@@ -329,6 +329,21 @@ func (n *bridgeNetwork) registerIptCleanFunc(clean iptableCleanFunc) {

 	n.iptCleanFuncs = append(n.iptCleanFuncs, clean)

 }

+func (n *bridgeNetwork) iptablesEnabled(version iptables.IPVersion) (bool, error) {

+	n.Lock()

+	defer n.Unlock()

+	if n.driver == nil {

+		return false, types.InvalidParameterErrorf("no driver found")

+	}

+

+	n.driver.Lock()

+	defer n.driver.Unlock()

+	if version == iptables.IPv6 {

+		return n.driver.config.EnableIP6Tables, nil

+	}

+	return n.driver.config.EnableIPTables, nil

+}

+

 func (n *bridgeNetwork) getDriverChains(version iptables.IPVersion) (*iptables.ChainInfo, *iptables.ChainInfo, *iptables.ChainInfo, *iptables.ChainInfo, error) {

 	n.Lock()

 	defer n.Unlock()

@@ -5,6 +5,7 @@ import (

 	"errors"

 	"fmt"

 	"net"

+	"strconv"

 	"github.com/containerd/log"

 	"github.com/docker/docker/libnetwork/iptables"

@@ -291,24 +292,96 @@ func (n *bridgeNetwork) setPerPortIptables(b portBinding, enable bool) error {

 		v = iptables.IPv6

 	}

-	natChain, _, _, _, err := n.getDriverChains(v)

-	if err != nil || natChain == nil {

+	if enabled, err := n.iptablesEnabled(v); err != nil || !enabled {

 		// Nothing to do, iptables/ip6tables is not enabled.

 		return nil

 	}

-	action := iptables.Delete

-	if enable {

-		action = iptables.Insert

-	}

-	return natChain.Forward(

-		action,

-		b.HostIP,

-		int(b.HostPort),

-		b.Proto.String(),

-		b.IP.String(),

-		int(b.Port),

-		n.getNetworkBridgeName(),

-	)

+

+	bridgeName := n.getNetworkBridgeName()

+	proxyPath := n.userlandProxyPath()

+	if err := setPerPortNAT(b, v, proxyPath, bridgeName, enable); err != nil {

+		return err

+	}

+	if err := setPerPortForwarding(b, v, bridgeName, enable); err != nil {

+		return err

+	}

+	return nil

+}

+

+func setPerPortNAT(b portBinding, ipv iptables.IPVersion, proxyPath string, bridgeName string, enable bool) error {

+	// iptables interprets "0.0.0.0" as "0.0.0.0/32", whereas we

+	// want "0.0.0.0/0". "0/0" is correctly interpreted as "any

+	// value" by both iptables and ip6tables.

+	hostIP := "0/0"

+	if !b.HostIP.IsUnspecified() {

+		hostIP = b.HostIP.String()

+	}

+	args := []string{

+		"-p", b.Proto.String(),

+		"-d", hostIP,

+		"--dport", strconv.Itoa(int(b.HostPort)),

+		"-j", "DNAT",

+		"--to-destination", net.JoinHostPort(b.IP.String(), strconv.Itoa(int(b.Port))),

+	}

+	hairpinMode := proxyPath == ""

+	if !hairpinMode {

+		args = append(args, "!", "-i", bridgeName)

+	}

+	rule := iptRule{ipv: ipv, table: iptables.Nat, chain: DockerChain, args: args}

+	if err := programChainRule(rule, "DNAT", enable); err != nil {

+		return err

+	}

+

+	args = []string{

+		"-p", b.Proto.String(),

+		"-s", b.IP.String(),

+		"-d", b.IP.String(),

+		"--dport", strconv.Itoa(int(b.Port)),

+		"-j", "MASQUERADE",

+	}

+	rule = iptRule{ipv: ipv, table: iptables.Nat, chain: "POSTROUTING", args: args}

+	if err := programChainRule(rule, "MASQUERADE", enable); err != nil {

+		return err

+	}

+

+	return nil

+}

+

+func setPerPortForwarding(b portBinding, ipv iptables.IPVersion, bridgeName string, enable bool) error {

+	args := []string{

+		"!", "-i", bridgeName,

+		"-o", bridgeName,

+		"-p", b.Proto.String(),

+		"-d", b.IP.String(),

+		"--dport", strconv.Itoa(int(b.Port)),

+		"-j", "ACCEPT",

+	}

+	rule := iptRule{ipv: ipv, table: iptables.Filter, chain: DockerChain, args: args}

+	if err := programChainRule(rule, "MASQUERADE", enable); err != nil {

+		return err

+	}

+

+	if b.Proto == types.SCTP {

+		// Linux kernel v4.9 and below enables NETIF_F_SCTP_CRC for veth by

+		// the following commit.

+		// This introduces a problem when combined with a physical NIC without

+		// NETIF_F_SCTP_CRC. As for a workaround, here we add an iptables entry

+		// to fill the checksum.

+		//

+		// https://github.com/torvalds/linux/commit/c80fafbbb59ef9924962f83aac85531039395b18

+		args = []string{

+			"-p", b.Proto.String(),

+			"--sport", strconv.Itoa(int(b.Port)),

+			"-j", "CHECKSUM",

+			"--checksum-fill",

+		}

+		rule := iptRule{ipv: ipv, table: iptables.Mangle, chain: "POSTROUTING", args: args}

+		if err := programChainRule(rule, "MASQUERADE", enable); err != nil {

+			return err

+		}

+	}

+

+	return nil

 }

 func (n *bridgeNetwork) reapplyPerPortIptables4() {

@@ -41,11 +41,9 @@ func setupIPChains(config configuration, version iptables.IPVersion) (natChain *

 		return nil, nil, nil, nil, errors.New("cannot create new chains, ip6tables is disabled")

 	}

-	hairpinMode := !config.EnableUserlandProxy

-

 	iptable := iptables.GetIptable(version)

-	natChain, err := iptable.NewChain(DockerChain, iptables.Nat, hairpinMode)

+	natChain, err := iptable.NewChain(DockerChain, iptables.Nat)

 	if err != nil {

 		return nil, nil, nil, nil, fmt.Errorf("failed to create NAT chain %s: %v", DockerChain, err)

 	}

@@ -57,7 +55,7 @@ func setupIPChains(config configuration, version iptables.IPVersion) (natChain *

 		}

 	}()

-	filterChain, err = iptable.NewChain(DockerChain, iptables.Filter, false)

+	filterChain, err = iptable.NewChain(DockerChain, iptables.Filter)

 	if err != nil {

 		return nil, nil, nil, nil, fmt.Errorf("failed to create FILTER chain %s: %v", DockerChain, err)

 	}

@@ -69,7 +67,7 @@ func setupIPChains(config configuration, version iptables.IPVersion) (natChain *

 		}

 	}()

-	isolationChain1, err = iptable.NewChain(IsolationChain1, iptables.Filter, false)

+	isolationChain1, err = iptable.NewChain(IsolationChain1, iptables.Filter)

 	if err != nil {

 		return nil, nil, nil, nil, fmt.Errorf("failed to create FILTER isolation chain: %v", err)

 	}

@@ -81,7 +79,7 @@ func setupIPChains(config configuration, version iptables.IPVersion) (natChain *

 		}

 	}()

-	isolationChain2, err = iptable.NewChain(IsolationChain2, iptables.Filter, false)

+	isolationChain2, err = iptable.NewChain(IsolationChain2, iptables.Filter)

 	if err != nil {

 		return nil, nil, nil, nil, fmt.Errorf("failed to create FILTER isolation chain: %v", err)

 	}

@@ -41,7 +41,7 @@ func arrangeUserFilterRule() {

 // that are beyond the daemon's control.

 func setupUserChain(ipVersion iptables.IPVersion) error {

 	ipt := iptables.GetIptable(ipVersion)

-	if _, err := ipt.NewChain(userChain, iptables.Filter, false); err != nil {

+	if _, err := ipt.NewChain(userChain, iptables.Filter); err != nil {

 		return fmt.Errorf("failed to create %s %v chain: %v", userChain, ipVersion, err)

 	}

 	if err := ipt.AddReturnRule(userChain); err != nil {

@@ -34,7 +34,7 @@ func TestFirewalldInit(t *testing.T) {

 func TestReloaded(t *testing.T) {

 	iptable := GetIptable(IPv4)

-	fwdChain, err := iptable.NewChain("FWD", Filter, false)

+	fwdChain, err := iptable.NewChain("FWD", Filter)

 	if err != nil {

 		t.Fatal(err)

 	}

@@ -78,10 +78,9 @@ type IPTable struct {

 // ChainInfo defines the iptables chain.

 type ChainInfo struct {

-	Name        string

-	Table       Table

-	HairpinMode bool

-	IPVersion   IPVersion

+	Name      string

+	Table     Table

+	IPVersion IPVersion

 }

 // ChainError is returned to represent errors during ip table operation.

@@ -173,7 +172,7 @@ func GetIptable(version IPVersion) *IPTable {

 }

 // NewChain adds a new chain to ip table.

-func (iptable IPTable) NewChain(name string, table Table, hairpinMode bool) (*ChainInfo, error) {

+func (iptable IPTable) NewChain(name string, table Table) (*ChainInfo, error) {

 	if name == "" {

 		return nil, fmt.Errorf("could not create chain: chain name is empty")

 	}

@@ -189,10 +188,9 @@ func (iptable IPTable) NewChain(name string, table Table, hairpinMode bool) (*Ch

 		}

 	}

 	return &ChainInfo{

-		Name:        name,

-		Table:       table,

-		HairpinMode: hairpinMode,

-		IPVersion:   iptable.ipVersion,

+		Name:      name,

+		Table:     table,

+		IPVersion: iptable.ipVersion,

 	}, nil

 }

@@ -310,78 +308,6 @@ func (iptable IPTable) RemoveExistingChain(name string, table Table) error {

 	return c.Remove()

 }

-// Forward adds forwarding rule to 'filter' table and corresponding nat rule to 'nat' table.

-func (c *ChainInfo) Forward(action Action, ip net.IP, port int, proto, destAddr string, destPort int, bridgeName string) error {

-	iptable := GetIptable(c.IPVersion)

-	daddr := ip.String()

-	if ip.IsUnspecified() {

-		// iptables interprets "0.0.0.0" as "0.0.0.0/32", whereas we

-		// want "0.0.0.0/0". "0/0" is correctly interpreted as "any

-		// value" by both iptables and ip6tables.

-		daddr = "0/0"

-	}

-

-	args := []string{

-		"-p", proto,

-		"-d", daddr,

-		"--dport", strconv.Itoa(port),

-		"-j", "DNAT",

-		"--to-destination", net.JoinHostPort(destAddr, strconv.Itoa(destPort)),

-	}

-

-	if !c.HairpinMode {

-		args = append(args, "!", "-i", bridgeName)

-	}

-	if err := iptable.ProgramRule(Nat, c.Name, action, args); err != nil {

-		return err

-	}

-

-	args = []string{

-		"!", "-i", bridgeName,

-		"-o", bridgeName,

-		"-p", proto,

-		"-d", destAddr,

-		"--dport", strconv.Itoa(destPort),

-		"-j", "ACCEPT",

-	}

-	if err := iptable.ProgramRule(Filter, c.Name, action, args); err != nil {

-		return err

-	}

-

-	args = []string{

-		"-p", proto,

-		"-s", destAddr,

-		"-d", destAddr,

-		"--dport", strconv.Itoa(destPort),

-		"-j", "MASQUERADE",

-	}

-

-	if err := iptable.ProgramRule(Nat, "POSTROUTING", action, args); err != nil {

-		return err

-	}

-

-	if proto == "sctp" {

-		// Linux kernel v4.9 and below enables NETIF_F_SCTP_CRC for veth by

-		// the following commit.

-		// This introduces a problem when combined with a physical NIC without

-		// NETIF_F_SCTP_CRC. As for a workaround, here we add an iptables entry

-		// to fill the checksum.

-		//

-		// https://github.com/torvalds/linux/commit/c80fafbbb59ef9924962f83aac85531039395b18

-		args = []string{

-			"-p", proto,

-			"--sport", strconv.Itoa(destPort),

-			"-j", "CHECKSUM",

-			"--checksum-fill",

-		}

-		if err := iptable.ProgramRule(Mangle, "POSTROUTING", action, args); err != nil {

-			return err

-		}

-	}

-

-	return nil

-}

-

 // Link adds reciprocal ACCEPT rule for two supplied IP addresses.

 // Traffic is allowed from ip1 to ip2 and vice-versa

 func (c *ChainInfo) Link(action Action, ip1, ip2 net.IP, port int, proto string, bridgeName string) error {

@@ -21,7 +21,7 @@ func createNewChain(t *testing.T) (*IPTable, *ChainInfo, *ChainInfo) {

 	t.Helper()

 	iptable := GetIptable(IPv4)

-	natChain, err := iptable.NewChain(chainName, Nat, false)

+	natChain, err := iptable.NewChain(chainName, Nat)

 	if err != nil {

 		t.Fatal(err)

 	}

@@ -30,7 +30,7 @@ func createNewChain(t *testing.T) (*IPTable, *ChainInfo, *ChainInfo) {

 		t.Fatal(err)

 	}

-	filterChain, err := iptable.NewChain(chainName, Filter, false)

+	filterChain, err := iptable.NewChain(chainName, Filter)

 	if err != nil {

 		t.Fatal(err)

 	}

@@ -46,59 +46,6 @@ func TestNewChain(t *testing.T) {

 	createNewChain(t)

 }

-func TestForward(t *testing.T) {

-	iptable, natChain, filterChain := createNewChain(t)

-

-	ip := net.ParseIP("192.168.1.1")

-	port := 1234

-	dstAddr := "172.17.0.1"

-	dstPort := 4321

-	proto := "tcp"

-

-	err := natChain.Forward(Insert, ip, port, proto, dstAddr, dstPort, bridgeName)

-	if err != nil {

-		t.Fatal(err)

-	}

-

-	dnatRule := []string{

-		"-d", ip.String(),

-		"-p", proto,

-		"--dport", strconv.Itoa(port),

-		"-j", "DNAT",

-		"--to-destination", dstAddr + ":" + strconv.Itoa(dstPort),

-		"!", "-i", bridgeName,

-	}

-

-	if !iptable.Exists(natChain.Table, natChain.Name, dnatRule...) {

-		t.Fatal("DNAT rule does not exist")

-	}

-

-	filterRule := []string{

-		"!", "-i", bridgeName,

-		"-o", bridgeName,

-		"-d", dstAddr,

-		"-p", proto,

-		"--dport", strconv.Itoa(dstPort),

-		"-j", "ACCEPT",

-	}

-

-	if !iptable.Exists(filterChain.Table, filterChain.Name, filterRule...) {

-		t.Fatal("filter rule does not exist")

-	}

-

-	masqRule := []string{

-		"-d", dstAddr,

-		"-s", dstAddr,

-		"-p", proto,

-		"--dport", strconv.Itoa(dstPort),

-		"-j", "MASQUERADE",

-	}

-

-	if !iptable.Exists(natChain.Table, "POSTROUTING", masqRule...) {

-		t.Fatal("MASQUERADE rule does not exist")

-	}

-}

-

 func TestLink(t *testing.T) {

 	iptable, _, filterChain := createNewChain(t)

 	ip1 := net.ParseIP("192.168.1.1")

@@ -210,7 +157,7 @@ func RunConcurrencyTest(t *testing.T, allowXlock bool) {

 	group := new(errgroup.Group)

 	for i := 0; i < 10; i++ {

 		group.Go(func() error {

-			return natChain.Forward(Append, ip, port, proto, dstAddr, dstPort, "lo")

+			return addSomeRules(natChain, ip, port, proto, dstAddr, dstPort)

 		})

 	}

 	if err := group.Wait(); err != nil {

@@ -218,6 +165,50 @@ func RunConcurrencyTest(t *testing.T, allowXlock bool) {

 	}

 }

+// addSomeRules adds arbitrary iptable rules. RunConcurrencyTest previously used

+// iptables.Forward to create rules, that function has been removed. To preserve

+// the test, this function creates similar rules.

+func addSomeRules(c *ChainInfo, ip net.IP, port int, proto, destAddr string, destPort int) error {

+	iptable := GetIptable(c.IPVersion)

+	daddr := ip.String()

+

+	args := []string{

+		"-p", proto,

+		"-d", daddr,

+		"--dport", strconv.Itoa(port),

+		"-j", "DNAT",

+		"--to-destination", net.JoinHostPort(destAddr, strconv.Itoa(destPort)),

+	}

+	if err := iptable.ProgramRule(Nat, c.Name, Append, args); err != nil {

+		return err

+	}

+

+	args = []string{

+		"!", "-i", "lo",

+		"-o", "lo",

+		"-p", proto,

+		"-d", destAddr,

+		"--dport", strconv.Itoa(destPort),

+		"-j", "ACCEPT",

+	}

+	if err := iptable.ProgramRule(Filter, c.Name, Append, args); err != nil {

+		return err

+	}

+

+	args = []string{

+		"-p", proto,

+		"-s", destAddr,

+		"-d", destAddr,

+		"--dport", strconv.Itoa(destPort),

+		"-j", "MASQUERADE",

+	}

+	if err := iptable.ProgramRule(Nat, "POSTROUTING", Append, args); err != nil {

+		return err

+	}

+

+	return nil

+}

+

 func TestCleanup(t *testing.T) {

 	iptable, _, filterChain := createNewChain(t)

@@ -256,7 +247,7 @@ func TestExistsRaw(t *testing.T) {

 	iptable := GetIptable(IPv4)

-	_, err := iptable.NewChain(testChain1, Filter, false)

+	_, err := iptable.NewChain(testChain1, Filter)

 	if err != nil {

 		t.Fatal(err)

 	}

@@ -264,7 +255,7 @@ func TestExistsRaw(t *testing.T) {

 		iptable.RemoveExistingChain(testChain1, Filter)

 	}()

-	_, err = iptable.NewChain(testChain2, Filter, false)

+	_, err = iptable.NewChain(testChain2, Filter)

 	if err != nil {

 		t.Fatal(err)

 	}