@@ -2,7 +2,6 @@ package libnetwork

 import (

 	"fmt"

-	"strings"

 	"testing"

 	"github.com/docker/docker/internal/testutils/netnsutils"

@@ -12,6 +11,7 @@ import (

 	"github.com/docker/docker/libnetwork/options"

 	"gotest.tools/v3/assert"

 	is "gotest.tools/v3/assert/cmp"

+	"gotest.tools/v3/golden"

 )

 const (

@@ -24,32 +24,25 @@ func TestUserChain(t *testing.T) {

 	iptable6 := iptables.GetIptable(iptables.IPv6)

 	tests := []struct {

-		iptables  bool

-		insert    bool // insert other rules to FORWARD

-		fwdChain  []string

-		userChain []string

+		iptables bool

+		append   bool // append other rules to FORWARD

 	}{

 		{

 			iptables: false,

-			insert:   false,

-			fwdChain: []string{"-P FORWARD ACCEPT"},

+			append:   false,

 		},

 		{

-			iptables:  true,

-			insert:    false,

-			fwdChain:  []string{"-P FORWARD ACCEPT", "-A FORWARD -j DOCKER-USER"},

-			userChain: []string{"-N DOCKER-USER", "-A DOCKER-USER -j RETURN"},

+			iptables: true,

+			append:   false,

 		},

 		{

-			iptables:  true,

-			insert:    true,

-			fwdChain:  []string{"-P FORWARD ACCEPT", "-A FORWARD -j DOCKER-USER", "-A FORWARD -j DROP"},

-			userChain: []string{"-N DOCKER-USER", "-A DOCKER-USER -j RETURN"},

+			iptables: true,

+			append:   true,

 		},

 	}

 	for _, tc := range tests {

-		t.Run(fmt.Sprintf("iptables=%v,insert=%v", tc.iptables, tc.insert), func(t *testing.T) {

+		t.Run(fmt.Sprintf("iptables=%v,append=%v", tc.iptables, tc.append), func(t *testing.T) {

 			defer netnsutils.SetupTestOSContext(t)()

 			defer resetIptables(t)

@@ -64,25 +57,32 @@ func TestUserChain(t *testing.T) {

 			assert.NilError(t, err)

 			defer c.Stop()

-			// init. condition, FORWARD chain empty DOCKER-USER not exist

-			assert.Check(t, is.DeepEqual(getRules(t, iptable4, fwdChainName), []string{"-P FORWARD ACCEPT"}))

-			assert.Check(t, is.DeepEqual(getRules(t, iptable6, fwdChainName), []string{"-P FORWARD ACCEPT"}))

+			// init. condition

+			golden.Assert(t, getRules(t, iptable4, fwdChainName),

+				fmt.Sprintf("TestUserChain_iptables-%v_append-%v_fwdinit4", tc.iptables, tc.append))

+			golden.Assert(t, getRules(t, iptable6, fwdChainName),

+				fmt.Sprintf("TestUserChain_iptables-%v_append-%v_fwdinit6", tc.iptables, tc.append))

-			if tc.insert {

-				_, err = iptable4.Raw("-A", fwdChainName, "-j", "DROP")

+			if tc.append {

+				_, err := iptable4.Raw("-A", fwdChainName, "-j", "DROP")

 				assert.Check(t, err)

 				_, err = iptable6.Raw("-A", fwdChainName, "-j", "DROP")

 				assert.Check(t, err)

 			}

 			arrangeUserFilterRule()

-			assert.Check(t, is.DeepEqual(getRules(t, iptable4, fwdChainName), tc.fwdChain))

-			assert.Check(t, is.DeepEqual(getRules(t, iptable6, fwdChainName), tc.fwdChain))

-			if tc.userChain != nil {

-				assert.Check(t, is.DeepEqual(getRules(t, iptable4, usrChainName), tc.userChain))

-				assert.Check(t, is.DeepEqual(getRules(t, iptable6, usrChainName), tc.userChain))

+			golden.Assert(t, getRules(t, iptable4, fwdChainName),

+				fmt.Sprintf("TestUserChain_iptables-%v_append-%v_fwdafter4", tc.iptables, tc.append))

+			golden.Assert(t, getRules(t, iptable6, fwdChainName),

+				fmt.Sprintf("TestUserChain_iptables-%v_append-%v_fwdafter6", tc.iptables, tc.append))

+

+			if tc.iptables {

+				golden.Assert(t, getRules(t, iptable4, usrChainName),

+					fmt.Sprintf("TestUserChain_iptables-%v_append-%v_usrafter4", tc.iptables, tc.append))

+				golden.Assert(t, getRules(t, iptable6, usrChainName),

+					fmt.Sprintf("TestUserChain_iptables-%v_append-%v_usrafter6", tc.iptables, tc.append))

 			} else {

-				_, err = iptable4.Raw("-S", usrChainName)

+				_, err := iptable4.Raw("-S", usrChainName)

 				assert.Check(t, is.ErrorContains(err, "No chain/target/match by that name"), "ipv4 chain %v: created unexpectedly", usrChainName)

 				_, err = iptable6.Raw("-S", usrChainName)

 				assert.Check(t, is.ErrorContains(err, "No chain/target/match by that name"), "ipv6 chain %v: created unexpectedly", usrChainName)

@@ -91,16 +91,11 @@ func TestUserChain(t *testing.T) {

 	}

 }

-func getRules(t *testing.T, iptable *iptables.IPTable, chain string) []string {

+func getRules(t *testing.T, iptable *iptables.IPTable, chain string) string {

 	t.Helper()

 	output, err := iptable.Raw("-S", chain)

 	assert.NilError(t, err, "chain %s: failed to get rules", chain)

-

-	rules := strings.Split(string(output), "\n")

-	if len(rules) > 0 {

-		rules = rules[:len(rules)-1]

-	}

-	return rules

+	return string(output)

 }

 func resetIptables(t *testing.T) {

new file mode 100644

@@ -0,0 +1 @@

+-P FORWARD ACCEPT

new file mode 100644

@@ -0,0 +1 @@

+-P FORWARD ACCEPT

new file mode 100644

@@ -0,0 +1 @@

+-P FORWARD ACCEPT

new file mode 100644

@@ -0,0 +1 @@

+-P FORWARD ACCEPT

new file mode 100644

@@ -0,0 +1,2 @@

+-P FORWARD ACCEPT

+-A FORWARD -j DOCKER-USER

new file mode 100644

@@ -0,0 +1,2 @@

+-P FORWARD ACCEPT

+-A FORWARD -j DOCKER-USER

new file mode 100644

@@ -0,0 +1 @@

+-P FORWARD ACCEPT

new file mode 100644

@@ -0,0 +1 @@

+-P FORWARD ACCEPT

new file mode 100644

@@ -0,0 +1,2 @@

+-N DOCKER-USER

+-A DOCKER-USER -j RETURN

new file mode 100644

@@ -0,0 +1,2 @@

+-N DOCKER-USER

+-A DOCKER-USER -j RETURN

new file mode 100644

@@ -0,0 +1,3 @@

+-P FORWARD ACCEPT

+-A FORWARD -j DOCKER-USER

+-A FORWARD -j DROP

new file mode 100644

@@ -0,0 +1,3 @@

+-P FORWARD ACCEPT

+-A FORWARD -j DOCKER-USER

+-A FORWARD -j DROP

new file mode 100644

@@ -0,0 +1 @@

+-P FORWARD ACCEPT

new file mode 100644

@@ -0,0 +1 @@

+-P FORWARD ACCEPT

new file mode 100644

@@ -0,0 +1,2 @@

+-N DOCKER-USER

+-A DOCKER-USER -j RETURN

new file mode 100644

@@ -0,0 +1,2 @@

+-N DOCKER-USER

+-A DOCKER-USER -j RETURN