@@ -734,6 +734,7 @@ func testLiveRestoreVolumeReferences(t *testing.T) {

 func testLiveRestoreUserChainsSetup(t *testing.T) {

 	skip.If(t, testEnv.IsRootless(), "rootless daemon uses it's own network namespace")

+	skip.If(t, testEnv.FirewallBackendDriver() == "nftables", "nftables enabled, skipping iptables test")

 	t.Parallel()

 	ctx := testutil.StartSpan(baseContext, t)

@@ -306,17 +306,30 @@ func TestFilterForwardPolicy(t *testing.T) {

 			)

 			host := l3.Hosts[hostname]

-			getFwdPolicy := func(cmd string) string {

+			getFwdPolicy := func(usingNftables bool, fam string) string {

 				t.Helper()

-				out := host.MustRun(t, cmd, "-S", "FORWARD")

-				if strings.HasPrefix(out, "-P FORWARD ACCEPT") {

-					return "ACCEPT"

-				}

-				if strings.HasPrefix(out, "-P FORWARD DROP") {

-					return "DROP"

+				if usingNftables {

+					out := host.MustRun(t, "nft", "list chain "+fam+" docker-bridges filter-FORWARD")

+					if strings.Contains(out, "policy accept") {

+						return "ACCEPT"

+					}

+					if strings.Contains(out, "policy drop") {

+						return "DROP"

+					}

+					t.Fatalf("Failed to determine nftables filter-FORWARD policy: %s", out)

+					return ""

+				} else {

+					cmd := fam + "tables"

+					out := host.MustRun(t, cmd, "-S", "FORWARD")

+					if strings.HasPrefix(out, "-P FORWARD ACCEPT") {

+						return "ACCEPT"

+					}

+					if strings.HasPrefix(out, "-P FORWARD DROP") {

+						return "DROP"

+					}

+					t.Fatalf("Failed to determine %s FORWARD policy: %s", cmd, out)

+					return ""

 				}

-				t.Fatalf("Failed to determine %s FORWARD policy: %s", cmd, out)

-				return ""

 			}

 			type sysctls struct{ v4, v6def, v6all string }

@@ -342,21 +355,22 @@ func TestFilterForwardPolicy(t *testing.T) {

 				d.StartWithBusybox(ctx, t, tc.daemonArgs...)

 				t.Cleanup(func() { d.Stop(t) })

 			})

+			usingNftables := d.FirewallBackendDriver(t) == "nftables"

 			c := d.NewClientT(t)

 			t.Cleanup(func() { c.Close() })

 			// If necessary, the IPv4 policy should have been updated when the default bridge network was created.

-			assert.Check(t, is.Equal(getFwdPolicy("iptables"), tc.expPolicy))

+			assert.Check(t, is.Equal(getFwdPolicy(usingNftables, "ip"), tc.expPolicy))

 			// IPv6 policy should not have been updated yet.

-			assert.Check(t, is.Equal(getFwdPolicy("ip6tables"), "ACCEPT"))

+			assert.Check(t, is.Equal(getFwdPolicy(usingNftables, "ip6"), "ACCEPT"))

 			assert.Check(t, is.Equal(getSysctls(), sysctls{tc.expForwarding, tc.initForwarding, tc.initForwarding}))

 			// If necessary, creating an IPv6 network should update the sysctls and policy.

 			const netName = "testnetffp"

 			network.CreateNoError(ctx, t, c, netName, network.WithIPv6())

 			t.Cleanup(func() { network.RemoveNoError(ctx, t, c, netName) })

-			assert.Check(t, is.Equal(getFwdPolicy("iptables"), tc.expPolicy))

-			assert.Check(t, is.Equal(getFwdPolicy("ip6tables"), tc.expPolicy))

+			assert.Check(t, is.Equal(getFwdPolicy(usingNftables, "ip"), tc.expPolicy))

+			assert.Check(t, is.Equal(getFwdPolicy(usingNftables, "ip6"), tc.expPolicy))

 			assert.Check(t, is.Equal(getSysctls(), sysctls{tc.expForwarding, tc.expForwarding, tc.expForwarding}))

 		})

 	}

@@ -217,6 +217,7 @@ var iptCmds = map[iptCmdType][]string{

 func TestBridgeIptablesDoc(t *testing.T) {

 	skip.If(t, networking.FirewalldRunning(), "can't document iptables rules, running under firewalld")

 	skip.If(t, testEnv.IsRootless)

+	skip.If(t, testEnv.FirewallBackendDriver() == "nftables")

 	ctx := setupTest(t)

 	// Get the full path for "bundles/TestBridgeIptablesDoc".

@@ -93,7 +93,14 @@ func TestHostIPv4BridgeLabel(t *testing.T) {

 	assert.NilError(t, err)

 	assert.Assert(t, len(out.IPAM.Config) > 0)

 	// Make sure the SNAT rule exists

-	testutil.RunCommand(ctx, "iptables", "-t", "nat", "-C", "POSTROUTING", "-s", out.IPAM.Config[0].Subnet, "!", "-o", bridgeName, "-j", "SNAT", "--to-source", ipv4SNATAddr).Assert(t, icmd.Success)

+	if testEnv.FirewallBackendDriver() == "nftables" {

+		chain := testutil.RunCommand(ctx, "nft", "--stateless", "list", "chain", "ip", "docker-bridges", "nat-postrouting-out__hostIPv4Bridge").Combined()

+		exp := fmt.Sprintf(`oifname != "hostIPv4Bridge" ip saddr %s counter snat to %s comment "SNAT"`,

+			out.IPAM.Config[0].Subnet, ipv4SNATAddr)

+		assert.Check(t, is.Contains(chain, exp))

+	} else {

+		testutil.RunCommand(ctx, "iptables", "-t", "nat", "-C", "POSTROUTING", "-s", out.IPAM.Config[0].Subnet, "!", "-o", bridgeName, "-j", "SNAT", "--to-source", ipv4SNATAddr).Assert(t, icmd.Success)

+	}

 }

 func TestDefaultNetworkOpts(t *testing.T) {

@@ -510,23 +510,26 @@ func TestRoutedAccessToPublishedPort(t *testing.T) {

 	ctx := setupTest(t)

 	testcases := []struct {

-		name          string

-		userlandProxy bool

-		skipINC       bool

-		expResponse   bool

+		name                string

+		userlandProxy       bool

+		skipINC             bool

+		expResponseIptables bool

+		expResponseNftables bool

 	}{

 		{

-			name:          "proxy=true/skipICC=false",

-			userlandProxy: true,

-			expResponse:   true,

+			name:                "proxy=true/skipINC=false",

+			userlandProxy:       true,

+			expResponseIptables: true,

+			expResponseNftables: true,

 		},

 		{

-			name: "proxy=false/skipICC=false",

+			name:                "proxy=false/skipINC=false",

+			expResponseNftables: true,

 		},

 		{

-			name:        "proxy=false/skipICC=true",

-			skipINC:     true,

-			expResponse: true,

+			name:                "proxy=false/skipINC=true",

+			skipINC:             true,

+			expResponseIptables: true,

 		},

 	}

@@ -535,6 +538,10 @@ func TestRoutedAccessToPublishedPort(t *testing.T) {

 			d := daemon.New(t)

 			d.StartWithBusybox(ctx, t, "--ipv6", "--userland-proxy="+strconv.FormatBool(tc.userlandProxy))

 			defer d.Stop(t)

+			usingNftables := d.FirewallBackendDriver(t) == "nftables"

+			if usingNftables && tc.skipINC {

+				t.Skip("Skipping iptables skip-INC test, using nftables")

+			}

 			c := d.NewClientT(t)

 			defer c.Close()

@@ -603,7 +610,7 @@ func TestRoutedAccessToPublishedPort(t *testing.T) {

 						container.WithNetworkMode(routedNetName),

 						container.WithCmd("wget", "-O-", "-T3", url),

 					)

-					if tc.expResponse {

+					if (usingNftables && tc.expResponseNftables) || (!usingNftables && tc.expResponseIptables) {

 						// 404 Not Found means the server responded, but it's got nothing to serve.

 						assert.Check(t, is.Contains(res.Stderr.String(), "404 Not Found"), "url: %s", url)

 					} else {

@@ -1032,16 +1039,23 @@ func TestNoIP6Tables(t *testing.T) {

 			id := container.Run(ctx, t, c, container.WithNetworkMode(netName))

 			defer c.ContainerRemove(ctx, id, containertypes.RemoveOptions{Force: true})

-			res, err := exec.Command("/usr/sbin/ip6tables-save").CombinedOutput()

+			var cmd *exec.Cmd

+			if d.FirewallBackendDriver(t) == "nftables" {

+				cmd = exec.Command("nft", "list", "table", "ip6", "docker-bridges")

+			} else {

+				cmd = exec.Command("/usr/sbin/ip6tables-save")

+			}

+			res, err := cmd.CombinedOutput()

 			assert.NilError(t, err)

+			dump := string(res)

 			if tc.expIPTables {

-				assert.Check(t, is.Contains(string(res), subnet))

-				assert.Check(t, is.Contains(string(res), bridgeName))

+				assert.Check(t, is.Contains(dump, subnet))

+				assert.Check(t, is.Contains(dump, bridgeName))

 			} else {

-				assert.Check(t, !strings.Contains(string(res), subnet),

-					fmt.Sprintf("Didn't expect to find '%s' in '%s'", subnet, string(res)))

-				assert.Check(t, !strings.Contains(string(res), bridgeName),

-					fmt.Sprintf("Didn't expect to find '%s' in '%s'", bridgeName, string(res)))

+				assert.Check(t, !strings.Contains(dump, subnet),

+					fmt.Sprintf("Didn't expect to find '%s' in '%s'", subnet, dump))

+				assert.Check(t, !strings.Contains(dump, bridgeName),

+					fmt.Sprintf("Didn't expect to find '%s' in '%s'", bridgeName, dump))

 			}

 		})

 	}

@@ -1690,6 +1704,8 @@ func TestNetworkInspectGateway(t *testing.T) {

 func TestDropInForwardChain(t *testing.T) {

 	skip.If(t, networking.FirewalldRunning(), "can't use firewalld in host netns to add rules in L3Segment")

 	skip.If(t, testEnv.IsRootless, "rootless has its own netns")

+	skip.If(t, !strings.Contains(testEnv.FirewallBackendDriver(), "iptables"),

+		"test is iptables specific, and iptables isn't in use")

 	// Run the test in its own netns, to avoid interfering with iptables on the test host.

 	const l3SegHost = "difc"

@@ -1228,6 +1228,8 @@ func getContainerStdout(t *testing.T, ctx context.Context, c *client.Client, ctr

 // See https://github.com/moby/moby/issues/49557

 func TestSkipRawRules(t *testing.T) {

 	skip.If(t, networking.FirewalldRunning(), "can't use firewalld in host netns to add rules in L3Segment")

+	skip.If(t, !strings.Contains(testEnv.FirewallBackendDriver(), "iptables"),

+		"test is iptables specific, and iptables isn't in use")

 	skip.If(t, testEnv.IsRootless, "can't use L3Segment, or check iptables rules")

 	testcases := []struct {

@@ -184,6 +184,7 @@ func TestSwarmScopedNetFromConfig(t *testing.T) {

 func TestDockerIngressChainPosition(t *testing.T) {

 	skip.If(t, testEnv.IsRemoteDaemon)

 	skip.If(t, testEnv.IsRootless, "rootless mode doesn't support Swarm-mode")

+	skip.If(t, testEnv.FirewallBackendDriver() == "nftables")

 	skip.If(t, networking.FirewalldRunning(), "can't use firewalld in host netns to add rules in L3Segment")

 	ctx := setupTest(t)

@@ -232,3 +232,12 @@ func (e *Execution) GitHubActions() bool {

 func (e *Execution) NotAmd64() bool {

 	return e.DaemonVersion.Arch != "amd64"

 }

+

+// FirewallBackendDriver returns the value of FirewallBackend.Driver from

+// system Info if set, else the empty string.

+func (e *Execution) FirewallBackendDriver() string {

+	if e.DaemonInfo.FirewallBackend == nil {

+		return ""

+	}

+	return e.DaemonInfo.FirewallBackend.Driver

+}