@@ -1458,9 +1458,10 @@ func (daemon *Daemon) networkOptions(conf *config.Config, pg plugingetter.Plugin

 		nwconfig.OptionLabels(conf.Labels),

 		nwconfig.OptionNetworkControlPlaneMTU(conf.NetworkControlPlaneMTU),

 		nwconfig.OptionFirewallBackend(conf.FirewallBackend),

-		driverOptions(conf),

 	}

+	options = append(options, networkPlatformOptions(conf)...)

+

 	defaultAddressPools := ipamutils.GetLocalScopeDefaultNetworks()

 	if len(conf.NetworkConfig.DefaultAddressPools.Value()) > 0 {

 		defaultAddressPools = conf.NetworkConfig.DefaultAddressPools.Value()

@@ -924,20 +924,23 @@ func setHostGatewayIP(controller *libnetwork.Controller, config *config.Config)

 	}

 }

-func driverOptions(config *config.Config) nwconfig.Option {

-	return nwconfig.OptionDriverConfig("bridge", options.Generic{

-		netlabel.GenericData: options.Generic{

-			"EnableIPForwarding":       config.BridgeConfig.EnableIPForward,

-			"DisableFilterForwardDrop": config.BridgeConfig.DisableFilterForwardDrop,

-			"EnableIPTables":           config.BridgeConfig.EnableIPTables,

-			"EnableIP6Tables":          config.BridgeConfig.EnableIP6Tables,

-			"EnableUserlandProxy":      config.EnableUserlandProxy,

-			"UserlandProxyPath":        config.UserlandProxyPath,

-			"Hairpin":                  !config.EnableUserlandProxy || config.UserlandProxyPath == "",

-			"AllowDirectRouting":       config.BridgeConfig.AllowDirectRouting,

-			"Rootless":                 config.Rootless,

-		},

-	})

+// networkPlatformOptions returns a slice of platform-specific libnetwork

+// options.

+func networkPlatformOptions(conf *config.Config) []nwconfig.Option {

+	return []nwconfig.Option{

+		nwconfig.OptionRootless(conf.Rootless),

+		nwconfig.OptionUserlandProxy(conf.EnableUserlandProxy, conf.UserlandProxyPath),

+		nwconfig.OptionDriverConfig("bridge", options.Generic{

+			netlabel.GenericData: options.Generic{

+				"EnableIPForwarding":       conf.BridgeConfig.EnableIPForward,

+				"DisableFilterForwardDrop": conf.BridgeConfig.DisableFilterForwardDrop,

+				"EnableIPTables":           conf.BridgeConfig.EnableIPTables,

+				"EnableIP6Tables":          conf.BridgeConfig.EnableIP6Tables,

+				"Hairpin":                  !conf.EnableUserlandProxy || conf.UserlandProxyPath == "",

+				"AllowDirectRouting":       conf.BridgeConfig.AllowDirectRouting,

+			},

+		}),

+	}

 }

 type defBrOptsV4 struct {

@@ -523,7 +523,7 @@ func (daemon *Daemon) conditionalUnmountOnCleanup(container *container.Container

 	return daemon.Unmount(container)

 }

-func driverOptions(_ *config.Config) nwconfig.Option {

+func networkPlatformOptions(_ *config.Config) []nwconfig.Option {

 	return nil

 }

@@ -43,6 +43,9 @@ type Config struct {

 	ActiveSandboxes        map[string]any

 	PluginGetter           plugingetter.PluginGetter

 	FirewallBackend        string

+	Rootless               bool

+	EnableUserlandProxy    bool

+	UserlandProxyPath      string

 }

 // New creates a new Config and initializes it with the given Options.

@@ -162,3 +165,20 @@ func OptionFirewallBackend(val string) Option {

 		c.FirewallBackend = val

 	}

 }

+

+// OptionRootless returns an option setter that indicates whether the daemon is

+// running in rootless mode.

+func OptionRootless(rootless bool) Option {

+	return func(c *Config) {

+		c.Rootless = rootless

+	}

+}

+

+// OptionUserlandProxy returns an option setter that indicates whether the

+// userland proxy is enabled, and sets the path to the proxy binary.

+func OptionUserlandProxy(enabled bool, proxyPath string) Option {

+	return func(c *Config) {

+		c.EnableUserlandProxy = enabled

+		c.UserlandProxyPath = proxyPath

+	}

+}

@@ -24,7 +24,6 @@ import (

 	"github.com/docker/docker/daemon/libnetwork/drvregistry"

 	"github.com/docker/docker/daemon/libnetwork/internal/netiputil"

 	"github.com/docker/docker/daemon/libnetwork/internal/nftables"

-	"github.com/docker/docker/daemon/libnetwork/internal/rlkclient"

 	"github.com/docker/docker/daemon/libnetwork/iptables"

 	"github.com/docker/docker/daemon/libnetwork/netlabel"

 	"github.com/docker/docker/daemon/libnetwork/netutils"

@@ -51,7 +50,6 @@ const (

 	vethPrefix                 = "veth"

 	vethLen                    = len(vethPrefix) + 7

 	defaultContainerVethPrefix = "eth"

-	maxAllocatePortAttempts    = 10

 )

 const (

@@ -74,13 +72,10 @@ type configuration struct {

 	DisableFilterForwardDrop bool

 	EnableIPTables           bool

 	EnableIP6Tables          bool

-	EnableUserlandProxy      bool

-	UserlandProxyPath        string

 	// Hairpin indicates whether packets sent from a container to a host port

 	// published by another container on the same bridge network should be

 	// hairpinned.

 	Hairpin            bool

-	Rootless           bool

 	AllowDirectRouting bool

 }

@@ -161,25 +156,14 @@ type bridgeNetwork struct {

 	sync.Mutex

 }

-type portDriverClient interface {

-	ChildHostIP(hostIP netip.Addr) netip.Addr

-	AddPort(ctx context.Context, proto string, hostIP, childIP netip.Addr, hostPort int) (func() error, error)

-}

-

-// Allow unit tests to supply a dummy RootlessKit port driver client.

-var newPortDriverClient = func(ctx context.Context) (portDriverClient, error) {

-	return rlkclient.NewPortDriverClient(ctx)

-}

-

 type driver struct {

-	config           configuration

-	networks         map[string]*bridgeNetwork

-	store            *datastore.Store

-	nlh              nlwrap.Handle

-	portDriverClient portDriverClient

-	configNetwork    sync.Mutex

-	firewaller       firewaller.Firewaller

-	portmappers      *drvregistry.PortMappers

+	config        configuration

+	networks      map[string]*bridgeNetwork

+	store         *datastore.Store

+	nlh           nlwrap.Handle

+	configNetwork sync.Mutex

+	firewaller    firewaller.Firewaller

+	portmappers   *drvregistry.PortMappers

 	sync.Mutex

 }

@@ -476,15 +460,6 @@ func (n *bridgeNetwork) gwMode(v firewaller.IPVersion) gwMode {

 	return n.config.GwModeIPv6

 }

-func (n *bridgeNetwork) userlandProxyPath() string {

-	n.Lock()

-	defer n.Unlock()

-	if n.driver == nil {

-		return ""

-	}

-	return n.driver.userlandProxyPath()

-}

-

 func (n *bridgeNetwork) hairpin() bool {

 	n.Lock()

 	defer n.Unlock()

@@ -494,13 +469,13 @@ func (n *bridgeNetwork) hairpin() bool {

 	return n.driver.config.Hairpin

 }

-func (n *bridgeNetwork) getPortDriverClient() portDriverClient {

+func (n *bridgeNetwork) portMappers() *drvregistry.PortMappers {

 	n.Lock()

 	defer n.Unlock()

 	if n.driver == nil {

 		return nil

 	}

-	return n.driver.getPortDriverClient()

+	return n.driver.portmappers

 }

 func (n *bridgeNetwork) getEndpoint(eid string) (*bridgeEndpoint, error) {

@@ -546,17 +521,7 @@ func (d *driver) configure(option map[string]interface{}) error {

 		return err

 	}

-	var pdc portDriverClient

-	if config.Rootless {

-		var err error

-		pdc, err = newPortDriverClient(context.TODO())

-		if err != nil {

-			return err

-		}

-	}

-

 	d.Lock()

-	d.portDriverClient = pdc

 	d.config = config

 	d.Unlock()

@@ -604,22 +569,6 @@ func (d *driver) getNetwork(id string) (*bridgeNetwork, error) {

 	return nil, types.NotFoundErrorf("network not found: %s", id)

 }

-func (d *driver) userlandProxyPath() string {

-	d.Lock()

-	defer d.Unlock()

-

-	if d.config.EnableUserlandProxy {

-		return d.config.UserlandProxyPath

-	}

-	return ""

-}

-

-func (d *driver) getPortDriverClient() portDriverClient {

-	d.Lock()

-	defer d.Unlock()

-	return d.portDriverClient

-}

-

 func parseNetworkGenericOptions(data interface{}) (*networkConfiguration, error) {

 	var (

 		err    error

@@ -1639,7 +1588,7 @@ func (ep *bridgeEndpoint) trimPortBindings(ctx context.Context, n *bridgeNetwork

 		return nil, nil

 	}

-	if err := releasePortBindings(toDrop, n.firewallerNetwork); err != nil {

+	if err := n.unmapPBs(ctx, toDrop); err != nil {

 		log.G(ctx).WithFields(log.Fields{

 			"error": err,

 			"gw4":   pbmReq.ipv4,

@@ -8,7 +8,6 @@ import (

 	"maps"

 	"net"

 	"net/netip"

-	"os/exec"

 	"slices"

 	"strconv"

 	"testing"

@@ -796,21 +795,16 @@ func testQueryEndpointInfo(t *testing.T, ulPxyEnabled bool) {

 	defer netnsutils.SetupTestOSContext(t)()

 	useStubFirewaller(t)

-	d := newDriver(storeutils.NewTempStore(t), &drvregistry.PortMappers{})

+	pms := drvregistry.PortMappers{}

+	pm := &stubPortMapper{}

+	err := pms.Register("nat", pm)

+	assert.NilError(t, err)

+

+	d := newDriver(storeutils.NewTempStore(t), &pms)

 	portallocator.Get().ReleaseAll()

-	var proxyBinary string

-	var err error

-	if ulPxyEnabled {

-		proxyBinary, err = exec.LookPath("docker-proxy")

-		if err != nil {

-			t.Fatalf("failed to lookup userland-proxy binary: %v", err)

-		}

-	}

 	config := &configuration{

-		EnableIPTables:      true,

-		EnableUserlandProxy: ulPxyEnabled,

-		UserlandProxyPath:   proxyBinary,

+		EnableIPTables: true,

 	}

 	genericOption := make(map[string]interface{})

 	genericOption[netlabel.GenericData] = config

@@ -865,15 +859,15 @@ func testQueryEndpointInfo(t *testing.T, ulPxyEnabled bool) {

 	if !ok {

 		t.Fatal("Endpoint operational data does not contain port mapping data")

 	}

-	pm, ok := pmd.([]types.PortBinding)

+	pbs, ok := pmd.([]types.PortBinding)

 	if !ok {

 		t.Fatal("Unexpected format for port mapping in endpoint operational data")

 	}

-	if len(ep.portMapping) != len(pm) {

+	if len(ep.portMapping) != len(pbs) {

 		t.Fatal("Incomplete data for port mapping in endpoint operational data")

 	}

 	for i, pb := range ep.portMapping {

-		if !comparePortBinding(&pb.PortBinding, &pm[i]) {

+		if !comparePortBinding(&pb.PortBinding, &pbs[i]) {

 			t.Fatal("Unexpected data for port mapping in endpoint operational data")

 		}

 	}

@@ -8,25 +8,15 @@ import (

 	"errors"

 	"fmt"

 	"net"

-	"net/netip"

-	"os"

 	"slices"

-	"strconv"

-	"syscall"

 	"github.com/containerd/log"

-	"github.com/docker/docker/daemon/libnetwork/drivers/bridge/internal/firewaller"

-	"github.com/docker/docker/daemon/libnetwork/internal/rlkclient"

 	"github.com/docker/docker/daemon/libnetwork/netutils"

-	"github.com/docker/docker/daemon/libnetwork/portallocator"

-	"github.com/docker/docker/daemon/libnetwork/portmapper"

 	"github.com/docker/docker/daemon/libnetwork/portmapperapi"

 	"github.com/docker/docker/daemon/libnetwork/types"

+	"github.com/docker/docker/internal/sliceutil"

 )

-// Allow unit tests to supply a dummy StartProxy.

-var startProxy = portmapper.StartProxy

-

 // addPortMappings takes cfg, the configuration for port mappings, selects host

 // ports when ranges are given, binds host ports to check they're available and

 // reserve them, starts docker-proxy if required, and sets up iptables

@@ -50,20 +40,23 @@ func (n *bridgeNetwork) addPortMappings(

 		defHostIP = addr4

 	}

+	pms := n.portMappers()

+

 	bindings := make([]portmapperapi.PortBinding, 0, len(cfg)*2)

 	defer func() {

 		if retErr != nil {

-			if err := releasePortBindings(bindings, n.firewallerNetwork); err != nil {

-				log.G(ctx).Warnf("Release port bindings: %s", err.Error())

+			if err := n.unmapPBs(ctx, bindings); err != nil {

+				log.G(ctx).WithFields(log.Fields{

+					"bindings": bindings,

+					"error":    err,

+					"origErr":  retErr,

+				}).Warn("Failed to unmap port bindings after error")

 			}

 		}

 	}()

 	bindingReqs := n.sortAndNormPBs(ctx, ep, cfg, defHostIP, pbmReq)

-	proxyPath := n.userlandProxyPath()

-	pdc := n.getPortDriverClient()

-

 	// toBind accumulates port bindings that should be allocated the same host port

 	// (if required by NAT config). If the host address is unspecified, and defHostIP

 	// is 0.0.0.0, one iteration of the loop may generate bindings for v4 and v6. If

@@ -76,52 +69,30 @@ func (n *bridgeNetwork) addPortMappings(

 	var toBind []portmapperapi.PortBindingReq

 	for i, c := range bindingReqs {

 		toBind = append(toBind, c)

-		if i < len(bindingReqs)-1 && c.DisableNAT == bindingReqs[i+1].DisableNAT && needSamePort(c, bindingReqs[i+1]) {

+		if i < len(bindingReqs)-1 && c.Mapper == bindingReqs[i+1].Mapper && needSamePort(c, bindingReqs[i+1]) {

 			// This port binding matches the next, apart from host IP. So, continue

 			// collecting bindings, then allocate the same host port for all addresses.

 			continue

 		}

-		var newB []portmapperapi.PortBinding

-		var err error

-		if c.DisableNAT {

-			newB, err = setupForwardedPorts(ctx, toBind, n.firewallerNetwork)

-		} else {

-			newB, err = bindHostPorts(ctx, toBind, proxyPath, pdc, n.firewallerNetwork)

+		pm, err := pms.Get(c.Mapper)

+		if err != nil {

+			return nil, err

 		}

+

+		newB, err := pm.MapPorts(ctx, toBind, n.firewallerNetwork)

 		if err != nil {

 			return nil, err

 		}

-		bindings = append(bindings, newB...)

+		bindings = append(bindings, sliceutil.Map(newB, func(b portmapperapi.PortBinding) portmapperapi.PortBinding {

+			b.Mapper = c.Mapper

+			return b

+		})...)

 		// Reset toBind now the ports are bound.

 		toBind = toBind[:0]

 	}

-	// Start userland proxy processes.

-	if proxyPath != "" {

-		for i := range bindings {

-			if bindings[i].BoundSocket == nil || bindings[i].RootlesskitUnsupported || bindings[i].StopProxy != nil {

-				continue

-			}

-			var err error

-			bindings[i].StopProxy, err = startProxy(

-				bindings[i].ChildPortBinding(), proxyPath, bindings[i].BoundSocket,

-			)

-			if err != nil {

-				return nil, fmt.Errorf("failed to start userland proxy for port mapping %s: %w",

-					bindings[i].PortBinding, err)

-			}

-			if err := bindings[i].BoundSocket.Close(); err != nil {

-				log.G(ctx).WithFields(log.Fields{

-					"error":   err,

-					"mapping": bindings[i].PortBinding,

-				}).Warnf("failed to close proxy socket")

-			}

-			bindings[i].BoundSocket = nil

-		}

-	}

-

 	return bindings, nil

 }

@@ -283,7 +254,10 @@ func configurePortBindingIPv4(

 	// Unmap the addresses if they're IPv4-mapped IPv6.

 	bnd.HostIP = bnd.HostIP.To4()

 	bnd.IP = containerIPv4.To4()

-	bnd.DisableNAT = disableNAT

+	bnd.Mapper = "nat"

+	if disableNAT {

+		bnd.Mapper = "routed"

+	}

 	return bnd, true

 }

@@ -340,234 +314,11 @@ func configurePortBindingIPv6(

 	}

 	bnd.IP = containerIP

-	bnd.DisableNAT = disableNAT

-	return bnd, true

-}

-

-func setChildHostIP(pdc portDriverClient, req portmapperapi.PortBindingReq) portmapperapi.PortBindingReq {

-	if pdc == nil {

-		req.ChildHostIP = req.HostIP

-		return req

-	}

-	hip, _ := netip.AddrFromSlice(req.HostIP)

-	req.ChildHostIP = pdc.ChildHostIP(hip).AsSlice()

-	return req

-}

-

-// setupForwardedPorts sets up firewall rules to allow direct remote access to

-// the container's ports in cfg.

-func setupForwardedPorts(ctx context.Context, cfg []portmapperapi.PortBindingReq, fwn firewaller.Network) ([]portmapperapi.PortBinding, error) {

-	if len(cfg) == 0 {

-		return nil, nil

-	}

-

-	res := make([]portmapperapi.PortBinding, 0, len(cfg))

-	bindings := make([]types.PortBinding, 0, len(cfg))

-	for _, c := range cfg {

-		pb := portmapperapi.PortBinding{PortBinding: c.GetCopy()}

-		if pb.HostPort != 0 || pb.HostPortEnd != 0 {

-			log.G(ctx).WithFields(log.Fields{"mapping": pb}).Infof(

-				"Host port ignored, because NAT is disabled")

-			pb.HostPort = 0

-			pb.HostPortEnd = 0

-		}

-		res = append(res, pb)

-		bindings = append(bindings, pb.PortBinding)

-	}

-

-	if err := fwn.AddPorts(ctx, bindings); err != nil {

-		return nil, err

-	}

-

-	return res, nil

-}

-

-// bindHostPorts allocates and binds host ports for the given cfg. The

-// caller is responsible for ensuring that all entries in cfg map the same proto,

-// container port, and host port range (their host addresses must differ).

-func bindHostPorts(

-	ctx context.Context,

-	cfg []portmapperapi.PortBindingReq,

-	proxyPath string,

-	pdc portDriverClient,

-	fwn firewaller.Network,

-) ([]portmapperapi.PortBinding, error) {

-	if len(cfg) == 0 {

-		return nil, nil

-	}

-	// Ensure that all of cfg's entries have the same proto and ports.

-	proto, port, hostPort, hostPortEnd := cfg[0].Proto, cfg[0].Port, cfg[0].HostPort, cfg[0].HostPortEnd

-	for _, c := range cfg[1:] {

-		if c.Proto != proto || c.Port != port || c.HostPort != hostPort || c.HostPortEnd != hostPortEnd {

-			return nil, types.InternalErrorf("port binding mismatch %d/%s:%d-%d, %d/%s:%d-%d",

-				port, proto, hostPort, hostPortEnd,

-				port, c.Proto, c.HostPort, c.HostPortEnd)

-		}

-	}

-

-	// Try up to maxAllocatePortAttempts times to get a port that's not already allocated.

-	var err error

-	for i := 0; i < maxAllocatePortAttempts; i++ {

-		var b []portmapperapi.PortBinding

-		b, err = attemptBindHostPorts(ctx, cfg, proto, hostPort, hostPortEnd, proxyPath, pdc, fwn)

-		if err == nil {

-			return b, nil

-		}

-		// There is no point in immediately retrying to map an explicitly chosen port.

-		if hostPort != 0 && hostPort == hostPortEnd {

-			log.G(ctx).WithError(err).Warnf("Failed to allocate and map port")

-			break

-		}

-		log.G(ctx).WithFields(log.Fields{

-			"error":   err,

-			"attempt": i + 1,

-		}).Warn("Failed to allocate and map port")

-	}

-	return nil, err

-}

-

-// attemptBindHostPorts allocates host ports for each NAT port mapping, and

-// reserves those ports by binding them.

-//

-// If the allocator doesn't have an available port in the required range, or the

-// port can't be bound (perhaps because another process has already bound it),

-// all resources are released and an error is returned. When ports are

-// successfully reserved, a PortBinding is returned for each mapping.

-func attemptBindHostPorts(

-	ctx context.Context,

-	cfg []portmapperapi.PortBindingReq,

-	proto types.Protocol,

-	hostPortStart, hostPortEnd uint16,

-	proxyPath string,

-	pdc portDriverClient,

-	fwn firewaller.Network,

-) (_ []portmapperapi.PortBinding, retErr error) {

-	var err error

-	var port int

-

-	addrs := make([]net.IP, 0, len(cfg))

-	for i := range cfg {

-		cfg[i] = setChildHostIP(pdc, cfg[i])

-		addrs = append(addrs, cfg[i].ChildHostIP)

-	}

-

-	pa := portallocator.NewOSAllocator()

-	port, socks, err := pa.RequestPortsInRange(addrs, proto, int(hostPortStart), int(hostPortEnd))

-	if err != nil {

-		return nil, err

-	}

-	defer func() {

-		if retErr != nil {

-			pa.ReleasePorts(addrs, proto, port)

-		}

-	}()

-

-	if len(socks) != len(cfg) {

-		for _, sock := range socks {

-			if err := sock.Close(); err != nil {

-				log.G(ctx).WithError(err).Warn("Failed to close socket")

-			}

-		}

-		return nil, types.InternalErrorf("port allocator returned %d sockets for %d port bindings", len(socks), len(cfg))

+	bnd.Mapper = "nat"

+	if disableNAT {

+		bnd.Mapper = "routed"

 	}

-

-	res := make([]portmapperapi.PortBinding, 0, len(cfg))

-	defer func() {

-		if retErr != nil {

-			if err := releasePortBindings(res, fwn); err != nil {

-				log.G(ctx).WithError(err).Warn("Failed to release port bindings")

-			}

-		}

-	}()

-

-	for i := range cfg {

-		pb := portmapperapi.PortBinding{

-			PortBinding: cfg[i].PortBinding.GetCopy(),

-			BoundSocket: socks[i],

-			ChildHostIP: cfg[i].ChildHostIP,

-		}

-		pb.PortBinding.HostPort = uint16(port)

-		pb.PortBinding.HostPortEnd = pb.HostPort

-		res = append(res, pb)

-	}

-

-	if err := configPortDriver(ctx, res, pdc); err != nil {

-		return nil, err

-	}

-	if err := fwn.AddPorts(ctx, mergeChildHostIPs(res)); err != nil {

-		return nil, err

-	}

-	// Now the firewall rules are set up, it's safe to listen on the socket. (Listening

-	// earlier could result in dropped connections if the proxy becomes unreachable due

-	// to NAT rules sending packets directly to the container.)

-	//

-	// If not starting the proxy, nothing will ever accept a connection on the

-	// socket. Listen here anyway because SO_REUSEADDR is set, so bind() won't notice

-	// the problem if a port's bound to both INADDR_ANY and a specific address. (Also

-	// so the binding shows up in "netstat -at".)

-	if err := listenBoundPorts(res, proxyPath); err != nil {

-		return nil, err

-	}

-	return res, nil

-}

-

-// configPortDriver passes the port binding's details to rootlesskit, and updates the

-// port binding with callbacks to remove the rootlesskit config (or marks the binding as

-// unsupported by rootlesskit).

-func configPortDriver(ctx context.Context, pbs []portmapperapi.PortBinding, pdc portDriverClient) error {

-	for i := range pbs {

-		b := pbs[i]

-		if pdc != nil && b.HostPort != 0 {

-			var err error

-			hip, ok := netip.AddrFromSlice(b.HostIP)

-			if !ok {

-				return fmt.Errorf("invalid host IP address in %s", b)

-			}

-			chip, ok := netip.AddrFromSlice(b.ChildHostIP)

-			if !ok {

-				return fmt.Errorf("invalid child host IP address %s in %s", b.ChildHostIP, b)

-			}

-			pbs[i].PortDriverRemove, err = pdc.AddPort(ctx, b.Proto.String(), hip, chip, int(b.HostPort))

-			if err != nil {

-				var pErr *rlkclient.ProtocolUnsupportedError

-				if errors.As(err, &pErr) {

-					log.G(ctx).WithFields(log.Fields{

-						"error": pErr,

-					}).Warnf("discarding request for %q", net.JoinHostPort(hip.String(), strconv.Itoa(int(b.HostPort))))

-					pbs[i].RootlesskitUnsupported = true

-					continue

-				}

-				return err

-			}

-		}

-	}

-	return nil

-}

-

-func listenBoundPorts(pbs []portmapperapi.PortBinding, proxyPath string) error {

-	for i := range pbs {

-		if pbs[i].BoundSocket == nil || pbs[i].RootlesskitUnsupported || pbs[i].Proto == types.UDP {

-			continue

-		}

-		rc, err := pbs[i].BoundSocket.SyscallConn()

-		if err != nil {

-			return fmt.Errorf("raw conn not available on %s socket: %w", pbs[i].Proto, err)

-		}

-		if errC := rc.Control(func(fd uintptr) {

-			somaxconn := 0

-			// SCTP sockets do not support somaxconn=0

-			if proxyPath != "" || pbs[i].Proto == types.SCTP {

-				somaxconn = -1 // silently capped to "/proc/sys/net/core/somaxconn"

-			}

-			err = syscall.Listen(int(fd), somaxconn)

-		}); errC != nil {

-			return fmt.Errorf("failed to Control %s socket: %w", pbs[i].Proto, err)

-		}

-		if err != nil {

-			return fmt.Errorf("failed to listen on %s socket: %w", pbs[i].Proto, err)

-		}

-	}

-	return nil

+	return bnd, true

 }

 // releasePorts attempts to release all port bindings, does not stop on failure

@@ -578,36 +329,25 @@ func (n *bridgeNetwork) releasePorts(ep *bridgeEndpoint) error {

 	ep.portBindingState = portBindingMode{}

 	n.Unlock()

-	return releasePortBindings(pbs, n.firewallerNetwork)

+	return n.unmapPBs(context.TODO(), pbs)

 }

-func releasePortBindings(pbs []portmapperapi.PortBinding, fwn firewaller.Network) error {

+func (n *bridgeNetwork) unmapPBs(ctx context.Context, bindings []portmapperapi.PortBinding) error {

+	pms := n.portMappers()

+

 	var errs []error

-	for _, pb := range pbs {

-		if pb.BoundSocket != nil {

-			if err := pb.BoundSocket.Close(); err != nil {

-				errs = append(errs, fmt.Errorf("failed to close socket for port mapping %s: %w", pb, err))

-			}

-		}

-		if pb.PortDriverRemove != nil {

-			if err := pb.PortDriverRemove(); err != nil {

-				errs = append(errs, err)

-			}

-		}

-		if pb.StopProxy != nil {

-			if err := pb.StopProxy(); err != nil && !errors.Is(err, os.ErrProcessDone) {

-				errs = append(errs, fmt.Errorf("failed to stop userland proxy for port mapping %s: %w", pb, err))

-			}

+	for _, b := range bindings {

+		pm, err := pms.Get(b.Mapper)

+		if err != nil {

+			errs = append(errs, fmt.Errorf("unmapping port binding %s: %w", b.PortBinding, err))

+			continue

 		}

-	}

-	if err := fwn.DelPorts(context.TODO(), mergeChildHostIPs(pbs)); err != nil {

-		errs = append(errs, err)

-	}

-	for _, pb := range pbs {

-		if pb.HostPort > 0 {

-			portallocator.Get().ReleasePort(pb.ChildHostIP, pb.Proto.String(), int(pb.HostPort))

+

+		if err := pm.UnmapPorts(ctx, []portmapperapi.PortBinding{b}, n.firewallerNetwork); err != nil {

+			errs = append(errs, fmt.Errorf("unmapping port binding %s: %w", b.PortBinding, err))

 		}

 	}

+

 	return errors.Join(errs...)

 }

@@ -1,3 +1,6 @@

+// FIXME(thaJeztah): remove once we are a module; the go:build directive prevents go from downgrading language version to go1.16:

+//go:build go1.23

+

 package bridge

 import (

@@ -7,6 +10,7 @@ import (

 	"net"

 	"net/netip"

 	"os"

+	"slices"

 	"strconv"

 	"strings"

 	"syscall"

@@ -19,7 +23,10 @@ import (

 	"github.com/docker/docker/daemon/libnetwork/ns"

 	"github.com/docker/docker/daemon/libnetwork/portallocator"

 	"github.com/docker/docker/daemon/libnetwork/portmapperapi"

+	"github.com/docker/docker/daemon/libnetwork/portmappers/nat"

+	"github.com/docker/docker/daemon/libnetwork/portmappers/routed"

 	"github.com/docker/docker/daemon/libnetwork/types"

+	"github.com/docker/docker/internal/sliceutil"

 	"github.com/docker/docker/internal/testutils/netnsutils"

 	"github.com/docker/docker/internal/testutils/storeutils"

 	"github.com/sirupsen/logrus"

@@ -32,7 +39,12 @@ func TestPortMappingConfig(t *testing.T) {

 	defer netnsutils.SetupTestOSContext(t)()

 	useStubFirewaller(t)

-	d := newDriver(storeutils.NewTempStore(t), &drvregistry.PortMappers{})

+	pms := drvregistry.PortMappers{}

+	pm := &stubPortMapper{}

+	err := pms.Register("nat", pm)

+	assert.NilError(t, err)

+

+	d := newDriver(storeutils.NewTempStore(t), &pms)

 	config := &configuration{

 		EnableIPTables: true,

@@ -61,7 +73,7 @@ func TestPortMappingConfig(t *testing.T) {

 	}

 	ipdList4 := getIPv4Data(t)

-	err := d.CreateNetwork(context.Background(), "dummy", netOptions, nil, ipdList4, getIPv6Data(t))

+	err = d.CreateNetwork(context.Background(), "dummy", netOptions, nil, ipdList4, getIPv6Data(t))

 	if err != nil {

 		t.Fatalf("Failed to create bridge: %v", err)

 	}

@@ -117,7 +129,12 @@ func TestPortMappingV6Config(t *testing.T) {

 		t.Fatalf("Could not bring loopback iface up: %v", err)

 	}

-	d := newDriver(storeutils.NewTempStore(t), &drvregistry.PortMappers{})

+	pms := drvregistry.PortMappers{}

+	pm := &stubPortMapper{}

+	err := pms.Register("nat", pm)

+	assert.NilError(t, err)

+

+	d := newDriver(storeutils.NewTempStore(t), &pms)

 	config := &configuration{

 		EnableIPTables:  true,

@@ -147,7 +164,7 @@ func TestPortMappingV6Config(t *testing.T) {

 	ipdList4 := getIPv4Data(t)

 	ipdList6 := getIPv6Data(t)

-	err := d.CreateNetwork(context.Background(), "dummy", netOptions, nil, ipdList4, ipdList6)

+	err = d.CreateNetwork(context.Background(), "dummy", netOptions, nil, ipdList4, ipdList6)

 	if err != nil {

 		t.Fatalf("Failed to create bridge: %v", err)

 	}

@@ -196,30 +213,6 @@ func loopbackUp() error {

 	return nlHandle.LinkSetUp(iface)

 }

-func TestBindHostPortsError(t *testing.T) {

-	cfg := []portmapperapi.PortBindingReq{

-		{

-			PortBinding: types.PortBinding{

-				Proto:       types.TCP,

-				Port:        80,

-				HostPort:    8080,

-				HostPortEnd: 8080,

-			},

-		},

-		{

-			PortBinding: types.PortBinding{

-				Proto:       types.TCP,

-				Port:        80,

-				HostPort:    8080,

-				HostPortEnd: 8081,

-			},

-		},

-	}

-	pbs, err := bindHostPorts(context.Background(), cfg, "", nil, nil)

-	assert.Check(t, is.Error(err, "port binding mismatch 80/tcp:8080-8080, 80/tcp:8080-8081"))

-	assert.Check(t, is.Nil(pbs))

-}

-

 func newIPNet(t *testing.T, cidr string) *net.IPNet {

 	t.Helper()

 	ip, ipNet, err := net.ParseCIDR(cidr)

@@ -242,7 +235,7 @@ func TestAddPortMappings(t *testing.T) {

 		gwMode6      gwMode

 		cfg          []portmapperapi.PortBindingReq

 		defHostIP    net.IP

-		proxyPath    string

+		enableProxy  bool

 		hairpin      bool

 		busyPortIPv4 int

 		rootless     bool

@@ -267,7 +260,7 @@ func TestAddPortMappings(t *testing.T) {

 				{PortBinding: types.PortBinding{Proto: types.TCP, Port: 22}},

 				{PortBinding: types.PortBinding{Proto: types.TCP, Port: 80}},

 			},

-			proxyPath: "/dummy/path/to/proxy",

+			enableProxy: true,

 			expPBs: []types.PortBinding{

 				{Proto: types.TCP, IP: ctrIP4.IP, Port: 22, HostIP: net.IPv4zero, HostPort: firstEphemPort},

 				{Proto: types.TCP, IP: ctrIP6.IP, Port: 22, HostIP: net.IPv6zero, HostPort: firstEphemPort},

@@ -276,24 +269,24 @@ func TestAddPortMappings(t *testing.T) {

 			},

 		},

 		{

-			name:      "specific host port",

-			epAddrV4:  ctrIP4,

-			epAddrV6:  ctrIP6,

-			cfg:       []portmapperapi.PortBindingReq{{PortBinding: types.PortBinding{Proto: types.TCP, Port: 80, HostPort: 8080}}},

-			proxyPath: "/dummy/path/to/proxy",

+			name:        "specific host port",

+			epAddrV4:    ctrIP4,

+			epAddrV6:    ctrIP6,

+			cfg:         []portmapperapi.PortBindingReq{{PortBinding: types.PortBinding{Proto: types.TCP, Port: 80, HostPort: 8080}}},

+			enableProxy: true,

 			expPBs: []types.PortBinding{

 				{Proto: types.TCP, IP: ctrIP4.IP, Port: 80, HostIP: net.IPv4zero, HostPort: 8080, HostPortEnd: 8080},

 				{Proto: types.TCP, IP: ctrIP6.IP, Port: 80, HostIP: net.IPv6zero, HostPort: 8080, HostPortEnd: 8080},

 			},

 		},

 		{

-			name:      "nat explicitly enabled",

-			epAddrV4:  ctrIP4,

-			epAddrV6:  ctrIP6,

-			cfg:       []portmapperapi.PortBindingReq{{PortBinding: types.PortBinding{Proto: types.TCP, Port: 80, HostPort: 8080}}},

-			gwMode4:   gwModeNAT,

-			gwMode6:   gwModeNAT,

-			proxyPath: "/dummy/path/to/proxy",

+			name:        "nat explicitly enabled",

+			epAddrV4:    ctrIP4,

+			epAddrV6:    ctrIP6,

+			cfg:         []portmapperapi.PortBindingReq{{PortBinding: types.PortBinding{Proto: types.TCP, Port: 80, HostPort: 8080}}},

+			gwMode4:     gwModeNAT,

+			gwMode6:     gwModeNAT,

+			enableProxy: true,

 			expPBs: []types.PortBinding{

 				{Proto: types.TCP, IP: ctrIP4.IP, Port: 80, HostIP: net.IPv4zero, HostPort: 8080, HostPortEnd: 8080},

 				{Proto: types.TCP, IP: ctrIP6.IP, Port: 80, HostIP: net.IPv6zero, HostPort: 8080, HostPortEnd: 8080},

@@ -304,27 +297,27 @@ func TestAddPortMappings(t *testing.T) {

 			epAddrV4:     ctrIP4,

 			epAddrV6:     ctrIP6,

 			cfg:          []portmapperapi.PortBindingReq{{PortBinding: types.PortBinding{Proto: types.TCP, Port: 80, HostPort: 8080}}},

-			proxyPath:    "/dummy/path/to/proxy",

+			enableProxy:  true,

 			busyPortIPv4: 8080,

 			expErr:       "failed to bind host port 0.0.0.0:8080/tcp: address already in use",

 		},

 		{

-			name:      "ipv4 mapped container address with specific host port",

-			epAddrV4:  ctrIP4Mapped,

-			epAddrV6:  ctrIP6,