Drop DOCKER-ISOLATION rules

The Inter-Network Communication rules in the iptables chains
DOCKER-ISOLATION-STAGE-1 / DOCKER-ISOLATION-STAGE-2 (which are
called from filter-FORWARD) currently:
- Block access from containers in one bridge network, to ports
  published to host addresses by containers in other bridge
  networks, when the userland-proxy is disabled.
  - But, that access is allowed when the proxy is enabled.
- Block access to all ports on container addresses in gateway
  mode "nat-unprotected" networks.
  - But, those ports can be accessed from anywhere else, including
    other hosts. Just not other bridge networks.
- Allow access from containers in "nat" bridge networks to published
  ports on container addresses in "routed" networks. But, to do that,
  extra INC rules are added for the routed network.

The INC rules are no longer needed to block access from containers
in one network to unpublished ports on container addresses in
other networks. Direct routing to containers in NAT networks is
blocked by the "raw-PREROUTING" rules that block access from
untrusted interfaces (all interfaces apart from the network's
own bridge).

Drop these INC rules to resolve the inconsistencies listed above,
with this change:
- Published ports on host addresses can be accessed from containers
  in other networks (even without the userland-proxy).
- The rules for direct routing between bridge networks are the same
  as the rules for direct routing from outside the Docker host
  (allowed for gw modes "routed" and "nat-unprotected", disallowed
  for "nat").

Fewer rules, so it's simpler, and perhaps slightly faster.

Internal networks (with no access to networks outside the host)
are also implemented using rules in the DOCKER-ISOLATION chains.
This change moves those rules to a new chain, DOCKER-INTERNAL,
and drops the DOCKER-ISOLATION chains.

Signed-off-by: Rob Murray <rob.murray@docker.com>

integration/network/bridge/iptablesdoc/generated/new-daemon.md

@@ -31,17 +31,12 @@ Table `filter`:
     Chain DOCKER-FORWARD (1 references)
     num   pkts bytes target     prot opt in     out     source               destination         
     1        0     0 DOCKER-CT  0    --  *      *       0.0.0.0/0            0.0.0.0/0           
-    2        0     0 DOCKER-ISOLATION-STAGE-1  0    --  *      *       0.0.0.0/0            0.0.0.0/0           
+    2        0     0 DOCKER-INTERNAL  0    --  *      *       0.0.0.0/0            0.0.0.0/0           
     3        0     0 DOCKER-BRIDGE  0    --  *      *       0.0.0.0/0            0.0.0.0/0           
     4        0     0 ACCEPT     0    --  docker0 *       0.0.0.0/0            0.0.0.0/0           
     
-    Chain DOCKER-ISOLATION-STAGE-1 (1 references)
+    Chain DOCKER-INTERNAL (1 references)
     num   pkts bytes target     prot opt in     out     source               destination         
-    1        0     0 DOCKER-ISOLATION-STAGE-2  0    --  docker0 !docker0  0.0.0.0/0            0.0.0.0/0           
-    
-    Chain DOCKER-ISOLATION-STAGE-2 (1 references)
-    num   pkts bytes target     prot opt in     out     source               destination         
-    1        0     0 DROP       0    --  *      docker0  0.0.0.0/0            0.0.0.0/0           
     
     Chain DOCKER-USER (1 references)
     num   pkts bytes target     prot opt in     out     source               destination         
@@ -57,8 +52,7 @@ Table `filter`:
     -N DOCKER-BRIDGE
     -N DOCKER-CT
     -N DOCKER-FORWARD
-    -N DOCKER-ISOLATION-STAGE-1
+    -N DOCKER-INTERNAL
-    -N DOCKER-ISOLATION-STAGE-2
     -N DOCKER-USER
     -A FORWARD -j DOCKER-USER
     -A FORWARD -j DOCKER-FORWARD
@@ -66,24 +60,23 @@ Table `filter`:
     -A DOCKER-BRIDGE -o docker0 -j DOCKER
     -A DOCKER-CT -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
     -A DOCKER-FORWARD -j DOCKER-CT
-    -A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1
+    -A DOCKER-FORWARD -j DOCKER-INTERNAL
     -A DOCKER-FORWARD -j DOCKER-BRIDGE
     -A DOCKER-FORWARD -i docker0 -j ACCEPT
-    -A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-    -A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
     
 
 </details>
 
 The FORWARD chain's policy shown above is ACCEPT. However:
 
-   - For IPv4, [setupIPForwarding][1] sets the POLICY to DROP if the sysctl
+   - For IPv4, [setupIPv4Forwarding][1] sets the POLICY to DROP if the sysctl
      net.ipv4.ip_forward was not set to '1', and the daemon set it itself when
      an IPv4-enabled bridge network was created.
-   - For IPv6, similar, but for sysctls "/proc/sys/net/ipv6/conf/default/forwarding"
+   - For IPv6, [similar][2], but for sysctls "/proc/sys/net/ipv6/conf/default/forwarding"
      and "/proc/sys/net/ipv6/conf/all/forwarding".
 
-[1]: https://github.com/moby/moby/blob/cff4f20c44a3a7c882ed73934dec6a77246c6323/libnetwork/drivers/bridge/setup_ip_forwarding.go#L44
+[1]: https://github.com/search?q=repo%3Amoby%2Fmoby%20setupIPv4Forwarding&type=code
+[2]: https://github.com/search?q=repo%3Amoby%2Fmoby%20setupIPv6Forwarding&type=code
 
 The FORWARD chain rules, explained in the order they appear in the output above, are:
 
@@ -93,7 +86,7 @@ The FORWARD chain rules, explained in the order they appear in the output above,
      It's (mostly) kept at the top of the by deleting it and re-creating after each
      new network is created, while traffic may be running for other networks.
   2. Unconditional jump to DOCKER-FORWARD.
-     This is set up by libnetwork, in [setupUserChain][10].
+     This is set up by libnetwork, in [setupIPChains][11].
 
 Once the daemon has initialised, it doesn't touch these rules. Users are free to
 append rules to the FORWARD chain, and they'll run after DOCKER's rules (or to
@@ -106,12 +99,12 @@ the output above, are:
 
   1. Unconditional jump to DOCKER-CT.
      Created during driver initialisation, in `setupIPChains`.
-  2. Unconditional jump to DOCKER-ISOLATION-STAGE-1.
+  2. Unconditional jump to DOCKER-INTERNAL.
      Also created during driver initialisation, in `setupIPChains`.
   3. Unconditional jump to DOCKER-BRIDGE.
      Also created during driver initialisation, in `setupIPChains`.
   4. ACCEPT any packet leaving a network, set up when the network is created, in
-     `setupIPTablesInternal`. Note that this accepts any packet leaving the
+     [setupIPTablesInternal][12]. Note that this accepts any packet leaving the
      network that's made it through the DOCKER and isolation chains, whether the
      destination is external or another network.
 
@@ -122,29 +115,21 @@ DOCKER-BRIDGE has a rule for each bridge network, to jump to the DOCKER chain.
 
 The DOCKER chain implements per-port/protocol filtering for each container.
 
-[10]: https://github.com/moby/moby/blob/e05848c0025b67a16aaafa8cdff95d5e2c064105/libnetwork/firewall_linux.go#L50
+[10]: https://github.com/search?q=repo%3Amoby%2Fmoby%20setupUserChain&type=code
-[11]: https://github.com/robmry/moby/blob/52c89d467fc5326149e4bbb8903d23589b66ff0d/libnetwork/drivers/bridge/setup_ip_tables_linux.go#L230-L232
+[11]: https://github.com/search?q=repo%3Amoby%2Fmoby%20setupIPChains&type=code
-[12]: https://github.com/robmry/moby/blob/52c89d467fc5326149e4bbb8903d23589b66ff0d/libnetwork/drivers/bridge/setup_ip_tables_linux.go#L227-L229
+[12]: https://github.com/search?q=repo%3Amoby%2Fmoby%20setupNonInternalNetworkRules&type=code
-[13]: https://github.com/robmry/moby/blob/52c89d467fc5326149e4bbb8903d23589b66ff0d/libnetwork/drivers/bridge/setup_ip_tables_linux.go#L223-L226
-[15]: https://github.com/moby/moby/blob/333cfa640239153477bf635a8131734d0e9d099d/libnetwork/drivers/bridge/setup_ip_tables_linux.go#L343
 
 The DOCKER chain has a single DROP rule for the bridge network, to drop any
 packets routed to the network that have not originated in the network. Added by
-[setDefaultForwardRule][21].
+[setDefaultForwardRule][20].
 _This means there is no dependency on the filter-FORWARD chain's default policy.
 Even if it is ACCEPT, packets will be dropped unless container ports/protocols
 are published._
 
-The DOCKER-ISOLATION chains implement inter-network isolation, all (unrelated)
+[20]: https://github.com/search?q=repo%3Amoby%2Fmoby%20setDefaultForwardRule&type=code
-packets are processed by these chains. The rule are inserted at the head of the
-chain when a network is created, in [setINC][20].
-  - DOCKER-ISOLATION-STAGE-1 jumps to DOCKER-ISOLATION-STAGE-2 for any packet
-    routed to a docker network that has not come from that docker network.
-  - DOCKER-ISOLATION-STAGE-2 processes all packets leaving a bridge network,
-    packets that are destined for any other network are dropped.
 
-[20]: https://github.com/moby/moby/blob/333cfa640239153477bf635a8131734d0e9d099d/libnetwork/drivers/bridge/setup_ip_tables_linux.go#L369
+The DOCKER-INTERNAL chain is for `--internal` networks (bridge networks that
-[21]: https://github.com/robmry/moby/blob/52c89d467fc5326149e4bbb8903d23589b66ff0d/libnetwork/drivers/bridge/setup_ip_tables_linux.go#L252
+have no external access), it's unused in this example.
 
 Table nat:
 
@@ -165,7 +150,6 @@ Table nat:
     
     Chain DOCKER (2 references)
     num   pkts bytes target     prot opt in     out     source               destination         
-    1        0     0 RETURN     0    --  docker0 *       0.0.0.0/0            0.0.0.0/0           
     
 
 <details>
@@ -179,7 +163,6 @@ Table nat:
     -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
     -A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
     -A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-    -A DOCKER -i docker0 -j RETURN
     
 
 </details>

integration/network/bridge/iptablesdoc/generated/swarm-portmap.md

@@ -36,7 +36,7 @@ The filter table is:
     num   pkts bytes target     prot opt in     out     source               destination         
     1        0     0 DOCKER-INGRESS  0    --  *      *       0.0.0.0/0            0.0.0.0/0           
     2        0     0 DOCKER-CT  0    --  *      *       0.0.0.0/0            0.0.0.0/0           
-    3        0     0 DOCKER-ISOLATION-STAGE-1  0    --  *      *       0.0.0.0/0            0.0.0.0/0           
+    3        0     0 DOCKER-INTERNAL  0    --  *      *       0.0.0.0/0            0.0.0.0/0           
     4        0     0 DOCKER-BRIDGE  0    --  *      *       0.0.0.0/0            0.0.0.0/0           
     5        0     0 ACCEPT     0    --  docker0 *       0.0.0.0/0            0.0.0.0/0           
     6        0     0 DROP       0    --  docker_gwbridge docker_gwbridge  0.0.0.0/0            0.0.0.0/0           
@@ -48,15 +48,8 @@ The filter table is:
     2        0     0 ACCEPT     6    --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spt:8080 ctstate RELATED,ESTABLISHED
     3        0     0 RETURN     0    --  *      *       0.0.0.0/0            0.0.0.0/0           
     
-    Chain DOCKER-ISOLATION-STAGE-1 (1 references)
+    Chain DOCKER-INTERNAL (1 references)
     num   pkts bytes target     prot opt in     out     source               destination         
-    1        0     0 DOCKER-ISOLATION-STAGE-2  0    --  docker0 !docker0  0.0.0.0/0            0.0.0.0/0           
-    2        0     0 DOCKER-ISOLATION-STAGE-2  0    --  docker_gwbridge !docker_gwbridge  0.0.0.0/0            0.0.0.0/0           
-    
-    Chain DOCKER-ISOLATION-STAGE-2 (2 references)
-    num   pkts bytes target     prot opt in     out     source               destination         
-    1        0     0 DROP       0    --  *      docker_gwbridge  0.0.0.0/0            0.0.0.0/0           
-    2        0     0 DROP       0    --  *      docker0  0.0.0.0/0            0.0.0.0/0           
     
     Chain DOCKER-USER (1 references)
     num   pkts bytes target     prot opt in     out     source               destination         
@@ -73,8 +66,7 @@ The filter table is:
     -N DOCKER-CT
     -N DOCKER-FORWARD
     -N DOCKER-INGRESS
-    -N DOCKER-ISOLATION-STAGE-1
+    -N DOCKER-INTERNAL
-    -N DOCKER-ISOLATION-STAGE-2
     -N DOCKER-USER
     -A FORWARD -j DOCKER-USER
     -A FORWARD -j DOCKER-FORWARD
@@ -86,7 +78,7 @@ The filter table is:
     -A DOCKER-CT -o docker_gwbridge -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
     -A DOCKER-FORWARD -j DOCKER-INGRESS
     -A DOCKER-FORWARD -j DOCKER-CT
-    -A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1
+    -A DOCKER-FORWARD -j DOCKER-INTERNAL
     -A DOCKER-FORWARD -j DOCKER-BRIDGE
     -A DOCKER-FORWARD -i docker0 -j ACCEPT
     -A DOCKER-FORWARD -i docker_gwbridge -o docker_gwbridge -j DROP
@@ -94,10 +86,6 @@ The filter table is:
     -A DOCKER-INGRESS -p tcp -m tcp --dport 8080 -j ACCEPT
     -A DOCKER-INGRESS -p tcp -m tcp --sport 8080 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
     -A DOCKER-INGRESS -j RETURN
-    -A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-    -A DOCKER-ISOLATION-STAGE-1 -i docker_gwbridge ! -o docker_gwbridge -j DOCKER-ISOLATION-STAGE-2
-    -A DOCKER-ISOLATION-STAGE-2 -o docker_gwbridge -j DROP
-    -A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
     
 
 </details>
@@ -132,8 +120,6 @@ And the corresponding nat table:
     
     Chain DOCKER (2 references)
     num   pkts bytes target     prot opt in     out     source               destination         
-    1        0     0 RETURN     0    --  docker_gwbridge *       0.0.0.0/0            0.0.0.0/0           
-    2        0     0 RETURN     0    --  docker0 *       0.0.0.0/0            0.0.0.0/0           
     
     Chain DOCKER-INGRESS (2 references)
     num   pkts bytes target     prot opt in     out     source               destination         
@@ -157,8 +143,6 @@ And the corresponding nat table:
     -A POSTROUTING -o docker_gwbridge -m addrtype --src-type LOCAL -j MASQUERADE
     -A POSTROUTING -s 172.18.0.0/16 ! -o docker_gwbridge -j MASQUERADE
     -A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-    -A DOCKER -i docker_gwbridge -j RETURN
-    -A DOCKER -i docker0 -j RETURN
     -A DOCKER-INGRESS -p tcp -m tcp --dport 8080 -j DNAT --to-destination 172.18.0.2:8080
     -A DOCKER-INGRESS -j RETURN
     

integration/network/bridge/iptablesdoc/generated/usernet-internal.md

@@ -46,23 +46,18 @@ The filter table is updated as follows:
     Chain DOCKER-FORWARD (1 references)
     num   pkts bytes target     prot opt in     out     source               destination         
     1        0     0 DOCKER-CT  0    --  *      *       0.0.0.0/0            0.0.0.0/0           
-    2        0     0 DOCKER-ISOLATION-STAGE-1  0    --  *      *       0.0.0.0/0            0.0.0.0/0           
+    2        0     0 DOCKER-INTERNAL  0    --  *      *       0.0.0.0/0            0.0.0.0/0           
     3        0     0 DOCKER-BRIDGE  0    --  *      *       0.0.0.0/0            0.0.0.0/0           
     4        0     0 ACCEPT     0    --  docker0 *       0.0.0.0/0            0.0.0.0/0           
     5        0     0 ACCEPT     0    --  bridgeICC bridgeICC  0.0.0.0/0            0.0.0.0/0           
     6        0     0 DROP       0    --  bridgeNoICC bridgeNoICC  0.0.0.0/0            0.0.0.0/0           
     
-    Chain DOCKER-ISOLATION-STAGE-1 (1 references)
+    Chain DOCKER-INTERNAL (1 references)
     num   pkts bytes target     prot opt in     out     source               destination         
     1        0     0 DROP       0    --  *      bridgeNoICC !198.51.100.0/24      0.0.0.0/0           
     2        0     0 DROP       0    --  bridgeNoICC *       0.0.0.0/0           !198.51.100.0/24     
     3        0     0 DROP       0    --  *      bridgeICC !192.0.2.0/24         0.0.0.0/0           
     4        0     0 DROP       0    --  bridgeICC *       0.0.0.0/0           !192.0.2.0/24        
-    5        0     0 DOCKER-ISOLATION-STAGE-2  0    --  docker0 !docker0  0.0.0.0/0            0.0.0.0/0           
-    
-    Chain DOCKER-ISOLATION-STAGE-2 (1 references)
-    num   pkts bytes target     prot opt in     out     source               destination         
-    1        0     0 DROP       0    --  *      docker0  0.0.0.0/0            0.0.0.0/0           
     
     Chain DOCKER-USER (1 references)
     num   pkts bytes target     prot opt in     out     source               destination         
@@ -78,8 +73,7 @@ The filter table is updated as follows:
     -N DOCKER-BRIDGE
     -N DOCKER-CT
     -N DOCKER-FORWARD
-    -N DOCKER-ISOLATION-STAGE-1
+    -N DOCKER-INTERNAL
-    -N DOCKER-ISOLATION-STAGE-2
     -N DOCKER-USER
     -A FORWARD -j DOCKER-USER
     -A FORWARD -j DOCKER-FORWARD
@@ -87,17 +81,15 @@ The filter table is updated as follows:
     -A DOCKER-BRIDGE -o docker0 -j DOCKER
     -A DOCKER-CT -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
     -A DOCKER-FORWARD -j DOCKER-CT
-    -A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1
+    -A DOCKER-FORWARD -j DOCKER-INTERNAL
     -A DOCKER-FORWARD -j DOCKER-BRIDGE
     -A DOCKER-FORWARD -i docker0 -j ACCEPT
     -A DOCKER-FORWARD -i bridgeICC -o bridgeICC -j ACCEPT
     -A DOCKER-FORWARD -i bridgeNoICC -o bridgeNoICC -j DROP
-    -A DOCKER-ISOLATION-STAGE-1 ! -s 198.51.100.0/24 -o bridgeNoICC -j DROP
+    -A DOCKER-INTERNAL ! -s 198.51.100.0/24 -o bridgeNoICC -j DROP
-    -A DOCKER-ISOLATION-STAGE-1 ! -d 198.51.100.0/24 -i bridgeNoICC -j DROP
+    -A DOCKER-INTERNAL ! -d 198.51.100.0/24 -i bridgeNoICC -j DROP
-    -A DOCKER-ISOLATION-STAGE-1 ! -s 192.0.2.0/24 -o bridgeICC -j DROP
+    -A DOCKER-INTERNAL ! -s 192.0.2.0/24 -o bridgeICC -j DROP
-    -A DOCKER-ISOLATION-STAGE-1 ! -d 192.0.2.0/24 -i bridgeICC -j DROP
+    -A DOCKER-INTERNAL ! -d 192.0.2.0/24 -i bridgeICC -j DROP
-    -A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-    -A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
     
 
 </details>
@@ -106,11 +98,9 @@ By comparison with the [network with external access][1]:
 
 - In the DOCKER-FORWARD chain, there is no ACCEPT rule for outgoing packets (`-i bridgeINC`).
 - There are no rules for this network in the DOCKER chain.
-- In DOCKER-ISOLATION-STAGE-1:
+- In DOCKER-INTERNAL:
   - Rule 1 drops any packet routed to the network that does not have a source address in the network's subnet.
   - Rule 2 drops any packet routed out of the network that does not have a dest address in the network's subnet.
-  - There is no jump to DOCKER-ISOLATION-STAGE-2.
-- DOCKER-ISOLATION-STAGE-2 is unused.
 
 The only difference between `bridgeICC` and `bridgeNoICC` is the rule in the DOCKER-FORWARD
 chain. To enable ICC, the rule for packets looping through the bridge is ACCEPT. For
@@ -137,7 +127,6 @@ And the corresponding nat table:
     
     Chain DOCKER (2 references)
     num   pkts bytes target     prot opt in     out     source               destination         
-    1        0     0 RETURN     0    --  docker0 *       0.0.0.0/0            0.0.0.0/0           
     
 
 <details>
@@ -151,7 +140,6 @@ And the corresponding nat table:
     -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
     -A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
     -A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-    -A DOCKER -i docker0 -j RETURN
     
 
 </details>

integration/network/bridge/iptablesdoc/generated/usernet-portmap-lo.md

@@ -42,20 +42,13 @@ The filter and nat tables are identical to [nat mode][0]:
     Chain DOCKER-FORWARD (1 references)
     num   pkts bytes target     prot opt in     out     source               destination         
     1        0     0 DOCKER-CT  0    --  *      *       0.0.0.0/0            0.0.0.0/0           
-    2        0     0 DOCKER-ISOLATION-STAGE-1  0    --  *      *       0.0.0.0/0            0.0.0.0/0           
+    2        0     0 DOCKER-INTERNAL  0    --  *      *       0.0.0.0/0            0.0.0.0/0           
     3        0     0 DOCKER-BRIDGE  0    --  *      *       0.0.0.0/0            0.0.0.0/0           
     4        0     0 ACCEPT     0    --  docker0 *       0.0.0.0/0            0.0.0.0/0           
     5        0     0 ACCEPT     0    --  bridge1 *       0.0.0.0/0            0.0.0.0/0           
     
-    Chain DOCKER-ISOLATION-STAGE-1 (1 references)
+    Chain DOCKER-INTERNAL (1 references)
     num   pkts bytes target     prot opt in     out     source               destination         
-    1        0     0 DOCKER-ISOLATION-STAGE-2  0    --  docker0 !docker0  0.0.0.0/0            0.0.0.0/0           
-    2        0     0 DOCKER-ISOLATION-STAGE-2  0    --  bridge1 !bridge1  0.0.0.0/0            0.0.0.0/0           
-    
-    Chain DOCKER-ISOLATION-STAGE-2 (2 references)
-    num   pkts bytes target     prot opt in     out     source               destination         
-    1        0     0 DROP       0    --  *      bridge1  0.0.0.0/0            0.0.0.0/0           
-    2        0     0 DROP       0    --  *      docker0  0.0.0.0/0            0.0.0.0/0           
     
     Chain DOCKER-USER (1 references)
     num   pkts bytes target     prot opt in     out     source               destination         
@@ -68,8 +61,7 @@ The filter and nat tables are identical to [nat mode][0]:
     -N DOCKER-BRIDGE
     -N DOCKER-CT
     -N DOCKER-FORWARD
-    -N DOCKER-ISOLATION-STAGE-1
+    -N DOCKER-INTERNAL
-    -N DOCKER-ISOLATION-STAGE-2
     -N DOCKER-USER
     -A FORWARD -j DOCKER-USER
     -A FORWARD -j DOCKER-FORWARD
@@ -81,14 +73,10 @@ The filter and nat tables are identical to [nat mode][0]:
     -A DOCKER-CT -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
     -A DOCKER-CT -o bridge1 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
     -A DOCKER-FORWARD -j DOCKER-CT
-    -A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1
+    -A DOCKER-FORWARD -j DOCKER-INTERNAL
     -A DOCKER-FORWARD -j DOCKER-BRIDGE
     -A DOCKER-FORWARD -i docker0 -j ACCEPT
     -A DOCKER-FORWARD -i bridge1 -j ACCEPT
-    -A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-    -A DOCKER-ISOLATION-STAGE-1 -i bridge1 ! -o bridge1 -j DOCKER-ISOLATION-STAGE-2
-    -A DOCKER-ISOLATION-STAGE-2 -o bridge1 -j DROP
-    -A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
     
 
 </details>
@@ -114,9 +102,7 @@ The filter and nat tables are identical to [nat mode][0]:
     
     Chain DOCKER (2 references)
     num   pkts bytes target     prot opt in     out     source               destination         
-    1        0     0 RETURN     0    --  bridge1 *       0.0.0.0/0            0.0.0.0/0           
+    1        0     0 DNAT       6    --  !bridge1 *       0.0.0.0/0            127.0.0.1            tcp dpt:8080 to:192.0.2.2:80
-    2        0     0 RETURN     0    --  docker0 *       0.0.0.0/0            0.0.0.0/0           
-    3        0     0 DNAT       6    --  !bridge1 *       0.0.0.0/0            127.0.0.1            tcp dpt:8080 to:192.0.2.2:80
     
 
     -P PREROUTING ACCEPT
@@ -128,8 +114,6 @@ The filter and nat tables are identical to [nat mode][0]:
     -A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
     -A POSTROUTING -s 192.0.2.0/24 ! -o bridge1 -j MASQUERADE
     -A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-    -A DOCKER -i bridge1 -j RETURN
-    -A DOCKER -i docker0 -j RETURN
     -A DOCKER -d 127.0.0.1/32 ! -i bridge1 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.0.2.2:80
     
 

integration/network/bridge/iptablesdoc/generated/usernet-portmap-natunprot.md

@@ -39,20 +39,13 @@ The filter table is:
     Chain DOCKER-FORWARD (1 references)
     num   pkts bytes target     prot opt in     out     source               destination         
     1        0     0 DOCKER-CT  0    --  *      *       0.0.0.0/0            0.0.0.0/0           
-    2        0     0 DOCKER-ISOLATION-STAGE-1  0    --  *      *       0.0.0.0/0            0.0.0.0/0           
+    2        0     0 DOCKER-INTERNAL  0    --  *      *       0.0.0.0/0            0.0.0.0/0           
     3        0     0 DOCKER-BRIDGE  0    --  *      *       0.0.0.0/0            0.0.0.0/0           
     4        0     0 ACCEPT     0    --  docker0 *       0.0.0.0/0            0.0.0.0/0           
     5        0     0 ACCEPT     0    --  bridge1 *       0.0.0.0/0            0.0.0.0/0           
     
-    Chain DOCKER-ISOLATION-STAGE-1 (1 references)
+    Chain DOCKER-INTERNAL (1 references)
     num   pkts bytes target     prot opt in     out     source               destination         
-    1        0     0 DOCKER-ISOLATION-STAGE-2  0    --  docker0 !docker0  0.0.0.0/0            0.0.0.0/0           
-    2        0     0 DOCKER-ISOLATION-STAGE-2  0    --  bridge1 !bridge1  0.0.0.0/0            0.0.0.0/0           
-    
-    Chain DOCKER-ISOLATION-STAGE-2 (2 references)
-    num   pkts bytes target     prot opt in     out     source               destination         
-    1        0     0 DROP       0    --  *      bridge1  0.0.0.0/0            0.0.0.0/0           
-    2        0     0 DROP       0    --  *      docker0  0.0.0.0/0            0.0.0.0/0           
     
     Chain DOCKER-USER (1 references)
     num   pkts bytes target     prot opt in     out     source               destination         
@@ -68,8 +61,7 @@ The filter table is:
     -N DOCKER-BRIDGE
     -N DOCKER-CT
     -N DOCKER-FORWARD
-    -N DOCKER-ISOLATION-STAGE-1
+    -N DOCKER-INTERNAL
-    -N DOCKER-ISOLATION-STAGE-2
     -N DOCKER-USER
     -A FORWARD -j DOCKER-USER
     -A FORWARD -j DOCKER-FORWARD
@@ -80,14 +72,10 @@ The filter table is:
     -A DOCKER-CT -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
     -A DOCKER-CT -o bridge1 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
     -A DOCKER-FORWARD -j DOCKER-CT
-    -A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1
+    -A DOCKER-FORWARD -j DOCKER-INTERNAL
     -A DOCKER-FORWARD -j DOCKER-BRIDGE
     -A DOCKER-FORWARD -i docker0 -j ACCEPT
     -A DOCKER-FORWARD -i bridge1 -j ACCEPT
-    -A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-    -A DOCKER-ISOLATION-STAGE-1 -i bridge1 ! -o bridge1 -j DOCKER-ISOLATION-STAGE-2
-    -A DOCKER-ISOLATION-STAGE-2 -o bridge1 -j DROP
-    -A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
     
 
 </details>
@@ -128,9 +116,7 @@ The nat table is identical to [nat mode][400].
     
     Chain DOCKER (2 references)
     num   pkts bytes target     prot opt in     out     source               destination         
-    1        0     0 RETURN     0    --  bridge1 *       0.0.0.0/0            0.0.0.0/0           
+    1        0     0 DNAT       6    --  !bridge1 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8080 to:192.0.2.2:80
-    2        0     0 RETURN     0    --  docker0 *       0.0.0.0/0            0.0.0.0/0           
-    3        0     0 DNAT       6    --  !bridge1 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8080 to:192.0.2.2:80
     
 
     -P PREROUTING ACCEPT
@@ -142,8 +128,6 @@ The nat table is identical to [nat mode][400].
     -A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
     -A POSTROUTING -s 192.0.2.0/24 ! -o bridge1 -j MASQUERADE
     -A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-    -A DOCKER -i bridge1 -j RETURN
-    -A DOCKER -i docker0 -j RETURN
     -A DOCKER ! -i bridge1 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.0.2.2:80
     
 

integration/network/bridge/iptablesdoc/generated/usernet-portmap-noicc.md

@@ -40,21 +40,14 @@ The filter table is:
     Chain DOCKER-FORWARD (1 references)
     num   pkts bytes target     prot opt in     out     source               destination         
     1        0     0 DOCKER-CT  0    --  *      *       0.0.0.0/0            0.0.0.0/0           
-    2        0     0 DOCKER-ISOLATION-STAGE-1  0    --  *      *       0.0.0.0/0            0.0.0.0/0           
+    2        0     0 DOCKER-INTERNAL  0    --  *      *       0.0.0.0/0            0.0.0.0/0           
     3        0     0 DOCKER-BRIDGE  0    --  *      *       0.0.0.0/0            0.0.0.0/0           
     4        0     0 ACCEPT     0    --  docker0 *       0.0.0.0/0            0.0.0.0/0           
     5        0     0 DROP       0    --  bridge1 bridge1  0.0.0.0/0            0.0.0.0/0           
     6        0     0 ACCEPT     0    --  bridge1 !bridge1  0.0.0.0/0            0.0.0.0/0           
     
-    Chain DOCKER-ISOLATION-STAGE-1 (1 references)
+    Chain DOCKER-INTERNAL (1 references)
     num   pkts bytes target     prot opt in     out     source               destination         
-    1        0     0 DOCKER-ISOLATION-STAGE-2  0    --  docker0 !docker0  0.0.0.0/0            0.0.0.0/0           
-    2        0     0 DOCKER-ISOLATION-STAGE-2  0    --  bridge1 !bridge1  0.0.0.0/0            0.0.0.0/0           
-    
-    Chain DOCKER-ISOLATION-STAGE-2 (2 references)
-    num   pkts bytes target     prot opt in     out     source               destination         
-    1        0     0 DROP       0    --  *      bridge1  0.0.0.0/0            0.0.0.0/0           
-    2        0     0 DROP       0    --  *      docker0  0.0.0.0/0            0.0.0.0/0           
     
     Chain DOCKER-USER (1 references)
     num   pkts bytes target     prot opt in     out     source               destination         
@@ -70,8 +63,7 @@ The filter table is:
     -N DOCKER-BRIDGE
     -N DOCKER-CT
     -N DOCKER-FORWARD
-    -N DOCKER-ISOLATION-STAGE-1
+    -N DOCKER-INTERNAL
-    -N DOCKER-ISOLATION-STAGE-2
     -N DOCKER-USER
     -A FORWARD -j DOCKER-USER
     -A FORWARD -j DOCKER-FORWARD
@@ -83,15 +75,11 @@ The filter table is:
     -A DOCKER-CT -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
     -A DOCKER-CT -o bridge1 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
     -A DOCKER-FORWARD -j DOCKER-CT
-    -A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1
+    -A DOCKER-FORWARD -j DOCKER-INTERNAL
     -A DOCKER-FORWARD -j DOCKER-BRIDGE
     -A DOCKER-FORWARD -i docker0 -j ACCEPT
     -A DOCKER-FORWARD -i bridge1 -o bridge1 -j DROP
     -A DOCKER-FORWARD -i bridge1 ! -o bridge1 -j ACCEPT
-    -A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-    -A DOCKER-ISOLATION-STAGE-1 -i bridge1 ! -o bridge1 -j DOCKER-ISOLATION-STAGE-2
-    -A DOCKER-ISOLATION-STAGE-2 -o bridge1 -j DROP
-    -A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
     
 
 </details>
@@ -124,9 +112,7 @@ And the corresponding nat table:
     
     Chain DOCKER (2 references)
     num   pkts bytes target     prot opt in     out     source               destination         
-    1        0     0 RETURN     0    --  bridge1 *       0.0.0.0/0            0.0.0.0/0           
+    1        0     0 DNAT       6    --  !bridge1 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8080 to:192.0.2.2:80
-    2        0     0 RETURN     0    --  docker0 *       0.0.0.0/0            0.0.0.0/0           
-    3        0     0 DNAT       6    --  !bridge1 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8080 to:192.0.2.2:80
     
 
 <details>
@@ -141,8 +127,6 @@ And the corresponding nat table:
     -A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
     -A POSTROUTING -s 192.0.2.0/24 ! -o bridge1 -j MASQUERADE
     -A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-    -A DOCKER -i bridge1 -j RETURN
-    -A DOCKER -i docker0 -j RETURN
     -A DOCKER ! -i bridge1 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.0.2.2:80
     
 

integration/network/bridge/iptablesdoc/generated/usernet-portmap-noproxy.md

@@ -43,20 +43,13 @@ The filter table is the same as with the userland proxy enabled.
     Chain DOCKER-FORWARD (1 references)
     num   pkts bytes target     prot opt in     out     source               destination         
     1        0     0 DOCKER-CT  0    --  *      *       0.0.0.0/0            0.0.0.0/0           
-    2        0     0 DOCKER-ISOLATION-STAGE-1  0    --  *      *       0.0.0.0/0            0.0.0.0/0           
+    2        0     0 DOCKER-INTERNAL  0    --  *      *       0.0.0.0/0            0.0.0.0/0           
     3        0     0 DOCKER-BRIDGE  0    --  *      *       0.0.0.0/0            0.0.0.0/0           
     4        0     0 ACCEPT     0    --  docker0 *       0.0.0.0/0            0.0.0.0/0           
     5        0     0 ACCEPT     0    --  bridge1 *       0.0.0.0/0            0.0.0.0/0           
     
-    Chain DOCKER-ISOLATION-STAGE-1 (1 references)
+    Chain DOCKER-INTERNAL (1 references)
     num   pkts bytes target     prot opt in     out     source               destination         
-    1        0     0 DOCKER-ISOLATION-STAGE-2  0    --  docker0 !docker0  0.0.0.0/0            0.0.0.0/0           
-    2        0     0 DOCKER-ISOLATION-STAGE-2  0    --  bridge1 !bridge1  0.0.0.0/0            0.0.0.0/0           
-    
-    Chain DOCKER-ISOLATION-STAGE-2 (2 references)
-    num   pkts bytes target     prot opt in     out     source               destination         
-    1        0     0 DROP       0    --  *      bridge1  0.0.0.0/0            0.0.0.0/0           
-    2        0     0 DROP       0    --  *      docker0  0.0.0.0/0            0.0.0.0/0           
     
     Chain DOCKER-USER (1 references)
     num   pkts bytes target     prot opt in     out     source               destination         
@@ -69,8 +62,7 @@ The filter table is the same as with the userland proxy enabled.
     -N DOCKER-BRIDGE
     -N DOCKER-CT
     -N DOCKER-FORWARD
-    -N DOCKER-ISOLATION-STAGE-1
+    -N DOCKER-INTERNAL
-    -N DOCKER-ISOLATION-STAGE-2
     -N DOCKER-USER
     -A FORWARD -j DOCKER-USER
     -A FORWARD -j DOCKER-FORWARD
@@ -82,14 +74,10 @@ The filter table is the same as with the userland proxy enabled.
     -A DOCKER-CT -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
     -A DOCKER-CT -o bridge1 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
     -A DOCKER-FORWARD -j DOCKER-CT
-    -A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1
+    -A DOCKER-FORWARD -j DOCKER-INTERNAL
     -A DOCKER-FORWARD -j DOCKER-BRIDGE
     -A DOCKER-FORWARD -i docker0 -j ACCEPT
     -A DOCKER-FORWARD -i bridge1 -j ACCEPT
-    -A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-    -A DOCKER-ISOLATION-STAGE-1 -i bridge1 ! -o bridge1 -j DOCKER-ISOLATION-STAGE-2
-    -A DOCKER-ISOLATION-STAGE-2 -o bridge1 -j DROP
-    -A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
     
 
 </details>
@@ -144,8 +132,6 @@ Differences from [running with the proxy][0] are:
 
   - The jump from the OUTPUT chain to DOCKER happens even for loopback addresses.
     [ProgramChain][1].
-  - The "SKIP DNAT" RETURN rule for packets routed to the bridge is omitted from
-    the DOCKER chain [setupIPTablesInternal][2].
   - A MASQUERADE rule is added for packets sent from the container to one of its
     own published ports on the host.
   - A MASQUERADE rule for packets from a LOCAL source address is included in
@@ -154,6 +140,5 @@ Differences from [running with the proxy][0] are:
 
 [0]: usernet-portmap.md
 [1]: https://github.com/moby/moby/blob/333cfa640239153477bf635a8131734d0e9d099d/libnetwork/drivers/bridge/setup_ip_tables_linux.go#L302
-[2]: https://github.com/moby/moby/blob/333cfa640239153477bf635a8131734d0e9d099d/libnetwork/drivers/bridge/setup_ip_tables_linux.go#L293
 [3]: https://github.com/moby/moby/blob/333cfa640239153477bf635a8131734d0e9d099d/libnetwork/drivers/bridge/setup_ip_tables_linux.go#L302
 [4]: https://github.com/moby/moby/blob/675c2ac2db93e38bb9c5a6615d4155a969535fd9/libnetwork/drivers/bridge/port_mapping_linux.go#L772

integration/network/bridge/iptablesdoc/generated/usernet-portmap-routed.md

@@ -41,22 +41,13 @@ The filter table is:
     Chain DOCKER-FORWARD (1 references)
     num   pkts bytes target     prot opt in     out     source               destination         
     1        0     0 DOCKER-CT  0    --  *      *       0.0.0.0/0            0.0.0.0/0           
-    2        0     0 DOCKER-ISOLATION-STAGE-1  0    --  *      *       0.0.0.0/0            0.0.0.0/0           
+    2        0     0 DOCKER-INTERNAL  0    --  *      *       0.0.0.0/0            0.0.0.0/0           
     3        0     0 DOCKER-BRIDGE  0    --  *      *       0.0.0.0/0            0.0.0.0/0           
     4        0     0 ACCEPT     0    --  docker0 *       0.0.0.0/0            0.0.0.0/0           
     5        0     0 ACCEPT     0    --  bridge1 *       0.0.0.0/0            0.0.0.0/0           
     
-    Chain DOCKER-ISOLATION-STAGE-1 (1 references)
+    Chain DOCKER-INTERNAL (1 references)
     num   pkts bytes target     prot opt in     out     source               destination         
-    1        0     0 ACCEPT     0    --  bridge1 *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
-    2        0     0 RETURN     0    --  *      bridge1  0.0.0.0/0            0.0.0.0/0           
-    3        0     0 DOCKER-ISOLATION-STAGE-2  0    --  docker0 !docker0  0.0.0.0/0            0.0.0.0/0           
-    4        0     0 DOCKER-ISOLATION-STAGE-2  0    --  bridge1 !bridge1  0.0.0.0/0            0.0.0.0/0           
-    
-    Chain DOCKER-ISOLATION-STAGE-2 (2 references)
-    num   pkts bytes target     prot opt in     out     source               destination         
-    1        0     0 DROP       0    --  *      bridge1  0.0.0.0/0            0.0.0.0/0           
-    2        0     0 DROP       0    --  *      docker0  0.0.0.0/0            0.0.0.0/0           
     
     Chain DOCKER-USER (1 references)
     num   pkts bytes target     prot opt in     out     source               destination         
@@ -72,8 +63,7 @@ The filter table is:
     -N DOCKER-BRIDGE
     -N DOCKER-CT
     -N DOCKER-FORWARD
-    -N DOCKER-ISOLATION-STAGE-1
+    -N DOCKER-INTERNAL
-    -N DOCKER-ISOLATION-STAGE-2
     -N DOCKER-USER
     -A FORWARD -j DOCKER-USER
     -A FORWARD -j DOCKER-FORWARD
@@ -86,31 +76,16 @@ The filter table is:
     -A DOCKER-CT -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
     -A DOCKER-CT -o bridge1 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
     -A DOCKER-FORWARD -j DOCKER-CT
-    -A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1
+    -A DOCKER-FORWARD -j DOCKER-INTERNAL
     -A DOCKER-FORWARD -j DOCKER-BRIDGE
     -A DOCKER-FORWARD -i docker0 -j ACCEPT
     -A DOCKER-FORWARD -i bridge1 -j ACCEPT
-    -A DOCKER-ISOLATION-STAGE-1 -i bridge1 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-    -A DOCKER-ISOLATION-STAGE-1 -o bridge1 -j RETURN
-    -A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-    -A DOCKER-ISOLATION-STAGE-1 -i bridge1 ! -o bridge1 -j DOCKER-ISOLATION-STAGE-2
-    -A DOCKER-ISOLATION-STAGE-2 -o bridge1 -j DROP
-    -A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
     
 
 </details>
 
 Compared to the equivalent [nat mode network][1]:
 
-- In DOCKER-ISOLATION-STAGE-1:
-  - Rule 1 accepts outgoing packets related to established connections. This
-    is for responses to containers on NAT networks that would not normally
-    accept packets from another network, and may have port/protocol filtering
-    rules in place that would otherwise drop these responses.
-  - Rule 2 skips the jump to DOCKER-ISOLATION-STAGE-2 for any packet routed
-    to the routed-mode network. So, it will accept packets from other networks,
-    if they make it through the port/protocol filtering rules in the DOCKER
-    chain.
 - In the DOCKER chain:
   - A rule is added by [setICMP][5] to allow ICMP.
     *ALL* ICMP message types are allowed.
@@ -163,8 +138,6 @@ The nat table is:
     
     Chain DOCKER (2 references)
     num   pkts bytes target     prot opt in     out     source               destination         
-    1        0     0 RETURN     0    --  bridge1 *       0.0.0.0/0            0.0.0.0/0           
-    2        0     0 RETURN     0    --  docker0 *       0.0.0.0/0            0.0.0.0/0           
     
 
 <details>
@@ -178,8 +151,6 @@ The nat table is:
     -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
     -A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
     -A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-    -A DOCKER -i bridge1 -j RETURN
-    -A DOCKER -i docker0 -j RETURN
     
 
 </details>

integration/network/bridge/iptablesdoc/generated/usernet-portmap.md

@@ -39,20 +39,13 @@ The filter table is updated as follows:
     Chain DOCKER-FORWARD (1 references)
     num   pkts bytes target     prot opt in     out     source               destination         
     1        0     0 DOCKER-CT  0    --  *      *       0.0.0.0/0            0.0.0.0/0           
-    2        0     0 DOCKER-ISOLATION-STAGE-1  0    --  *      *       0.0.0.0/0            0.0.0.0/0           
+    2        0     0 DOCKER-INTERNAL  0    --  *      *       0.0.0.0/0            0.0.0.0/0           
     3        0     0 DOCKER-BRIDGE  0    --  *      *       0.0.0.0/0            0.0.0.0/0           
     4        0     0 ACCEPT     0    --  docker0 *       0.0.0.0/0            0.0.0.0/0           
     5        0     0 ACCEPT     0    --  bridge1 *       0.0.0.0/0            0.0.0.0/0           
     
-    Chain DOCKER-ISOLATION-STAGE-1 (1 references)
+    Chain DOCKER-INTERNAL (1 references)
     num   pkts bytes target     prot opt in     out     source               destination         
-    1        0     0 DOCKER-ISOLATION-STAGE-2  0    --  docker0 !docker0  0.0.0.0/0            0.0.0.0/0           
-    2        0     0 DOCKER-ISOLATION-STAGE-2  0    --  bridge1 !bridge1  0.0.0.0/0            0.0.0.0/0           
-    
-    Chain DOCKER-ISOLATION-STAGE-2 (2 references)
-    num   pkts bytes target     prot opt in     out     source               destination         
-    1        0     0 DROP       0    --  *      bridge1  0.0.0.0/0            0.0.0.0/0           
-    2        0     0 DROP       0    --  *      docker0  0.0.0.0/0            0.0.0.0/0           
     
     Chain DOCKER-USER (1 references)
     num   pkts bytes target     prot opt in     out     source               destination         
@@ -68,8 +61,7 @@ The filter table is updated as follows:
     -N DOCKER-BRIDGE
     -N DOCKER-CT
     -N DOCKER-FORWARD
-    -N DOCKER-ISOLATION-STAGE-1
+    -N DOCKER-INTERNAL
-    -N DOCKER-ISOLATION-STAGE-2
     -N DOCKER-USER
     -A FORWARD -j DOCKER-USER
     -A FORWARD -j DOCKER-FORWARD
@@ -81,14 +73,10 @@ The filter table is updated as follows:
     -A DOCKER-CT -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
     -A DOCKER-CT -o bridge1 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
     -A DOCKER-FORWARD -j DOCKER-CT
-    -A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1
+    -A DOCKER-FORWARD -j DOCKER-INTERNAL
     -A DOCKER-FORWARD -j DOCKER-BRIDGE
     -A DOCKER-FORWARD -i docker0 -j ACCEPT
     -A DOCKER-FORWARD -i bridge1 -j ACCEPT
-    -A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-    -A DOCKER-ISOLATION-STAGE-1 -i bridge1 ! -o bridge1 -j DOCKER-ISOLATION-STAGE-2
-    -A DOCKER-ISOLATION-STAGE-2 -o bridge1 -j DROP
-    -A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
     
 
 </details>
@@ -98,8 +86,6 @@ Note that:
  - In the DOCKER-FORWARD chain, rule 5 for outgoing traffic from the new network has been
    appended to the end of the chain.
  - The DOCKER-CT and DOCKER-FORWARD chains each have a rule for the new network.
- - In the DOCKER-ISOLATION chains, rules equivalent to the docker0 rules have
-   also been inserted for the new bridge.
  - In the DOCKER chain, there is an ACCEPT rule for TCP port 80 packets routed
    to the container's address. This rule is added when the container is created
    (unlike all the other rules so-far, which were created during driver or
@@ -110,8 +96,8 @@ Note that:
      created before `bridge1`, the `bridge1` rules appear above and below the
      `docker0` DROP rule.
 
-[1]: https://github.com/moby/moby/blob/675c2ac2db93e38bb9c5a6615d4155a969535fd9/libnetwork/drivers/bridge/port_mapping_linux.go#L795
+[1]: https://github.com/search?q=repo%3Amoby%2Fmoby+setPerPortForwarding&type=code
-[2]: https://github.com/robmry/moby/blob/52c89d467fc5326149e4bbb8903d23589b66ff0d/libnetwork/drivers/bridge/setup_ip_tables_linux.go#L252
+[2]: https://github.com/search?q=repo%3Amoby%2Fmoby%20setDefaultForwardRule&type=code
 
 The corresponding nat table:
 
@@ -133,9 +119,7 @@ The corresponding nat table:
     
     Chain DOCKER (2 references)
     num   pkts bytes target     prot opt in     out     source               destination         
-    1        0     0 RETURN     0    --  bridge1 *       0.0.0.0/0            0.0.0.0/0           
+    1        0     0 DNAT       6    --  !bridge1 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8080 to:192.0.2.2:80
-    2        0     0 RETURN     0    --  docker0 *       0.0.0.0/0            0.0.0.0/0           
-    3        0     0 DNAT       6    --  !bridge1 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8080 to:192.0.2.2:80
     
 
 <details>
@@ -150,8 +134,6 @@ The corresponding nat table:
     -A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
     -A POSTROUTING -s 192.0.2.0/24 ! -o bridge1 -j MASQUERADE
     -A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-    -A DOCKER -i bridge1 -j RETURN
-    -A DOCKER -i docker0 -j RETURN
     -A DOCKER ! -i bridge1 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.0.2.2:80
     
 

integration/network/bridge/iptablesdoc/templates/new-daemon.md

@@ -16,13 +16,14 @@ Table `filter`:
 
 The FORWARD chain's policy shown above is ACCEPT. However:
 
-   - For IPv4, [setupIPForwarding][1] sets the POLICY to DROP if the sysctl
+   - For IPv4, [setupIPv4Forwarding][1] sets the POLICY to DROP if the sysctl
      net.ipv4.ip_forward was not set to '1', and the daemon set it itself when
      an IPv4-enabled bridge network was created.
-   - For IPv6, similar, but for sysctls "/proc/sys/net/ipv6/conf/default/forwarding"
+   - For IPv6, [similar][2], but for sysctls "/proc/sys/net/ipv6/conf/default/forwarding"
      and "/proc/sys/net/ipv6/conf/all/forwarding".
 
-[1]: https://github.com/moby/moby/blob/cff4f20c44a3a7c882ed73934dec6a77246c6323/libnetwork/drivers/bridge/setup_ip_forwarding.go#L44
+[1]: https://github.com/search?q=repo%3Amoby%2Fmoby%20setupIPv4Forwarding&type=code
+[2]: https://github.com/search?q=repo%3Amoby%2Fmoby%20setupIPv6Forwarding&type=code
 
 The FORWARD chain rules, explained in the order they appear in the output above, are:
 
@@ -32,7 +33,7 @@ The FORWARD chain rules, explained in the order they appear in the output above,
      It's (mostly) kept at the top of the by deleting it and re-creating after each
      new network is created, while traffic may be running for other networks.
   2. Unconditional jump to DOCKER-FORWARD.
-     This is set up by libnetwork, in [setupUserChain][10].
+     This is set up by libnetwork, in [setupIPChains][11].
 
 Once the daemon has initialised, it doesn't touch these rules. Users are free to
 append rules to the FORWARD chain, and they'll run after DOCKER's rules (or to
@@ -45,12 +46,12 @@ the output above, are:
 
   1. Unconditional jump to DOCKER-CT.
      Created during driver initialisation, in `setupIPChains`.
-  2. Unconditional jump to DOCKER-ISOLATION-STAGE-1.
+  2. Unconditional jump to DOCKER-INTERNAL.
      Also created during driver initialisation, in `setupIPChains`.
   3. Unconditional jump to DOCKER-BRIDGE.
      Also created during driver initialisation, in `setupIPChains`.
   4. ACCEPT any packet leaving a network, set up when the network is created, in
-     `setupIPTablesInternal`. Note that this accepts any packet leaving the
+     [setupIPTablesInternal][12]. Note that this accepts any packet leaving the
      network that's made it through the DOCKER and isolation chains, whether the
      destination is external or another network.
 
@@ -61,29 +62,21 @@ DOCKER-BRIDGE has a rule for each bridge network, to jump to the DOCKER chain.
 
 The DOCKER chain implements per-port/protocol filtering for each container.
 
-[10]: https://github.com/moby/moby/blob/e05848c0025b67a16aaafa8cdff95d5e2c064105/libnetwork/firewall_linux.go#L50
+[10]: https://github.com/search?q=repo%3Amoby%2Fmoby%20setupUserChain&type=code
-[11]: https://github.com/robmry/moby/blob/52c89d467fc5326149e4bbb8903d23589b66ff0d/libnetwork/drivers/bridge/setup_ip_tables_linux.go#L230-L232
+[11]: https://github.com/search?q=repo%3Amoby%2Fmoby%20setupIPChains&type=code
-[12]: https://github.com/robmry/moby/blob/52c89d467fc5326149e4bbb8903d23589b66ff0d/libnetwork/drivers/bridge/setup_ip_tables_linux.go#L227-L229
+[12]: https://github.com/search?q=repo%3Amoby%2Fmoby%20setupNonInternalNetworkRules&type=code
-[13]: https://github.com/robmry/moby/blob/52c89d467fc5326149e4bbb8903d23589b66ff0d/libnetwork/drivers/bridge/setup_ip_tables_linux.go#L223-L226
-[15]: https://github.com/moby/moby/blob/333cfa640239153477bf635a8131734d0e9d099d/libnetwork/drivers/bridge/setup_ip_tables_linux.go#L343
 
 The DOCKER chain has a single DROP rule for the bridge network, to drop any
 packets routed to the network that have not originated in the network. Added by
-[setDefaultForwardRule][21].
+[setDefaultForwardRule][20].
 _This means there is no dependency on the filter-FORWARD chain's default policy.
 Even if it is ACCEPT, packets will be dropped unless container ports/protocols
 are published._
 
-The DOCKER-ISOLATION chains implement inter-network isolation, all (unrelated)
+[20]: https://github.com/search?q=repo%3Amoby%2Fmoby%20setDefaultForwardRule&type=code
-packets are processed by these chains. The rule are inserted at the head of the
-chain when a network is created, in [setINC][20].
-  - DOCKER-ISOLATION-STAGE-1 jumps to DOCKER-ISOLATION-STAGE-2 for any packet
-    routed to a docker network that has not come from that docker network.
-  - DOCKER-ISOLATION-STAGE-2 processes all packets leaving a bridge network,
-    packets that are destined for any other network are dropped.
 
-[20]: https://github.com/moby/moby/blob/333cfa640239153477bf635a8131734d0e9d099d/libnetwork/drivers/bridge/setup_ip_tables_linux.go#L369
+The DOCKER-INTERNAL chain is for `--internal` networks (bridge networks that
-[21]: https://github.com/robmry/moby/blob/52c89d467fc5326149e4bbb8903d23589b66ff0d/libnetwork/drivers/bridge/setup_ip_tables_linux.go#L252
+have no external access), it's unused in this example.
 
 Table nat:
 

integration/network/bridge/iptablesdoc/templates/usernet-internal.md

@@ -33,11 +33,9 @@ By comparison with the [network with external access][1]:
 
 - In the DOCKER-FORWARD chain, there is no ACCEPT rule for outgoing packets (`-i bridgeINC`).
 - There are no rules for this network in the DOCKER chain.
-- In DOCKER-ISOLATION-STAGE-1:
+- In DOCKER-INTERNAL:
   - Rule 1 drops any packet routed to the network that does not have a source address in the network's subnet.
   - Rule 2 drops any packet routed out of the network that does not have a dest address in the network's subnet.
-  - There is no jump to DOCKER-ISOLATION-STAGE-2.
-- DOCKER-ISOLATION-STAGE-2 is unused.
 
 The only difference between `bridgeICC` and `bridgeNoICC` is the rule in the DOCKER-FORWARD
 chain. To enable ICC, the rule for packets looping through the bridge is ACCEPT. For

integration/network/bridge/iptablesdoc/templates/usernet-portmap-noproxy.md

@@ -34,8 +34,6 @@ Differences from [running with the proxy][0] are:
 
   - The jump from the OUTPUT chain to DOCKER happens even for loopback addresses.
     [ProgramChain][1].
-  - The "SKIP DNAT" RETURN rule for packets routed to the bridge is omitted from
-    the DOCKER chain [setupIPTablesInternal][2].
   - A MASQUERADE rule is added for packets sent from the container to one of its
     own published ports on the host.
   - A MASQUERADE rule for packets from a LOCAL source address is included in
@@ -44,6 +42,5 @@ Differences from [running with the proxy][0] are:
 
 [0]: usernet-portmap.md
 [1]: https://github.com/moby/moby/blob/333cfa640239153477bf635a8131734d0e9d099d/libnetwork/drivers/bridge/setup_ip_tables_linux.go#L302
-[2]: https://github.com/moby/moby/blob/333cfa640239153477bf635a8131734d0e9d099d/libnetwork/drivers/bridge/setup_ip_tables_linux.go#L293
 [3]: https://github.com/moby/moby/blob/333cfa640239153477bf635a8131734d0e9d099d/libnetwork/drivers/bridge/setup_ip_tables_linux.go#L302
 [4]: https://github.com/moby/moby/blob/675c2ac2db93e38bb9c5a6615d4155a969535fd9/libnetwork/drivers/bridge/port_mapping_linux.go#L772

integration/network/bridge/iptablesdoc/templates/usernet-portmap-routed.md

@@ -21,15 +21,6 @@ The filter table is:
 
 Compared to the equivalent [nat mode network][1]:
 
-- In DOCKER-ISOLATION-STAGE-1:
-  - Rule 1 accepts outgoing packets related to established connections. This
-    is for responses to containers on NAT networks that would not normally
-    accept packets from another network, and may have port/protocol filtering
-    rules in place that would otherwise drop these responses.
-  - Rule 2 skips the jump to DOCKER-ISOLATION-STAGE-2 for any packet routed
-    to the routed-mode network. So, it will accept packets from other networks,
-    if they make it through the port/protocol filtering rules in the DOCKER
-    chain.
 - In the DOCKER chain:
   - A rule is added by [setICMP][5] to allow ICMP.
     *ALL* ICMP message types are allowed.

integration/network/bridge/iptablesdoc/templates/usernet-portmap.md

@@ -23,8 +23,6 @@ Note that:
  - In the DOCKER-FORWARD chain, rule 5 for outgoing traffic from the new network has been
    appended to the end of the chain.
  - The DOCKER-CT and DOCKER-FORWARD chains each have a rule for the new network.
- - In the DOCKER-ISOLATION chains, rules equivalent to the docker0 rules have
-   also been inserted for the new bridge.
  - In the DOCKER chain, there is an ACCEPT rule for TCP port 80 packets routed
    to the container's address. This rule is added when the container is created
    (unlike all the other rules so-far, which were created during driver or
@@ -35,8 +33,8 @@ Note that:
      created before `bridge1`, the `bridge1` rules appear above and below the
      `docker0` DROP rule.
 
-[1]: https://github.com/moby/moby/blob/675c2ac2db93e38bb9c5a6615d4155a969535fd9/libnetwork/drivers/bridge/port_mapping_linux.go#L795
+[1]: https://github.com/search?q=repo%3Amoby%2Fmoby+setPerPortForwarding&type=code
-[2]: https://github.com/robmry/moby/blob/52c89d467fc5326149e4bbb8903d23589b66ff0d/libnetwork/drivers/bridge/setup_ip_tables_linux.go#L252
+[2]: https://github.com/search?q=repo%3Amoby%2Fmoby%20setDefaultForwardRule&type=code
 
 The corresponding nat table:
 

integration/networking/bridge_linux_test.go

@@ -496,40 +496,39 @@ func TestBridgeINCRouted(t *testing.T) {
 	}
 }
 
-// TestRoutedAccessToPublishedPort checks that:
+// TestAccessToPublishedPort checks that a container in one network can
-//   - with docker-proxy enabled, a container in a gw-mode=routed network can access a port
+// access a port published to the host by a container in another network,
-//     published to the host by a container in a gw-mode=nat network.
+// with various combinations of gateway-mode, with and without the
-//   - if the proxy is disabled, those packets are dropped by the network isolation rules
+// userland proxy.
-//   - working around those INC rules by adding a rule to DOCKER-USER enables access to the
-//     published port (so, packets from the mode-routed network are still DNAT'd).
 //
 // Regression test for https://github.com/moby/moby/issues/49509
-func TestRoutedAccessToPublishedPort(t *testing.T) {
+func TestAccessToPublishedPort(t *testing.T) {
 	skip.If(t, testEnv.IsRootless, "Published port not accessible from rootless netns")
 
 	ctx := setupTest(t)
 
 	testcases := []struct {
-		name                string
+		name          string
-		userlandProxy       bool
+		clientGwMode  string
-		skipINC             bool
+		userlandProxy bool
-		expResponseIptables bool
-		expResponseNftables bool
 	}{
 		{
-			name:                "proxy=true/skipINC=false",
+			name:          "client=routed/proxy=true",
-			userlandProxy:       true,
+			clientGwMode:  "routed",
-			expResponseIptables: true,
+			userlandProxy: true,
-			expResponseNftables: true,
 		},
 		{
-			name:                "proxy=false/skipINC=false",
+			name:         "client=routed/proxy=false",
-			expResponseNftables: true,
+			clientGwMode: "routed",
 		},
 		{
-			name:                "proxy=false/skipINC=true",
+			name:          "client=nat/proxy=true",
-			skipINC:             true,
+			clientGwMode:  "nat",
-			expResponseIptables: true,
+			userlandProxy: true,
+		},
+		{
+			name:         "client=nat/proxy=false",
+			clientGwMode: "nat",
 		},
 	}
 
@@ -538,61 +537,36 @@ func TestRoutedAccessToPublishedPort(t *testing.T) {
 			d := daemon.New(t)
 			d.StartWithBusybox(ctx, t, "--ipv6", "--userland-proxy="+strconv.FormatBool(tc.userlandProxy))
 			defer d.Stop(t)
-			usingNftables := d.FirewallBackendDriver(t) == "nftables"
-			if usingNftables && tc.skipINC {
-				t.Skip("Skipping iptables skip-INC test, using nftables")
-			}
 
 			c := d.NewClientT(t)
 			defer c.Close()
 
-			const natNetName = "tnet-nat"
+			const serverNetName = "tnet-server"
-			const natBridgeName = "br-nat"
+			network.CreateNoError(ctx, t, c, serverNetName,
-			network.CreateNoError(ctx, t, c, natNetName,
 				network.WithDriver("bridge"),
 				network.WithIPv6(),
-				network.WithOption(bridge.BridgeName, natBridgeName),
+				network.WithOption(bridge.BridgeName, "br-server"),
 			)
-			defer network.RemoveNoError(ctx, t, c, natNetName)
+			defer network.RemoveNoError(ctx, t, c, serverNetName)
 
 			ctrId := container.Run(ctx, t, c,
-				container.WithNetworkMode(natNetName),
+				container.WithNetworkMode(serverNetName),
-				container.WithName("ctr-nat"),
+				container.WithName("ctr-server"),
 				container.WithExposedPorts("80/tcp"),
 				container.WithPortMap(nat.PortMap{"80/tcp": {nat.PortBinding{HostPort: "8080"}}}),
 				container.WithCmd("httpd", "-f"),
 			)
 			defer c.ContainerRemove(ctx, ctrId, containertypes.RemoveOptions{Force: true})
 
-			const routedNetName = "tnet-routed"
+			const clientNetName = "tnet-client"
-			network.CreateNoError(ctx, t, c, routedNetName,
+			network.CreateNoError(ctx, t, c, clientNetName,
 				network.WithDriver("bridge"),
 				network.WithIPv6(),
-				network.WithOption(bridge.BridgeName, "br-routed"),
+				network.WithOption(bridge.BridgeName, "br-client"),
-				network.WithOption(bridge.IPv4GatewayMode, "routed"),
+				network.WithOption(bridge.IPv4GatewayMode, tc.clientGwMode),
-				network.WithOption(bridge.IPv6GatewayMode, "routed"),
+				network.WithOption(bridge.IPv6GatewayMode, tc.clientGwMode),
 			)
-			defer network.RemoveNoError(ctx, t, c, routedNetName)
+			defer network.RemoveNoError(ctx, t, c, clientNetName)
-
-			// With docker-proxy disabled, a container can't normally access a port published
-			// from a container in a different bridge network. But, users can add rules to
-			// the DOCKER-USER chain to get around that limitation of docker's iptables rules.
-			// Do that here, if the test requires it.
-			if tc.skipINC {
-				for _, ipv := range []iptables.IPVersion{iptables.IPv4, iptables.IPv6} {
-					rule := iptables.Rule{
-						IPVer: ipv, Table: iptables.Filter, Chain: "DOCKER-USER",
-						Args: []string{"-o", natBridgeName, "-j", "ACCEPT"},
-					}
-					err := rule.Insert()
-					assert.NilError(t, err)
-					defer func() {
-						if err := rule.Delete(); err != nil {
-							t.Errorf("Failed to delete %s DOCKER-USER rule: %v", ipv, err)
-						}
-					}()
-				}
-			}
 
 			// Use the default bridge addresses as host addresses (like "host-gateway", but
 			// there's no way to tell wget to prefer ipv4/ipv6 transport, so just use the
@@ -607,17 +581,148 @@ func TestRoutedAccessToPublishedPort(t *testing.T) {
 				t.Run(ipv, func(t *testing.T) {
 					url := "http://" + net.JoinHostPort(ipamCfg.Gateway, "8080")
 					res := container.RunAttach(ctx, t, c,
-						container.WithNetworkMode(routedNetName),
+						container.WithNetworkMode(clientNetName),
 						container.WithCmd("wget", "-O-", "-T3", url),
 					)
-					if (usingNftables && tc.expResponseNftables) || (!usingNftables && tc.expResponseIptables) {
+					// 404 Not Found means the server responded, but it's got nothing to serve.
+					assert.Check(t, is.Contains(res.Stderr.String(), "404 Not Found"), "url: %s", url)
+				})
+			}
+		})
+	}
+}
+
+// TestInterNetworkDirectRouting checks whether containers in one network
+// can access ports on container addresses in other networks for combinations
+// of gateway mode, published and unpublished ports, with and without the
+// userland-proxy. (This is about direct routing between containers, so the
+// docker-proxy shouldn't be involved - but the firewall config is a bit
+// different, so it's worth testing.)
+//
+// Regression test for https://github.com/moby/moby/issues/49509
+func TestInterNetworkDirectRouting(t *testing.T) {
+	ctx := setupTest(t)
+
+	testcases := []struct {
+		name          string
+		serverGwMode  string
+		userlandProxy bool
+		expPubResp    bool
+		expUnpubResp  bool
+	}{
+		{
+			name:          "server=nat/proxy=true",
+			serverGwMode:  "nat",
+			userlandProxy: true,
+			expPubResp:    false, // Direct routing is blocked by raw-prerouting rules.
+			expUnpubResp:  false, // Direct routing is blocked by raw-prerouting rules.
+		},
+		{
+			name:         "server=nat/proxy=false",
+			serverGwMode: "nat",
+			expPubResp:   false, // Direct routing is blocked by raw-prerouting rules.
+			expUnpubResp: false, // Direct routing is blocked by raw-prerouting rules.
+		},
+		{
+			name:          "server=routed/proxy=true",
+			serverGwMode:  "routed",
+			userlandProxy: true,
+			expPubResp:    true,
+			expUnpubResp:  false, // Unpublished ports are blocked by port-filtering rules.
+		},
+		{
+			name:         "server=routed/proxy=false",
+			serverGwMode: "routed",
+			expPubResp:   true,
+			expUnpubResp: false, // Unpublished ports are blocked by port-filtering rules.
+		},
+		{
+			name:          "server=nat-unprotected/proxy=true",
+			serverGwMode:  "nat-unprotected",
+			userlandProxy: true,
+			expPubResp:    true,
+			expUnpubResp:  true,
+		},
+		{
+			name:         "server=nat-unprotected/proxy=false",
+			serverGwMode: "nat-unprotected",
+			expPubResp:   true,
+			expUnpubResp: true,
+		},
+	}
+
+	for _, tc := range testcases {
+		t.Run(tc.name, func(t *testing.T) {
+			d := daemon.New(t)
+			d.StartWithBusybox(ctx, t, "--ipv6", "--userland-proxy="+strconv.FormatBool(tc.userlandProxy))
+			defer d.Stop(t)
+
+			c := d.NewClientT(t)
+			defer c.Close()
+
+			const serverNetName = "tnet-server"
+			network.CreateNoError(ctx, t, c, serverNetName,
+				network.WithDriver("bridge"),
+				network.WithIPv6(),
+				network.WithOption(bridge.BridgeName, "br-server"),
+				network.WithOption(bridge.IPv4GatewayMode, tc.serverGwMode),
+				network.WithOption(bridge.IPv6GatewayMode, tc.serverGwMode),
+			)
+			defer network.RemoveNoError(ctx, t, c, serverNetName)
+
+			ctrPubId := container.Run(ctx, t, c,
+				container.WithNetworkMode(serverNetName),
+				container.WithName("ctr-pub"),
+				container.WithExposedPorts("80/tcp"),
+				container.WithPortMap(nat.PortMap{"80/tcp": {nat.PortBinding{HostPort: "8080"}}}),
+				container.WithCmd("httpd", "-f"),
+			)
+			defer c.ContainerRemove(ctx, ctrPubId, containertypes.RemoveOptions{Force: true})
+			inspPub := container.Inspect(ctx, t, c, ctrPubId)
+			pub4 := inspPub.NetworkSettings.Networks[serverNetName].IPAddress
+			pub6 := inspPub.NetworkSettings.Networks[serverNetName].GlobalIPv6Address
+
+			ctrUnpubId := container.Run(ctx, t, c,
+				container.WithNetworkMode(serverNetName),
+				container.WithName("ctr-unpub"),
+				container.WithCmd("httpd", "-f"),
+			)
+			defer c.ContainerRemove(ctx, ctrUnpubId, containertypes.RemoveOptions{Force: true})
+			inspUnpub := container.Inspect(ctx, t, c, ctrUnpubId)
+			unpub4 := inspUnpub.NetworkSettings.Networks[serverNetName].IPAddress
+			unpub6 := inspUnpub.NetworkSettings.Networks[serverNetName].GlobalIPv6Address
+
+			const clientNetName = "tnet-client"
+			network.CreateNoError(ctx, t, c, clientNetName,
+				network.WithDriver("bridge"),
+				network.WithIPv6(),
+				network.WithOption(bridge.BridgeName, "br-client"),
+			)
+			defer network.RemoveNoError(ctx, t, c, clientNetName)
+
+			checkHTTP := func(addr string, expResp bool) func(t *testing.T) {
+				return func(t *testing.T) {
+					t.Parallel()
+					t.Helper()
+					url := "http://" + net.JoinHostPort(addr, "80")
+					res := container.RunAttach(ctx, t, c,
+						container.WithNetworkMode(clientNetName),
+						container.WithCmd("wget", "-O-", "-T3", url),
+					)
+					if expResp {
 						// 404 Not Found means the server responded, but it's got nothing to serve.
 						assert.Check(t, is.Contains(res.Stderr.String(), "404 Not Found"), "url: %s", url)
 					} else {
 						assert.Check(t, is.Contains(res.Stderr.String(), "download timed out"), "url: %s", url)
 					}
-				})
+				}
 			}
+			t.Run("w", func(t *testing.T) { // Wait for the parallel tests to complete.
+				t.Run("ipv4/pub", checkHTTP(pub4, tc.expPubResp))
+				t.Run("ipv6/pub", checkHTTP(pub6, tc.expPubResp))
+				t.Run("ipv4/unpub", checkHTTP(unpub4, tc.expUnpubResp))
+				t.Run("ipv6/unpub", checkHTTP(unpub6, tc.expUnpubResp))
+			})
 		})
 	}
 }

integration/service/testdata/TestDockerIngressChainPosition_docker_forward.golden

@@ -1,5 +1,5 @@
 -N DOCKER-FORWARD
 -A DOCKER-FORWARD -j DOCKER-INGRESS
 -A DOCKER-FORWARD -j DOCKER-CT
--A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1
+-A DOCKER-FORWARD -j DOCKER-INTERNAL
 -A DOCKER-FORWARD -j DOCKER-BRIDGE

libnetwork/drivers/bridge/internal/iptabler/iptabler.go

@@ -18,19 +18,19 @@ const (
 	// DockerForwardChain contains Docker's filter-FORWARD rules.
 	//
 	// FIXME(robmry) - only exported because it's used to set up the jump to swarm's DOCKER-INGRESS chain.
-	DockerForwardChain = "DOCKER-FORWARD"
+	DockerForwardChain  = "DOCKER-FORWARD"
-	dockerBridgeChain  = "DOCKER-BRIDGE"
+	dockerBridgeChain   = "DOCKER-BRIDGE"
-	dockerCTChain      = "DOCKER-CT"
+	dockerCTChain       = "DOCKER-CT"
+	dockerInternalChain = "DOCKER-INTERNAL"
 
-	// Isolation between bridge networks is achieved in two stages by means
+	// These INC (inter-network communication) chains are no longer needed, packets
-	// of the following two chains in the filter table. The first chain matches
+	// sent to unpublished ports in other networks are now dropped by rules in the DOCKER
-	// on the source interface being a bridge network's bridge and the
+	// chain. Packets sent directly to published ports in a different network don't need
-	// destination being a different interface. A positive match leads to the
+	// to be dropped:
-	// second isolation chain. No match returns to the parent chain. The second
+	// - containers in other networks have access via the host's address, and
-	// isolation chain matches on destination interface being a bridge network's
+	// - it was surprising that a container in a gwmode=nat network couldn't talk to a
-	// bridge. A positive match identifies a packet originated from one bridge
+	//   published port in a gwmode=routed network, but anything outside a bridge
-	// network's bridge destined to another bridge network's bridge and will
+	//   network could.
-	// result in the packet being dropped. No match returns to the parent chain.
 	isolationChain1 = "DOCKER-ISOLATION-STAGE-1"
 	isolationChain2 = "DOCKER-ISOLATION-STAGE-2"
 )
@@ -180,26 +180,14 @@ func setupIPChains(ctx context.Context, version iptables.IPVersion, iptCfg firew
 		}
 	}()
 
-	_, err = iptable.NewChain(isolationChain1, iptables.Filter)
+	_, err = iptable.NewChain(dockerInternalChain, iptables.Filter)
 	if err != nil {
-		return fmt.Errorf("failed to create FILTER isolation chain: %v", err)
+		return fmt.Errorf("failed to create FILTER internal chain: %v", err)
 	}
 	defer func() {
 		if retErr != nil {
-			if err := iptable.RemoveExistingChain(isolationChain1, iptables.Filter); err != nil {
+			if err := iptable.RemoveExistingChain(dockerInternalChain, iptables.Filter); err != nil {
-				log.G(ctx).Warnf("failed on removing iptables FILTER chain %s on cleanup: %v", isolationChain1, err)
+				log.G(ctx).Warnf("failed on removing iptables FILTER chain %s on cleanup: %v", dockerInternalChain, err)
-			}
-		}
-	}()
-
-	_, err = iptable.NewChain(isolationChain2, iptables.Filter)
-	if err != nil {
-		return fmt.Errorf("failed to create FILTER isolation chain: %v", err)
-	}
-	defer func() {
-		if retErr != nil {
-			if err := iptable.RemoveExistingChain(isolationChain2, iptables.Filter); err != nil {
-				log.G(ctx).Warnf("failed on removing iptables FILTER chain %s on cleanup: %v", isolationChain2, err)
 			}
 		}
 	}()
@@ -224,7 +212,7 @@ func setupIPChains(ctx context.Context, version iptables.IPVersion, iptCfg firew
 	if err := iptable.EnsureJumpRule(DockerForwardChain, dockerBridgeChain); err != nil {
 		return err
 	}
-	if err := iptable.EnsureJumpRule(DockerForwardChain, isolationChain1); err != nil {
+	if err := iptable.EnsureJumpRule(DockerForwardChain, dockerInternalChain); err != nil {
 		return err
 	}
 	if err := iptable.EnsureJumpRule(DockerForwardChain, dockerCTChain); err != nil {

libnetwork/drivers/bridge/internal/iptabler/iptabler_test.go

@@ -39,12 +39,14 @@ func TestCleanupIptableRules(t *testing.T) {
 		expRemoved bool
 	}{
 		{name: dockerChain, table: iptables.Nat, expRemoved: true},
-		// The filter-FORWARD chain has references to dockerChain and isolationChain1,
+		// The filter-FORWARD chain has a reference to dockerForwardChain, so it won't be
-		// so the chains won't be removed - but they should be flushed. (This has
+		// removed - but it should be flushed. (This has long/always been the case for
-		// long/always been the case for the daemon, its filter-FORWARD rules aren't
+		// the daemon, its filter-FORWARD rules aren't removed.)
-		// removed.)
+		{name: DockerForwardChain, table: iptables.Filter},
-		{name: dockerChain, table: iptables.Filter},
+		{name: dockerCTChain, table: iptables.Filter, expRemoved: true},
-		{name: isolationChain1, table: iptables.Filter},
+		{name: dockerBridgeChain, table: iptables.Filter, expRemoved: true},
+		{name: dockerChain, table: iptables.Filter, expRemoved: true},
+		{name: dockerInternalChain, table: iptables.Filter, expRemoved: true},
 	}
 
 	ipVersions := []iptables.IPVersion{iptables.IPv4, iptables.IPv6}

libnetwork/drivers/bridge/internal/iptabler/network.go

@@ -71,15 +71,9 @@ func (n *network) DelNetworkLevelRules(_ context.Context) error {
 
 func (n *network) configure(ctx context.Context, ipv iptables.IPVersion, conf firewaller.NetworkConfigFam) error {
 	if !conf.Prefix.IsValid() {
-		// Delete INC rules, in case they were created by a 28.0.0 daemon that didn't check
+		return nil
-		// whether the network had iptables/ip6tables enabled.
-		// This preserves https://github.com/moby/moby/commit/8cc4d1d4a2b6408232041f9ba4dff966eba80cc0
-		return setINC(ctx, ipv, n.config.IfName, conf.Routed, false)
 	}
-	if err := n.setupIPTables(ctx, ipv, conf); err != nil {
+	return n.setupIPTables(ctx, ipv, conf)
-		return err
-	}
-	return nil
 }
 
 func (n *network) registerCleanFunc(clean iptableCleanFunc) {
@@ -145,15 +139,6 @@ func (n *network) setupIPTables(ctx context.Context, ipVersion iptables.IPVersio
 		n.registerCleanFunc(func() error {
 			return appendOrDelChainRule(jumpToDockerRule, "jump to docker", false)
 		})
-
-		// Register the cleanup function first. Then, if setINC fails after creating
-		// some rules, they will be deleted.
-		n.registerCleanFunc(func() error {
-			return setINC(ctx, ipVersion, n.config.IfName, config.Routed, false)
-		})
-		if err := setINC(ctx, ipVersion, n.config.IfName, config.Routed, true); err != nil {
-			return err
-		}
 	}
 	return nil
 }
@@ -311,26 +296,6 @@ func (n *network) setupNonInternalNetworkRules(ctx context.Context, ipVer iptabl
 				return err
 			}
 		}
-		// If the userland proxy is running (!hairpin), skip DNAT for packets originating from
-		// this new network. Then, the proxy can pick up the packet from the host address the dest
-		// port is published to. Otherwise, if the packet is DNAT'd, it's forwarded straight to the
-		// target network, and will be dropped by network isolation rules if it didn't originate in
-		// the same bridge network. (So, with the proxy enabled, this skip allows a container in one
-		// network to reach a port published by a container in another bridge network.)
-		//
-		// If the userland proxy is disabled, don't skip, so packets will be DNAT'd. That will
-		// enable access to ports published by containers in the same network. But, the INC rules
-		// will block access to that published port from containers in other networks. (However,
-		// users may add a rule to DOCKER-USER to work around the INC rules if needed.)
-		if !n.ipt.config.Hairpin {
-			skipDNAT := iptables.Rule{IPVer: ipVer, Table: iptables.Nat, Chain: dockerChain, Args: []string{
-				"-i", n.config.IfName,
-				"-j", "RETURN",
-			}}
-			if err := programChainRule(skipDNAT, "SKIP DNAT", enable); err != nil {
-				return err
-			}
-		}
 	}
 
 	// In hairpin mode, masquerade traffic from localhost. If hairpin is disabled or if we're tearing down
@@ -434,70 +399,6 @@ func setIcc(ctx context.Context, version iptables.IPVersion, bridgeIface string,
 	return nil
 }
 
-// Control Inter-Network Communication.
-// Install rules only if they aren't present, remove only if they are.
-// If this method returns an error, it doesn't roll back any rules it has added.
-// No error is returned if rules cannot be removed (errors are just logged).
-func setINC(ctx context.Context, version iptables.IPVersion, iface string, routed, enable bool) (retErr error) {
-	iptable := iptables.GetIptable(version)
-	actionI, actionA := iptables.Insert, iptables.Append
-	actionMsg := "add"
-	if !enable {
-		actionI, actionA = iptables.Delete, iptables.Delete
-		actionMsg = "remove"
-	}
-
-	if routed {
-		// Anything is allowed into a routed network at this stage, so RETURN. Port
-		// filtering rules in the DOCKER chain will drop anything that's not destined
-		// for an open port.
-		if err := iptable.ProgramRule(iptables.Filter, isolationChain1, actionI, []string{
-			"-o", iface,
-			"-j", "RETURN",
-		}); err != nil {
-			log.G(ctx).WithError(err).Warnf("Failed to %s inter-network communication rule", actionMsg)
-			if enable {
-				return fmt.Errorf("%s inter-network communication rule: %w", actionMsg, err)
-			}
-		}
-
-		// Allow responses from the routed network into whichever network made the request.
-		if err := iptable.ProgramRule(iptables.Filter, isolationChain1, actionI, []string{
-			"-i", iface,
-			"-m", "conntrack", "--ctstate", "RELATED,ESTABLISHED",
-			"-j", "ACCEPT",
-		}); err != nil {
-			log.G(ctx).WithError(err).Warnf("Failed to %s inter-network communication rule", actionMsg)
-			if enable {
-				return fmt.Errorf("%s inter-network communication rule: %w", actionMsg, err)
-			}
-		}
-	}
-
-	if err := iptable.ProgramRule(iptables.Filter, isolationChain1, actionA, []string{
-		"-i", iface,
-		"!", "-o", iface,
-		"-j", isolationChain2,
-	}); err != nil {
-		log.G(ctx).WithError(err).Warnf("Failed to %s inter-network communication rule", actionMsg)
-		if enable {
-			return fmt.Errorf("%s inter-network communication rule: %w", actionMsg, err)
-		}
-	}
-
-	if err := iptable.ProgramRule(iptables.Filter, isolationChain2, actionI, []string{
-		"-o", iface,
-		"-j", "DROP",
-	}); err != nil {
-		log.G(ctx).WithError(err).Warnf("Failed to %s inter-network communication rule", actionMsg)
-		if enable {
-			return fmt.Errorf("%s inter-network communication rule: %w", actionMsg, err)
-		}
-	}
-
-	return nil
-}
-
 // Obsolete chain from previous docker versions
 const oldIsolationChain = "DOCKER-ISOLATION"
 
@@ -514,6 +415,7 @@ func removeIPChains(ctx context.Context, version iptables.IPVersion) {
 		{Name: DockerForwardChain, Table: iptables.Filter, IPVersion: version},
 		{Name: dockerBridgeChain, Table: iptables.Filter, IPVersion: version},
 		{Name: dockerCTChain, Table: iptables.Filter, IPVersion: version},
+		{Name: dockerInternalChain, Table: iptables.Filter, IPVersion: version},
 		{Name: isolationChain1, Table: iptables.Filter, IPVersion: version},
 		{Name: isolationChain2, Table: iptables.Filter, IPVersion: version},
 		{Name: oldIsolationChain, Table: iptables.Filter, IPVersion: version},
@@ -544,13 +446,13 @@ func setupInternalNetworkRules(ctx context.Context, bridgeIface string, prefix n
 		inDropRule = iptables.Rule{
 			IPVer: version,
 			Table: iptables.Filter,
-			Chain: isolationChain1,
+			Chain: dockerInternalChain,
 			Args:  []string{"-i", bridgeIface, "!", "-d", prefix.String(), "-j", "DROP"},
 		}
 		outDropRule = iptables.Rule{
 			IPVer: version,
 			Table: iptables.Filter,
-			Chain: isolationChain1,
+			Chain: dockerInternalChain,
 			Args:  []string{"-o", bridgeIface, "!", "-s", prefix.String(), "-j", "DROP"},
 		}
 	} else {
@@ -558,13 +460,13 @@ func setupInternalNetworkRules(ctx context.Context, bridgeIface string, prefix n
 		inDropRule = iptables.Rule{
 			IPVer: version,
 			Table: iptables.Filter,
-			Chain: isolationChain1,
+			Chain: dockerInternalChain,
 			Args:  []string{"-i", bridgeIface, "!", "-o", bridgeIface, "!", "-d", prefix.String(), "-j", "DROP"},
 		}
 		outDropRule = iptables.Rule{
 			IPVer: version,
 			Table: iptables.Filter,
-			Chain: isolationChain1,
+			Chain: dockerInternalChain,
 			Args:  []string{"!", "-i", bridgeIface, "-o", bridgeIface, "!", "-s", prefix.String(), "-j", "DROP"},
 		}
 	}

libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_cleaned,hairpin=false,wsl2mirrored=true__iptables.golden

@@ -10,11 +10,10 @@ COMMIT
 :DOCKER-BRIDGE - [0:0]
 :DOCKER-CT - [0:0]
 :DOCKER-FORWARD - [0:0]
-:DOCKER-ISOLATION-STAGE-1 - [0:0]
+:DOCKER-INTERNAL - [0:0]
-:DOCKER-ISOLATION-STAGE-2 - [0:0]
 -A FORWARD -j DOCKER-FORWARD
 -A DOCKER-FORWARD -j DOCKER-CT
--A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1
+-A DOCKER-FORWARD -j DOCKER-INTERNAL
 -A DOCKER-FORWARD -j DOCKER-BRIDGE
 COMMIT
 *nat

libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_cleaned,hairpin=false__ip6tables.golden

@@ -10,11 +10,10 @@ COMMIT
 :DOCKER-BRIDGE - [0:0]
 :DOCKER-CT - [0:0]
 :DOCKER-FORWARD - [0:0]
-:DOCKER-ISOLATION-STAGE-1 - [0:0]
+:DOCKER-INTERNAL - [0:0]
-:DOCKER-ISOLATION-STAGE-2 - [0:0]
 -A FORWARD -j DOCKER-FORWARD
 -A DOCKER-FORWARD -j DOCKER-CT
--A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1
+-A DOCKER-FORWARD -j DOCKER-INTERNAL
 -A DOCKER-FORWARD -j DOCKER-BRIDGE
 COMMIT
 *nat

libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_cleaned,hairpin=false__iptables.golden

@@ -10,11 +10,10 @@ COMMIT
 :DOCKER-BRIDGE - [0:0]
 :DOCKER-CT - [0:0]
 :DOCKER-FORWARD - [0:0]
-:DOCKER-ISOLATION-STAGE-1 - [0:0]
+:DOCKER-INTERNAL - [0:0]
-:DOCKER-ISOLATION-STAGE-2 - [0:0]
 -A FORWARD -j DOCKER-FORWARD
 -A DOCKER-FORWARD -j DOCKER-CT
--A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1
+-A DOCKER-FORWARD -j DOCKER-INTERNAL
 -A DOCKER-FORWARD -j DOCKER-BRIDGE
 COMMIT
 *nat

libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_cleaned,hairpin=true,wsl2mirrored=true__iptables.golden

@@ -10,11 +10,10 @@ COMMIT
 :DOCKER-BRIDGE - [0:0]
 :DOCKER-CT - [0:0]
 :DOCKER-FORWARD - [0:0]
-:DOCKER-ISOLATION-STAGE-1 - [0:0]
+:DOCKER-INTERNAL - [0:0]
-:DOCKER-ISOLATION-STAGE-2 - [0:0]
 -A FORWARD -j DOCKER-FORWARD
 -A DOCKER-FORWARD -j DOCKER-CT
--A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1
+-A DOCKER-FORWARD -j DOCKER-INTERNAL
 -A DOCKER-FORWARD -j DOCKER-BRIDGE
 COMMIT
 *nat

libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_cleaned,hairpin=true__ip6tables.golden

@@ -10,11 +10,10 @@ COMMIT
 :DOCKER-BRIDGE - [0:0]
 :DOCKER-CT - [0:0]
 :DOCKER-FORWARD - [0:0]
-:DOCKER-ISOLATION-STAGE-1 - [0:0]
+:DOCKER-INTERNAL - [0:0]
-:DOCKER-ISOLATION-STAGE-2 - [0:0]
 -A FORWARD -j DOCKER-FORWARD
 -A DOCKER-FORWARD -j DOCKER-CT
--A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1
+-A DOCKER-FORWARD -j DOCKER-INTERNAL
 -A DOCKER-FORWARD -j DOCKER-BRIDGE
 COMMIT
 *nat

libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_cleaned,hairpin=true__iptables.golden

@@ -10,11 +10,10 @@ COMMIT
 :DOCKER-BRIDGE - [0:0]
 :DOCKER-CT - [0:0]
 :DOCKER-FORWARD - [0:0]
-:DOCKER-ISOLATION-STAGE-1 - [0:0]
+:DOCKER-INTERNAL - [0:0]
-:DOCKER-ISOLATION-STAGE-2 - [0:0]
 -A FORWARD -j DOCKER-FORWARD
 -A DOCKER-FORWARD -j DOCKER-CT
--A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1
+-A DOCKER-FORWARD -j DOCKER-INTERNAL
 -A DOCKER-FORWARD -j DOCKER-BRIDGE
 COMMIT
 *nat

libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=false,snat=false,gwm=nat,bindlh=false,wsl2mirrored=true__iptables.golden

@@ -11,20 +11,17 @@ COMMIT
 :DOCKER-BRIDGE - [0:0]
 :DOCKER-CT - [0:0]
 :DOCKER-FORWARD - [0:0]
-:DOCKER-ISOLATION-STAGE-1 - [0:0]
+:DOCKER-INTERNAL - [0:0]
-:DOCKER-ISOLATION-STAGE-2 - [0:0]
 -A FORWARD -j DOCKER-FORWARD
 -A DOCKER -d 192.168.0.2/32 ! -i br-dummy -o br-dummy -p tcp -m tcp --dport 80 -j ACCEPT
 -A DOCKER ! -i br-dummy -o br-dummy -j DROP
 -A DOCKER-BRIDGE -o br-dummy -j DOCKER
 -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 -A DOCKER-FORWARD -j DOCKER-CT
--A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1
+-A DOCKER-FORWARD -j DOCKER-INTERNAL
 -A DOCKER-FORWARD -j DOCKER-BRIDGE
 -A DOCKER-FORWARD -i br-dummy -o br-dummy -j DROP
 -A DOCKER-FORWARD -i br-dummy ! -o br-dummy -j ACCEPT
--A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2
--A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP
 COMMIT
 *nat
 :PREROUTING ACCEPT [0:0]

libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=false,snat=false,gwm=nat,bindlh=false__ip6tables.golden

@@ -11,20 +11,17 @@ COMMIT
 :DOCKER-BRIDGE - [0:0]
 :DOCKER-CT - [0:0]
 :DOCKER-FORWARD - [0:0]
-:DOCKER-ISOLATION-STAGE-1 - [0:0]
+:DOCKER-INTERNAL - [0:0]
-:DOCKER-ISOLATION-STAGE-2 - [0:0]
 -A FORWARD -j DOCKER-FORWARD
 -A DOCKER -d fd49:efd7:54aa::1/128 ! -i br-dummy -o br-dummy -p tcp -m tcp --dport 80 -j ACCEPT
 -A DOCKER ! -i br-dummy -o br-dummy -j DROP
 -A DOCKER-BRIDGE -o br-dummy -j DOCKER
 -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 -A DOCKER-FORWARD -j DOCKER-CT
--A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1
+-A DOCKER-FORWARD -j DOCKER-INTERNAL
 -A DOCKER-FORWARD -j DOCKER-BRIDGE
 -A DOCKER-FORWARD -i br-dummy -o br-dummy -j DROP
 -A DOCKER-FORWARD -i br-dummy ! -o br-dummy -j ACCEPT
--A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2
--A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP
 COMMIT
 *nat
 :PREROUTING ACCEPT [0:0]

libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=false,snat=false,gwm=nat,bindlh=false__iptables.golden

@@ -11,20 +11,17 @@ COMMIT
 :DOCKER-BRIDGE - [0:0]
 :DOCKER-CT - [0:0]
 :DOCKER-FORWARD - [0:0]
-:DOCKER-ISOLATION-STAGE-1 - [0:0]
+:DOCKER-INTERNAL - [0:0]
-:DOCKER-ISOLATION-STAGE-2 - [0:0]
 -A FORWARD -j DOCKER-FORWARD
 -A DOCKER -d 192.168.0.2/32 ! -i br-dummy -o br-dummy -p tcp -m tcp --dport 80 -j ACCEPT
 -A DOCKER ! -i br-dummy -o br-dummy -j DROP
 -A DOCKER-BRIDGE -o br-dummy -j DOCKER
 -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 -A DOCKER-FORWARD -j DOCKER-CT
--A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1
+-A DOCKER-FORWARD -j DOCKER-INTERNAL
 -A DOCKER-FORWARD -j DOCKER-BRIDGE
 -A DOCKER-FORWARD -i br-dummy -o br-dummy -j DROP
 -A DOCKER-FORWARD -i br-dummy ! -o br-dummy -j ACCEPT
--A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2
--A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP
 COMMIT
 *nat
 :PREROUTING ACCEPT [0:0]

libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=false,snat=false,gwm=nat,bindlh=true,wsl2mirrored=true__iptables.golden

@@ -13,20 +13,17 @@ COMMIT
 :DOCKER-BRIDGE - [0:0]
 :DOCKER-CT - [0:0]
 :DOCKER-FORWARD - [0:0]
-:DOCKER-ISOLATION-STAGE-1 - [0:0]
+:DOCKER-INTERNAL - [0:0]
-:DOCKER-ISOLATION-STAGE-2 - [0:0]
 -A FORWARD -j DOCKER-FORWARD
 -A DOCKER -d 192.168.0.2/32 ! -i br-dummy -o br-dummy -p tcp -m tcp --dport 80 -j ACCEPT
 -A DOCKER ! -i br-dummy -o br-dummy -j DROP
 -A DOCKER-BRIDGE -o br-dummy -j DOCKER
 -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 -A DOCKER-FORWARD -j DOCKER-CT
--A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1
+-A DOCKER-FORWARD -j DOCKER-INTERNAL
 -A DOCKER-FORWARD -j DOCKER-BRIDGE
 -A DOCKER-FORWARD -i br-dummy -o br-dummy -j DROP
 -A DOCKER-FORWARD -i br-dummy ! -o br-dummy -j ACCEPT
--A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2
--A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP
 COMMIT
 *nat
 :PREROUTING ACCEPT [0:0]

libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=false,snat=false,gwm=nat,bindlh=true__ip6tables.golden

@@ -11,20 +11,17 @@ COMMIT
 :DOCKER-BRIDGE - [0:0]
 :DOCKER-CT - [0:0]
 :DOCKER-FORWARD - [0:0]
-:DOCKER-ISOLATION-STAGE-1 - [0:0]
+:DOCKER-INTERNAL - [0:0]
-:DOCKER-ISOLATION-STAGE-2 - [0:0]
 -A FORWARD -j DOCKER-FORWARD
 -A DOCKER -d fd49:efd7:54aa::1/128 ! -i br-dummy -o br-dummy -p tcp -m tcp --dport 80 -j ACCEPT
 -A DOCKER ! -i br-dummy -o br-dummy -j DROP
 -A DOCKER-BRIDGE -o br-dummy -j DOCKER
 -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 -A DOCKER-FORWARD -j DOCKER-CT
--A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1
+-A DOCKER-FORWARD -j DOCKER-INTERNAL
 -A DOCKER-FORWARD -j DOCKER-BRIDGE
 -A DOCKER-FORWARD -i br-dummy -o br-dummy -j DROP
 -A DOCKER-FORWARD -i br-dummy ! -o br-dummy -j ACCEPT
--A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2
--A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP
 COMMIT
 *nat
 :PREROUTING ACCEPT [0:0]

libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=false,snat=false,gwm=nat,bindlh=true__iptables.golden

@@ -12,20 +12,17 @@ COMMIT
 :DOCKER-BRIDGE - [0:0]
 :DOCKER-CT - [0:0]
 :DOCKER-FORWARD - [0:0]
-:DOCKER-ISOLATION-STAGE-1 - [0:0]
+:DOCKER-INTERNAL - [0:0]
-:DOCKER-ISOLATION-STAGE-2 - [0:0]
 -A FORWARD -j DOCKER-FORWARD
 -A DOCKER -d 192.168.0.2/32 ! -i br-dummy -o br-dummy -p tcp -m tcp --dport 80 -j ACCEPT
 -A DOCKER ! -i br-dummy -o br-dummy -j DROP
 -A DOCKER-BRIDGE -o br-dummy -j DOCKER
 -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 -A DOCKER-FORWARD -j DOCKER-CT
--A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1
+-A DOCKER-FORWARD -j DOCKER-INTERNAL
 -A DOCKER-FORWARD -j DOCKER-BRIDGE
 -A DOCKER-FORWARD -i br-dummy -o br-dummy -j DROP
 -A DOCKER-FORWARD -i br-dummy ! -o br-dummy -j ACCEPT
--A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2
--A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP
 COMMIT
 *nat
 :PREROUTING ACCEPT [0:0]

libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=false,snat=false,gwm=nat-unprotected,bindlh=false,wsl2mirrored=true__iptables.golden

@@ -10,19 +10,16 @@ COMMIT
 :DOCKER-BRIDGE - [0:0]
 :DOCKER-CT - [0:0]
 :DOCKER-FORWARD - [0:0]
-:DOCKER-ISOLATION-STAGE-1 - [0:0]
+:DOCKER-INTERNAL - [0:0]
-:DOCKER-ISOLATION-STAGE-2 - [0:0]
 -A FORWARD -j DOCKER-FORWARD
 -A DOCKER ! -i br-dummy -o br-dummy -j ACCEPT
 -A DOCKER-BRIDGE -o br-dummy -j DOCKER
 -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 -A DOCKER-FORWARD -j DOCKER-CT
--A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1
+-A DOCKER-FORWARD -j DOCKER-INTERNAL
 -A DOCKER-FORWARD -j DOCKER-BRIDGE
 -A DOCKER-FORWARD -i br-dummy -o br-dummy -j DROP
 -A DOCKER-FORWARD -i br-dummy ! -o br-dummy -j ACCEPT
--A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2
--A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP
 COMMIT
 *nat
 :PREROUTING ACCEPT [0:0]

libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=false,snat=false,gwm=nat-unprotected,bindlh=false__ip6tables.golden

@@ -10,19 +10,16 @@ COMMIT
 :DOCKER-BRIDGE - [0:0]
 :DOCKER-CT - [0:0]
 :DOCKER-FORWARD - [0:0]
-:DOCKER-ISOLATION-STAGE-1 - [0:0]
+:DOCKER-INTERNAL - [0:0]
-:DOCKER-ISOLATION-STAGE-2 - [0:0]
 -A FORWARD -j DOCKER-FORWARD
 -A DOCKER ! -i br-dummy -o br-dummy -j ACCEPT
 -A DOCKER-BRIDGE -o br-dummy -j DOCKER
 -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 -A DOCKER-FORWARD -j DOCKER-CT
--A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1
+-A DOCKER-FORWARD -j DOCKER-INTERNAL
 -A DOCKER-FORWARD -j DOCKER-BRIDGE
 -A DOCKER-FORWARD -i br-dummy -o br-dummy -j DROP
 -A DOCKER-FORWARD -i br-dummy ! -o br-dummy -j ACCEPT
--A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2
--A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP
 COMMIT
 *nat
 :PREROUTING ACCEPT [0:0]

libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=false,snat=false,gwm=nat-unprotected,bindlh=false__iptables.golden

@@ -10,19 +10,16 @@ COMMIT
 :DOCKER-BRIDGE - [0:0]
 :DOCKER-CT - [0:0]
 :DOCKER-FORWARD - [0:0]
-:DOCKER-ISOLATION-STAGE-1 - [0:0]
+:DOCKER-INTERNAL - [0:0]
-:DOCKER-ISOLATION-STAGE-2 - [0:0]
 -A FORWARD -j DOCKER-FORWARD
 -A DOCKER ! -i br-dummy -o br-dummy -j ACCEPT
 -A DOCKER-BRIDGE -o br-dummy -j DOCKER
 -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 -A DOCKER-FORWARD -j DOCKER-CT
--A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1
+-A DOCKER-FORWARD -j DOCKER-INTERNAL
 -A DOCKER-FORWARD -j DOCKER-BRIDGE
 -A DOCKER-FORWARD -i br-dummy -o br-dummy -j DROP
 -A DOCKER-FORWARD -i br-dummy ! -o br-dummy -j ACCEPT
--A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2
--A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP
 COMMIT
 *nat
 :PREROUTING ACCEPT [0:0]

libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=false,snat=false,gwm=nat-unprotected,bindlh=true,wsl2mirrored=true__iptables.golden

@@ -12,19 +12,16 @@ COMMIT
 :DOCKER-BRIDGE - [0:0]
 :DOCKER-CT - [0:0]
 :DOCKER-FORWARD - [0:0]
-:DOCKER-ISOLATION-STAGE-1 - [0:0]
+:DOCKER-INTERNAL - [0:0]
-:DOCKER-ISOLATION-STAGE-2 - [0:0]
 -A FORWARD -j DOCKER-FORWARD
 -A DOCKER ! -i br-dummy -o br-dummy -j ACCEPT
 -A DOCKER-BRIDGE -o br-dummy -j DOCKER
 -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 -A DOCKER-FORWARD -j DOCKER-CT
--A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1
+-A DOCKER-FORWARD -j DOCKER-INTERNAL
 -A DOCKER-FORWARD -j DOCKER-BRIDGE
 -A DOCKER-FORWARD -i br-dummy -o br-dummy -j DROP
 -A DOCKER-FORWARD -i br-dummy ! -o br-dummy -j ACCEPT
--A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2
--A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP
 COMMIT
 *nat
 :PREROUTING ACCEPT [0:0]

libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=false,snat=false,gwm=nat-unprotected,bindlh=true__ip6tables.golden

@@ -10,19 +10,16 @@ COMMIT
 :DOCKER-BRIDGE - [0:0]
 :DOCKER-CT - [0:0]
 :DOCKER-FORWARD - [0:0]
-:DOCKER-ISOLATION-STAGE-1 - [0:0]
+:DOCKER-INTERNAL - [0:0]
-:DOCKER-ISOLATION-STAGE-2 - [0:0]
 -A FORWARD -j DOCKER-FORWARD
 -A DOCKER ! -i br-dummy -o br-dummy -j ACCEPT
 -A DOCKER-BRIDGE -o br-dummy -j DOCKER
 -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 -A DOCKER-FORWARD -j DOCKER-CT
--A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1
+-A DOCKER-FORWARD -j DOCKER-INTERNAL
 -A DOCKER-FORWARD -j DOCKER-BRIDGE
 -A DOCKER-FORWARD -i br-dummy -o br-dummy -j DROP
 -A DOCKER-FORWARD -i br-dummy ! -o br-dummy -j ACCEPT
--A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2
--A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP
 COMMIT
 *nat
 :PREROUTING ACCEPT [0:0]

libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=false,snat=false,gwm=nat-unprotected,bindlh=true__iptables.golden

@@ -11,19 +11,16 @@ COMMIT
 :DOCKER-BRIDGE - [0:0]
 :DOCKER-CT - [0:0]
 :DOCKER-FORWARD - [0:0]
-:DOCKER-ISOLATION-STAGE-1 - [0:0]
+:DOCKER-INTERNAL - [0:0]
-:DOCKER-ISOLATION-STAGE-2 - [0:0]
 -A FORWARD -j DOCKER-FORWARD
 -A DOCKER ! -i br-dummy -o br-dummy -j ACCEPT
 -A DOCKER-BRIDGE -o br-dummy -j DOCKER
 -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 -A DOCKER-FORWARD -j DOCKER-CT
--A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1
+-A DOCKER-FORWARD -j DOCKER-INTERNAL
 -A DOCKER-FORWARD -j DOCKER-BRIDGE
 -A DOCKER-FORWARD -i br-dummy -o br-dummy -j DROP
 -A DOCKER-FORWARD -i br-dummy ! -o br-dummy -j ACCEPT
--A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2
--A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP
 COMMIT
 *nat
 :PREROUTING ACCEPT [0:0]

libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=false,snat=false,gwm=routed,bindlh=false,wsl2mirrored=true__iptables.golden

@@ -10,8 +10,7 @@ COMMIT
 :DOCKER-BRIDGE - [0:0]
 :DOCKER-CT - [0:0]
 :DOCKER-FORWARD - [0:0]
-:DOCKER-ISOLATION-STAGE-1 - [0:0]
+:DOCKER-INTERNAL - [0:0]
-:DOCKER-ISOLATION-STAGE-2 - [0:0]
 -A FORWARD -j DOCKER-FORWARD
 -A DOCKER -d 192.168.0.2/32 ! -i br-dummy -o br-dummy -p tcp -m tcp --dport 80 -j ACCEPT
 -A DOCKER -o br-dummy -p icmp -j ACCEPT
@@ -19,14 +18,10 @@ COMMIT
 -A DOCKER-BRIDGE -o br-dummy -j DOCKER
 -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 -A DOCKER-FORWARD -j DOCKER-CT
--A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1
+-A DOCKER-FORWARD -j DOCKER-INTERNAL
 -A DOCKER-FORWARD -j DOCKER-BRIDGE
 -A DOCKER-FORWARD -i br-dummy -o br-dummy -j DROP
 -A DOCKER-FORWARD -i br-dummy ! -o br-dummy -j ACCEPT
--A DOCKER-ISOLATION-STAGE-1 -i br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
--A DOCKER-ISOLATION-STAGE-1 -o br-dummy -j RETURN
--A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2
--A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP
 COMMIT
 *nat
 :PREROUTING ACCEPT [0:0]

libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=false,snat=false,gwm=routed,bindlh=false__ip6tables.golden

@@ -10,8 +10,7 @@ COMMIT
 :DOCKER-BRIDGE - [0:0]
 :DOCKER-CT - [0:0]
 :DOCKER-FORWARD - [0:0]
-:DOCKER-ISOLATION-STAGE-1 - [0:0]
+:DOCKER-INTERNAL - [0:0]
-:DOCKER-ISOLATION-STAGE-2 - [0:0]
 -A FORWARD -j DOCKER-FORWARD
 -A DOCKER -d fd49:efd7:54aa::1/128 ! -i br-dummy -o br-dummy -p tcp -m tcp --dport 80 -j ACCEPT
 -A DOCKER -o br-dummy -p ipv6-icmp -j ACCEPT
@@ -19,14 +18,10 @@ COMMIT
 -A DOCKER-BRIDGE -o br-dummy -j DOCKER
 -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 -A DOCKER-FORWARD -j DOCKER-CT
--A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1
+-A DOCKER-FORWARD -j DOCKER-INTERNAL
 -A DOCKER-FORWARD -j DOCKER-BRIDGE
 -A DOCKER-FORWARD -i br-dummy -o br-dummy -j DROP
 -A DOCKER-FORWARD -i br-dummy ! -o br-dummy -j ACCEPT
--A DOCKER-ISOLATION-STAGE-1 -i br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
--A DOCKER-ISOLATION-STAGE-1 -o br-dummy -j RETURN
--A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2
--A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP
 COMMIT
 *nat
 :PREROUTING ACCEPT [0:0]

libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=false,snat=false,gwm=routed,bindlh=false__iptables.golden

@@ -10,8 +10,7 @@ COMMIT
 :DOCKER-BRIDGE - [0:0]
 :DOCKER-CT - [0:0]
 :DOCKER-FORWARD - [0:0]
-:DOCKER-ISOLATION-STAGE-1 - [0:0]
+:DOCKER-INTERNAL - [0:0]
-:DOCKER-ISOLATION-STAGE-2 - [0:0]
 -A FORWARD -j DOCKER-FORWARD
 -A DOCKER -d 192.168.0.2/32 ! -i br-dummy -o br-dummy -p tcp -m tcp --dport 80 -j ACCEPT
 -A DOCKER -o br-dummy -p icmp -j ACCEPT
@@ -19,14 +18,10 @@ COMMIT
 -A DOCKER-BRIDGE -o br-dummy -j DOCKER
 -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 -A DOCKER-FORWARD -j DOCKER-CT
--A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1
+-A DOCKER-FORWARD -j DOCKER-INTERNAL
 -A DOCKER-FORWARD -j DOCKER-BRIDGE
 -A DOCKER-FORWARD -i br-dummy -o br-dummy -j DROP
 -A DOCKER-FORWARD -i br-dummy ! -o br-dummy -j ACCEPT
--A DOCKER-ISOLATION-STAGE-1 -i br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
--A DOCKER-ISOLATION-STAGE-1 -o br-dummy -j RETURN
--A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2
--A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP
 COMMIT
 *nat
 :PREROUTING ACCEPT [0:0]

libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=false,snat=false,gwm=routed,bindlh=true,wsl2mirrored=true__iptables.golden

@@ -12,8 +12,7 @@ COMMIT
 :DOCKER-BRIDGE - [0:0]
 :DOCKER-CT - [0:0]
 :DOCKER-FORWARD - [0:0]
-:DOCKER-ISOLATION-STAGE-1 - [0:0]
+:DOCKER-INTERNAL - [0:0]
-:DOCKER-ISOLATION-STAGE-2 - [0:0]
 -A FORWARD -j DOCKER-FORWARD
 -A DOCKER -d 192.168.0.2/32 ! -i br-dummy -o br-dummy -p tcp -m tcp --dport 80 -j ACCEPT
 -A DOCKER -o br-dummy -p icmp -j ACCEPT
@@ -21,14 +20,10 @@ COMMIT
 -A DOCKER-BRIDGE -o br-dummy -j DOCKER
 -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 -A DOCKER-FORWARD -j DOCKER-CT
--A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1
+-A DOCKER-FORWARD -j DOCKER-INTERNAL
 -A DOCKER-FORWARD -j DOCKER-BRIDGE
 -A DOCKER-FORWARD -i br-dummy -o br-dummy -j DROP
 -A DOCKER-FORWARD -i br-dummy ! -o br-dummy -j ACCEPT
--A DOCKER-ISOLATION-STAGE-1 -i br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
--A DOCKER-ISOLATION-STAGE-1 -o br-dummy -j RETURN
--A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2
--A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP
 COMMIT
 *nat
 :PREROUTING ACCEPT [0:0]

libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=false,snat=false,gwm=routed,bindlh=true__ip6tables.golden

@@ -10,8 +10,7 @@ COMMIT
 :DOCKER-BRIDGE - [0:0]
 :DOCKER-CT - [0:0]
 :DOCKER-FORWARD - [0:0]
-:DOCKER-ISOLATION-STAGE-1 - [0:0]
+:DOCKER-INTERNAL - [0:0]
-:DOCKER-ISOLATION-STAGE-2 - [0:0]
 -A FORWARD -j DOCKER-FORWARD
 -A DOCKER -d fd49:efd7:54aa::1/128 ! -i br-dummy -o br-dummy -p tcp -m tcp --dport 80 -j ACCEPT
 -A DOCKER -o br-dummy -p ipv6-icmp -j ACCEPT
@@ -19,14 +18,10 @@ COMMIT
 -A DOCKER-BRIDGE -o br-dummy -j DOCKER
 -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 -A DOCKER-FORWARD -j DOCKER-CT
--A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1
+-A DOCKER-FORWARD -j DOCKER-INTERNAL
 -A DOCKER-FORWARD -j DOCKER-BRIDGE
 -A DOCKER-FORWARD -i br-dummy -o br-dummy -j DROP
 -A DOCKER-FORWARD -i br-dummy ! -o br-dummy -j ACCEPT
--A DOCKER-ISOLATION-STAGE-1 -i br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
--A DOCKER-ISOLATION-STAGE-1 -o br-dummy -j RETURN
--A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2
--A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP
 COMMIT
 *nat
 :PREROUTING ACCEPT [0:0]

libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=false,snat=false,gwm=routed,bindlh=true__iptables.golden

@@ -11,8 +11,7 @@ COMMIT
 :DOCKER-BRIDGE - [0:0]
 :DOCKER-CT - [0:0]
 :DOCKER-FORWARD - [0:0]
-:DOCKER-ISOLATION-STAGE-1 - [0:0]
+:DOCKER-INTERNAL - [0:0]
-:DOCKER-ISOLATION-STAGE-2 - [0:0]
 -A FORWARD -j DOCKER-FORWARD
 -A DOCKER -d 192.168.0.2/32 ! -i br-dummy -o br-dummy -p tcp -m tcp --dport 80 -j ACCEPT
 -A DOCKER -o br-dummy -p icmp -j ACCEPT
@@ -20,14 +19,10 @@ COMMIT
 -A DOCKER-BRIDGE -o br-dummy -j DOCKER
 -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 -A DOCKER-FORWARD -j DOCKER-CT
--A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1
+-A DOCKER-FORWARD -j DOCKER-INTERNAL
 -A DOCKER-FORWARD -j DOCKER-BRIDGE
 -A DOCKER-FORWARD -i br-dummy -o br-dummy -j DROP
 -A DOCKER-FORWARD -i br-dummy ! -o br-dummy -j ACCEPT
--A DOCKER-ISOLATION-STAGE-1 -i br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
--A DOCKER-ISOLATION-STAGE-1 -o br-dummy -j RETURN
--A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2
--A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP
 COMMIT
 *nat
 :PREROUTING ACCEPT [0:0]

libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=false,snat=true,gwm=nat,bindlh=false,wsl2mirrored=true__iptables.golden

@@ -11,20 +11,17 @@ COMMIT
 :DOCKER-BRIDGE - [0:0]
 :DOCKER-CT - [0:0]
 :DOCKER-FORWARD - [0:0]
-:DOCKER-ISOLATION-STAGE-1 - [0:0]
+:DOCKER-INTERNAL - [0:0]
-:DOCKER-ISOLATION-STAGE-2 - [0:0]
 -A FORWARD -j DOCKER-FORWARD
 -A DOCKER -d 192.168.0.2/32 ! -i br-dummy -o br-dummy -p tcp -m tcp --dport 80 -j ACCEPT
 -A DOCKER ! -i br-dummy -o br-dummy -j DROP
 -A DOCKER-BRIDGE -o br-dummy -j DOCKER
 -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 -A DOCKER-FORWARD -j DOCKER-CT
--A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1
+-A DOCKER-FORWARD -j DOCKER-INTERNAL
 -A DOCKER-FORWARD -j DOCKER-BRIDGE
 -A DOCKER-FORWARD -i br-dummy -o br-dummy -j DROP
 -A DOCKER-FORWARD -i br-dummy ! -o br-dummy -j ACCEPT
--A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2
--A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP
 COMMIT
 *nat
 :PREROUTING ACCEPT [0:0]

libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=false,snat=true,gwm=nat,bindlh=false__ip6tables.golden

@@ -11,20 +11,17 @@ COMMIT
 :DOCKER-BRIDGE - [0:0]
 :DOCKER-CT - [0:0]
 :DOCKER-FORWARD - [0:0]
-:DOCKER-ISOLATION-STAGE-1 - [0:0]
+:DOCKER-INTERNAL - [0:0]
-:DOCKER-ISOLATION-STAGE-2 - [0:0]
 -A FORWARD -j DOCKER-FORWARD
 -A DOCKER -d fd49:efd7:54aa::1/128 ! -i br-dummy -o br-dummy -p tcp -m tcp --dport 80 -j ACCEPT
 -A DOCKER ! -i br-dummy -o br-dummy -j DROP
 -A DOCKER-BRIDGE -o br-dummy -j DOCKER
 -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 -A DOCKER-FORWARD -j DOCKER-CT
--A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1
+-A DOCKER-FORWARD -j DOCKER-INTERNAL
 -A DOCKER-FORWARD -j DOCKER-BRIDGE
 -A DOCKER-FORWARD -i br-dummy -o br-dummy -j DROP
 -A DOCKER-FORWARD -i br-dummy ! -o br-dummy -j ACCEPT
--A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2
--A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP
 COMMIT
 *nat
 :PREROUTING ACCEPT [0:0]

libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=false,snat=true,gwm=nat,bindlh=false__iptables.golden

@@ -11,20 +11,17 @@ COMMIT
 :DOCKER-BRIDGE - [0:0]
 :DOCKER-CT - [0:0]
 :DOCKER-FORWARD - [0:0]
-:DOCKER-ISOLATION-STAGE-1 - [0:0]
+:DOCKER-INTERNAL - [0:0]
-:DOCKER-ISOLATION-STAGE-2 - [0:0]
 -A FORWARD -j DOCKER-FORWARD
 -A DOCKER -d 192.168.0.2/32 ! -i br-dummy -o br-dummy -p tcp -m tcp --dport 80 -j ACCEPT
 -A DOCKER ! -i br-dummy -o br-dummy -j DROP
 -A DOCKER-BRIDGE -o br-dummy -j DOCKER
 -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 -A DOCKER-FORWARD -j DOCKER-CT
--A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1
+-A DOCKER-FORWARD -j DOCKER-INTERNAL
 -A DOCKER-FORWARD -j DOCKER-BRIDGE
 -A DOCKER-FORWARD -i br-dummy -o br-dummy -j DROP
 -A DOCKER-FORWARD -i br-dummy ! -o br-dummy -j ACCEPT
--A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2
--A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP
 COMMIT
 *nat
 :PREROUTING ACCEPT [0:0]

libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=false,snat=true,gwm=nat,bindlh=true,wsl2mirrored=true__iptables.golden

@@ -13,20 +13,17 @@ COMMIT
 :DOCKER-BRIDGE - [0:0]
 :DOCKER-CT - [0:0]
 :DOCKER-FORWARD - [0:0]
-:DOCKER-ISOLATION-STAGE-1 - [0:0]
+:DOCKER-INTERNAL - [0:0]
-:DOCKER-ISOLATION-STAGE-2 - [0:0]
 -A FORWARD -j DOCKER-FORWARD
 -A DOCKER -d 192.168.0.2/32 ! -i br-dummy -o br-dummy -p tcp -m tcp --dport 80 -j ACCEPT
 -A DOCKER ! -i br-dummy -o br-dummy -j DROP
 -A DOCKER-BRIDGE -o br-dummy -j DOCKER
 -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 -A DOCKER-FORWARD -j DOCKER-CT
--A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1
+-A DOCKER-FORWARD -j DOCKER-INTERNAL
 -A DOCKER-FORWARD -j DOCKER-BRIDGE
 -A DOCKER-FORWARD -i br-dummy -o br-dummy -j DROP
 -A DOCKER-FORWARD -i br-dummy ! -o br-dummy -j ACCEPT
--A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2
--A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP
 COMMIT
 *nat
 :PREROUTING ACCEPT [0:0]

libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=false,snat=true,gwm=nat,bindlh=true__ip6tables.golden

@@ -11,20 +11,17 @@ COMMIT
 :DOCKER-BRIDGE - [0:0]
 :DOCKER-CT - [0:0]
 :DOCKER-FORWARD - [0:0]
-:DOCKER-ISOLATION-STAGE-1 - [0:0]
+:DOCKER-INTERNAL - [0:0]
-:DOCKER-ISOLATION-STAGE-2 - [0:0]
 -A FORWARD -j DOCKER-FORWARD
 -A DOCKER -d fd49:efd7:54aa::1/128 ! -i br-dummy -o br-dummy -p tcp -m tcp --dport 80 -j ACCEPT
 -A DOCKER ! -i br-dummy -o br-dummy -j DROP
 -A DOCKER-BRIDGE -o br-dummy -j DOCKER
 -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 -A DOCKER-FORWARD -j DOCKER-CT
--A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1
+-A DOCKER-FORWARD -j DOCKER-INTERNAL
 -A DOCKER-FORWARD -j DOCKER-BRIDGE
 -A DOCKER-FORWARD -i br-dummy -o br-dummy -j DROP
 -A DOCKER-FORWARD -i br-dummy ! -o br-dummy -j ACCEPT
--A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2
--A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP
 COMMIT
 *nat
 :PREROUTING ACCEPT [0:0]

libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=false,snat=true,gwm=nat,bindlh=true__iptables.golden

@@ -12,20 +12,17 @@ COMMIT
 :DOCKER-BRIDGE - [0:0]
 :DOCKER-CT - [0:0]
 :DOCKER-FORWARD - [0:0]
-:DOCKER-ISOLATION-STAGE-1 - [0:0]
+:DOCKER-INTERNAL - [0:0]
-:DOCKER-ISOLATION-STAGE-2 - [0:0]
 -A FORWARD -j DOCKER-FORWARD
 -A DOCKER -d 192.168.0.2/32 ! -i br-dummy -o br-dummy -p tcp -m tcp --dport 80 -j ACCEPT
 -A DOCKER ! -i br-dummy -o br-dummy -j DROP
 -A DOCKER-BRIDGE -o br-dummy -j DOCKER
 -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 -A DOCKER-FORWARD -j DOCKER-CT
--A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1
+-A DOCKER-FORWARD -j DOCKER-INTERNAL
 -A DOCKER-FORWARD -j DOCKER-BRIDGE
 -A DOCKER-FORWARD -i br-dummy -o br-dummy -j DROP
 -A DOCKER-FORWARD -i br-dummy ! -o br-dummy -j ACCEPT
--A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2
--A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP
 COMMIT
 *nat
 :PREROUTING ACCEPT [0:0]

libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=false,snat=true,gwm=nat-unprotected,bindlh=false,wsl2mirrored=true__iptables.golden

@@ -10,19 +10,16 @@ COMMIT
 :DOCKER-BRIDGE - [0:0]
 :DOCKER-CT - [0:0]
 :DOCKER-FORWARD - [0:0]
-:DOCKER-ISOLATION-STAGE-1 - [0:0]
+:DOCKER-INTERNAL - [0:0]
-:DOCKER-ISOLATION-STAGE-2 - [0:0]
 -A FORWARD -j DOCKER-FORWARD
 -A DOCKER ! -i br-dummy -o br-dummy -j ACCEPT
 -A DOCKER-BRIDGE -o br-dummy -j DOCKER
 -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 -A DOCKER-FORWARD -j DOCKER-CT
--A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1
+-A DOCKER-FORWARD -j DOCKER-INTERNAL
 -A DOCKER-FORWARD -j DOCKER-BRIDGE
 -A DOCKER-FORWARD -i br-dummy -o br-dummy -j DROP
 -A DOCKER-FORWARD -i br-dummy ! -o br-dummy -j ACCEPT
--A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2
--A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP
 COMMIT
 *nat
 :PREROUTING ACCEPT [0:0]

libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=false,snat=true,gwm=nat-unprotected,bindlh=false__ip6tables.golden

@@ -10,19 +10,16 @@ COMMIT
 :DOCKER-BRIDGE - [0:0]
 :DOCKER-CT - [0:0]
 :DOCKER-FORWARD - [0:0]
-:DOCKER-ISOLATION-STAGE-1 - [0:0]
+:DOCKER-INTERNAL - [0:0]
-:DOCKER-ISOLATION-STAGE-2 - [0:0]
 -A FORWARD -j DOCKER-FORWARD
 -A DOCKER ! -i br-dummy -o br-dummy -j ACCEPT
 -A DOCKER-BRIDGE -o br-dummy -j DOCKER
 -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 -A DOCKER-FORWARD -j DOCKER-CT
--A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1
+-A DOCKER-FORWARD -j DOCKER-INTERNAL
 -A DOCKER-FORWARD -j DOCKER-BRIDGE
 -A DOCKER-FORWARD -i br-dummy -o br-dummy -j DROP
 -A DOCKER-FORWARD -i br-dummy ! -o br-dummy -j ACCEPT
--A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2
--A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP
 COMMIT
 *nat
 :PREROUTING ACCEPT [0:0]

libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=false,snat=true,gwm=nat-unprotected,bindlh=false__iptables.golden

@@ -10,19 +10,16 @@ COMMIT
 :DOCKER-BRIDGE - [0:0]
 :DOCKER-CT - [0:0]
 :DOCKER-FORWARD - [0:0]
-:DOCKER-ISOLATION-STAGE-1 - [0:0]
+:DOCKER-INTERNAL - [0:0]
-:DOCKER-ISOLATION-STAGE-2 - [0:0]
 -A FORWARD -j DOCKER-FORWARD
 -A DOCKER ! -i br-dummy -o br-dummy -j ACCEPT
 -A DOCKER-BRIDGE -o br-dummy -j DOCKER
 -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 -A DOCKER-FORWARD -j DOCKER-CT
--A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1
+-A DOCKER-FORWARD -j DOCKER-INTERNAL
 -A DOCKER-FORWARD -j DOCKER-BRIDGE
 -A DOCKER-FORWARD -i br-dummy -o br-dummy -j DROP
 -A DOCKER-FORWARD -i br-dummy ! -o br-dummy -j ACCEPT
--A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2
--A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP
 COMMIT
 *nat
 :PREROUTING ACCEPT [0:0]

libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=false,snat=true,gwm=nat-unprotected,bindlh=true,wsl2mirrored=true__iptables.golden

@@ -12,19 +12,16 @@ COMMIT
 :DOCKER-BRIDGE - [0:0]
 :DOCKER-CT - [0:0]
 :DOCKER-FORWARD - [0:0]
-:DOCKER-ISOLATION-STAGE-1 - [0:0]
+:DOCKER-INTERNAL - [0:0]
-:DOCKER-ISOLATION-STAGE-2 - [0:0]
 -A FORWARD -j DOCKER-FORWARD
 -A DOCKER ! -i br-dummy -o br-dummy -j ACCEPT
 -A DOCKER-BRIDGE -o br-dummy -j DOCKER
 -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 -A DOCKER-FORWARD -j DOCKER-CT
--A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1
+-A DOCKER-FORWARD -j DOCKER-INTERNAL
 -A DOCKER-FORWARD -j DOCKER-BRIDGE
 -A DOCKER-FORWARD -i br-dummy -o br-dummy -j DROP
 -A DOCKER-FORWARD -i br-dummy ! -o br-dummy -j ACCEPT
--A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2
--A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP
 COMMIT
 *nat
 :PREROUTING ACCEPT [0:0]

libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=false,snat=true,gwm=nat-unprotected,bindlh=true__ip6tables.golden

@@ -10,19 +10,16 @@ COMMIT
 :DOCKER-BRIDGE - [0:0]
 :DOCKER-CT - [0:0]
 :DOCKER-FORWARD - [0:0]
-:DOCKER-ISOLATION-STAGE-1 - [0:0]
+:DOCKER-INTERNAL - [0:0]
-:DOCKER-ISOLATION-STAGE-2 - [0:0]
 -A FORWARD -j DOCKER-FORWARD
 -A DOCKER ! -i br-dummy -o br-dummy -j ACCEPT
 -A DOCKER-BRIDGE -o br-dummy -j DOCKER
 -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 -A DOCKER-FORWARD -j DOCKER-CT
--A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1
+-A DOCKER-FORWARD -j DOCKER-INTERNAL
 -A DOCKER-FORWARD -j DOCKER-BRIDGE
 -A DOCKER-FORWARD -i br-dummy -o br-dummy -j DROP
 -A DOCKER-FORWARD -i br-dummy ! -o br-dummy -j ACCEPT
--A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2
--A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP
 COMMIT
 *nat
 :PREROUTING ACCEPT [0:0]

libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=false,snat=true,gwm=nat-unprotected,bindlh=true__iptables.golden

@@ -11,19 +11,16 @@ COMMIT
 :DOCKER-BRIDGE - [0:0]
 :DOCKER-CT - [0:0]
 :DOCKER-FORWARD - [0:0]
-:DOCKER-ISOLATION-STAGE-1 - [0:0]
+:DOCKER-INTERNAL - [0:0]
-:DOCKER-ISOLATION-STAGE-2 - [0:0]
 -A FORWARD -j DOCKER-FORWARD
 -A DOCKER ! -i br-dummy -o br-dummy -j ACCEPT
 -A DOCKER-BRIDGE -o br-dummy -j DOCKER
 -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 -A DOCKER-FORWARD -j DOCKER-CT
--A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1
+-A DOCKER-FORWARD -j DOCKER-INTERNAL
 -A DOCKER-FORWARD -j DOCKER-BRIDGE
 -A DOCKER-FORWARD -i br-dummy -o br-dummy -j DROP
 -A DOCKER-FORWARD -i br-dummy ! -o br-dummy -j ACCEPT
--A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2
--A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP
 COMMIT
 *nat
 :PREROUTING ACCEPT [0:0]

libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=false,snat=true,gwm=routed,bindlh=false,wsl2mirrored=true__iptables.golden

@@ -10,8 +10,7 @@ COMMIT
 :DOCKER-BRIDGE - [0:0]
 :DOCKER-CT - [0:0]
 :DOCKER-FORWARD - [0:0]
-:DOCKER-ISOLATION-STAGE-1 - [0:0]
+:DOCKER-INTERNAL - [0:0]
-:DOCKER-ISOLATION-STAGE-2 - [0:0]
 -A FORWARD -j DOCKER-FORWARD
 -A DOCKER -d 192.168.0.2/32 ! -i br-dummy -o br-dummy -p tcp -m tcp --dport 80 -j ACCEPT
 -A DOCKER -o br-dummy -p icmp -j ACCEPT
@@ -19,14 +18,10 @@ COMMIT
 -A DOCKER-BRIDGE -o br-dummy -j DOCKER
 -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 -A DOCKER-FORWARD -j DOCKER-CT
--A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1
+-A DOCKER-FORWARD -j DOCKER-INTERNAL
 -A DOCKER-FORWARD -j DOCKER-BRIDGE
 -A DOCKER-FORWARD -i br-dummy -o br-dummy -j DROP
 -A DOCKER-FORWARD -i br-dummy ! -o br-dummy -j ACCEPT
--A DOCKER-ISOLATION-STAGE-1 -i br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
--A DOCKER-ISOLATION-STAGE-1 -o br-dummy -j RETURN
--A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2
--A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP
 COMMIT
 *nat
 :PREROUTING ACCEPT [0:0]

libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=false,snat=true,gwm=routed,bindlh=false__ip6tables.golden

@@ -10,8 +10,7 @@ COMMIT
 :DOCKER-BRIDGE - [0:0]
 :DOCKER-CT - [0:0]
 :DOCKER-FORWARD - [0:0]
-:DOCKER-ISOLATION-STAGE-1 - [0:0]
+:DOCKER-INTERNAL - [0:0]
-:DOCKER-ISOLATION-STAGE-2 - [0:0]
 -A FORWARD -j DOCKER-FORWARD
 -A DOCKER -d fd49:efd7:54aa::1/128 ! -i br-dummy -o br-dummy -p tcp -m tcp --dport 80 -j ACCEPT
 -A DOCKER -o br-dummy -p ipv6-icmp -j ACCEPT
@@ -19,14 +18,10 @@ COMMIT
 -A DOCKER-BRIDGE -o br-dummy -j DOCKER
 -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 -A DOCKER-FORWARD -j DOCKER-CT
--A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1
+-A DOCKER-FORWARD -j DOCKER-INTERNAL
 -A DOCKER-FORWARD -j DOCKER-BRIDGE
 -A DOCKER-FORWARD -i br-dummy -o br-dummy -j DROP
 -A DOCKER-FORWARD -i br-dummy ! -o br-dummy -j ACCEPT
--A DOCKER-ISOLATION-STAGE-1 -i br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
--A DOCKER-ISOLATION-STAGE-1 -o br-dummy -j RETURN
--A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2
--A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP
 COMMIT
 *nat
 :PREROUTING ACCEPT [0:0]

libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=false,snat=true,gwm=routed,bindlh=false__iptables.golden

@@ -10,8 +10,7 @@ COMMIT
 :DOCKER-BRIDGE - [0:0]
 :DOCKER-CT - [0:0]
 :DOCKER-FORWARD - [0:0]
-:DOCKER-ISOLATION-STAGE-1 - [0:0]
+:DOCKER-INTERNAL - [0:0]
-:DOCKER-ISOLATION-STAGE-2 - [0:0]
 -A FORWARD -j DOCKER-FORWARD
 -A DOCKER -d 192.168.0.2/32 ! -i br-dummy -o br-dummy -p tcp -m tcp --dport 80 -j ACCEPT
 -A DOCKER -o br-dummy -p icmp -j ACCEPT
@@ -19,14 +18,10 @@ COMMIT
 -A DOCKER-BRIDGE -o br-dummy -j DOCKER
 -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 -A DOCKER-FORWARD -j DOCKER-CT
--A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1
+-A DOCKER-FORWARD -j DOCKER-INTERNAL
 -A DOCKER-FORWARD -j DOCKER-BRIDGE
 -A DOCKER-FORWARD -i br-dummy -o br-dummy -j DROP
 -A DOCKER-FORWARD -i br-dummy ! -o br-dummy -j ACCEPT
--A DOCKER-ISOLATION-STAGE-1 -i br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
--A DOCKER-ISOLATION-STAGE-1 -o br-dummy -j RETURN
--A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2
--A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP
 COMMIT
 *nat
 :PREROUTING ACCEPT [0:0]

libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=false,snat=true,gwm=routed,bindlh=true,wsl2mirrored=true__iptables.golden

@@ -12,8 +12,7 @@ COMMIT
 :DOCKER-BRIDGE - [0:0]
 :DOCKER-CT - [0:0]
 :DOCKER-FORWARD - [0:0]
-:DOCKER-ISOLATION-STAGE-1 - [0:0]
+:DOCKER-INTERNAL - [0:0]
-:DOCKER-ISOLATION-STAGE-2 - [0:0]
 -A FORWARD -j DOCKER-FORWARD
 -A DOCKER -d 192.168.0.2/32 ! -i br-dummy -o br-dummy -p tcp -m tcp --dport 80 -j ACCEPT
 -A DOCKER -o br-dummy -p icmp -j ACCEPT
@@ -21,14 +20,10 @@ COMMIT
 -A DOCKER-BRIDGE -o br-dummy -j DOCKER
 -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 -A DOCKER-FORWARD -j DOCKER-CT
--A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1
+-A DOCKER-FORWARD -j DOCKER-INTERNAL
 -A DOCKER-FORWARD -j DOCKER-BRIDGE
 -A DOCKER-FORWARD -i br-dummy -o br-dummy -j DROP
 -A DOCKER-FORWARD -i br-dummy ! -o br-dummy -j ACCEPT
--A DOCKER-ISOLATION-STAGE-1 -i br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
--A DOCKER-ISOLATION-STAGE-1 -o br-dummy -j RETURN
--A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2
--A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP
 COMMIT
 *nat
 :PREROUTING ACCEPT [0:0]

libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=false,snat=true,gwm=routed,bindlh=true__ip6tables.golden

@@ -10,8 +10,7 @@ COMMIT
 :DOCKER-BRIDGE - [0:0]
 :DOCKER-CT - [0:0]
 :DOCKER-FORWARD - [0:0]
-:DOCKER-ISOLATION-STAGE-1 - [0:0]
+:DOCKER-INTERNAL - [0:0]
-:DOCKER-ISOLATION-STAGE-2 - [0:0]
 -A FORWARD -j DOCKER-FORWARD
 -A DOCKER -d fd49:efd7:54aa::1/128 ! -i br-dummy -o br-dummy -p tcp -m tcp --dport 80 -j ACCEPT
 -A DOCKER -o br-dummy -p ipv6-icmp -j ACCEPT
@@ -19,14 +18,10 @@ COMMIT
 -A DOCKER-BRIDGE -o br-dummy -j DOCKER
 -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 -A DOCKER-FORWARD -j DOCKER-CT
--A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1
+-A DOCKER-FORWARD -j DOCKER-INTERNAL
 -A DOCKER-FORWARD -j DOCKER-BRIDGE
 -A DOCKER-FORWARD -i br-dummy -o br-dummy -j DROP
 -A DOCKER-FORWARD -i br-dummy ! -o br-dummy -j ACCEPT
--A DOCKER-ISOLATION-STAGE-1 -i br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
--A DOCKER-ISOLATION-STAGE-1 -o br-dummy -j RETURN
--A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2
--A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP
 COMMIT
 *nat
 :PREROUTING ACCEPT [0:0]

libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=false,snat=true,gwm=routed,bindlh=true__iptables.golden

@@ -11,8 +11,7 @@ COMMIT
 :DOCKER-BRIDGE - [0:0]
 :DOCKER-CT - [0:0]
 :DOCKER-FORWARD - [0:0]
-:DOCKER-ISOLATION-STAGE-1 - [0:0]
+:DOCKER-INTERNAL - [0:0]
-:DOCKER-ISOLATION-STAGE-2 - [0:0]
 -A FORWARD -j DOCKER-FORWARD
 -A DOCKER -d 192.168.0.2/32 ! -i br-dummy -o br-dummy -p tcp -m tcp --dport 80 -j ACCEPT
 -A DOCKER -o br-dummy -p icmp -j ACCEPT
@@ -20,14 +19,10 @@ COMMIT
 -A DOCKER-BRIDGE -o br-dummy -j DOCKER
 -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 -A DOCKER-FORWARD -j DOCKER-CT
--A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1
+-A DOCKER-FORWARD -j DOCKER-INTERNAL
 -A DOCKER-FORWARD -j DOCKER-BRIDGE
 -A DOCKER-FORWARD -i br-dummy -o br-dummy -j DROP
 -A DOCKER-FORWARD -i br-dummy ! -o br-dummy -j ACCEPT
--A DOCKER-ISOLATION-STAGE-1 -i br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
--A DOCKER-ISOLATION-STAGE-1 -o br-dummy -j RETURN
--A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2
--A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP
 COMMIT
 *nat
 :PREROUTING ACCEPT [0:0]

libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=true,snat=false,gwm=nat,bindlh=false,wsl2mirrored=true__iptables.golden

@@ -11,20 +11,17 @@ COMMIT
 :DOCKER-BRIDGE - [0:0]
 :DOCKER-CT - [0:0]
 :DOCKER-FORWARD - [0:0]
-:DOCKER-ISOLATION-STAGE-1 - [0:0]
+:DOCKER-INTERNAL - [0:0]
-:DOCKER-ISOLATION-STAGE-2 - [0:0]
 -A FORWARD -j DOCKER-FORWARD
 -A DOCKER -d 192.168.0.2/32 ! -i br-dummy -o br-dummy -p tcp -m tcp --dport 80 -j ACCEPT
 -A DOCKER ! -i br-dummy -o br-dummy -j DROP
 -A DOCKER-BRIDGE -o br-dummy -j DOCKER
 -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 -A DOCKER-FORWARD -j DOCKER-CT
--A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1
+-A DOCKER-FORWARD -j DOCKER-INTERNAL
 -A DOCKER-FORWARD -j DOCKER-BRIDGE
 -A DOCKER-FORWARD -i br-dummy -o br-dummy -j DROP
 -A DOCKER-FORWARD -i br-dummy ! -o br-dummy -j ACCEPT
--A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2
--A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP
 COMMIT
 *nat
 :PREROUTING ACCEPT [0:0]
@@ -35,7 +32,6 @@ COMMIT
 -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
 -A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
 -A POSTROUTING -s 192.168.0.0/24 ! -o br-dummy -j MASQUERADE
--A DOCKER -i br-dummy -j RETURN
 -A DOCKER -d 127.0.0.0/8 -i loopback0 -j RETURN
 -A DOCKER ! -i br-dummy -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.168.0.2:80
 COMMIT

libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=true,snat=false,gwm=nat,bindlh=false__ip6tables.golden

@@ -11,20 +11,17 @@ COMMIT
 :DOCKER-BRIDGE - [0:0]
 :DOCKER-CT - [0:0]
 :DOCKER-FORWARD - [0:0]
-:DOCKER-ISOLATION-STAGE-1 - [0:0]
+:DOCKER-INTERNAL - [0:0]
-:DOCKER-ISOLATION-STAGE-2 - [0:0]
 -A FORWARD -j DOCKER-FORWARD
 -A DOCKER -d fd49:efd7:54aa::1/128 ! -i br-dummy -o br-dummy -p tcp -m tcp --dport 80 -j ACCEPT
 -A DOCKER ! -i br-dummy -o br-dummy -j DROP
 -A DOCKER-BRIDGE -o br-dummy -j DOCKER
 -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 -A DOCKER-FORWARD -j DOCKER-CT
--A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1
+-A DOCKER-FORWARD -j DOCKER-INTERNAL
 -A DOCKER-FORWARD -j DOCKER-BRIDGE
 -A DOCKER-FORWARD -i br-dummy -o br-dummy -j DROP
 -A DOCKER-FORWARD -i br-dummy ! -o br-dummy -j ACCEPT
--A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2
--A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP
 COMMIT
 *nat
 :PREROUTING ACCEPT [0:0]
@@ -35,6 +32,5 @@ COMMIT
 -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
 -A OUTPUT ! -d ::1/128 -m addrtype --dst-type LOCAL -j DOCKER
 -A POSTROUTING -s fd49:efd7:54aa::/64 ! -o br-dummy -j MASQUERADE
--A DOCKER -i br-dummy -j RETURN
 -A DOCKER ! -s fe80::/10 ! -i br-dummy -p tcp -m tcp --dport 8080 -j DNAT --to-destination [fd49:efd7:54aa::1]:80
 COMMIT

libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=true,snat=false,gwm=nat,bindlh=false__iptables.golden

@@ -11,20 +11,17 @@ COMMIT
 :DOCKER-BRIDGE - [0:0]
 :DOCKER-CT - [0:0]
 :DOCKER-FORWARD - [0:0]
-:DOCKER-ISOLATION-STAGE-1 - [0:0]
+:DOCKER-INTERNAL - [0:0]
-:DOCKER-ISOLATION-STAGE-2 - [0:0]
 -A FORWARD -j DOCKER-FORWARD
 -A DOCKER -d 192.168.0.2/32 ! -i br-dummy -o br-dummy -p tcp -m tcp --dport 80 -j ACCEPT
 -A DOCKER ! -i br-dummy -o br-dummy -j DROP
 -A DOCKER-BRIDGE -o br-dummy -j DOCKER
 -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 -A DOCKER-FORWARD -j DOCKER-CT
--A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1
+-A DOCKER-FORWARD -j DOCKER-INTERNAL
 -A DOCKER-FORWARD -j DOCKER-BRIDGE
 -A DOCKER-FORWARD -i br-dummy -o br-dummy -j DROP
 -A DOCKER-FORWARD -i br-dummy ! -o br-dummy -j ACCEPT
--A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2
--A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP
 COMMIT
 *nat
 :PREROUTING ACCEPT [0:0]
@@ -35,6 +32,5 @@ COMMIT
 -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
 -A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
 -A POSTROUTING -s 192.168.0.0/24 ! -o br-dummy -j MASQUERADE
--A DOCKER -i br-dummy -j RETURN
 -A DOCKER ! -i br-dummy -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.168.0.2:80
 COMMIT

libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=true,snat=false,gwm=nat,bindlh=true,wsl2mirrored=true__iptables.golden

@@ -13,20 +13,17 @@ COMMIT
 :DOCKER-BRIDGE - [0:0]
 :DOCKER-CT - [0:0]
 :DOCKER-FORWARD - [0:0]
-:DOCKER-ISOLATION-STAGE-1 - [0:0]
+:DOCKER-INTERNAL - [0:0]
-:DOCKER-ISOLATION-STAGE-2 - [0:0]
 -A FORWARD -j DOCKER-FORWARD
 -A DOCKER -d 192.168.0.2/32 ! -i br-dummy -o br-dummy -p tcp -m tcp --dport 80 -j ACCEPT
 -A DOCKER ! -i br-dummy -o br-dummy -j DROP
 -A DOCKER-BRIDGE -o br-dummy -j DOCKER
 -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 -A DOCKER-FORWARD -j DOCKER-CT
--A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1
+-A DOCKER-FORWARD -j DOCKER-INTERNAL
 -A DOCKER-FORWARD -j DOCKER-BRIDGE
 -A DOCKER-FORWARD -i br-dummy -o br-dummy -j DROP
 -A DOCKER-FORWARD -i br-dummy ! -o br-dummy -j ACCEPT
--A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2
--A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP
 COMMIT
 *nat
 :PREROUTING ACCEPT [0:0]
@@ -37,7 +34,6 @@ COMMIT
 -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
 -A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
 -A POSTROUTING -s 192.168.0.0/24 ! -o br-dummy -j MASQUERADE
--A DOCKER -i br-dummy -j RETURN
 -A DOCKER -d 127.0.0.0/8 -i loopback0 -j RETURN
 -A DOCKER -d 127.0.0.1/32 ! -i br-dummy -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.168.0.2:80
 COMMIT

libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=true,snat=false,gwm=nat,bindlh=true__ip6tables.golden

@@ -11,20 +11,17 @@ COMMIT
 :DOCKER-BRIDGE - [0:0]
 :DOCKER-CT - [0:0]
 :DOCKER-FORWARD - [0:0]
-:DOCKER-ISOLATION-STAGE-1 - [0:0]
+:DOCKER-INTERNAL - [0:0]
-:DOCKER-ISOLATION-STAGE-2 - [0:0]
 -A FORWARD -j DOCKER-FORWARD
 -A DOCKER -d fd49:efd7:54aa::1/128 ! -i br-dummy -o br-dummy -p tcp -m tcp --dport 80 -j ACCEPT
 -A DOCKER ! -i br-dummy -o br-dummy -j DROP
 -A DOCKER-BRIDGE -o br-dummy -j DOCKER
 -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 -A DOCKER-FORWARD -j DOCKER-CT
--A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1
+-A DOCKER-FORWARD -j DOCKER-INTERNAL
 -A DOCKER-FORWARD -j DOCKER-BRIDGE
 -A DOCKER-FORWARD -i br-dummy -o br-dummy -j DROP
 -A DOCKER-FORWARD -i br-dummy ! -o br-dummy -j ACCEPT
--A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2
--A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP
 COMMIT
 *nat
 :PREROUTING ACCEPT [0:0]
@@ -35,6 +32,5 @@ COMMIT
 -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
 -A OUTPUT ! -d ::1/128 -m addrtype --dst-type LOCAL -j DOCKER
 -A POSTROUTING -s fd49:efd7:54aa::/64 ! -o br-dummy -j MASQUERADE
--A DOCKER -i br-dummy -j RETURN
 -A DOCKER ! -s fe80::/10 -d ::1/128 ! -i br-dummy -p tcp -m tcp --dport 8080 -j DNAT --to-destination [fd49:efd7:54aa::1]:80
 COMMIT

libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=true,snat=false,gwm=nat,bindlh=true__iptables.golden

@@ -12,20 +12,17 @@ COMMIT
 :DOCKER-BRIDGE - [0:0]
 :DOCKER-CT - [0:0]
 :DOCKER-FORWARD - [0:0]
-:DOCKER-ISOLATION-STAGE-1 - [0:0]
+:DOCKER-INTERNAL - [0:0]
-:DOCKER-ISOLATION-STAGE-2 - [0:0]
 -A FORWARD -j DOCKER-FORWARD
 -A DOCKER -d 192.168.0.2/32 ! -i br-dummy -o br-dummy -p tcp -m tcp --dport 80 -j ACCEPT
 -A DOCKER ! -i br-dummy -o br-dummy -j DROP
 -A DOCKER-BRIDGE -o br-dummy -j DOCKER
 -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 -A DOCKER-FORWARD -j DOCKER-CT
--A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1
+-A DOCKER-FORWARD -j DOCKER-INTERNAL
 -A DOCKER-FORWARD -j DOCKER-BRIDGE
 -A DOCKER-FORWARD -i br-dummy -o br-dummy -j DROP
 -A DOCKER-FORWARD -i br-dummy ! -o br-dummy -j ACCEPT
--A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2
--A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP
 COMMIT
 *nat
 :PREROUTING ACCEPT [0:0]
@@ -36,6 +33,5 @@ COMMIT
 -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
 -A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
 -A POSTROUTING -s 192.168.0.0/24 ! -o br-dummy -j MASQUERADE
--A DOCKER -i br-dummy -j RETURN
 -A DOCKER -d 127.0.0.1/32 ! -i br-dummy -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.168.0.2:80
 COMMIT

libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=true,snat=false,gwm=nat-unprotected,bindlh=false,wsl2mirrored=true__iptables.golden

@@ -10,19 +10,16 @@ COMMIT
 :DOCKER-BRIDGE - [0:0]
 :DOCKER-CT - [0:0]
 :DOCKER-FORWARD - [0:0]
-:DOCKER-ISOLATION-STAGE-1 - [0:0]
+:DOCKER-INTERNAL - [0:0]
-:DOCKER-ISOLATION-STAGE-2 - [0:0]
 -A FORWARD -j DOCKER-FORWARD
 -A DOCKER ! -i br-dummy -o br-dummy -j ACCEPT
 -A DOCKER-BRIDGE -o br-dummy -j DOCKER
 -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 -A DOCKER-FORWARD -j DOCKER-CT
--A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1
+-A DOCKER-FORWARD -j DOCKER-INTERNAL
 -A DOCKER-FORWARD -j DOCKER-BRIDGE
 -A DOCKER-FORWARD -i br-dummy -o br-dummy -j DROP
 -A DOCKER-FORWARD -i br-dummy ! -o br-dummy -j ACCEPT
--A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2
--A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP
 COMMIT
 *nat
 :PREROUTING ACCEPT [0:0]
@@ -33,7 +30,6 @@ COMMIT
 -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
 -A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
 -A POSTROUTING -s 192.168.0.0/24 ! -o br-dummy -j MASQUERADE
--A DOCKER -i br-dummy -j RETURN
 -A DOCKER -d 127.0.0.0/8 -i loopback0 -j RETURN
 -A DOCKER ! -i br-dummy -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.168.0.2:80
 COMMIT

libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=true,snat=false,gwm=nat-unprotected,bindlh=false__ip6tables.golden

@@ -10,19 +10,16 @@ COMMIT
 :DOCKER-BRIDGE - [0:0]
 :DOCKER-CT - [0:0]
 :DOCKER-FORWARD - [0:0]
-:DOCKER-ISOLATION-STAGE-1 - [0:0]
+:DOCKER-INTERNAL - [0:0]
-:DOCKER-ISOLATION-STAGE-2 - [0:0]
 -A FORWARD -j DOCKER-FORWARD
 -A DOCKER ! -i br-dummy -o br-dummy -j ACCEPT
 -A DOCKER-BRIDGE -o br-dummy -j DOCKER
 -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 -A DOCKER-FORWARD -j DOCKER-CT
--A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1
+-A DOCKER-FORWARD -j DOCKER-INTERNAL
 -A DOCKER-FORWARD -j DOCKER-BRIDGE
 -A DOCKER-FORWARD -i br-dummy -o br-dummy -j DROP
 -A DOCKER-FORWARD -i br-dummy ! -o br-dummy -j ACCEPT
--A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2
--A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP
 COMMIT
 *nat
 :PREROUTING ACCEPT [0:0]
@@ -33,6 +30,5 @@ COMMIT
 -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
 -A OUTPUT ! -d ::1/128 -m addrtype --dst-type LOCAL -j DOCKER
 -A POSTROUTING -s fd49:efd7:54aa::/64 ! -o br-dummy -j MASQUERADE
--A DOCKER -i br-dummy -j RETURN
 -A DOCKER ! -s fe80::/10 ! -i br-dummy -p tcp -m tcp --dport 8080 -j DNAT --to-destination [fd49:efd7:54aa::1]:80
 COMMIT

libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=true,snat=false,gwm=nat-unprotected,bindlh=false__iptables.golden

@@ -10,19 +10,16 @@ COMMIT
 :DOCKER-BRIDGE - [0:0]
 :DOCKER-CT - [0:0]
 :DOCKER-FORWARD - [0:0]
-:DOCKER-ISOLATION-STAGE-1 - [0:0]
+:DOCKER-INTERNAL - [0:0]
-:DOCKER-ISOLATION-STAGE-2 - [0:0]
 -A FORWARD -j DOCKER-FORWARD
 -A DOCKER ! -i br-dummy -o br-dummy -j ACCEPT
 -A DOCKER-BRIDGE -o br-dummy -j DOCKER
 -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 -A DOCKER-FORWARD -j DOCKER-CT
--A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1
+-A DOCKER-FORWARD -j DOCKER-INTERNAL
 -A DOCKER-FORWARD -j DOCKER-BRIDGE
 -A DOCKER-FORWARD -i br-dummy -o br-dummy -j DROP
 -A DOCKER-FORWARD -i br-dummy ! -o br-dummy -j ACCEPT
--A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2
--A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP
 COMMIT
 *nat
 :PREROUTING ACCEPT [0:0]
@@ -33,6 +30,5 @@ COMMIT
 -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
 -A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
 -A POSTROUTING -s 192.168.0.0/24 ! -o br-dummy -j MASQUERADE
--A DOCKER -i br-dummy -j RETURN
 -A DOCKER ! -i br-dummy -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.168.0.2:80
 COMMIT

libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=true,snat=false,gwm=nat-unprotected,bindlh=true,wsl2mirrored=true__iptables.golden

@@ -12,19 +12,16 @@ COMMIT
 :DOCKER-BRIDGE - [0:0]
 :DOCKER-CT - [0:0]
 :DOCKER-FORWARD - [0:0]
-:DOCKER-ISOLATION-STAGE-1 - [0:0]
+:DOCKER-INTERNAL - [0:0]
-:DOCKER-ISOLATION-STAGE-2 - [0:0]
 -A FORWARD -j DOCKER-FORWARD
 -A DOCKER ! -i br-dummy -o br-dummy -j ACCEPT
 -A DOCKER-BRIDGE -o br-dummy -j DOCKER
 -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 -A DOCKER-FORWARD -j DOCKER-CT
--A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1
+-A DOCKER-FORWARD -j DOCKER-INTERNAL
 -A DOCKER-FORWARD -j DOCKER-BRIDGE
 -A DOCKER-FORWARD -i br-dummy -o br-dummy -j DROP
 -A DOCKER-FORWARD -i br-dummy ! -o br-dummy -j ACCEPT
--A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2
--A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP
 COMMIT
 *nat
 :PREROUTING ACCEPT [0:0]
@@ -35,7 +32,6 @@ COMMIT
 -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
 -A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
 -A POSTROUTING -s 192.168.0.0/24 ! -o br-dummy -j MASQUERADE
--A DOCKER -i br-dummy -j RETURN
 -A DOCKER -d 127.0.0.0/8 -i loopback0 -j RETURN
 -A DOCKER -d 127.0.0.1/32 ! -i br-dummy -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.168.0.2:80
 COMMIT

libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=true,snat=false,gwm=nat-unprotected,bindlh=true__ip6tables.golden

@@ -10,19 +10,16 @@ COMMIT
 :DOCKER-BRIDGE - [0:0]
 :DOCKER-CT - [0:0]
 :DOCKER-FORWARD - [0:0]
-:DOCKER-ISOLATION-STAGE-1 - [0:0]
+:DOCKER-INTERNAL - [0:0]
-:DOCKER-ISOLATION-STAGE-2 - [0:0]
 -A FORWARD -j DOCKER-FORWARD
 -A DOCKER ! -i br-dummy -o br-dummy -j ACCEPT
 -A DOCKER-BRIDGE -o br-dummy -j DOCKER
 -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 -A DOCKER-FORWARD -j DOCKER-CT
--A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1
+-A DOCKER-FORWARD -j DOCKER-INTERNAL
 -A DOCKER-FORWARD -j DOCKER-BRIDGE
 -A DOCKER-FORWARD -i br-dummy -o br-dummy -j DROP
 -A DOCKER-FORWARD -i br-dummy ! -o br-dummy -j ACCEPT
--A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2
--A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP
 COMMIT
 *nat
 :PREROUTING ACCEPT [0:0]
@@ -33,6 +30,5 @@ COMMIT
 -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
 -A OUTPUT ! -d ::1/128 -m addrtype --dst-type LOCAL -j DOCKER
 -A POSTROUTING -s fd49:efd7:54aa::/64 ! -o br-dummy -j MASQUERADE
--A DOCKER -i br-dummy -j RETURN
 -A DOCKER ! -s fe80::/10 -d ::1/128 ! -i br-dummy -p tcp -m tcp --dport 8080 -j DNAT --to-destination [fd49:efd7:54aa::1]:80
 COMMIT

libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=true,snat=false,gwm=nat-unprotected,bindlh=true__iptables.golden

@@ -11,19 +11,16 @@ COMMIT
 :DOCKER-BRIDGE - [0:0]
 :DOCKER-CT - [0:0]
 :DOCKER-FORWARD - [0:0]
-:DOCKER-ISOLATION-STAGE-1 - [0:0]
+:DOCKER-INTERNAL - [0:0]
-:DOCKER-ISOLATION-STAGE-2 - [0:0]
 -A FORWARD -j DOCKER-FORWARD
 -A DOCKER ! -i br-dummy -o br-dummy -j ACCEPT
 -A DOCKER-BRIDGE -o br-dummy -j DOCKER
 -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 -A DOCKER-FORWARD -j DOCKER-CT
--A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1
+-A DOCKER-FORWARD -j DOCKER-INTERNAL
 -A DOCKER-FORWARD -j DOCKER-BRIDGE
 -A DOCKER-FORWARD -i br-dummy -o br-dummy -j DROP
 -A DOCKER-FORWARD -i br-dummy ! -o br-dummy -j ACCEPT
--A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2
--A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP
 COMMIT
 *nat
 :PREROUTING ACCEPT [0:0]
@@ -34,6 +31,5 @@ COMMIT
 -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
 -A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
 -A POSTROUTING -s 192.168.0.0/24 ! -o br-dummy -j MASQUERADE
--A DOCKER -i br-dummy -j RETURN
 -A DOCKER -d 127.0.0.1/32 ! -i br-dummy -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.168.0.2:80
 COMMIT

libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=true,snat=false,gwm=routed,bindlh=false,wsl2mirrored=true__iptables.golden

@@ -10,8 +10,7 @@ COMMIT
 :DOCKER-BRIDGE - [0:0]
 :DOCKER-CT - [0:0]
 :DOCKER-FORWARD - [0:0]
-:DOCKER-ISOLATION-STAGE-1 - [0:0]
+:DOCKER-INTERNAL - [0:0]
-:DOCKER-ISOLATION-STAGE-2 - [0:0]
 -A FORWARD -j DOCKER-FORWARD
 -A DOCKER -d 192.168.0.2/32 ! -i br-dummy -o br-dummy -p tcp -m tcp --dport 80 -j ACCEPT
 -A DOCKER -o br-dummy -p icmp -j ACCEPT
@@ -19,14 +18,10 @@ COMMIT
 -A DOCKER-BRIDGE -o br-dummy -j DOCKER
 -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 -A DOCKER-FORWARD -j DOCKER-CT
--A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1
+-A DOCKER-FORWARD -j DOCKER-INTERNAL
 -A DOCKER-FORWARD -j DOCKER-BRIDGE
 -A DOCKER-FORWARD -i br-dummy -o br-dummy -j DROP
 -A DOCKER-FORWARD -i br-dummy ! -o br-dummy -j ACCEPT
--A DOCKER-ISOLATION-STAGE-1 -i br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
--A DOCKER-ISOLATION-STAGE-1 -o br-dummy -j RETURN
--A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2
--A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP
 COMMIT
 *nat
 :PREROUTING ACCEPT [0:0]
@@ -36,7 +31,6 @@ COMMIT
 :DOCKER - [0:0]
 -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
 -A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
--A DOCKER -i br-dummy -j RETURN
 -A DOCKER -d 127.0.0.0/8 -i loopback0 -j RETURN
 -A DOCKER ! -i br-dummy -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.168.0.2:80
 COMMIT

libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=true,snat=false,gwm=routed,bindlh=false__ip6tables.golden

@@ -10,8 +10,7 @@ COMMIT
 :DOCKER-BRIDGE - [0:0]
 :DOCKER-CT - [0:0]
 :DOCKER-FORWARD - [0:0]
-:DOCKER-ISOLATION-STAGE-1 - [0:0]
+:DOCKER-INTERNAL - [0:0]
-:DOCKER-ISOLATION-STAGE-2 - [0:0]
 -A FORWARD -j DOCKER-FORWARD
 -A DOCKER -d fd49:efd7:54aa::1/128 ! -i br-dummy -o br-dummy -p tcp -m tcp --dport 80 -j ACCEPT
 -A DOCKER -o br-dummy -p ipv6-icmp -j ACCEPT
@@ -19,14 +18,10 @@ COMMIT
 -A DOCKER-BRIDGE -o br-dummy -j DOCKER
 -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 -A DOCKER-FORWARD -j DOCKER-CT
--A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1
+-A DOCKER-FORWARD -j DOCKER-INTERNAL
 -A DOCKER-FORWARD -j DOCKER-BRIDGE
 -A DOCKER-FORWARD -i br-dummy -o br-dummy -j DROP
 -A DOCKER-FORWARD -i br-dummy ! -o br-dummy -j ACCEPT
--A DOCKER-ISOLATION-STAGE-1 -i br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
--A DOCKER-ISOLATION-STAGE-1 -o br-dummy -j RETURN
--A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2
--A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP
 COMMIT
 *nat
 :PREROUTING ACCEPT [0:0]
@@ -36,6 +31,5 @@ COMMIT
 :DOCKER - [0:0]
 -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
 -A OUTPUT ! -d ::1/128 -m addrtype --dst-type LOCAL -j DOCKER
--A DOCKER -i br-dummy -j RETURN
 -A DOCKER ! -s fe80::/10 ! -i br-dummy -p tcp -m tcp --dport 8080 -j DNAT --to-destination [fd49:efd7:54aa::1]:80
 COMMIT

libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=true,snat=false,gwm=routed,bindlh=false__iptables.golden

@@ -10,8 +10,7 @@ COMMIT
 :DOCKER-BRIDGE - [0:0]
 :DOCKER-CT - [0:0]
 :DOCKER-FORWARD - [0:0]
-:DOCKER-ISOLATION-STAGE-1 - [0:0]
+:DOCKER-INTERNAL - [0:0]
-:DOCKER-ISOLATION-STAGE-2 - [0:0]
 -A FORWARD -j DOCKER-FORWARD
 -A DOCKER -d 192.168.0.2/32 ! -i br-dummy -o br-dummy -p tcp -m tcp --dport 80 -j ACCEPT
 -A DOCKER -o br-dummy -p icmp -j ACCEPT
@@ -19,14 +18,10 @@ COMMIT
 -A DOCKER-BRIDGE -o br-dummy -j DOCKER
 -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 -A DOCKER-FORWARD -j DOCKER-CT
--A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1
+-A DOCKER-FORWARD -j DOCKER-INTERNAL
 -A DOCKER-FORWARD -j DOCKER-BRIDGE
 -A DOCKER-FORWARD -i br-dummy -o br-dummy -j DROP
 -A DOCKER-FORWARD -i br-dummy ! -o br-dummy -j ACCEPT
--A DOCKER-ISOLATION-STAGE-1 -i br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
--A DOCKER-ISOLATION-STAGE-1 -o br-dummy -j RETURN
--A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2
--A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP
 COMMIT
 *nat
 :PREROUTING ACCEPT [0:0]
@@ -36,6 +31,5 @@ COMMIT
 :DOCKER - [0:0]
 -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
 -A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
--A DOCKER -i br-dummy -j RETURN
 -A DOCKER ! -i br-dummy -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.168.0.2:80
 COMMIT

libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=true,snat=false,gwm=routed,bindlh=true,wsl2mirrored=true__iptables.golden

@@ -12,8 +12,7 @@ COMMIT
 :DOCKER-BRIDGE - [0:0]
 :DOCKER-CT - [0:0]
 :DOCKER-FORWARD - [0:0]
-:DOCKER-ISOLATION-STAGE-1 - [0:0]
+:DOCKER-INTERNAL - [0:0]
-:DOCKER-ISOLATION-STAGE-2 - [0:0]
 -A FORWARD -j DOCKER-FORWARD
 -A DOCKER -d 192.168.0.2/32 ! -i br-dummy -o br-dummy -p tcp -m tcp --dport 80 -j ACCEPT
 -A DOCKER -o br-dummy -p icmp -j ACCEPT
@@ -21,14 +20,10 @@ COMMIT
 -A DOCKER-BRIDGE -o br-dummy -j DOCKER
 -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 -A DOCKER-FORWARD -j DOCKER-CT
--A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1
+-A DOCKER-FORWARD -j DOCKER-INTERNAL
 -A DOCKER-FORWARD -j DOCKER-BRIDGE
 -A DOCKER-FORWARD -i br-dummy -o br-dummy -j DROP
 -A DOCKER-FORWARD -i br-dummy ! -o br-dummy -j ACCEPT
--A DOCKER-ISOLATION-STAGE-1 -i br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
--A DOCKER-ISOLATION-STAGE-1 -o br-dummy -j RETURN
--A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2
--A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP
 COMMIT
 *nat
 :PREROUTING ACCEPT [0:0]
@@ -38,7 +33,6 @@ COMMIT
 :DOCKER - [0:0]
 -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
 -A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
--A DOCKER -i br-dummy -j RETURN
 -A DOCKER -d 127.0.0.0/8 -i loopback0 -j RETURN
 -A DOCKER -d 127.0.0.1/32 ! -i br-dummy -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.168.0.2:80
 COMMIT

libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=true,snat=false,gwm=routed,bindlh=true__ip6tables.golden

@@ -10,8 +10,7 @@ COMMIT
 :DOCKER-BRIDGE - [0:0]
 :DOCKER-CT - [0:0]
 :DOCKER-FORWARD - [0:0]
-:DOCKER-ISOLATION-STAGE-1 - [0:0]
+:DOCKER-INTERNAL - [0:0]
-:DOCKER-ISOLATION-STAGE-2 - [0:0]
 -A FORWARD -j DOCKER-FORWARD
 -A DOCKER -d fd49:efd7:54aa::1/128 ! -i br-dummy -o br-dummy -p tcp -m tcp --dport 80 -j ACCEPT
 -A DOCKER -o br-dummy -p ipv6-icmp -j ACCEPT
@@ -19,14 +18,10 @@ COMMIT
 -A DOCKER-BRIDGE -o br-dummy -j DOCKER
 -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 -A DOCKER-FORWARD -j DOCKER-CT
--A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1
+-A DOCKER-FORWARD -j DOCKER-INTERNAL
 -A DOCKER-FORWARD -j DOCKER-BRIDGE
 -A DOCKER-FORWARD -i br-dummy -o br-dummy -j DROP
 -A DOCKER-FORWARD -i br-dummy ! -o br-dummy -j ACCEPT
--A DOCKER-ISOLATION-STAGE-1 -i br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
--A DOCKER-ISOLATION-STAGE-1 -o br-dummy -j RETURN
--A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2
--A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP
 COMMIT
 *nat
 :PREROUTING ACCEPT [0:0]
@@ -36,6 +31,5 @@ COMMIT
 :DOCKER - [0:0]
 -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
 -A OUTPUT ! -d ::1/128 -m addrtype --dst-type LOCAL -j DOCKER
--A DOCKER -i br-dummy -j RETURN
 -A DOCKER ! -s fe80::/10 -d ::1/128 ! -i br-dummy -p tcp -m tcp --dport 8080 -j DNAT --to-destination [fd49:efd7:54aa::1]:80
 COMMIT

libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=true,snat=false,gwm=routed,bindlh=true__iptables.golden

@@ -11,8 +11,7 @@ COMMIT
 :DOCKER-BRIDGE - [0:0]
 :DOCKER-CT - [0:0]
 :DOCKER-FORWARD - [0:0]
-:DOCKER-ISOLATION-STAGE-1 - [0:0]
+:DOCKER-INTERNAL - [0:0]
-:DOCKER-ISOLATION-STAGE-2 - [0:0]
 -A FORWARD -j DOCKER-FORWARD
 -A DOCKER -d 192.168.0.2/32 ! -i br-dummy -o br-dummy -p tcp -m tcp --dport 80 -j ACCEPT
 -A DOCKER -o br-dummy -p icmp -j ACCEPT
@@ -20,14 +19,10 @@ COMMIT
 -A DOCKER-BRIDGE -o br-dummy -j DOCKER
 -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 -A DOCKER-FORWARD -j DOCKER-CT
--A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1
+-A DOCKER-FORWARD -j DOCKER-INTERNAL
 -A DOCKER-FORWARD -j DOCKER-BRIDGE
 -A DOCKER-FORWARD -i br-dummy -o br-dummy -j DROP
 -A DOCKER-FORWARD -i br-dummy ! -o br-dummy -j ACCEPT
--A DOCKER-ISOLATION-STAGE-1 -i br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
--A DOCKER-ISOLATION-STAGE-1 -o br-dummy -j RETURN
--A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2
--A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP
 COMMIT
 *nat
 :PREROUTING ACCEPT [0:0]
@@ -37,6 +32,5 @@ COMMIT
 :DOCKER - [0:0]
 -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
 -A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
--A DOCKER -i br-dummy -j RETURN
 -A DOCKER -d 127.0.0.1/32 ! -i br-dummy -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.168.0.2:80
 COMMIT

libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=true,snat=true,gwm=nat,bindlh=false,wsl2mirrored=true__iptables.golden

@@ -11,20 +11,17 @@ COMMIT
 :DOCKER-BRIDGE - [0:0]
 :DOCKER-CT - [0:0]
 :DOCKER-FORWARD - [0:0]
-:DOCKER-ISOLATION-STAGE-1 - [0:0]
+:DOCKER-INTERNAL - [0:0]
-:DOCKER-ISOLATION-STAGE-2 - [0:0]
 -A FORWARD -j DOCKER-FORWARD
 -A DOCKER -d 192.168.0.2/32 ! -i br-dummy -o br-dummy -p tcp -m tcp --dport 80 -j ACCEPT
 -A DOCKER ! -i br-dummy -o br-dummy -j DROP
 -A DOCKER-BRIDGE -o br-dummy -j DOCKER
 -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 -A DOCKER-FORWARD -j DOCKER-CT
--A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1
+-A DOCKER-FORWARD -j DOCKER-INTERNAL
 -A DOCKER-FORWARD -j DOCKER-BRIDGE
 -A DOCKER-FORWARD -i br-dummy -o br-dummy -j DROP
 -A DOCKER-FORWARD -i br-dummy ! -o br-dummy -j ACCEPT
--A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2
--A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP
 COMMIT
 *nat
 :PREROUTING ACCEPT [0:0]
@@ -35,7 +32,6 @@ COMMIT
 -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
 -A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
 -A POSTROUTING -s 192.168.0.0/24 ! -o br-dummy -j SNAT --to-source 192.168.123.0
--A DOCKER -i br-dummy -j RETURN
 -A DOCKER -d 127.0.0.0/8 -i loopback0 -j RETURN
 -A DOCKER ! -i br-dummy -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.168.0.2:80
 COMMIT

libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=true,snat=true,gwm=nat,bindlh=false__ip6tables.golden

@@ -11,20 +11,17 @@ COMMIT
 :DOCKER-BRIDGE - [0:0]
 :DOCKER-CT - [0:0]
 :DOCKER-FORWARD - [0:0]
-:DOCKER-ISOLATION-STAGE-1 - [0:0]
+:DOCKER-INTERNAL - [0:0]
-:DOCKER-ISOLATION-STAGE-2 - [0:0]
 -A FORWARD -j DOCKER-FORWARD
 -A DOCKER -d fd49:efd7:54aa::1/128 ! -i br-dummy -o br-dummy -p tcp -m tcp --dport 80 -j ACCEPT
 -A DOCKER ! -i br-dummy -o br-dummy -j DROP
 -A DOCKER-BRIDGE -o br-dummy -j DOCKER
 -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 -A DOCKER-FORWARD -j DOCKER-CT
--A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1
+-A DOCKER-FORWARD -j DOCKER-INTERNAL
 -A DOCKER-FORWARD -j DOCKER-BRIDGE
 -A DOCKER-FORWARD -i br-dummy -o br-dummy -j DROP
 -A DOCKER-FORWARD -i br-dummy ! -o br-dummy -j ACCEPT
--A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2
--A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP
 COMMIT
 *nat
 :PREROUTING ACCEPT [0:0]
@@ -35,6 +32,5 @@ COMMIT
 -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
 -A OUTPUT ! -d ::1/128 -m addrtype --dst-type LOCAL -j DOCKER
 -A POSTROUTING -s fd49:efd7:54aa::/64 ! -o br-dummy -j SNAT --to-source fd34:d0d4:672f::123
--A DOCKER -i br-dummy -j RETURN
 -A DOCKER ! -s fe80::/10 ! -i br-dummy -p tcp -m tcp --dport 8080 -j DNAT --to-destination [fd49:efd7:54aa::1]:80
 COMMIT

libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=true,snat=true,gwm=nat,bindlh=false__iptables.golden

@@ -11,20 +11,17 @@ COMMIT
 :DOCKER-BRIDGE - [0:0]
 :DOCKER-CT - [0:0]
 :DOCKER-FORWARD - [0:0]
-:DOCKER-ISOLATION-STAGE-1 - [0:0]
+:DOCKER-INTERNAL - [0:0]
-:DOCKER-ISOLATION-STAGE-2 - [0:0]
 -A FORWARD -j DOCKER-FORWARD
 -A DOCKER -d 192.168.0.2/32 ! -i br-dummy -o br-dummy -p tcp -m tcp --dport 80 -j ACCEPT
 -A DOCKER ! -i br-dummy -o br-dummy -j DROP
 -A DOCKER-BRIDGE -o br-dummy -j DOCKER
 -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 -A DOCKER-FORWARD -j DOCKER-CT
--A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1
+-A DOCKER-FORWARD -j DOCKER-INTERNAL
 -A DOCKER-FORWARD -j DOCKER-BRIDGE
 -A DOCKER-FORWARD -i br-dummy -o br-dummy -j DROP
 -A DOCKER-FORWARD -i br-dummy ! -o br-dummy -j ACCEPT
--A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2
--A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP
 COMMIT
 *nat
 :PREROUTING ACCEPT [0:0]
@@ -35,6 +32,5 @@ COMMIT
 -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
 -A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
 -A POSTROUTING -s 192.168.0.0/24 ! -o br-dummy -j SNAT --to-source 192.168.123.0
--A DOCKER -i br-dummy -j RETURN
 -A DOCKER ! -i br-dummy -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.168.0.2:80
 COMMIT

libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=true,snat=true,gwm=nat,bindlh=true,wsl2mirrored=true__iptables.golden

@@ -13,20 +13,17 @@ COMMIT
 :DOCKER-BRIDGE - [0:0]
 :DOCKER-CT - [0:0]
 :DOCKER-FORWARD - [0:0]
-:DOCKER-ISOLATION-STAGE-1 - [0:0]
+:DOCKER-INTERNAL - [0:0]
-:DOCKER-ISOLATION-STAGE-2 - [0:0]
 -A FORWARD -j DOCKER-FORWARD
 -A DOCKER -d 192.168.0.2/32 ! -i br-dummy -o br-dummy -p tcp -m tcp --dport 80 -j ACCEPT
 -A DOCKER ! -i br-dummy -o br-dummy -j DROP
 -A DOCKER-BRIDGE -o br-dummy -j DOCKER
 -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 -A DOCKER-FORWARD -j DOCKER-CT
--A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1
+-A DOCKER-FORWARD -j DOCKER-INTERNAL
 -A DOCKER-FORWARD -j DOCKER-BRIDGE
 -A DOCKER-FORWARD -i br-dummy -o br-dummy -j DROP
 -A DOCKER-FORWARD -i br-dummy ! -o br-dummy -j ACCEPT
--A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2
--A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP
 COMMIT
 *nat
 :PREROUTING ACCEPT [0:0]
@@ -37,7 +34,6 @@ COMMIT
 -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
 -A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
 -A POSTROUTING -s 192.168.0.0/24 ! -o br-dummy -j SNAT --to-source 192.168.123.0
--A DOCKER -i br-dummy -j RETURN
 -A DOCKER -d 127.0.0.0/8 -i loopback0 -j RETURN
 -A DOCKER -d 127.0.0.1/32 ! -i br-dummy -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.168.0.2:80
 COMMIT

libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=true,snat=true,gwm=nat,bindlh=true__ip6tables.golden

@@ -11,20 +11,17 @@ COMMIT
 :DOCKER-BRIDGE - [0:0]
 :DOCKER-CT - [0:0]
 :DOCKER-FORWARD - [0:0]
-:DOCKER-ISOLATION-STAGE-1 - [0:0]
+:DOCKER-INTERNAL - [0:0]
-:DOCKER-ISOLATION-STAGE-2 - [0:0]
 -A FORWARD -j DOCKER-FORWARD
 -A DOCKER -d fd49:efd7:54aa::1/128 ! -i br-dummy -o br-dummy -p tcp -m tcp --dport 80 -j ACCEPT
 -A DOCKER ! -i br-dummy -o br-dummy -j DROP
 -A DOCKER-BRIDGE -o br-dummy -j DOCKER
 -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 -A DOCKER-FORWARD -j DOCKER-CT
--A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1
+-A DOCKER-FORWARD -j DOCKER-INTERNAL
 -A DOCKER-FORWARD -j DOCKER-BRIDGE
 -A DOCKER-FORWARD -i br-dummy -o br-dummy -j DROP
 -A DOCKER-FORWARD -i br-dummy ! -o br-dummy -j ACCEPT
--A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2
--A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP
 COMMIT
 *nat
 :PREROUTING ACCEPT [0:0]
@@ -35,6 +32,5 @@ COMMIT
 -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
 -A OUTPUT ! -d ::1/128 -m addrtype --dst-type LOCAL -j DOCKER
 -A POSTROUTING -s fd49:efd7:54aa::/64 ! -o br-dummy -j SNAT --to-source fd34:d0d4:672f::123
--A DOCKER -i br-dummy -j RETURN
 -A DOCKER ! -s fe80::/10 -d ::1/128 ! -i br-dummy -p tcp -m tcp --dport 8080 -j DNAT --to-destination [fd49:efd7:54aa::1]:80
 COMMIT

libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=true,snat=true,gwm=nat,bindlh=true__iptables.golden

@@ -12,20 +12,17 @@ COMMIT
 :DOCKER-BRIDGE - [0:0]
 :DOCKER-CT - [0:0]
 :DOCKER-FORWARD - [0:0]
-:DOCKER-ISOLATION-STAGE-1 - [0:0]
+:DOCKER-INTERNAL - [0:0]
-:DOCKER-ISOLATION-STAGE-2 - [0:0]
 -A FORWARD -j DOCKER-FORWARD
 -A DOCKER -d 192.168.0.2/32 ! -i br-dummy -o br-dummy -p tcp -m tcp --dport 80 -j ACCEPT
 -A DOCKER ! -i br-dummy -o br-dummy -j DROP
 -A DOCKER-BRIDGE -o br-dummy -j DOCKER
 -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 -A DOCKER-FORWARD -j DOCKER-CT
--A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1
+-A DOCKER-FORWARD -j DOCKER-INTERNAL
 -A DOCKER-FORWARD -j DOCKER-BRIDGE
 -A DOCKER-FORWARD -i br-dummy -o br-dummy -j DROP
 -A DOCKER-FORWARD -i br-dummy ! -o br-dummy -j ACCEPT
--A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2
--A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP
 COMMIT
 *nat
 :PREROUTING ACCEPT [0:0]
@@ -36,6 +33,5 @@ COMMIT
 -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
 -A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
 -A POSTROUTING -s 192.168.0.0/24 ! -o br-dummy -j SNAT --to-source 192.168.123.0
--A DOCKER -i br-dummy -j RETURN
 -A DOCKER -d 127.0.0.1/32 ! -i br-dummy -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.168.0.2:80
 COMMIT

libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=true,snat=true,gwm=nat-unprotected,bindlh=false,wsl2mirrored=true__iptables.golden

@@ -10,19 +10,16 @@ COMMIT
 :DOCKER-BRIDGE - [0:0]
 :DOCKER-CT - [0:0]
 :DOCKER-FORWARD - [0:0]
-:DOCKER-ISOLATION-STAGE-1 - [0:0]
+:DOCKER-INTERNAL - [0:0]
-:DOCKER-ISOLATION-STAGE-2 - [0:0]
 -A FORWARD -j DOCKER-FORWARD
 -A DOCKER ! -i br-dummy -o br-dummy -j ACCEPT
 -A DOCKER-BRIDGE -o br-dummy -j DOCKER
 -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 -A DOCKER-FORWARD -j DOCKER-CT
--A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1
+-A DOCKER-FORWARD -j DOCKER-INTERNAL
 -A DOCKER-FORWARD -j DOCKER-BRIDGE
 -A DOCKER-FORWARD -i br-dummy -o br-dummy -j DROP
 -A DOCKER-FORWARD -i br-dummy ! -o br-dummy -j ACCEPT
--A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2
--A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP
 COMMIT
 *nat
 :PREROUTING ACCEPT [0:0]
@@ -33,7 +30,6 @@ COMMIT
 -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
 -A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
 -A POSTROUTING -s 192.168.0.0/24 ! -o br-dummy -j SNAT --to-source 192.168.123.0
--A DOCKER -i br-dummy -j RETURN
 -A DOCKER -d 127.0.0.0/8 -i loopback0 -j RETURN
 -A DOCKER ! -i br-dummy -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.168.0.2:80
 COMMIT

libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=true,snat=true,gwm=nat-unprotected,bindlh=false__ip6tables.golden

@@ -10,19 +10,16 @@ COMMIT
 :DOCKER-BRIDGE - [0:0]
 :DOCKER-CT - [0:0]
 :DOCKER-FORWARD - [0:0]
-:DOCKER-ISOLATION-STAGE-1 - [0:0]
+:DOCKER-INTERNAL - [0:0]
-:DOCKER-ISOLATION-STAGE-2 - [0:0]
 -A FORWARD -j DOCKER-FORWARD
 -A DOCKER ! -i br-dummy -o br-dummy -j ACCEPT
 -A DOCKER-BRIDGE -o br-dummy -j DOCKER
 -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 -A DOCKER-FORWARD -j DOCKER-CT
--A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1
+-A DOCKER-FORWARD -j DOCKER-INTERNAL
 -A DOCKER-FORWARD -j DOCKER-BRIDGE
 -A DOCKER-FORWARD -i br-dummy -o br-dummy -j DROP
 -A DOCKER-FORWARD -i br-dummy ! -o br-dummy -j ACCEPT
--A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2
--A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP
 COMMIT
 *nat
 :PREROUTING ACCEPT [0:0]
@@ -33,6 +30,5 @@ COMMIT
 -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
 -A OUTPUT ! -d ::1/128 -m addrtype --dst-type LOCAL -j DOCKER
 -A POSTROUTING -s fd49:efd7:54aa::/64 ! -o br-dummy -j SNAT --to-source fd34:d0d4:672f::123
--A DOCKER -i br-dummy -j RETURN
 -A DOCKER ! -s fe80::/10 ! -i br-dummy -p tcp -m tcp --dport 8080 -j DNAT --to-destination [fd49:efd7:54aa::1]:80
 COMMIT

libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=true,snat=true,gwm=nat-unprotected,bindlh=false__iptables.golden

@@ -10,19 +10,16 @@ COMMIT
 :DOCKER-BRIDGE - [0:0]
 :DOCKER-CT - [0:0]
 :DOCKER-FORWARD - [0:0]
-:DOCKER-ISOLATION-STAGE-1 - [0:0]
+:DOCKER-INTERNAL - [0:0]
-:DOCKER-ISOLATION-STAGE-2 - [0:0]
 -A FORWARD -j DOCKER-FORWARD
 -A DOCKER ! -i br-dummy -o br-dummy -j ACCEPT
 -A DOCKER-BRIDGE -o br-dummy -j DOCKER
 -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 -A DOCKER-FORWARD -j DOCKER-CT
--A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1
+-A DOCKER-FORWARD -j DOCKER-INTERNAL
 -A DOCKER-FORWARD -j DOCKER-BRIDGE
 -A DOCKER-FORWARD -i br-dummy -o br-dummy -j DROP
 -A DOCKER-FORWARD -i br-dummy ! -o br-dummy -j ACCEPT
--A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2
--A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP
 COMMIT
 *nat
 :PREROUTING ACCEPT [0:0]
@@ -33,6 +30,5 @@ COMMIT
 -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
 -A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
 -A POSTROUTING -s 192.168.0.0/24 ! -o br-dummy -j SNAT --to-source 192.168.123.0
--A DOCKER -i br-dummy -j RETURN
 -A DOCKER ! -i br-dummy -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.168.0.2:80
 COMMIT

libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=true,snat=true,gwm=nat-unprotected,bindlh=true,wsl2mirrored=true__iptables.golden

@@ -12,19 +12,16 @@ COMMIT
 :DOCKER-BRIDGE - [0:0]
 :DOCKER-CT - [0:0]
 :DOCKER-FORWARD - [0:0]
-:DOCKER-ISOLATION-STAGE-1 - [0:0]
+:DOCKER-INTERNAL - [0:0]
-:DOCKER-ISOLATION-STAGE-2 - [0:0]
 -A FORWARD -j DOCKER-FORWARD
 -A DOCKER ! -i br-dummy -o br-dummy -j ACCEPT
 -A DOCKER-BRIDGE -o br-dummy -j DOCKER
 -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 -A DOCKER-FORWARD -j DOCKER-CT
--A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1
+-A DOCKER-FORWARD -j DOCKER-INTERNAL
 -A DOCKER-FORWARD -j DOCKER-BRIDGE
 -A DOCKER-FORWARD -i br-dummy -o br-dummy -j DROP
 -A DOCKER-FORWARD -i br-dummy ! -o br-dummy -j ACCEPT
--A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2
--A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP
 COMMIT
 *nat
 :PREROUTING ACCEPT [0:0]
@@ -35,7 +32,6 @@ COMMIT
 -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
 -A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
 -A POSTROUTING -s 192.168.0.0/24 ! -o br-dummy -j SNAT --to-source 192.168.123.0
--A DOCKER -i br-dummy -j RETURN
 -A DOCKER -d 127.0.0.0/8 -i loopback0 -j RETURN
 -A DOCKER -d 127.0.0.1/32 ! -i br-dummy -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.168.0.2:80
 COMMIT

libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=true,snat=true,gwm=nat-unprotected,bindlh=true__ip6tables.golden

@@ -10,19 +10,16 @@ COMMIT
 :DOCKER-BRIDGE - [0:0]
 :DOCKER-CT - [0:0]
 :DOCKER-FORWARD - [0:0]
-:DOCKER-ISOLATION-STAGE-1 - [0:0]
+:DOCKER-INTERNAL - [0:0]
-:DOCKER-ISOLATION-STAGE-2 - [0:0]
 -A FORWARD -j DOCKER-FORWARD
 -A DOCKER ! -i br-dummy -o br-dummy -j ACCEPT
 -A DOCKER-BRIDGE -o br-dummy -j DOCKER
 -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 -A DOCKER-FORWARD -j DOCKER-CT
--A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1
+-A DOCKER-FORWARD -j DOCKER-INTERNAL
 -A DOCKER-FORWARD -j DOCKER-BRIDGE
 -A DOCKER-FORWARD -i br-dummy -o br-dummy -j DROP
 -A DOCKER-FORWARD -i br-dummy ! -o br-dummy -j ACCEPT
--A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2
--A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP
 COMMIT
 *nat
 :PREROUTING ACCEPT [0:0]
@@ -33,6 +30,5 @@ COMMIT
 -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
 -A OUTPUT ! -d ::1/128 -m addrtype --dst-type LOCAL -j DOCKER
 -A POSTROUTING -s fd49:efd7:54aa::/64 ! -o br-dummy -j SNAT --to-source fd34:d0d4:672f::123
--A DOCKER -i br-dummy -j RETURN
 -A DOCKER ! -s fe80::/10 -d ::1/128 ! -i br-dummy -p tcp -m tcp --dport 8080 -j DNAT --to-destination [fd49:efd7:54aa::1]:80
 COMMIT

libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=true,snat=true,gwm=nat-unprotected,bindlh=true__iptables.golden

@@ -11,19 +11,16 @@ COMMIT
 :DOCKER-BRIDGE - [0:0]
 :DOCKER-CT - [0:0]
 :DOCKER-FORWARD - [0:0]
-:DOCKER-ISOLATION-STAGE-1 - [0:0]
+:DOCKER-INTERNAL - [0:0]
-:DOCKER-ISOLATION-STAGE-2 - [0:0]
 -A FORWARD -j DOCKER-FORWARD
 -A DOCKER ! -i br-dummy -o br-dummy -j ACCEPT
 -A DOCKER-BRIDGE -o br-dummy -j DOCKER
 -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 -A DOCKER-FORWARD -j DOCKER-CT
--A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1
+-A DOCKER-FORWARD -j DOCKER-INTERNAL
 -A DOCKER-FORWARD -j DOCKER-BRIDGE
 -A DOCKER-FORWARD -i br-dummy -o br-dummy -j DROP
 -A DOCKER-FORWARD -i br-dummy ! -o br-dummy -j ACCEPT
--A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2
--A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP
 COMMIT
 *nat
 :PREROUTING ACCEPT [0:0]
@@ -34,6 +31,5 @@ COMMIT
 -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
 -A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
 -A POSTROUTING -s 192.168.0.0/24 ! -o br-dummy -j SNAT --to-source 192.168.123.0
--A DOCKER -i br-dummy -j RETURN
 -A DOCKER -d 127.0.0.1/32 ! -i br-dummy -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.168.0.2:80
 COMMIT

libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=true,snat=true,gwm=routed,bindlh=false,wsl2mirrored=true__iptables.golden

@@ -10,8 +10,7 @@ COMMIT
 :DOCKER-BRIDGE - [0:0]
 :DOCKER-CT - [0:0]
 :DOCKER-FORWARD - [0:0]
-:DOCKER-ISOLATION-STAGE-1 - [0:0]
+:DOCKER-INTERNAL - [0:0]
-:DOCKER-ISOLATION-STAGE-2 - [0:0]
 -A FORWARD -j DOCKER-FORWARD
 -A DOCKER -d 192.168.0.2/32 ! -i br-dummy -o br-dummy -p tcp -m tcp --dport 80 -j ACCEPT
 -A DOCKER -o br-dummy -p icmp -j ACCEPT
@@ -19,14 +18,10 @@ COMMIT
 -A DOCKER-BRIDGE -o br-dummy -j DOCKER
 -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 -A DOCKER-FORWARD -j DOCKER-CT
--A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1
+-A DOCKER-FORWARD -j DOCKER-INTERNAL
 -A DOCKER-FORWARD -j DOCKER-BRIDGE
 -A DOCKER-FORWARD -i br-dummy -o br-dummy -j DROP
 -A DOCKER-FORWARD -i br-dummy ! -o br-dummy -j ACCEPT
--A DOCKER-ISOLATION-STAGE-1 -i br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
--A DOCKER-ISOLATION-STAGE-1 -o br-dummy -j RETURN
--A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2
--A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP
 COMMIT
 *nat
 :PREROUTING ACCEPT [0:0]
@@ -36,7 +31,6 @@ COMMIT
 :DOCKER - [0:0]
 -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
 -A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
--A DOCKER -i br-dummy -j RETURN
 -A DOCKER -d 127.0.0.0/8 -i loopback0 -j RETURN
 -A DOCKER ! -i br-dummy -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.168.0.2:80
 COMMIT

libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=true,snat=true,gwm=routed,bindlh=false__ip6tables.golden

@@ -10,8 +10,7 @@ COMMIT
 :DOCKER-BRIDGE - [0:0]
 :DOCKER-CT - [0:0]
 :DOCKER-FORWARD - [0:0]
-:DOCKER-ISOLATION-STAGE-1 - [0:0]
+:DOCKER-INTERNAL - [0:0]
-:DOCKER-ISOLATION-STAGE-2 - [0:0]
 -A FORWARD -j DOCKER-FORWARD
 -A DOCKER -d fd49:efd7:54aa::1/128 ! -i br-dummy -o br-dummy -p tcp -m tcp --dport 80 -j ACCEPT
 -A DOCKER -o br-dummy -p ipv6-icmp -j ACCEPT
@@ -19,14 +18,10 @@ COMMIT
 -A DOCKER-BRIDGE -o br-dummy -j DOCKER
 -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 -A DOCKER-FORWARD -j DOCKER-CT
--A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1
+-A DOCKER-FORWARD -j DOCKER-INTERNAL
 -A DOCKER-FORWARD -j DOCKER-BRIDGE
 -A DOCKER-FORWARD -i br-dummy -o br-dummy -j DROP
 -A DOCKER-FORWARD -i br-dummy ! -o br-dummy -j ACCEPT
--A DOCKER-ISOLATION-STAGE-1 -i br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
--A DOCKER-ISOLATION-STAGE-1 -o br-dummy -j RETURN
--A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2
--A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP
 COMMIT
 *nat
 :PREROUTING ACCEPT [0:0]
@@ -36,6 +31,5 @@ COMMIT
 :DOCKER - [0:0]
 -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
 -A OUTPUT ! -d ::1/128 -m addrtype --dst-type LOCAL -j DOCKER
--A DOCKER -i br-dummy -j RETURN
 -A DOCKER ! -s fe80::/10 ! -i br-dummy -p tcp -m tcp --dport 8080 -j DNAT --to-destination [fd49:efd7:54aa::1]:80
 COMMIT

libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=true,snat=true,gwm=routed,bindlh=false__iptables.golden

@@ -10,8 +10,7 @@ COMMIT
 :DOCKER-BRIDGE - [0:0]
 :DOCKER-CT - [0:0]
 :DOCKER-FORWARD - [0:0]
-:DOCKER-ISOLATION-STAGE-1 - [0:0]
+:DOCKER-INTERNAL - [0:0]
-:DOCKER-ISOLATION-STAGE-2 - [0:0]
 -A FORWARD -j DOCKER-FORWARD
 -A DOCKER -d 192.168.0.2/32 ! -i br-dummy -o br-dummy -p tcp -m tcp --dport 80 -j ACCEPT
 -A DOCKER -o br-dummy -p icmp -j ACCEPT
@@ -19,14 +18,10 @@ COMMIT
 -A DOCKER-BRIDGE -o br-dummy -j DOCKER
 -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 -A DOCKER-FORWARD -j DOCKER-CT
--A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1
+-A DOCKER-FORWARD -j DOCKER-INTERNAL
 -A DOCKER-FORWARD -j DOCKER-BRIDGE
 -A DOCKER-FORWARD -i br-dummy -o br-dummy -j DROP
 -A DOCKER-FORWARD -i br-dummy ! -o br-dummy -j ACCEPT
--A DOCKER-ISOLATION-STAGE-1 -i br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
--A DOCKER-ISOLATION-STAGE-1 -o br-dummy -j RETURN
--A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2
--A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP
 COMMIT
 *nat
 :PREROUTING ACCEPT [0:0]
@@ -36,6 +31,5 @@ COMMIT
 :DOCKER - [0:0]
 -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
 -A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
--A DOCKER -i br-dummy -j RETURN
 -A DOCKER ! -i br-dummy -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.168.0.2:80
 COMMIT

libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=true,snat=true,gwm=routed,bindlh=true,wsl2mirrored=true__iptables.golden

@@ -12,8 +12,7 @@ COMMIT
 :DOCKER-BRIDGE - [0:0]
 :DOCKER-CT - [0:0]
 :DOCKER-FORWARD - [0:0]
-:DOCKER-ISOLATION-STAGE-1 - [0:0]
+:DOCKER-INTERNAL - [0:0]
-:DOCKER-ISOLATION-STAGE-2 - [0:0]
 -A FORWARD -j DOCKER-FORWARD
 -A DOCKER -d 192.168.0.2/32 ! -i br-dummy -o br-dummy -p tcp -m tcp --dport 80 -j ACCEPT
 -A DOCKER -o br-dummy -p icmp -j ACCEPT
@@ -21,14 +20,10 @@ COMMIT
 -A DOCKER-BRIDGE -o br-dummy -j DOCKER
 -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 -A DOCKER-FORWARD -j DOCKER-CT
--A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1
+-A DOCKER-FORWARD -j DOCKER-INTERNAL
 -A DOCKER-FORWARD -j DOCKER-BRIDGE
 -A DOCKER-FORWARD -i br-dummy -o br-dummy -j DROP
 -A DOCKER-FORWARD -i br-dummy ! -o br-dummy -j ACCEPT
--A DOCKER-ISOLATION-STAGE-1 -i br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
--A DOCKER-ISOLATION-STAGE-1 -o br-dummy -j RETURN
--A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2
--A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP
 COMMIT
 *nat
 :PREROUTING ACCEPT [0:0]
@@ -38,7 +33,6 @@ COMMIT
 :DOCKER - [0:0]
 -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
 -A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
--A DOCKER -i br-dummy -j RETURN
 -A DOCKER -d 127.0.0.0/8 -i loopback0 -j RETURN
 -A DOCKER -d 127.0.0.1/32 ! -i br-dummy -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.168.0.2:80
 COMMIT

libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=true,snat=true,gwm=routed,bindlh=true__ip6tables.golden

@@ -10,8 +10,7 @@ COMMIT
 :DOCKER-BRIDGE - [0:0]
 :DOCKER-CT - [0:0]
 :DOCKER-FORWARD - [0:0]
-:DOCKER-ISOLATION-STAGE-1 - [0:0]
+:DOCKER-INTERNAL - [0:0]
-:DOCKER-ISOLATION-STAGE-2 - [0:0]
 -A FORWARD -j DOCKER-FORWARD
 -A DOCKER -d fd49:efd7:54aa::1/128 ! -i br-dummy -o br-dummy -p tcp -m tcp --dport 80 -j ACCEPT
 -A DOCKER -o br-dummy -p ipv6-icmp -j ACCEPT
@@ -19,14 +18,10 @@ COMMIT
 -A DOCKER-BRIDGE -o br-dummy -j DOCKER
 -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 -A DOCKER-FORWARD -j DOCKER-CT
--A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1
+-A DOCKER-FORWARD -j DOCKER-INTERNAL
 -A DOCKER-FORWARD -j DOCKER-BRIDGE
 -A DOCKER-FORWARD -i br-dummy -o br-dummy -j DROP
 -A DOCKER-FORWARD -i br-dummy ! -o br-dummy -j ACCEPT
--A DOCKER-ISOLATION-STAGE-1 -i br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
--A DOCKER-ISOLATION-STAGE-1 -o br-dummy -j RETURN
--A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2
--A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP
 COMMIT
 *nat
 :PREROUTING ACCEPT [0:0]
@@ -36,6 +31,5 @@ COMMIT
 :DOCKER - [0:0]
 -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
 -A OUTPUT ! -d ::1/128 -m addrtype --dst-type LOCAL -j DOCKER
--A DOCKER -i br-dummy -j RETURN
 -A DOCKER ! -s fe80::/10 -d ::1/128 ! -i br-dummy -p tcp -m tcp --dport 8080 -j DNAT --to-destination [fd49:efd7:54aa::1]:80
 COMMIT

libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=true,snat=true,gwm=routed,bindlh=true__iptables.golden

@@ -11,8 +11,7 @@ COMMIT
 :DOCKER-BRIDGE - [0:0]
 :DOCKER-CT - [0:0]
 :DOCKER-FORWARD - [0:0]
-:DOCKER-ISOLATION-STAGE-1 - [0:0]
+:DOCKER-INTERNAL - [0:0]
-:DOCKER-ISOLATION-STAGE-2 - [0:0]
 -A FORWARD -j DOCKER-FORWARD
 -A DOCKER -d 192.168.0.2/32 ! -i br-dummy -o br-dummy -p tcp -m tcp --dport 80 -j ACCEPT
 -A DOCKER -o br-dummy -p icmp -j ACCEPT
@@ -20,14 +19,10 @@ COMMIT
 -A DOCKER-BRIDGE -o br-dummy -j DOCKER
 -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 -A DOCKER-FORWARD -j DOCKER-CT
--A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1
+-A DOCKER-FORWARD -j DOCKER-INTERNAL
 -A DOCKER-FORWARD -j DOCKER-BRIDGE
 -A DOCKER-FORWARD -i br-dummy -o br-dummy -j DROP
 -A DOCKER-FORWARD -i br-dummy ! -o br-dummy -j ACCEPT
--A DOCKER-ISOLATION-STAGE-1 -i br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
--A DOCKER-ISOLATION-STAGE-1 -o br-dummy -j RETURN
--A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2
--A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP
 COMMIT
 *nat
 :PREROUTING ACCEPT [0:0]
@@ -37,6 +32,5 @@ COMMIT
 :DOCKER - [0:0]
 -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
 -A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
--A DOCKER -i br-dummy -j RETURN
 -A DOCKER -d 127.0.0.1/32 ! -i br-dummy -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.168.0.2:80
 COMMIT

libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=false,snat=false,gwm=nat,bindlh=false,wsl2mirrored=true__iptables.golden

@@ -11,19 +11,16 @@ COMMIT
 :DOCKER-BRIDGE - [0:0]
 :DOCKER-CT - [0:0]
 :DOCKER-FORWARD - [0:0]
-:DOCKER-ISOLATION-STAGE-1 - [0:0]
+:DOCKER-INTERNAL - [0:0]
-:DOCKER-ISOLATION-STAGE-2 - [0:0]
 -A FORWARD -j DOCKER-FORWARD
 -A DOCKER -d 192.168.0.2/32 ! -i br-dummy -o br-dummy -p tcp -m tcp --dport 80 -j ACCEPT
 -A DOCKER ! -i br-dummy -o br-dummy -j DROP
 -A DOCKER-BRIDGE -o br-dummy -j DOCKER
 -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 -A DOCKER-FORWARD -j DOCKER-CT
--A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1
+-A DOCKER-FORWARD -j DOCKER-INTERNAL
 -A DOCKER-FORWARD -j DOCKER-BRIDGE
 -A DOCKER-FORWARD -i br-dummy -j ACCEPT
--A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2
--A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP
 COMMIT
 *nat
 :PREROUTING ACCEPT [0:0]

libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=false,snat=false,gwm=nat,bindlh=false__ip6tables.golden

@@ -11,19 +11,16 @@ COMMIT
 :DOCKER-BRIDGE - [0:0]
 :DOCKER-CT - [0:0]
 :DOCKER-FORWARD - [0:0]
-:DOCKER-ISOLATION-STAGE-1 - [0:0]
+:DOCKER-INTERNAL - [0:0]
-:DOCKER-ISOLATION-STAGE-2 - [0:0]
 -A FORWARD -j DOCKER-FORWARD
 -A DOCKER -d fd49:efd7:54aa::1/128 ! -i br-dummy -o br-dummy -p tcp -m tcp --dport 80 -j ACCEPT
 -A DOCKER ! -i br-dummy -o br-dummy -j DROP
 -A DOCKER-BRIDGE -o br-dummy -j DOCKER
 -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 -A DOCKER-FORWARD -j DOCKER-CT
--A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1
+-A DOCKER-FORWARD -j DOCKER-INTERNAL
 -A DOCKER-FORWARD -j DOCKER-BRIDGE
 -A DOCKER-FORWARD -i br-dummy -j ACCEPT
--A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2
--A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP
 COMMIT
 *nat
 :PREROUTING ACCEPT [0:0]

libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=false,snat=false,gwm=nat,bindlh=false__iptables.golden

@@ -11,19 +11,16 @@ COMMIT
 :DOCKER-BRIDGE - [0:0]
 :DOCKER-CT - [0:0]
 :DOCKER-FORWARD - [0:0]
-:DOCKER-ISOLATION-STAGE-1 - [0:0]
+:DOCKER-INTERNAL - [0:0]
-:DOCKER-ISOLATION-STAGE-2 - [0:0]
 -A FORWARD -j DOCKER-FORWARD
 -A DOCKER -d 192.168.0.2/32 ! -i br-dummy -o br-dummy -p tcp -m tcp --dport 80 -j ACCEPT
 -A DOCKER ! -i br-dummy -o br-dummy -j DROP
 -A DOCKER-BRIDGE -o br-dummy -j DOCKER
 -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 -A DOCKER-FORWARD -j DOCKER-CT
--A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1
+-A DOCKER-FORWARD -j DOCKER-INTERNAL
 -A DOCKER-FORWARD -j DOCKER-BRIDGE
 -A DOCKER-FORWARD -i br-dummy -j ACCEPT
--A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2
--A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP
 COMMIT
 *nat
 :PREROUTING ACCEPT [0:0]