(t)

@@ -6,13 +6,13 @@ import (

 	"os"

 	"testing"

+	"github.com/docker/docker/internal/testutils/netnsutils"

 	"github.com/docker/docker/libnetwork/ipamapi"

 	"github.com/docker/docker/libnetwork/osl"

-	"github.com/docker/docker/libnetwork/testutils"

 )

 func TestHostsEntries(t *testing.T) {

-	defer testutils.SetupTestOSContext(t)()

+	defer netnsutils.SetupTestOSContext(t)()

 	expectedHostsFile := `127.0.0.1	localhost

 ::1	localhost ip6-localhost ip6-loopback

@@ -5,11 +5,11 @@ import (

 	"strings"

 	"testing"

+	"github.com/docker/docker/internal/testutils/netnsutils"

 	"github.com/docker/docker/libnetwork/config"

 	"github.com/docker/docker/libnetwork/iptables"

 	"github.com/docker/docker/libnetwork/netlabel"

 	"github.com/docker/docker/libnetwork/options"

-	"github.com/docker/docker/libnetwork/testutils"

 	"gotest.tools/v3/assert"

 	is "gotest.tools/v3/assert/cmp"

 )

@@ -51,7 +51,7 @@ func TestUserChain(t *testing.T) {

 	for _, tc := range tests {

 		tc := tc

 		t.Run(fmt.Sprintf("iptables=%v,insert=%v", tc.iptables, tc.insert), func(t *testing.T) {

-			defer testutils.SetupTestOSContext(t)()

+			defer netnsutils.SetupTestOSContext(t)()

 			defer resetIptables(t)

 			c, err := New(config.OptionDriverConfig("bridge", map[string]any{

@@ -8,13 +8,13 @@ import (

 	"testing"

 	"time"

+	"github.com/docker/docker/internal/testutils/netnsutils"

 	"github.com/docker/docker/libnetwork/datastore"

 	"github.com/docker/docker/libnetwork/discoverapi"

 	"github.com/docker/docker/libnetwork/driverapi"

 	"github.com/docker/docker/libnetwork/ipamapi"

 	"github.com/docker/docker/libnetwork/netlabel"

 	"github.com/docker/docker/libnetwork/netutils"

-	"github.com/docker/docker/libnetwork/testutils"

 	"github.com/docker/docker/libnetwork/types"

 	"gotest.tools/v3/skip"

 )

@@ -311,7 +311,7 @@ func compareNwLists(a, b []*net.IPNet) bool {

 }

 func TestAuxAddresses(t *testing.T) {

-	defer testutils.SetupTestOSContext(t)()

+	defer netnsutils.SetupTestOSContext(t)()

 	c, err := New()

 	if err != nil {

@@ -350,7 +350,7 @@ func TestAuxAddresses(t *testing.T) {

 func TestSRVServiceQuery(t *testing.T) {

 	skip.If(t, runtime.GOOS == "windows", "test only works on linux")

-	defer testutils.SetupTestOSContext(t)()

+	defer netnsutils.SetupTestOSContext(t)()

 	c, err := New()

 	if err != nil {

@@ -447,7 +447,7 @@ func TestSRVServiceQuery(t *testing.T) {

 func TestServiceVIPReuse(t *testing.T) {

 	skip.If(t, runtime.GOOS == "windows", "test only works on linux")

-	defer testutils.SetupTestOSContext(t)()

+	defer netnsutils.SetupTestOSContext(t)()

 	c, err := New()

 	if err != nil {

@@ -564,7 +564,7 @@ func TestServiceVIPReuse(t *testing.T) {

 func TestIpamReleaseOnNetDriverFailures(t *testing.T) {

 	skip.If(t, runtime.GOOS == "windows", "test only works on linux")

-	defer testutils.SetupTestOSContext(t)()

+	defer netnsutils.SetupTestOSContext(t)()

 	c, err := New(OptionBoltdbWithRandomDBFile(t))

 	if err != nil {

@@ -13,12 +13,12 @@ import (

 	"testing"

 	"github.com/containerd/containerd/log"

+	"github.com/docker/docker/internal/testutils/netnsutils"

 	"github.com/docker/docker/libnetwork"

 	"github.com/docker/docker/libnetwork/ipamapi"

 	"github.com/docker/docker/libnetwork/netlabel"

 	"github.com/docker/docker/libnetwork/options"

 	"github.com/docker/docker/libnetwork/osl"

-	"github.com/docker/docker/libnetwork/testutils"

 	"github.com/docker/docker/libnetwork/types"

 	"github.com/docker/docker/pkg/reexec"

 	"github.com/pkg/errors"

@@ -41,7 +41,7 @@ func makeTesthostNetwork(t *testing.T, c *libnetwork.Controller) *libnetwork.Net

 }

 func TestHost(t *testing.T) {

-	defer testutils.SetupTestOSContext(t)()

+	defer netnsutils.SetupTestOSContext(t)()

 	controller := newController(t)

 	sbx1, err := controller.NewSandbox("host_c1",

@@ -142,7 +142,7 @@ func TestHost(t *testing.T) {

 // Testing IPV6 from MAC address

 func TestBridgeIpv6FromMac(t *testing.T) {

-	defer testutils.SetupTestOSContext(t)()

+	defer netnsutils.SetupTestOSContext(t)()

 	controller := newController(t)

 	netOption := options.Generic{

@@ -217,7 +217,7 @@ func checkSandbox(t *testing.T, info libnetwork.EndpointInfo) {

 }

 func TestEndpointJoin(t *testing.T) {

-	defer testutils.SetupTestOSContext(t)()

+	defer netnsutils.SetupTestOSContext(t)()

 	controller := newController(t)

 	// Create network 1 and add 2 endpoint: ep11, ep12

@@ -392,7 +392,7 @@ func TestExternalKey(t *testing.T) {

 }

 func externalKeyTest(t *testing.T, reexec bool) {

-	defer testutils.SetupTestOSContext(t)()

+	defer netnsutils.SetupTestOSContext(t)()

 	controller := newController(t)

 	n, err := createTestNetwork(controller, bridgeNetType, "testnetwork", options.Generic{

@@ -553,7 +553,7 @@ func reexecSetKey(key string, containerID string, controllerID string) error {

 }

 func TestEnableIPv6(t *testing.T) {

-	defer testutils.SetupTestOSContext(t)()

+	defer netnsutils.SetupTestOSContext(t)()

 	controller := newController(t)

 	tmpResolvConf := []byte("search pommesfrites.fr\nnameserver 12.34.56.78\nnameserver 2001:4860:4860::8888\n")

@@ -630,7 +630,7 @@ func TestEnableIPv6(t *testing.T) {

 }

 func TestResolvConfHost(t *testing.T) {

-	defer testutils.SetupTestOSContext(t)()

+	defer netnsutils.SetupTestOSContext(t)()

 	controller := newController(t)

 	tmpResolvConf := []byte("search localhost.net\nnameserver 127.0.0.1\nnameserver 2001:4860:4860::8888\n")

@@ -705,7 +705,7 @@ func TestResolvConfHost(t *testing.T) {

 }