From 126f99d77648bd8083197b992f94e54d1551db27 Mon Sep 17 00:00:00 2001
From: Rob Murray <rob.murray@docker.com>
Date: Wed, 14 May 2025 10:01:29 +0100
Subject: [PATCH 1/2] Add a way to undo nftables.Enable(), for unit tests

Signed-off-by: Rob Murray <rob.murray@docker.com>
---
 libnetwork/internal/nftables/nftables_linux.go      | 10 +++++++++-
 libnetwork/internal/nftables/nftables_linux_test.go | 11 +----------
 2 files changed, 10 insertions(+), 11 deletions(-)

diff --git a/libnetwork/internal/nftables/nftables_linux.go b/libnetwork/internal/nftables/nftables_linux.go
index 8bf8179cee..98af625ad4 100644
--- a/libnetwork/internal/nftables/nftables_linux.go
+++ b/libnetwork/internal/nftables/nftables_linux.go
@@ -147,7 +147,15 @@ func Enabled() bool {
 	return nftPath != ""
 }
 
-// ////////////////////////////
+// Disable undoes Enable. Intended for unit testing.
+func Disable() {
+	nftPath = ""
+	incrementalUpdateTempl = nil
+	reloadTempl = nil
+	enableOnce = sync.Once{}
+}
+
+//////////////////////////////
 // Tables
 
 // table is the internal representation of an nftables table.
diff --git a/libnetwork/internal/nftables/nftables_linux_test.go b/libnetwork/internal/nftables/nftables_linux_test.go
index b73afd2e9c..e1caa44a94 100644
--- a/libnetwork/internal/nftables/nftables_linux_test.go
+++ b/libnetwork/internal/nftables/nftables_linux_test.go
@@ -3,7 +3,6 @@ package nftables
 import (
 	"context"
 	"os"
-	"sync"
 	"testing"
 
 	"github.com/docker/docker/internal/testutils/netnsutils"
@@ -28,18 +27,10 @@ func testSetup(t *testing.T) func() {
 	cleanupContext := netnsutils.SetupTestOSContext(t)
 	return func() {
 		cleanupContext()
-		disable()
+		Disable()
 	}
 }
 
-// disable undoes Enable
-func disable() {
-	incrementalUpdateTempl = nil
-	nftPath = ""
-	reloadTempl = nil
-	enableOnce = sync.Once{}
-}
-
 func applyAndCheck(t *testing.T, tbl TableRef, goldenFilename string) {
 	t.Helper()
 	err := tbl.Apply(context.Background())

From ec185e57cfc567589c0b52163c76e135a9b8b853 Mon Sep 17 00:00:00 2001
From: Rob Murray <rob.murray@docker.com>
Date: Mon, 17 Mar 2025 11:47:26 +0000
Subject: [PATCH 2/2] Test Nftabler params

Signed-off-by: Rob Murray <rob.murray@docker.com>
---
 .../bridge/internal/nftabler/nftabler_test.go | 169 ++++++++++++++++++
 ...hairpin=false,wsl2mirrored=true__ip.golden |  47 +++++
 ...tNftabler_cleaned,hairpin=false__ip.golden |  46 +++++
 ...Nftabler_cleaned,hairpin=false__ip6.golden |  46 +++++
 ...,hairpin=true,wsl2mirrored=true__ip.golden |  46 +++++
 ...stNftabler_cleaned,hairpin=true__ip.golden |  46 +++++
 ...tNftabler_cleaned,hairpin=true__ip6.golden |  46 +++++
 ...,bindlh=false,wsl2mirrored=true__ip.golden |  47 +++++
 ...snat=false,gwm=nat,bindlh=false__ip.golden |  46 +++++
 ...nat=false,gwm=nat,bindlh=false__ip6.golden |  46 +++++
 ...t,bindlh=true,wsl2mirrored=true__ip.golden |  47 +++++
 ...,snat=false,gwm=nat,bindlh=true__ip.golden |  46 +++++
 ...snat=false,gwm=nat,bindlh=true__ip6.golden |  46 +++++
 ...,bindlh=false,wsl2mirrored=true__ip.golden |  47 +++++
 ...wm=nat-unprotected,bindlh=false__ip.golden |  46 +++++
 ...m=nat-unprotected,bindlh=false__ip6.golden |  46 +++++
 ...d,bindlh=true,wsl2mirrored=true__ip.golden |  47 +++++
 ...gwm=nat-unprotected,bindlh=true__ip.golden |  46 +++++
 ...wm=nat-unprotected,bindlh=true__ip6.golden |  46 +++++
 ...,bindlh=false,wsl2mirrored=true__ip.golden |  47 +++++
 ...t=false,gwm=routed,bindlh=false__ip.golden |  46 +++++
 ...=false,gwm=routed,bindlh=false__ip6.golden |  46 +++++
 ...d,bindlh=true,wsl2mirrored=true__ip.golden |  47 +++++
 ...at=false,gwm=routed,bindlh=true__ip.golden |  46 +++++
 ...t=false,gwm=routed,bindlh=true__ip6.golden |  46 +++++
 ...,bindlh=false,wsl2mirrored=true__ip.golden |  47 +++++
 ...,snat=true,gwm=nat,bindlh=false__ip.golden |  46 +++++
 ...snat=true,gwm=nat,bindlh=false__ip6.golden |  46 +++++
 ...t,bindlh=true,wsl2mirrored=true__ip.golden |  47 +++++
 ...e,snat=true,gwm=nat,bindlh=true__ip.golden |  46 +++++
 ...,snat=true,gwm=nat,bindlh=true__ip6.golden |  46 +++++
 ...,bindlh=false,wsl2mirrored=true__ip.golden |  47 +++++
 ...wm=nat-unprotected,bindlh=false__ip.golden |  46 +++++
 ...m=nat-unprotected,bindlh=false__ip6.golden |  46 +++++
 ...d,bindlh=true,wsl2mirrored=true__ip.golden |  47 +++++
 ...gwm=nat-unprotected,bindlh=true__ip.golden |  46 +++++
 ...wm=nat-unprotected,bindlh=true__ip6.golden |  46 +++++
 ...,bindlh=false,wsl2mirrored=true__ip.golden |  47 +++++
 ...at=true,gwm=routed,bindlh=false__ip.golden |  46 +++++
 ...t=true,gwm=routed,bindlh=false__ip6.golden |  46 +++++
 ...d,bindlh=true,wsl2mirrored=true__ip.golden |  47 +++++
 ...nat=true,gwm=routed,bindlh=true__ip.golden |  46 +++++
 ...at=true,gwm=routed,bindlh=true__ip6.golden |  46 +++++
 ...,bindlh=false,wsl2mirrored=true__ip.golden |  47 +++++
 ...snat=false,gwm=nat,bindlh=false__ip.golden |  46 +++++
 ...nat=false,gwm=nat,bindlh=false__ip6.golden |  46 +++++
 ...t,bindlh=true,wsl2mirrored=true__ip.golden |  47 +++++
 ...,snat=false,gwm=nat,bindlh=true__ip.golden |  46 +++++
 ...snat=false,gwm=nat,bindlh=true__ip6.golden |  46 +++++
 ...,bindlh=false,wsl2mirrored=true__ip.golden |  47 +++++
 ...wm=nat-unprotected,bindlh=false__ip.golden |  46 +++++
 ...m=nat-unprotected,bindlh=false__ip6.golden |  46 +++++
 ...d,bindlh=true,wsl2mirrored=true__ip.golden |  47 +++++
 ...gwm=nat-unprotected,bindlh=true__ip.golden |  46 +++++
 ...wm=nat-unprotected,bindlh=true__ip6.golden |  46 +++++
 ...,bindlh=false,wsl2mirrored=true__ip.golden |  47 +++++
 ...t=false,gwm=routed,bindlh=false__ip.golden |  46 +++++
 ...=false,gwm=routed,bindlh=false__ip6.golden |  46 +++++
 ...d,bindlh=true,wsl2mirrored=true__ip.golden |  47 +++++
 ...at=false,gwm=routed,bindlh=true__ip.golden |  46 +++++
 ...t=false,gwm=routed,bindlh=true__ip6.golden |  46 +++++
 ...,bindlh=false,wsl2mirrored=true__ip.golden |  47 +++++
 ...,snat=true,gwm=nat,bindlh=false__ip.golden |  46 +++++
 ...snat=true,gwm=nat,bindlh=false__ip6.golden |  46 +++++
 ...t,bindlh=true,wsl2mirrored=true__ip.golden |  47 +++++
 ...e,snat=true,gwm=nat,bindlh=true__ip.golden |  46 +++++
 ...,snat=true,gwm=nat,bindlh=true__ip6.golden |  46 +++++
 ...,bindlh=false,wsl2mirrored=true__ip.golden |  47 +++++
 ...wm=nat-unprotected,bindlh=false__ip.golden |  46 +++++
 ...m=nat-unprotected,bindlh=false__ip6.golden |  46 +++++
 ...d,bindlh=true,wsl2mirrored=true__ip.golden |  47 +++++
 ...gwm=nat-unprotected,bindlh=true__ip.golden |  46 +++++
 ...wm=nat-unprotected,bindlh=true__ip6.golden |  46 +++++
 ...,bindlh=false,wsl2mirrored=true__ip.golden |  47 +++++
 ...at=true,gwm=routed,bindlh=false__ip.golden |  46 +++++
 ...t=true,gwm=routed,bindlh=false__ip6.golden |  46 +++++
 ...d,bindlh=true,wsl2mirrored=true__ip.golden |  47 +++++
 ...nat=true,gwm=routed,bindlh=true__ip.golden |  46 +++++
 ...at=true,gwm=routed,bindlh=true__ip6.golden |  46 +++++
 ...,bindlh=false,wsl2mirrored=true__ip.golden |  47 +++++
 ...snat=false,gwm=nat,bindlh=false__ip.golden |  46 +++++
 ...nat=false,gwm=nat,bindlh=false__ip6.golden |  46 +++++
 ...t,bindlh=true,wsl2mirrored=true__ip.golden |  47 +++++
 ...,snat=false,gwm=nat,bindlh=true__ip.golden |  46 +++++
 ...snat=false,gwm=nat,bindlh=true__ip6.golden |  46 +++++
 ...,bindlh=false,wsl2mirrored=true__ip.golden |  47 +++++
 ...wm=nat-unprotected,bindlh=false__ip.golden |  46 +++++
 ...m=nat-unprotected,bindlh=false__ip6.golden |  46 +++++
 ...d,bindlh=true,wsl2mirrored=true__ip.golden |  47 +++++
 ...gwm=nat-unprotected,bindlh=true__ip.golden |  46 +++++
 ...wm=nat-unprotected,bindlh=true__ip6.golden |  46 +++++
 ...,bindlh=false,wsl2mirrored=true__ip.golden |  47 +++++
 ...t=false,gwm=routed,bindlh=false__ip.golden |  46 +++++
 ...=false,gwm=routed,bindlh=false__ip6.golden |  46 +++++
 ...d,bindlh=true,wsl2mirrored=true__ip.golden |  47 +++++
 ...at=false,gwm=routed,bindlh=true__ip.golden |  46 +++++
 ...t=false,gwm=routed,bindlh=true__ip6.golden |  46 +++++
 ...,bindlh=false,wsl2mirrored=true__ip.golden |  47 +++++
 ...,snat=true,gwm=nat,bindlh=false__ip.golden |  46 +++++
 ...snat=true,gwm=nat,bindlh=false__ip6.golden |  46 +++++
 ...t,bindlh=true,wsl2mirrored=true__ip.golden |  47 +++++
 ...e,snat=true,gwm=nat,bindlh=true__ip.golden |  46 +++++
 ...,snat=true,gwm=nat,bindlh=true__ip6.golden |  46 +++++
 ...,bindlh=false,wsl2mirrored=true__ip.golden |  47 +++++
 ...wm=nat-unprotected,bindlh=false__ip.golden |  46 +++++
 ...m=nat-unprotected,bindlh=false__ip6.golden |  46 +++++
 ...d,bindlh=true,wsl2mirrored=true__ip.golden |  47 +++++
 ...gwm=nat-unprotected,bindlh=true__ip.golden |  46 +++++
 ...wm=nat-unprotected,bindlh=true__ip6.golden |  46 +++++
 ...,bindlh=false,wsl2mirrored=true__ip.golden |  47 +++++
 ...at=true,gwm=routed,bindlh=false__ip.golden |  46 +++++
 ...t=true,gwm=routed,bindlh=false__ip6.golden |  46 +++++
 ...d,bindlh=true,wsl2mirrored=true__ip.golden |  47 +++++
 ...nat=true,gwm=routed,bindlh=true__ip.golden |  46 +++++
 ...at=true,gwm=routed,bindlh=true__ip6.golden |  46 +++++
 ...,bindlh=false,wsl2mirrored=true__ip.golden |  47 +++++
 ...snat=false,gwm=nat,bindlh=false__ip.golden |  46 +++++
 ...nat=false,gwm=nat,bindlh=false__ip6.golden |  46 +++++
 ...t,bindlh=true,wsl2mirrored=true__ip.golden |  47 +++++
 ...,snat=false,gwm=nat,bindlh=true__ip.golden |  46 +++++
 ...snat=false,gwm=nat,bindlh=true__ip6.golden |  46 +++++
 ...,bindlh=false,wsl2mirrored=true__ip.golden |  47 +++++
 ...wm=nat-unprotected,bindlh=false__ip.golden |  46 +++++
 ...m=nat-unprotected,bindlh=false__ip6.golden |  46 +++++
 ...d,bindlh=true,wsl2mirrored=true__ip.golden |  47 +++++
 ...gwm=nat-unprotected,bindlh=true__ip.golden |  46 +++++
 ...wm=nat-unprotected,bindlh=true__ip6.golden |  46 +++++
 ...,bindlh=false,wsl2mirrored=true__ip.golden |  47 +++++
 ...t=false,gwm=routed,bindlh=false__ip.golden |  46 +++++
 ...=false,gwm=routed,bindlh=false__ip6.golden |  46 +++++
 ...d,bindlh=true,wsl2mirrored=true__ip.golden |  47 +++++
 ...at=false,gwm=routed,bindlh=true__ip.golden |  46 +++++
 ...t=false,gwm=routed,bindlh=true__ip6.golden |  46 +++++
 ...,bindlh=false,wsl2mirrored=true__ip.golden |  47 +++++
 ...,snat=true,gwm=nat,bindlh=false__ip.golden |  46 +++++
 ...snat=true,gwm=nat,bindlh=false__ip6.golden |  46 +++++
 ...t,bindlh=true,wsl2mirrored=true__ip.golden |  47 +++++
 ...e,snat=true,gwm=nat,bindlh=true__ip.golden |  46 +++++
 ...,snat=true,gwm=nat,bindlh=true__ip6.golden |  46 +++++
 ...,bindlh=false,wsl2mirrored=true__ip.golden |  47 +++++
 ...wm=nat-unprotected,bindlh=false__ip.golden |  46 +++++
 ...m=nat-unprotected,bindlh=false__ip6.golden |  46 +++++
 ...d,bindlh=true,wsl2mirrored=true__ip.golden |  47 +++++
 ...gwm=nat-unprotected,bindlh=true__ip.golden |  46 +++++
 ...wm=nat-unprotected,bindlh=true__ip6.golden |  46 +++++
 ...,bindlh=false,wsl2mirrored=true__ip.golden |  47 +++++
 ...at=true,gwm=routed,bindlh=false__ip.golden |  46 +++++
 ...t=true,gwm=routed,bindlh=false__ip6.golden |  46 +++++
 ...d,bindlh=true,wsl2mirrored=true__ip.golden |  47 +++++
 ...nat=true,gwm=routed,bindlh=true__ip.golden |  46 +++++
 ...at=true,gwm=routed,bindlh=true__ip6.golden |  46 +++++
 ...rue,icc=false,wsl2mirrored=true__ip.golden |  47 +++++
 ...n=false,internal=true,icc=false__ip.golden |  46 +++++
 ...=false,internal=true,icc=false__ip6.golden |  46 +++++
 ...true,icc=true,wsl2mirrored=true__ip.golden |  47 +++++
 ...in=false,internal=true,icc=true__ip.golden |  46 +++++
 ...n=false,internal=true,icc=true__ip6.golden |  46 +++++
 ...snat=false,gwm=nat,bindlh=false__ip.golden |  46 +++++
 ...nat=false,gwm=nat,bindlh=false__ip6.golden |  46 +++++
 ...t,bindlh=true,wsl2mirrored=true__ip.golden |  46 +++++
 ...,snat=false,gwm=nat,bindlh=true__ip.golden |  46 +++++
 ...snat=false,gwm=nat,bindlh=true__ip6.golden |  46 +++++
 ...wm=nat-unprotected,bindlh=false__ip.golden |  46 +++++
 ...m=nat-unprotected,bindlh=false__ip6.golden |  46 +++++
 ...d,bindlh=true,wsl2mirrored=true__ip.golden |  46 +++++
 ...gwm=nat-unprotected,bindlh=true__ip.golden |  46 +++++
 ...wm=nat-unprotected,bindlh=true__ip6.golden |  46 +++++
 ...t=false,gwm=routed,bindlh=false__ip.golden |  46 +++++
 ...=false,gwm=routed,bindlh=false__ip6.golden |  46 +++++
 ...d,bindlh=true,wsl2mirrored=true__ip.golden |  46 +++++
 ...at=false,gwm=routed,bindlh=true__ip.golden |  46 +++++
 ...t=false,gwm=routed,bindlh=true__ip6.golden |  46 +++++
 ...,snat=true,gwm=nat,bindlh=false__ip.golden |  46 +++++
 ...snat=true,gwm=nat,bindlh=false__ip6.golden |  46 +++++
 ...t,bindlh=true,wsl2mirrored=true__ip.golden |  46 +++++
 ...e,snat=true,gwm=nat,bindlh=true__ip.golden |  46 +++++
 ...,snat=true,gwm=nat,bindlh=true__ip6.golden |  46 +++++
 ...wm=nat-unprotected,bindlh=false__ip.golden |  46 +++++
 ...m=nat-unprotected,bindlh=false__ip6.golden |  46 +++++
 ...d,bindlh=true,wsl2mirrored=true__ip.golden |  46 +++++
 ...gwm=nat-unprotected,bindlh=true__ip.golden |  46 +++++
 ...wm=nat-unprotected,bindlh=true__ip6.golden |  46 +++++
 ...at=true,gwm=routed,bindlh=false__ip.golden |  46 +++++
 ...t=true,gwm=routed,bindlh=false__ip6.golden |  46 +++++
 ...d,bindlh=true,wsl2mirrored=true__ip.golden |  46 +++++
 ...nat=true,gwm=routed,bindlh=true__ip.golden |  46 +++++
 ...at=true,gwm=routed,bindlh=true__ip6.golden |  46 +++++
 ...snat=false,gwm=nat,bindlh=false__ip.golden |  46 +++++
 ...nat=false,gwm=nat,bindlh=false__ip6.golden |  46 +++++
 ...t,bindlh=true,wsl2mirrored=true__ip.golden |  46 +++++
 ...,snat=false,gwm=nat,bindlh=true__ip.golden |  46 +++++
 ...snat=false,gwm=nat,bindlh=true__ip6.golden |  46 +++++
 ...wm=nat-unprotected,bindlh=false__ip.golden |  46 +++++
 ...m=nat-unprotected,bindlh=false__ip6.golden |  46 +++++
 ...d,bindlh=true,wsl2mirrored=true__ip.golden |  46 +++++
 ...gwm=nat-unprotected,bindlh=true__ip.golden |  46 +++++
 ...wm=nat-unprotected,bindlh=true__ip6.golden |  46 +++++
 ...t=false,gwm=routed,bindlh=false__ip.golden |  46 +++++
 ...=false,gwm=routed,bindlh=false__ip6.golden |  46 +++++
 ...d,bindlh=true,wsl2mirrored=true__ip.golden |  46 +++++
 ...at=false,gwm=routed,bindlh=true__ip.golden |  46 +++++
 ...t=false,gwm=routed,bindlh=true__ip6.golden |  46 +++++
 ...,snat=true,gwm=nat,bindlh=false__ip.golden |  46 +++++
 ...snat=true,gwm=nat,bindlh=false__ip6.golden |  46 +++++
 ...t,bindlh=true,wsl2mirrored=true__ip.golden |  46 +++++
 ...e,snat=true,gwm=nat,bindlh=true__ip.golden |  46 +++++
 ...,snat=true,gwm=nat,bindlh=true__ip6.golden |  46 +++++
 ...wm=nat-unprotected,bindlh=false__ip.golden |  46 +++++
 ...m=nat-unprotected,bindlh=false__ip6.golden |  46 +++++
 ...d,bindlh=true,wsl2mirrored=true__ip.golden |  46 +++++
 ...gwm=nat-unprotected,bindlh=true__ip.golden |  46 +++++
 ...wm=nat-unprotected,bindlh=true__ip6.golden |  46 +++++
 ...at=true,gwm=routed,bindlh=false__ip.golden |  46 +++++
 ...t=true,gwm=routed,bindlh=false__ip6.golden |  46 +++++
 ...d,bindlh=true,wsl2mirrored=true__ip.golden |  46 +++++
 ...nat=true,gwm=routed,bindlh=true__ip.golden |  46 +++++
 ...at=true,gwm=routed,bindlh=true__ip6.golden |  46 +++++
 ...snat=false,gwm=nat,bindlh=false__ip.golden |  46 +++++
 ...nat=false,gwm=nat,bindlh=false__ip6.golden |  46 +++++
 ...t,bindlh=true,wsl2mirrored=true__ip.golden |  46 +++++
 ...,snat=false,gwm=nat,bindlh=true__ip.golden |  46 +++++
 ...snat=false,gwm=nat,bindlh=true__ip6.golden |  46 +++++
 ...wm=nat-unprotected,bindlh=false__ip.golden |  46 +++++
 ...m=nat-unprotected,bindlh=false__ip6.golden |  46 +++++
 ...d,bindlh=true,wsl2mirrored=true__ip.golden |  46 +++++
 ...gwm=nat-unprotected,bindlh=true__ip.golden |  46 +++++
 ...wm=nat-unprotected,bindlh=true__ip6.golden |  46 +++++
 ...t=false,gwm=routed,bindlh=false__ip.golden |  46 +++++
 ...=false,gwm=routed,bindlh=false__ip6.golden |  46 +++++
 ...d,bindlh=true,wsl2mirrored=true__ip.golden |  46 +++++
 ...at=false,gwm=routed,bindlh=true__ip.golden |  46 +++++
 ...t=false,gwm=routed,bindlh=true__ip6.golden |  46 +++++
 ...,snat=true,gwm=nat,bindlh=false__ip.golden |  46 +++++
 ...snat=true,gwm=nat,bindlh=false__ip6.golden |  46 +++++
 ...t,bindlh=true,wsl2mirrored=true__ip.golden |  46 +++++
 ...e,snat=true,gwm=nat,bindlh=true__ip.golden |  46 +++++
 ...,snat=true,gwm=nat,bindlh=true__ip6.golden |  46 +++++
 ...wm=nat-unprotected,bindlh=false__ip.golden |  46 +++++
 ...m=nat-unprotected,bindlh=false__ip6.golden |  46 +++++
 ...d,bindlh=true,wsl2mirrored=true__ip.golden |  46 +++++
 ...gwm=nat-unprotected,bindlh=true__ip.golden |  46 +++++
 ...wm=nat-unprotected,bindlh=true__ip6.golden |  46 +++++
 ...at=true,gwm=routed,bindlh=false__ip.golden |  46 +++++
 ...t=true,gwm=routed,bindlh=false__ip6.golden |  46 +++++
 ...d,bindlh=true,wsl2mirrored=true__ip.golden |  46 +++++
 ...nat=true,gwm=routed,bindlh=true__ip.golden |  46 +++++
 ...at=true,gwm=routed,bindlh=true__ip6.golden |  46 +++++
 ...snat=false,gwm=nat,bindlh=false__ip.golden |  46 +++++
 ...nat=false,gwm=nat,bindlh=false__ip6.golden |  46 +++++
 ...t,bindlh=true,wsl2mirrored=true__ip.golden |  46 +++++
 ...,snat=false,gwm=nat,bindlh=true__ip.golden |  46 +++++
 ...snat=false,gwm=nat,bindlh=true__ip6.golden |  46 +++++
 ...wm=nat-unprotected,bindlh=false__ip.golden |  46 +++++
 ...m=nat-unprotected,bindlh=false__ip6.golden |  46 +++++
 ...d,bindlh=true,wsl2mirrored=true__ip.golden |  46 +++++
 ...gwm=nat-unprotected,bindlh=true__ip.golden |  46 +++++
 ...wm=nat-unprotected,bindlh=true__ip6.golden |  46 +++++
 ...t=false,gwm=routed,bindlh=false__ip.golden |  46 +++++
 ...=false,gwm=routed,bindlh=false__ip6.golden |  46 +++++
 ...d,bindlh=true,wsl2mirrored=true__ip.golden |  46 +++++
 ...at=false,gwm=routed,bindlh=true__ip.golden |  46 +++++
 ...t=false,gwm=routed,bindlh=true__ip6.golden |  46 +++++
 ...,snat=true,gwm=nat,bindlh=false__ip.golden |  46 +++++
 ...snat=true,gwm=nat,bindlh=false__ip6.golden |  46 +++++
 ...t,bindlh=true,wsl2mirrored=true__ip.golden |  46 +++++
 ...e,snat=true,gwm=nat,bindlh=true__ip.golden |  46 +++++
 ...,snat=true,gwm=nat,bindlh=true__ip6.golden |  46 +++++
 ...wm=nat-unprotected,bindlh=false__ip.golden |  46 +++++
 ...m=nat-unprotected,bindlh=false__ip6.golden |  46 +++++
 ...d,bindlh=true,wsl2mirrored=true__ip.golden |  46 +++++
 ...gwm=nat-unprotected,bindlh=true__ip.golden |  46 +++++
 ...wm=nat-unprotected,bindlh=true__ip6.golden |  46 +++++
 ...at=true,gwm=routed,bindlh=false__ip.golden |  46 +++++
 ...t=true,gwm=routed,bindlh=false__ip6.golden |  46 +++++
 ...d,bindlh=true,wsl2mirrored=true__ip.golden |  46 +++++
 ...nat=true,gwm=routed,bindlh=true__ip.golden |  46 +++++
 ...at=true,gwm=routed,bindlh=true__ip6.golden |  46 +++++
 ...rue,icc=false,wsl2mirrored=true__ip.golden |  46 +++++
 ...in=true,internal=true,icc=false__ip.golden |  46 +++++
 ...n=true,internal=true,icc=false__ip6.golden |  46 +++++
 ...true,icc=true,wsl2mirrored=true__ip.golden |  46 +++++
 ...pin=true,internal=true,icc=true__ip.golden |  46 +++++
 ...in=true,internal=true,icc=true__ip6.golden |  46 +++++
 283 files changed, 13192 insertions(+)
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/nftabler_test.go
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_cleaned,hairpin=false,wsl2mirrored=true__ip.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_cleaned,hairpin=false__ip.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_cleaned,hairpin=false__ip6.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_cleaned,hairpin=true,wsl2mirrored=true__ip.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_cleaned,hairpin=true__ip.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_cleaned,hairpin=true__ip6.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=false,snat=false,gwm=nat,bindlh=false,wsl2mirrored=true__ip.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=false,snat=false,gwm=nat,bindlh=false__ip.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=false,snat=false,gwm=nat,bindlh=false__ip6.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=false,snat=false,gwm=nat,bindlh=true,wsl2mirrored=true__ip.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=false,snat=false,gwm=nat,bindlh=true__ip.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=false,snat=false,gwm=nat,bindlh=true__ip6.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=false,snat=false,gwm=nat-unprotected,bindlh=false,wsl2mirrored=true__ip.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=false,snat=false,gwm=nat-unprotected,bindlh=false__ip.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=false,snat=false,gwm=nat-unprotected,bindlh=false__ip6.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=false,snat=false,gwm=nat-unprotected,bindlh=true,wsl2mirrored=true__ip.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=false,snat=false,gwm=nat-unprotected,bindlh=true__ip.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=false,snat=false,gwm=nat-unprotected,bindlh=true__ip6.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=false,snat=false,gwm=routed,bindlh=false,wsl2mirrored=true__ip.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=false,snat=false,gwm=routed,bindlh=false__ip.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=false,snat=false,gwm=routed,bindlh=false__ip6.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=false,snat=false,gwm=routed,bindlh=true,wsl2mirrored=true__ip.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=false,snat=false,gwm=routed,bindlh=true__ip.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=false,snat=false,gwm=routed,bindlh=true__ip6.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=false,snat=true,gwm=nat,bindlh=false,wsl2mirrored=true__ip.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=false,snat=true,gwm=nat,bindlh=false__ip.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=false,snat=true,gwm=nat,bindlh=false__ip6.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=false,snat=true,gwm=nat,bindlh=true,wsl2mirrored=true__ip.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=false,snat=true,gwm=nat,bindlh=true__ip.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=false,snat=true,gwm=nat,bindlh=true__ip6.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=false,snat=true,gwm=nat-unprotected,bindlh=false,wsl2mirrored=true__ip.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=false,snat=true,gwm=nat-unprotected,bindlh=false__ip.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=false,snat=true,gwm=nat-unprotected,bindlh=false__ip6.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=false,snat=true,gwm=nat-unprotected,bindlh=true,wsl2mirrored=true__ip.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=false,snat=true,gwm=nat-unprotected,bindlh=true__ip.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=false,snat=true,gwm=nat-unprotected,bindlh=true__ip6.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=false,snat=true,gwm=routed,bindlh=false,wsl2mirrored=true__ip.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=false,snat=true,gwm=routed,bindlh=false__ip.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=false,snat=true,gwm=routed,bindlh=false__ip6.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=false,snat=true,gwm=routed,bindlh=true,wsl2mirrored=true__ip.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=false,snat=true,gwm=routed,bindlh=true__ip.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=false,snat=true,gwm=routed,bindlh=true__ip6.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=true,snat=false,gwm=nat,bindlh=false,wsl2mirrored=true__ip.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=true,snat=false,gwm=nat,bindlh=false__ip.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=true,snat=false,gwm=nat,bindlh=false__ip6.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=true,snat=false,gwm=nat,bindlh=true,wsl2mirrored=true__ip.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=true,snat=false,gwm=nat,bindlh=true__ip.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=true,snat=false,gwm=nat,bindlh=true__ip6.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=true,snat=false,gwm=nat-unprotected,bindlh=false,wsl2mirrored=true__ip.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=true,snat=false,gwm=nat-unprotected,bindlh=false__ip.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=true,snat=false,gwm=nat-unprotected,bindlh=false__ip6.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=true,snat=false,gwm=nat-unprotected,bindlh=true,wsl2mirrored=true__ip.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=true,snat=false,gwm=nat-unprotected,bindlh=true__ip.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=true,snat=false,gwm=nat-unprotected,bindlh=true__ip6.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=true,snat=false,gwm=routed,bindlh=false,wsl2mirrored=true__ip.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=true,snat=false,gwm=routed,bindlh=false__ip.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=true,snat=false,gwm=routed,bindlh=false__ip6.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=true,snat=false,gwm=routed,bindlh=true,wsl2mirrored=true__ip.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=true,snat=false,gwm=routed,bindlh=true__ip.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=true,snat=false,gwm=routed,bindlh=true__ip6.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=true,snat=true,gwm=nat,bindlh=false,wsl2mirrored=true__ip.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=true,snat=true,gwm=nat,bindlh=false__ip.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=true,snat=true,gwm=nat,bindlh=false__ip6.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=true,snat=true,gwm=nat,bindlh=true,wsl2mirrored=true__ip.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=true,snat=true,gwm=nat,bindlh=true__ip.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=true,snat=true,gwm=nat,bindlh=true__ip6.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=true,snat=true,gwm=nat-unprotected,bindlh=false,wsl2mirrored=true__ip.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=true,snat=true,gwm=nat-unprotected,bindlh=false__ip.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=true,snat=true,gwm=nat-unprotected,bindlh=false__ip6.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=true,snat=true,gwm=nat-unprotected,bindlh=true,wsl2mirrored=true__ip.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=true,snat=true,gwm=nat-unprotected,bindlh=true__ip.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=true,snat=true,gwm=nat-unprotected,bindlh=true__ip6.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=true,snat=true,gwm=routed,bindlh=false,wsl2mirrored=true__ip.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=true,snat=true,gwm=routed,bindlh=false__ip.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=true,snat=true,gwm=routed,bindlh=false__ip6.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=true,snat=true,gwm=routed,bindlh=true,wsl2mirrored=true__ip.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=true,snat=true,gwm=routed,bindlh=true__ip.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=true,snat=true,gwm=routed,bindlh=true__ip6.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=false,snat=false,gwm=nat,bindlh=false,wsl2mirrored=true__ip.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=false,snat=false,gwm=nat,bindlh=false__ip.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=false,snat=false,gwm=nat,bindlh=false__ip6.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=false,snat=false,gwm=nat,bindlh=true,wsl2mirrored=true__ip.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=false,snat=false,gwm=nat,bindlh=true__ip.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=false,snat=false,gwm=nat,bindlh=true__ip6.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=false,snat=false,gwm=nat-unprotected,bindlh=false,wsl2mirrored=true__ip.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=false,snat=false,gwm=nat-unprotected,bindlh=false__ip.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=false,snat=false,gwm=nat-unprotected,bindlh=false__ip6.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=false,snat=false,gwm=nat-unprotected,bindlh=true,wsl2mirrored=true__ip.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=false,snat=false,gwm=nat-unprotected,bindlh=true__ip.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=false,snat=false,gwm=nat-unprotected,bindlh=true__ip6.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=false,snat=false,gwm=routed,bindlh=false,wsl2mirrored=true__ip.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=false,snat=false,gwm=routed,bindlh=false__ip.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=false,snat=false,gwm=routed,bindlh=false__ip6.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=false,snat=false,gwm=routed,bindlh=true,wsl2mirrored=true__ip.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=false,snat=false,gwm=routed,bindlh=true__ip.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=false,snat=false,gwm=routed,bindlh=true__ip6.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=false,snat=true,gwm=nat,bindlh=false,wsl2mirrored=true__ip.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=false,snat=true,gwm=nat,bindlh=false__ip.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=false,snat=true,gwm=nat,bindlh=false__ip6.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=false,snat=true,gwm=nat,bindlh=true,wsl2mirrored=true__ip.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=false,snat=true,gwm=nat,bindlh=true__ip.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=false,snat=true,gwm=nat,bindlh=true__ip6.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=false,snat=true,gwm=nat-unprotected,bindlh=false,wsl2mirrored=true__ip.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=false,snat=true,gwm=nat-unprotected,bindlh=false__ip.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=false,snat=true,gwm=nat-unprotected,bindlh=false__ip6.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=false,snat=true,gwm=nat-unprotected,bindlh=true,wsl2mirrored=true__ip.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=false,snat=true,gwm=nat-unprotected,bindlh=true__ip.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=false,snat=true,gwm=nat-unprotected,bindlh=true__ip6.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=false,snat=true,gwm=routed,bindlh=false,wsl2mirrored=true__ip.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=false,snat=true,gwm=routed,bindlh=false__ip.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=false,snat=true,gwm=routed,bindlh=false__ip6.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=false,snat=true,gwm=routed,bindlh=true,wsl2mirrored=true__ip.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=false,snat=true,gwm=routed,bindlh=true__ip.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=false,snat=true,gwm=routed,bindlh=true__ip6.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=true,snat=false,gwm=nat,bindlh=false,wsl2mirrored=true__ip.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=true,snat=false,gwm=nat,bindlh=false__ip.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=true,snat=false,gwm=nat,bindlh=false__ip6.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=true,snat=false,gwm=nat,bindlh=true,wsl2mirrored=true__ip.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=true,snat=false,gwm=nat,bindlh=true__ip.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=true,snat=false,gwm=nat,bindlh=true__ip6.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=true,snat=false,gwm=nat-unprotected,bindlh=false,wsl2mirrored=true__ip.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=true,snat=false,gwm=nat-unprotected,bindlh=false__ip.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=true,snat=false,gwm=nat-unprotected,bindlh=false__ip6.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=true,snat=false,gwm=nat-unprotected,bindlh=true,wsl2mirrored=true__ip.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=true,snat=false,gwm=nat-unprotected,bindlh=true__ip.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=true,snat=false,gwm=nat-unprotected,bindlh=true__ip6.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=true,snat=false,gwm=routed,bindlh=false,wsl2mirrored=true__ip.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=true,snat=false,gwm=routed,bindlh=false__ip.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=true,snat=false,gwm=routed,bindlh=false__ip6.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=true,snat=false,gwm=routed,bindlh=true,wsl2mirrored=true__ip.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=true,snat=false,gwm=routed,bindlh=true__ip.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=true,snat=false,gwm=routed,bindlh=true__ip6.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=true,snat=true,gwm=nat,bindlh=false,wsl2mirrored=true__ip.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=true,snat=true,gwm=nat,bindlh=false__ip.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=true,snat=true,gwm=nat,bindlh=false__ip6.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=true,snat=true,gwm=nat,bindlh=true,wsl2mirrored=true__ip.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=true,snat=true,gwm=nat,bindlh=true__ip.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=true,snat=true,gwm=nat,bindlh=true__ip6.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=true,snat=true,gwm=nat-unprotected,bindlh=false,wsl2mirrored=true__ip.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=true,snat=true,gwm=nat-unprotected,bindlh=false__ip.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=true,snat=true,gwm=nat-unprotected,bindlh=false__ip6.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=true,snat=true,gwm=nat-unprotected,bindlh=true,wsl2mirrored=true__ip.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=true,snat=true,gwm=nat-unprotected,bindlh=true__ip.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=true,snat=true,gwm=nat-unprotected,bindlh=true__ip6.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=true,snat=true,gwm=routed,bindlh=false,wsl2mirrored=true__ip.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=true,snat=true,gwm=routed,bindlh=false__ip.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=true,snat=true,gwm=routed,bindlh=false__ip6.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=true,snat=true,gwm=routed,bindlh=true,wsl2mirrored=true__ip.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=true,snat=true,gwm=routed,bindlh=true__ip.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=true,snat=true,gwm=routed,bindlh=true__ip6.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=true,icc=false,wsl2mirrored=true__ip.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=true,icc=false__ip.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=true,icc=false__ip6.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=true,icc=true,wsl2mirrored=true__ip.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=true,icc=true__ip.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=true,icc=true__ip6.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=false,snat=false,gwm=nat,bindlh=false__ip.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=false,snat=false,gwm=nat,bindlh=false__ip6.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=false,snat=false,gwm=nat,bindlh=true,wsl2mirrored=true__ip.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=false,snat=false,gwm=nat,bindlh=true__ip.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=false,snat=false,gwm=nat,bindlh=true__ip6.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=false,snat=false,gwm=nat-unprotected,bindlh=false__ip.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=false,snat=false,gwm=nat-unprotected,bindlh=false__ip6.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=false,snat=false,gwm=nat-unprotected,bindlh=true,wsl2mirrored=true__ip.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=false,snat=false,gwm=nat-unprotected,bindlh=true__ip.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=false,snat=false,gwm=nat-unprotected,bindlh=true__ip6.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=false,snat=false,gwm=routed,bindlh=false__ip.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=false,snat=false,gwm=routed,bindlh=false__ip6.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=false,snat=false,gwm=routed,bindlh=true,wsl2mirrored=true__ip.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=false,snat=false,gwm=routed,bindlh=true__ip.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=false,snat=false,gwm=routed,bindlh=true__ip6.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=false,snat=true,gwm=nat,bindlh=false__ip.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=false,snat=true,gwm=nat,bindlh=false__ip6.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=false,snat=true,gwm=nat,bindlh=true,wsl2mirrored=true__ip.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=false,snat=true,gwm=nat,bindlh=true__ip.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=false,snat=true,gwm=nat,bindlh=true__ip6.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=false,snat=true,gwm=nat-unprotected,bindlh=false__ip.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=false,snat=true,gwm=nat-unprotected,bindlh=false__ip6.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=false,snat=true,gwm=nat-unprotected,bindlh=true,wsl2mirrored=true__ip.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=false,snat=true,gwm=nat-unprotected,bindlh=true__ip.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=false,snat=true,gwm=nat-unprotected,bindlh=true__ip6.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=false,snat=true,gwm=routed,bindlh=false__ip.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=false,snat=true,gwm=routed,bindlh=false__ip6.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=false,snat=true,gwm=routed,bindlh=true,wsl2mirrored=true__ip.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=false,snat=true,gwm=routed,bindlh=true__ip.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=false,snat=true,gwm=routed,bindlh=true__ip6.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=true,snat=false,gwm=nat,bindlh=false__ip.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=true,snat=false,gwm=nat,bindlh=false__ip6.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=true,snat=false,gwm=nat,bindlh=true,wsl2mirrored=true__ip.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=true,snat=false,gwm=nat,bindlh=true__ip.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=true,snat=false,gwm=nat,bindlh=true__ip6.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=true,snat=false,gwm=nat-unprotected,bindlh=false__ip.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=true,snat=false,gwm=nat-unprotected,bindlh=false__ip6.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=true,snat=false,gwm=nat-unprotected,bindlh=true,wsl2mirrored=true__ip.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=true,snat=false,gwm=nat-unprotected,bindlh=true__ip.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=true,snat=false,gwm=nat-unprotected,bindlh=true__ip6.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=true,snat=false,gwm=routed,bindlh=false__ip.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=true,snat=false,gwm=routed,bindlh=false__ip6.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=true,snat=false,gwm=routed,bindlh=true,wsl2mirrored=true__ip.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=true,snat=false,gwm=routed,bindlh=true__ip.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=true,snat=false,gwm=routed,bindlh=true__ip6.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=true,snat=true,gwm=nat,bindlh=false__ip.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=true,snat=true,gwm=nat,bindlh=false__ip6.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=true,snat=true,gwm=nat,bindlh=true,wsl2mirrored=true__ip.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=true,snat=true,gwm=nat,bindlh=true__ip.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=true,snat=true,gwm=nat,bindlh=true__ip6.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=true,snat=true,gwm=nat-unprotected,bindlh=false__ip.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=true,snat=true,gwm=nat-unprotected,bindlh=false__ip6.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=true,snat=true,gwm=nat-unprotected,bindlh=true,wsl2mirrored=true__ip.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=true,snat=true,gwm=nat-unprotected,bindlh=true__ip.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=true,snat=true,gwm=nat-unprotected,bindlh=true__ip6.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=true,snat=true,gwm=routed,bindlh=false__ip.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=true,snat=true,gwm=routed,bindlh=false__ip6.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=true,snat=true,gwm=routed,bindlh=true,wsl2mirrored=true__ip.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=true,snat=true,gwm=routed,bindlh=true__ip.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=true,snat=true,gwm=routed,bindlh=true__ip6.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=false,snat=false,gwm=nat,bindlh=false__ip.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=false,snat=false,gwm=nat,bindlh=false__ip6.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=false,snat=false,gwm=nat,bindlh=true,wsl2mirrored=true__ip.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=false,snat=false,gwm=nat,bindlh=true__ip.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=false,snat=false,gwm=nat,bindlh=true__ip6.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=false,snat=false,gwm=nat-unprotected,bindlh=false__ip.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=false,snat=false,gwm=nat-unprotected,bindlh=false__ip6.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=false,snat=false,gwm=nat-unprotected,bindlh=true,wsl2mirrored=true__ip.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=false,snat=false,gwm=nat-unprotected,bindlh=true__ip.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=false,snat=false,gwm=nat-unprotected,bindlh=true__ip6.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=false,snat=false,gwm=routed,bindlh=false__ip.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=false,snat=false,gwm=routed,bindlh=false__ip6.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=false,snat=false,gwm=routed,bindlh=true,wsl2mirrored=true__ip.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=false,snat=false,gwm=routed,bindlh=true__ip.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=false,snat=false,gwm=routed,bindlh=true__ip6.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=false,snat=true,gwm=nat,bindlh=false__ip.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=false,snat=true,gwm=nat,bindlh=false__ip6.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=false,snat=true,gwm=nat,bindlh=true,wsl2mirrored=true__ip.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=false,snat=true,gwm=nat,bindlh=true__ip.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=false,snat=true,gwm=nat,bindlh=true__ip6.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=false,snat=true,gwm=nat-unprotected,bindlh=false__ip.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=false,snat=true,gwm=nat-unprotected,bindlh=false__ip6.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=false,snat=true,gwm=nat-unprotected,bindlh=true,wsl2mirrored=true__ip.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=false,snat=true,gwm=nat-unprotected,bindlh=true__ip.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=false,snat=true,gwm=nat-unprotected,bindlh=true__ip6.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=false,snat=true,gwm=routed,bindlh=false__ip.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=false,snat=true,gwm=routed,bindlh=false__ip6.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=false,snat=true,gwm=routed,bindlh=true,wsl2mirrored=true__ip.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=false,snat=true,gwm=routed,bindlh=true__ip.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=false,snat=true,gwm=routed,bindlh=true__ip6.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=true,snat=false,gwm=nat,bindlh=false__ip.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=true,snat=false,gwm=nat,bindlh=false__ip6.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=true,snat=false,gwm=nat,bindlh=true,wsl2mirrored=true__ip.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=true,snat=false,gwm=nat,bindlh=true__ip.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=true,snat=false,gwm=nat,bindlh=true__ip6.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=true,snat=false,gwm=nat-unprotected,bindlh=false__ip.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=true,snat=false,gwm=nat-unprotected,bindlh=false__ip6.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=true,snat=false,gwm=nat-unprotected,bindlh=true,wsl2mirrored=true__ip.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=true,snat=false,gwm=nat-unprotected,bindlh=true__ip.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=true,snat=false,gwm=nat-unprotected,bindlh=true__ip6.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=true,snat=false,gwm=routed,bindlh=false__ip.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=true,snat=false,gwm=routed,bindlh=false__ip6.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=true,snat=false,gwm=routed,bindlh=true,wsl2mirrored=true__ip.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=true,snat=false,gwm=routed,bindlh=true__ip.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=true,snat=false,gwm=routed,bindlh=true__ip6.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=true,snat=true,gwm=nat,bindlh=false__ip.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=true,snat=true,gwm=nat,bindlh=false__ip6.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=true,snat=true,gwm=nat,bindlh=true,wsl2mirrored=true__ip.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=true,snat=true,gwm=nat,bindlh=true__ip.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=true,snat=true,gwm=nat,bindlh=true__ip6.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=true,snat=true,gwm=nat-unprotected,bindlh=false__ip.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=true,snat=true,gwm=nat-unprotected,bindlh=false__ip6.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=true,snat=true,gwm=nat-unprotected,bindlh=true,wsl2mirrored=true__ip.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=true,snat=true,gwm=nat-unprotected,bindlh=true__ip.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=true,snat=true,gwm=nat-unprotected,bindlh=true__ip6.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=true,snat=true,gwm=routed,bindlh=false__ip.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=true,snat=true,gwm=routed,bindlh=false__ip6.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=true,snat=true,gwm=routed,bindlh=true,wsl2mirrored=true__ip.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=true,snat=true,gwm=routed,bindlh=true__ip.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=true,snat=true,gwm=routed,bindlh=true__ip6.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=true,icc=false,wsl2mirrored=true__ip.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=true,icc=false__ip.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=true,icc=false__ip6.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=true,icc=true,wsl2mirrored=true__ip.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=true,icc=true__ip.golden
 create mode 100644 libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=true,icc=true__ip6.golden

diff --git a/libnetwork/drivers/bridge/internal/nftabler/nftabler_test.go b/libnetwork/drivers/bridge/internal/nftabler/nftabler_test.go
new file mode 100644
index 0000000000..b6a1e3b35c
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/nftabler_test.go
@@ -0,0 +1,169 @@
+//go:build linux
+
+package nftabler
+
+import (
+	"context"
+	"fmt"
+	"net"
+	"net/netip"
+	"testing"
+
+	"github.com/docker/docker/internal/testutils/netnsutils"
+	"github.com/docker/docker/libnetwork/drivers/bridge/internal/firewaller"
+	"github.com/docker/docker/libnetwork/internal/nftables"
+	"github.com/docker/docker/libnetwork/types"
+	"gotest.tools/v3/assert"
+	is "gotest.tools/v3/assert/cmp"
+	"gotest.tools/v3/golden"
+	"gotest.tools/v3/icmd"
+)
+
+func TestNftabler(t *testing.T) {
+	const (
+		ipv4 uint64 = 1 << iota
+		ipv6
+		hairpin
+		internal
+		icc
+		masq
+		snat
+		bindLocalhost
+		wsl2Mirrored
+		numBoolParams = iota
+	)
+	nftables.Enable()
+	t.Cleanup(func() { nftables.Disable() }) // Cleanup instead of defer, this func returns before the parallel subtests finish.
+	for i := range uint64(1) << numBoolParams {
+		p := func(n uint64) bool { return (i & n) == n }
+		for _, gwmode := range []string{"nat", "nat-unprotected", "routed"} {
+			config := firewaller.Config{
+				IPv4:         p(ipv4),
+				IPv6:         p(ipv6),
+				Hairpin:      p(hairpin),
+				WSL2Mirrored: p(wsl2Mirrored),
+			}
+			netConfig := firewaller.NetworkConfig{
+				IfName:     "br-dummy",
+				Internal:   p(internal),
+				ICC:        p(icc),
+				Masquerade: p(masq),
+				Config4: firewaller.NetworkConfigFam{
+					HostIP:      netip.Addr{},
+					Prefix:      netip.MustParsePrefix("192.168.0.0/24"),
+					Routed:      gwmode == "routed",
+					Unprotected: gwmode == "nat-unprotected",
+				},
+				Config6: firewaller.NetworkConfigFam{
+					HostIP:      netip.Addr{},
+					Prefix:      netip.MustParsePrefix("fd49:efd7:54aa::/64"),
+					Routed:      gwmode == "routed",
+					Unprotected: gwmode == "nat-unprotected",
+				},
+			}
+			if p(snat) {
+				netConfig.Config4.HostIP = netip.MustParseAddr("192.168.123.0")
+				netConfig.Config6.HostIP = netip.MustParseAddr("fd34:d0d4:672f::123")
+			}
+			tn := t.Name()
+			t.Run(fmt.Sprintf("ipv4=%v/ipv6=%v/hairpin=%v/internal=%v/icc=%v/masq=%v/snat=%v/gwm=%v/bindlh=%v/wsl2mirrored=%v",
+				p(ipv4), p(ipv6), p(hairpin), p(internal), p(icc), p(masq), p(snat), gwmode, p(bindLocalhost), p(wsl2Mirrored)), func(t *testing.T) {
+				// If updating results, don't run in parallel because some of the results files are shared.
+				if !golden.FlagUpdate() {
+					t.Parallel()
+				}
+				// Combine results (golden output files) where possible to:
+				// - check params that should have no effect when made irrelevant by other params, and
+				// - minimise the number of results files.
+				var resName string
+				if p(internal) {
+					// Port binding params should have no effect on an internal network.
+					resName = fmt.Sprintf("hairpin=%v,internal=true,icc=%v", p(hairpin), p(icc))
+				} else {
+					resName = fmt.Sprintf("hairpin=%v,internal=%v,icc=%v,masq=%v,snat=%v,gwm=%v,bindlh=%v",
+						p(hairpin), p(internal), p(icc), p(masq), p(snat), gwmode, p(bindLocalhost))
+				}
+				testNftabler(t, tn, config, netConfig, p(bindLocalhost), tn+"_"+resName)
+			})
+		}
+	}
+}
+
+func testNftabler(t *testing.T, tn string, config firewaller.Config, netConfig firewaller.NetworkConfig, bindLocalhost bool, resName string) {
+	defer netnsutils.SetupTestOSContext(t)()
+
+	checkResults := func(family, name string, en bool) {
+		t.Helper()
+		res := icmd.RunCommand("nft", "list", "table", family, dockerTable)
+		if !en {
+			assert.Assert(t, is.Contains(res.Combined(), "No such file or directory"))
+			return
+		}
+		assert.Assert(t, res.Error)
+		golden.Assert(t, res.Combined(), name+"__"+family+".golden")
+	}
+
+	makePB := func(hip string, cip netip.Addr) types.PortBinding {
+		return types.PortBinding{
+			Proto:       types.TCP,
+			IP:          cip.AsSlice(),
+			Port:        80,
+			HostIP:      net.ParseIP(hip),
+			HostPort:    8080,
+			HostPortEnd: 8080,
+		}
+	}
+
+	// WSL2Mirrored should only affect IPv4 results, and only if there's a port binding
+	// to a loopback address or docker-proxy is disabled. Share other results files.
+	rnWSL2Mirrored := func(resName string) string {
+		if config.IPv4 && config.WSL2Mirrored && (bindLocalhost || !config.Hairpin) {
+			return resName + ",wsl2mirrored=true"
+		}
+		return resName
+	}
+
+	// Initialise iptables, check the iptables config looks like it should look at the
+	// end of the test (after deleting per-network and per-port rules).
+	fw, err := NewNftabler(context.Background(), config)
+	assert.NilError(t, err)
+	checkResults("ip", rnWSL2Mirrored(fmt.Sprintf("%s_cleaned,hairpin=%v", tn, config.Hairpin)), config.IPv4)
+	checkResults("ip6", fmt.Sprintf("%s_cleaned,hairpin=%v", tn, config.Hairpin), config.IPv6)
+
+	// Add the network.
+	nw, err := fw.NewNetwork(context.Background(), netConfig)
+	assert.NilError(t, err)
+
+	// Add an endpoint.
+	epAddr4 := netip.MustParseAddr("192.168.0.2")
+	epAddr6 := netip.MustParseAddr("fd49:efd7:54aa::1")
+	err = nw.AddEndpoint(context.Background(), epAddr4, epAddr6)
+	assert.NilError(t, err)
+
+	// Add IPv4 and IPv6 port mappings.
+	var pb4, pb6 types.PortBinding
+	if bindLocalhost {
+		pb4 = makePB("127.0.0.1", epAddr4)
+		pb6 = makePB("::1", epAddr6)
+	} else {
+		pb4 = makePB("0.0.0.0", epAddr4)
+		pb6 = makePB("::", epAddr6)
+	}
+	err = nw.AddPorts(context.Background(), []types.PortBinding{pb4, pb6})
+	assert.NilError(t, err)
+
+	// Check the resulting iptables config.
+	checkResults("ip", rnWSL2Mirrored(resName), config.IPv4)
+	checkResults("ip6", resName, config.IPv6)
+
+	// Remove the port mappings and the network, and check the result (should be the same
+	// for all tests with the same "hairpin" setting).
+	err = nw.DelPorts(context.Background(), []types.PortBinding{pb4, pb6})
+	assert.NilError(t, err)
+	err = nw.DelEndpoint(context.Background(), epAddr4, epAddr6)
+	assert.NilError(t, err)
+	err = nw.DelNetworkLevelRules(context.Background())
+	assert.NilError(t, err)
+	checkResults("ip", rnWSL2Mirrored(fmt.Sprintf("%s_cleaned,hairpin=%v", tn, config.Hairpin)), config.IPv4)
+	checkResults("ip6", fmt.Sprintf("%s_cleaned,hairpin=%v", tn, config.Hairpin), config.IPv6)
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_cleaned,hairpin=false,wsl2mirrored=true__ip.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_cleaned,hairpin=false,wsl2mirrored=true__ip.golden
new file mode 100644
index 0000000000..2364b7366a
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_cleaned,hairpin=false,wsl2mirrored=true__ip.golden
@@ -0,0 +1,47 @@
+table ip docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		ip daddr != 127.0.0.0/8 fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+		iifname "loopback0" ip daddr 127.0.0.0/8 counter packets 0 bytes 0 return
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_cleaned,hairpin=false__ip.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_cleaned,hairpin=false__ip.golden
new file mode 100644
index 0000000000..420c8e517c
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_cleaned,hairpin=false__ip.golden
@@ -0,0 +1,46 @@
+table ip docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		ip daddr != 127.0.0.0/8 fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_cleaned,hairpin=false__ip6.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_cleaned,hairpin=false__ip6.golden
new file mode 100644
index 0000000000..3322d3478a
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_cleaned,hairpin=false__ip6.golden
@@ -0,0 +1,46 @@
+table ip6 docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		ip6 daddr != ::1 fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_cleaned,hairpin=true,wsl2mirrored=true__ip.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_cleaned,hairpin=true,wsl2mirrored=true__ip.golden
new file mode 100644
index 0000000000..b2a46538e7
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_cleaned,hairpin=true,wsl2mirrored=true__ip.golden
@@ -0,0 +1,46 @@
+table ip docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_cleaned,hairpin=true__ip.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_cleaned,hairpin=true__ip.golden
new file mode 100644
index 0000000000..b2a46538e7
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_cleaned,hairpin=true__ip.golden
@@ -0,0 +1,46 @@
+table ip docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_cleaned,hairpin=true__ip6.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_cleaned,hairpin=true__ip6.golden
new file mode 100644
index 0000000000..470902e9c4
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_cleaned,hairpin=true__ip6.golden
@@ -0,0 +1,46 @@
+table ip6 docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=false,snat=false,gwm=nat,bindlh=false,wsl2mirrored=true__ip.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=false,snat=false,gwm=nat,bindlh=false,wsl2mirrored=true__ip.golden
new file mode 100644
index 0000000000..2364b7366a
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=false,snat=false,gwm=nat,bindlh=false,wsl2mirrored=true__ip.golden
@@ -0,0 +1,47 @@
+table ip docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		ip daddr != 127.0.0.0/8 fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+		iifname "loopback0" ip daddr 127.0.0.0/8 counter packets 0 bytes 0 return
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=false,snat=false,gwm=nat,bindlh=false__ip.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=false,snat=false,gwm=nat,bindlh=false__ip.golden
new file mode 100644
index 0000000000..420c8e517c
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=false,snat=false,gwm=nat,bindlh=false__ip.golden
@@ -0,0 +1,46 @@
+table ip docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		ip daddr != 127.0.0.0/8 fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=false,snat=false,gwm=nat,bindlh=false__ip6.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=false,snat=false,gwm=nat,bindlh=false__ip6.golden
new file mode 100644
index 0000000000..3322d3478a
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=false,snat=false,gwm=nat,bindlh=false__ip6.golden
@@ -0,0 +1,46 @@
+table ip6 docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		ip6 daddr != ::1 fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=false,snat=false,gwm=nat,bindlh=true,wsl2mirrored=true__ip.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=false,snat=false,gwm=nat,bindlh=true,wsl2mirrored=true__ip.golden
new file mode 100644
index 0000000000..2364b7366a
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=false,snat=false,gwm=nat,bindlh=true,wsl2mirrored=true__ip.golden
@@ -0,0 +1,47 @@
+table ip docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		ip daddr != 127.0.0.0/8 fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+		iifname "loopback0" ip daddr 127.0.0.0/8 counter packets 0 bytes 0 return
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=false,snat=false,gwm=nat,bindlh=true__ip.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=false,snat=false,gwm=nat,bindlh=true__ip.golden
new file mode 100644
index 0000000000..420c8e517c
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=false,snat=false,gwm=nat,bindlh=true__ip.golden
@@ -0,0 +1,46 @@
+table ip docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		ip daddr != 127.0.0.0/8 fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=false,snat=false,gwm=nat,bindlh=true__ip6.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=false,snat=false,gwm=nat,bindlh=true__ip6.golden
new file mode 100644
index 0000000000..3322d3478a
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=false,snat=false,gwm=nat,bindlh=true__ip6.golden
@@ -0,0 +1,46 @@
+table ip6 docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		ip6 daddr != ::1 fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=false,snat=false,gwm=nat-unprotected,bindlh=false,wsl2mirrored=true__ip.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=false,snat=false,gwm=nat-unprotected,bindlh=false,wsl2mirrored=true__ip.golden
new file mode 100644
index 0000000000..2364b7366a
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=false,snat=false,gwm=nat-unprotected,bindlh=false,wsl2mirrored=true__ip.golden
@@ -0,0 +1,47 @@
+table ip docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		ip daddr != 127.0.0.0/8 fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+		iifname "loopback0" ip daddr 127.0.0.0/8 counter packets 0 bytes 0 return
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=false,snat=false,gwm=nat-unprotected,bindlh=false__ip.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=false,snat=false,gwm=nat-unprotected,bindlh=false__ip.golden
new file mode 100644
index 0000000000..420c8e517c
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=false,snat=false,gwm=nat-unprotected,bindlh=false__ip.golden
@@ -0,0 +1,46 @@
+table ip docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		ip daddr != 127.0.0.0/8 fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=false,snat=false,gwm=nat-unprotected,bindlh=false__ip6.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=false,snat=false,gwm=nat-unprotected,bindlh=false__ip6.golden
new file mode 100644
index 0000000000..3322d3478a
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=false,snat=false,gwm=nat-unprotected,bindlh=false__ip6.golden
@@ -0,0 +1,46 @@
+table ip6 docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		ip6 daddr != ::1 fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=false,snat=false,gwm=nat-unprotected,bindlh=true,wsl2mirrored=true__ip.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=false,snat=false,gwm=nat-unprotected,bindlh=true,wsl2mirrored=true__ip.golden
new file mode 100644
index 0000000000..2364b7366a
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=false,snat=false,gwm=nat-unprotected,bindlh=true,wsl2mirrored=true__ip.golden
@@ -0,0 +1,47 @@
+table ip docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		ip daddr != 127.0.0.0/8 fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+		iifname "loopback0" ip daddr 127.0.0.0/8 counter packets 0 bytes 0 return
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=false,snat=false,gwm=nat-unprotected,bindlh=true__ip.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=false,snat=false,gwm=nat-unprotected,bindlh=true__ip.golden
new file mode 100644
index 0000000000..420c8e517c
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=false,snat=false,gwm=nat-unprotected,bindlh=true__ip.golden
@@ -0,0 +1,46 @@
+table ip docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		ip daddr != 127.0.0.0/8 fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=false,snat=false,gwm=nat-unprotected,bindlh=true__ip6.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=false,snat=false,gwm=nat-unprotected,bindlh=true__ip6.golden
new file mode 100644
index 0000000000..3322d3478a
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=false,snat=false,gwm=nat-unprotected,bindlh=true__ip6.golden
@@ -0,0 +1,46 @@
+table ip6 docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		ip6 daddr != ::1 fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=false,snat=false,gwm=routed,bindlh=false,wsl2mirrored=true__ip.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=false,snat=false,gwm=routed,bindlh=false,wsl2mirrored=true__ip.golden
new file mode 100644
index 0000000000..2364b7366a
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=false,snat=false,gwm=routed,bindlh=false,wsl2mirrored=true__ip.golden
@@ -0,0 +1,47 @@
+table ip docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		ip daddr != 127.0.0.0/8 fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+		iifname "loopback0" ip daddr 127.0.0.0/8 counter packets 0 bytes 0 return
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=false,snat=false,gwm=routed,bindlh=false__ip.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=false,snat=false,gwm=routed,bindlh=false__ip.golden
new file mode 100644
index 0000000000..420c8e517c
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=false,snat=false,gwm=routed,bindlh=false__ip.golden
@@ -0,0 +1,46 @@
+table ip docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		ip daddr != 127.0.0.0/8 fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=false,snat=false,gwm=routed,bindlh=false__ip6.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=false,snat=false,gwm=routed,bindlh=false__ip6.golden
new file mode 100644
index 0000000000..3322d3478a
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=false,snat=false,gwm=routed,bindlh=false__ip6.golden
@@ -0,0 +1,46 @@
+table ip6 docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		ip6 daddr != ::1 fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=false,snat=false,gwm=routed,bindlh=true,wsl2mirrored=true__ip.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=false,snat=false,gwm=routed,bindlh=true,wsl2mirrored=true__ip.golden
new file mode 100644
index 0000000000..2364b7366a
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=false,snat=false,gwm=routed,bindlh=true,wsl2mirrored=true__ip.golden
@@ -0,0 +1,47 @@
+table ip docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		ip daddr != 127.0.0.0/8 fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+		iifname "loopback0" ip daddr 127.0.0.0/8 counter packets 0 bytes 0 return
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=false,snat=false,gwm=routed,bindlh=true__ip.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=false,snat=false,gwm=routed,bindlh=true__ip.golden
new file mode 100644
index 0000000000..420c8e517c
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=false,snat=false,gwm=routed,bindlh=true__ip.golden
@@ -0,0 +1,46 @@
+table ip docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		ip daddr != 127.0.0.0/8 fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=false,snat=false,gwm=routed,bindlh=true__ip6.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=false,snat=false,gwm=routed,bindlh=true__ip6.golden
new file mode 100644
index 0000000000..3322d3478a
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=false,snat=false,gwm=routed,bindlh=true__ip6.golden
@@ -0,0 +1,46 @@
+table ip6 docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		ip6 daddr != ::1 fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=false,snat=true,gwm=nat,bindlh=false,wsl2mirrored=true__ip.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=false,snat=true,gwm=nat,bindlh=false,wsl2mirrored=true__ip.golden
new file mode 100644
index 0000000000..2364b7366a
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=false,snat=true,gwm=nat,bindlh=false,wsl2mirrored=true__ip.golden
@@ -0,0 +1,47 @@
+table ip docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		ip daddr != 127.0.0.0/8 fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+		iifname "loopback0" ip daddr 127.0.0.0/8 counter packets 0 bytes 0 return
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=false,snat=true,gwm=nat,bindlh=false__ip.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=false,snat=true,gwm=nat,bindlh=false__ip.golden
new file mode 100644
index 0000000000..420c8e517c
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=false,snat=true,gwm=nat,bindlh=false__ip.golden
@@ -0,0 +1,46 @@
+table ip docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		ip daddr != 127.0.0.0/8 fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=false,snat=true,gwm=nat,bindlh=false__ip6.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=false,snat=true,gwm=nat,bindlh=false__ip6.golden
new file mode 100644
index 0000000000..3322d3478a
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=false,snat=true,gwm=nat,bindlh=false__ip6.golden
@@ -0,0 +1,46 @@
+table ip6 docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		ip6 daddr != ::1 fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=false,snat=true,gwm=nat,bindlh=true,wsl2mirrored=true__ip.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=false,snat=true,gwm=nat,bindlh=true,wsl2mirrored=true__ip.golden
new file mode 100644
index 0000000000..2364b7366a
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=false,snat=true,gwm=nat,bindlh=true,wsl2mirrored=true__ip.golden
@@ -0,0 +1,47 @@
+table ip docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		ip daddr != 127.0.0.0/8 fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+		iifname "loopback0" ip daddr 127.0.0.0/8 counter packets 0 bytes 0 return
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=false,snat=true,gwm=nat,bindlh=true__ip.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=false,snat=true,gwm=nat,bindlh=true__ip.golden
new file mode 100644
index 0000000000..420c8e517c
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=false,snat=true,gwm=nat,bindlh=true__ip.golden
@@ -0,0 +1,46 @@
+table ip docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		ip daddr != 127.0.0.0/8 fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=false,snat=true,gwm=nat,bindlh=true__ip6.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=false,snat=true,gwm=nat,bindlh=true__ip6.golden
new file mode 100644
index 0000000000..3322d3478a
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=false,snat=true,gwm=nat,bindlh=true__ip6.golden
@@ -0,0 +1,46 @@
+table ip6 docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		ip6 daddr != ::1 fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=false,snat=true,gwm=nat-unprotected,bindlh=false,wsl2mirrored=true__ip.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=false,snat=true,gwm=nat-unprotected,bindlh=false,wsl2mirrored=true__ip.golden
new file mode 100644
index 0000000000..2364b7366a
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=false,snat=true,gwm=nat-unprotected,bindlh=false,wsl2mirrored=true__ip.golden
@@ -0,0 +1,47 @@
+table ip docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		ip daddr != 127.0.0.0/8 fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+		iifname "loopback0" ip daddr 127.0.0.0/8 counter packets 0 bytes 0 return
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=false,snat=true,gwm=nat-unprotected,bindlh=false__ip.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=false,snat=true,gwm=nat-unprotected,bindlh=false__ip.golden
new file mode 100644
index 0000000000..420c8e517c
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=false,snat=true,gwm=nat-unprotected,bindlh=false__ip.golden
@@ -0,0 +1,46 @@
+table ip docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		ip daddr != 127.0.0.0/8 fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=false,snat=true,gwm=nat-unprotected,bindlh=false__ip6.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=false,snat=true,gwm=nat-unprotected,bindlh=false__ip6.golden
new file mode 100644
index 0000000000..3322d3478a
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=false,snat=true,gwm=nat-unprotected,bindlh=false__ip6.golden
@@ -0,0 +1,46 @@
+table ip6 docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		ip6 daddr != ::1 fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=false,snat=true,gwm=nat-unprotected,bindlh=true,wsl2mirrored=true__ip.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=false,snat=true,gwm=nat-unprotected,bindlh=true,wsl2mirrored=true__ip.golden
new file mode 100644
index 0000000000..2364b7366a
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=false,snat=true,gwm=nat-unprotected,bindlh=true,wsl2mirrored=true__ip.golden
@@ -0,0 +1,47 @@
+table ip docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		ip daddr != 127.0.0.0/8 fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+		iifname "loopback0" ip daddr 127.0.0.0/8 counter packets 0 bytes 0 return
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=false,snat=true,gwm=nat-unprotected,bindlh=true__ip.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=false,snat=true,gwm=nat-unprotected,bindlh=true__ip.golden
new file mode 100644
index 0000000000..420c8e517c
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=false,snat=true,gwm=nat-unprotected,bindlh=true__ip.golden
@@ -0,0 +1,46 @@
+table ip docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		ip daddr != 127.0.0.0/8 fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=false,snat=true,gwm=nat-unprotected,bindlh=true__ip6.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=false,snat=true,gwm=nat-unprotected,bindlh=true__ip6.golden
new file mode 100644
index 0000000000..3322d3478a
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=false,snat=true,gwm=nat-unprotected,bindlh=true__ip6.golden
@@ -0,0 +1,46 @@
+table ip6 docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		ip6 daddr != ::1 fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=false,snat=true,gwm=routed,bindlh=false,wsl2mirrored=true__ip.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=false,snat=true,gwm=routed,bindlh=false,wsl2mirrored=true__ip.golden
new file mode 100644
index 0000000000..2364b7366a
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=false,snat=true,gwm=routed,bindlh=false,wsl2mirrored=true__ip.golden
@@ -0,0 +1,47 @@
+table ip docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		ip daddr != 127.0.0.0/8 fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+		iifname "loopback0" ip daddr 127.0.0.0/8 counter packets 0 bytes 0 return
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=false,snat=true,gwm=routed,bindlh=false__ip.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=false,snat=true,gwm=routed,bindlh=false__ip.golden
new file mode 100644
index 0000000000..420c8e517c
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=false,snat=true,gwm=routed,bindlh=false__ip.golden
@@ -0,0 +1,46 @@
+table ip docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		ip daddr != 127.0.0.0/8 fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=false,snat=true,gwm=routed,bindlh=false__ip6.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=false,snat=true,gwm=routed,bindlh=false__ip6.golden
new file mode 100644
index 0000000000..3322d3478a
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=false,snat=true,gwm=routed,bindlh=false__ip6.golden
@@ -0,0 +1,46 @@
+table ip6 docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		ip6 daddr != ::1 fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=false,snat=true,gwm=routed,bindlh=true,wsl2mirrored=true__ip.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=false,snat=true,gwm=routed,bindlh=true,wsl2mirrored=true__ip.golden
new file mode 100644
index 0000000000..2364b7366a
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=false,snat=true,gwm=routed,bindlh=true,wsl2mirrored=true__ip.golden
@@ -0,0 +1,47 @@
+table ip docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		ip daddr != 127.0.0.0/8 fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+		iifname "loopback0" ip daddr 127.0.0.0/8 counter packets 0 bytes 0 return
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=false,snat=true,gwm=routed,bindlh=true__ip.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=false,snat=true,gwm=routed,bindlh=true__ip.golden
new file mode 100644
index 0000000000..420c8e517c
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=false,snat=true,gwm=routed,bindlh=true__ip.golden
@@ -0,0 +1,46 @@
+table ip docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		ip daddr != 127.0.0.0/8 fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=false,snat=true,gwm=routed,bindlh=true__ip6.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=false,snat=true,gwm=routed,bindlh=true__ip6.golden
new file mode 100644
index 0000000000..3322d3478a
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=false,snat=true,gwm=routed,bindlh=true__ip6.golden
@@ -0,0 +1,46 @@
+table ip6 docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		ip6 daddr != ::1 fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=true,snat=false,gwm=nat,bindlh=false,wsl2mirrored=true__ip.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=true,snat=false,gwm=nat,bindlh=false,wsl2mirrored=true__ip.golden
new file mode 100644
index 0000000000..2364b7366a
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=true,snat=false,gwm=nat,bindlh=false,wsl2mirrored=true__ip.golden
@@ -0,0 +1,47 @@
+table ip docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		ip daddr != 127.0.0.0/8 fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+		iifname "loopback0" ip daddr 127.0.0.0/8 counter packets 0 bytes 0 return
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=true,snat=false,gwm=nat,bindlh=false__ip.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=true,snat=false,gwm=nat,bindlh=false__ip.golden
new file mode 100644
index 0000000000..420c8e517c
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=true,snat=false,gwm=nat,bindlh=false__ip.golden
@@ -0,0 +1,46 @@
+table ip docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		ip daddr != 127.0.0.0/8 fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=true,snat=false,gwm=nat,bindlh=false__ip6.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=true,snat=false,gwm=nat,bindlh=false__ip6.golden
new file mode 100644
index 0000000000..3322d3478a
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=true,snat=false,gwm=nat,bindlh=false__ip6.golden
@@ -0,0 +1,46 @@
+table ip6 docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		ip6 daddr != ::1 fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=true,snat=false,gwm=nat,bindlh=true,wsl2mirrored=true__ip.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=true,snat=false,gwm=nat,bindlh=true,wsl2mirrored=true__ip.golden
new file mode 100644
index 0000000000..2364b7366a
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=true,snat=false,gwm=nat,bindlh=true,wsl2mirrored=true__ip.golden
@@ -0,0 +1,47 @@
+table ip docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		ip daddr != 127.0.0.0/8 fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+		iifname "loopback0" ip daddr 127.0.0.0/8 counter packets 0 bytes 0 return
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=true,snat=false,gwm=nat,bindlh=true__ip.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=true,snat=false,gwm=nat,bindlh=true__ip.golden
new file mode 100644
index 0000000000..420c8e517c
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=true,snat=false,gwm=nat,bindlh=true__ip.golden
@@ -0,0 +1,46 @@
+table ip docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		ip daddr != 127.0.0.0/8 fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=true,snat=false,gwm=nat,bindlh=true__ip6.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=true,snat=false,gwm=nat,bindlh=true__ip6.golden
new file mode 100644
index 0000000000..3322d3478a
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=true,snat=false,gwm=nat,bindlh=true__ip6.golden
@@ -0,0 +1,46 @@
+table ip6 docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		ip6 daddr != ::1 fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=true,snat=false,gwm=nat-unprotected,bindlh=false,wsl2mirrored=true__ip.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=true,snat=false,gwm=nat-unprotected,bindlh=false,wsl2mirrored=true__ip.golden
new file mode 100644
index 0000000000..2364b7366a
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=true,snat=false,gwm=nat-unprotected,bindlh=false,wsl2mirrored=true__ip.golden
@@ -0,0 +1,47 @@
+table ip docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		ip daddr != 127.0.0.0/8 fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+		iifname "loopback0" ip daddr 127.0.0.0/8 counter packets 0 bytes 0 return
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=true,snat=false,gwm=nat-unprotected,bindlh=false__ip.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=true,snat=false,gwm=nat-unprotected,bindlh=false__ip.golden
new file mode 100644
index 0000000000..420c8e517c
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=true,snat=false,gwm=nat-unprotected,bindlh=false__ip.golden
@@ -0,0 +1,46 @@
+table ip docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		ip daddr != 127.0.0.0/8 fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=true,snat=false,gwm=nat-unprotected,bindlh=false__ip6.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=true,snat=false,gwm=nat-unprotected,bindlh=false__ip6.golden
new file mode 100644
index 0000000000..3322d3478a
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=true,snat=false,gwm=nat-unprotected,bindlh=false__ip6.golden
@@ -0,0 +1,46 @@
+table ip6 docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		ip6 daddr != ::1 fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=true,snat=false,gwm=nat-unprotected,bindlh=true,wsl2mirrored=true__ip.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=true,snat=false,gwm=nat-unprotected,bindlh=true,wsl2mirrored=true__ip.golden
new file mode 100644
index 0000000000..2364b7366a
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=true,snat=false,gwm=nat-unprotected,bindlh=true,wsl2mirrored=true__ip.golden
@@ -0,0 +1,47 @@
+table ip docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		ip daddr != 127.0.0.0/8 fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+		iifname "loopback0" ip daddr 127.0.0.0/8 counter packets 0 bytes 0 return
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=true,snat=false,gwm=nat-unprotected,bindlh=true__ip.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=true,snat=false,gwm=nat-unprotected,bindlh=true__ip.golden
new file mode 100644
index 0000000000..420c8e517c
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=true,snat=false,gwm=nat-unprotected,bindlh=true__ip.golden
@@ -0,0 +1,46 @@
+table ip docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		ip daddr != 127.0.0.0/8 fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=true,snat=false,gwm=nat-unprotected,bindlh=true__ip6.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=true,snat=false,gwm=nat-unprotected,bindlh=true__ip6.golden
new file mode 100644
index 0000000000..3322d3478a
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=true,snat=false,gwm=nat-unprotected,bindlh=true__ip6.golden
@@ -0,0 +1,46 @@
+table ip6 docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		ip6 daddr != ::1 fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=true,snat=false,gwm=routed,bindlh=false,wsl2mirrored=true__ip.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=true,snat=false,gwm=routed,bindlh=false,wsl2mirrored=true__ip.golden
new file mode 100644
index 0000000000..2364b7366a
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=true,snat=false,gwm=routed,bindlh=false,wsl2mirrored=true__ip.golden
@@ -0,0 +1,47 @@
+table ip docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		ip daddr != 127.0.0.0/8 fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+		iifname "loopback0" ip daddr 127.0.0.0/8 counter packets 0 bytes 0 return
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=true,snat=false,gwm=routed,bindlh=false__ip.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=true,snat=false,gwm=routed,bindlh=false__ip.golden
new file mode 100644
index 0000000000..420c8e517c
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=true,snat=false,gwm=routed,bindlh=false__ip.golden
@@ -0,0 +1,46 @@
+table ip docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		ip daddr != 127.0.0.0/8 fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=true,snat=false,gwm=routed,bindlh=false__ip6.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=true,snat=false,gwm=routed,bindlh=false__ip6.golden
new file mode 100644
index 0000000000..3322d3478a
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=true,snat=false,gwm=routed,bindlh=false__ip6.golden
@@ -0,0 +1,46 @@
+table ip6 docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		ip6 daddr != ::1 fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=true,snat=false,gwm=routed,bindlh=true,wsl2mirrored=true__ip.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=true,snat=false,gwm=routed,bindlh=true,wsl2mirrored=true__ip.golden
new file mode 100644
index 0000000000..2364b7366a
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=true,snat=false,gwm=routed,bindlh=true,wsl2mirrored=true__ip.golden
@@ -0,0 +1,47 @@
+table ip docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		ip daddr != 127.0.0.0/8 fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+		iifname "loopback0" ip daddr 127.0.0.0/8 counter packets 0 bytes 0 return
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=true,snat=false,gwm=routed,bindlh=true__ip.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=true,snat=false,gwm=routed,bindlh=true__ip.golden
new file mode 100644
index 0000000000..420c8e517c
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=true,snat=false,gwm=routed,bindlh=true__ip.golden
@@ -0,0 +1,46 @@
+table ip docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		ip daddr != 127.0.0.0/8 fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=true,snat=false,gwm=routed,bindlh=true__ip6.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=true,snat=false,gwm=routed,bindlh=true__ip6.golden
new file mode 100644
index 0000000000..3322d3478a
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=true,snat=false,gwm=routed,bindlh=true__ip6.golden
@@ -0,0 +1,46 @@
+table ip6 docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		ip6 daddr != ::1 fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=true,snat=true,gwm=nat,bindlh=false,wsl2mirrored=true__ip.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=true,snat=true,gwm=nat,bindlh=false,wsl2mirrored=true__ip.golden
new file mode 100644
index 0000000000..2364b7366a
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=true,snat=true,gwm=nat,bindlh=false,wsl2mirrored=true__ip.golden
@@ -0,0 +1,47 @@
+table ip docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		ip daddr != 127.0.0.0/8 fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+		iifname "loopback0" ip daddr 127.0.0.0/8 counter packets 0 bytes 0 return
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=true,snat=true,gwm=nat,bindlh=false__ip.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=true,snat=true,gwm=nat,bindlh=false__ip.golden
new file mode 100644
index 0000000000..420c8e517c
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=true,snat=true,gwm=nat,bindlh=false__ip.golden
@@ -0,0 +1,46 @@
+table ip docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		ip daddr != 127.0.0.0/8 fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=true,snat=true,gwm=nat,bindlh=false__ip6.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=true,snat=true,gwm=nat,bindlh=false__ip6.golden
new file mode 100644
index 0000000000..3322d3478a
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=true,snat=true,gwm=nat,bindlh=false__ip6.golden
@@ -0,0 +1,46 @@
+table ip6 docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		ip6 daddr != ::1 fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=true,snat=true,gwm=nat,bindlh=true,wsl2mirrored=true__ip.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=true,snat=true,gwm=nat,bindlh=true,wsl2mirrored=true__ip.golden
new file mode 100644
index 0000000000..2364b7366a
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=true,snat=true,gwm=nat,bindlh=true,wsl2mirrored=true__ip.golden
@@ -0,0 +1,47 @@
+table ip docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		ip daddr != 127.0.0.0/8 fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+		iifname "loopback0" ip daddr 127.0.0.0/8 counter packets 0 bytes 0 return
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=true,snat=true,gwm=nat,bindlh=true__ip.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=true,snat=true,gwm=nat,bindlh=true__ip.golden
new file mode 100644
index 0000000000..420c8e517c
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=true,snat=true,gwm=nat,bindlh=true__ip.golden
@@ -0,0 +1,46 @@
+table ip docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		ip daddr != 127.0.0.0/8 fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=true,snat=true,gwm=nat,bindlh=true__ip6.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=true,snat=true,gwm=nat,bindlh=true__ip6.golden
new file mode 100644
index 0000000000..3322d3478a
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=true,snat=true,gwm=nat,bindlh=true__ip6.golden
@@ -0,0 +1,46 @@
+table ip6 docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		ip6 daddr != ::1 fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=true,snat=true,gwm=nat-unprotected,bindlh=false,wsl2mirrored=true__ip.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=true,snat=true,gwm=nat-unprotected,bindlh=false,wsl2mirrored=true__ip.golden
new file mode 100644
index 0000000000..2364b7366a
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=true,snat=true,gwm=nat-unprotected,bindlh=false,wsl2mirrored=true__ip.golden
@@ -0,0 +1,47 @@
+table ip docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		ip daddr != 127.0.0.0/8 fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+		iifname "loopback0" ip daddr 127.0.0.0/8 counter packets 0 bytes 0 return
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=true,snat=true,gwm=nat-unprotected,bindlh=false__ip.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=true,snat=true,gwm=nat-unprotected,bindlh=false__ip.golden
new file mode 100644
index 0000000000..420c8e517c
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=true,snat=true,gwm=nat-unprotected,bindlh=false__ip.golden
@@ -0,0 +1,46 @@
+table ip docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		ip daddr != 127.0.0.0/8 fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=true,snat=true,gwm=nat-unprotected,bindlh=false__ip6.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=true,snat=true,gwm=nat-unprotected,bindlh=false__ip6.golden
new file mode 100644
index 0000000000..3322d3478a
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=true,snat=true,gwm=nat-unprotected,bindlh=false__ip6.golden
@@ -0,0 +1,46 @@
+table ip6 docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		ip6 daddr != ::1 fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=true,snat=true,gwm=nat-unprotected,bindlh=true,wsl2mirrored=true__ip.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=true,snat=true,gwm=nat-unprotected,bindlh=true,wsl2mirrored=true__ip.golden
new file mode 100644
index 0000000000..2364b7366a
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=true,snat=true,gwm=nat-unprotected,bindlh=true,wsl2mirrored=true__ip.golden
@@ -0,0 +1,47 @@
+table ip docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		ip daddr != 127.0.0.0/8 fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+		iifname "loopback0" ip daddr 127.0.0.0/8 counter packets 0 bytes 0 return
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=true,snat=true,gwm=nat-unprotected,bindlh=true__ip.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=true,snat=true,gwm=nat-unprotected,bindlh=true__ip.golden
new file mode 100644
index 0000000000..420c8e517c
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=true,snat=true,gwm=nat-unprotected,bindlh=true__ip.golden
@@ -0,0 +1,46 @@
+table ip docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		ip daddr != 127.0.0.0/8 fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=true,snat=true,gwm=nat-unprotected,bindlh=true__ip6.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=true,snat=true,gwm=nat-unprotected,bindlh=true__ip6.golden
new file mode 100644
index 0000000000..3322d3478a
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=true,snat=true,gwm=nat-unprotected,bindlh=true__ip6.golden
@@ -0,0 +1,46 @@
+table ip6 docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		ip6 daddr != ::1 fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=true,snat=true,gwm=routed,bindlh=false,wsl2mirrored=true__ip.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=true,snat=true,gwm=routed,bindlh=false,wsl2mirrored=true__ip.golden
new file mode 100644
index 0000000000..2364b7366a
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=true,snat=true,gwm=routed,bindlh=false,wsl2mirrored=true__ip.golden
@@ -0,0 +1,47 @@
+table ip docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		ip daddr != 127.0.0.0/8 fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+		iifname "loopback0" ip daddr 127.0.0.0/8 counter packets 0 bytes 0 return
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=true,snat=true,gwm=routed,bindlh=false__ip.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=true,snat=true,gwm=routed,bindlh=false__ip.golden
new file mode 100644
index 0000000000..420c8e517c
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=true,snat=true,gwm=routed,bindlh=false__ip.golden
@@ -0,0 +1,46 @@
+table ip docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		ip daddr != 127.0.0.0/8 fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=true,snat=true,gwm=routed,bindlh=false__ip6.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=true,snat=true,gwm=routed,bindlh=false__ip6.golden
new file mode 100644
index 0000000000..3322d3478a
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=true,snat=true,gwm=routed,bindlh=false__ip6.golden
@@ -0,0 +1,46 @@
+table ip6 docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		ip6 daddr != ::1 fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=true,snat=true,gwm=routed,bindlh=true,wsl2mirrored=true__ip.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=true,snat=true,gwm=routed,bindlh=true,wsl2mirrored=true__ip.golden
new file mode 100644
index 0000000000..2364b7366a
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=true,snat=true,gwm=routed,bindlh=true,wsl2mirrored=true__ip.golden
@@ -0,0 +1,47 @@
+table ip docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		ip daddr != 127.0.0.0/8 fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+		iifname "loopback0" ip daddr 127.0.0.0/8 counter packets 0 bytes 0 return
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=true,snat=true,gwm=routed,bindlh=true__ip.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=true,snat=true,gwm=routed,bindlh=true__ip.golden
new file mode 100644
index 0000000000..420c8e517c
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=true,snat=true,gwm=routed,bindlh=true__ip.golden
@@ -0,0 +1,46 @@
+table ip docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		ip daddr != 127.0.0.0/8 fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=true,snat=true,gwm=routed,bindlh=true__ip6.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=true,snat=true,gwm=routed,bindlh=true__ip6.golden
new file mode 100644
index 0000000000..3322d3478a
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=true,snat=true,gwm=routed,bindlh=true__ip6.golden
@@ -0,0 +1,46 @@
+table ip6 docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		ip6 daddr != ::1 fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=false,snat=false,gwm=nat,bindlh=false,wsl2mirrored=true__ip.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=false,snat=false,gwm=nat,bindlh=false,wsl2mirrored=true__ip.golden
new file mode 100644
index 0000000000..2364b7366a
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=false,snat=false,gwm=nat,bindlh=false,wsl2mirrored=true__ip.golden
@@ -0,0 +1,47 @@
+table ip docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		ip daddr != 127.0.0.0/8 fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+		iifname "loopback0" ip daddr 127.0.0.0/8 counter packets 0 bytes 0 return
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=false,snat=false,gwm=nat,bindlh=false__ip.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=false,snat=false,gwm=nat,bindlh=false__ip.golden
new file mode 100644
index 0000000000..420c8e517c
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=false,snat=false,gwm=nat,bindlh=false__ip.golden
@@ -0,0 +1,46 @@
+table ip docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		ip daddr != 127.0.0.0/8 fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=false,snat=false,gwm=nat,bindlh=false__ip6.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=false,snat=false,gwm=nat,bindlh=false__ip6.golden
new file mode 100644
index 0000000000..3322d3478a
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=false,snat=false,gwm=nat,bindlh=false__ip6.golden
@@ -0,0 +1,46 @@
+table ip6 docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		ip6 daddr != ::1 fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=false,snat=false,gwm=nat,bindlh=true,wsl2mirrored=true__ip.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=false,snat=false,gwm=nat,bindlh=true,wsl2mirrored=true__ip.golden
new file mode 100644
index 0000000000..2364b7366a
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=false,snat=false,gwm=nat,bindlh=true,wsl2mirrored=true__ip.golden
@@ -0,0 +1,47 @@
+table ip docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		ip daddr != 127.0.0.0/8 fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+		iifname "loopback0" ip daddr 127.0.0.0/8 counter packets 0 bytes 0 return
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=false,snat=false,gwm=nat,bindlh=true__ip.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=false,snat=false,gwm=nat,bindlh=true__ip.golden
new file mode 100644
index 0000000000..420c8e517c
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=false,snat=false,gwm=nat,bindlh=true__ip.golden
@@ -0,0 +1,46 @@
+table ip docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		ip daddr != 127.0.0.0/8 fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=false,snat=false,gwm=nat,bindlh=true__ip6.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=false,snat=false,gwm=nat,bindlh=true__ip6.golden
new file mode 100644
index 0000000000..3322d3478a
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=false,snat=false,gwm=nat,bindlh=true__ip6.golden
@@ -0,0 +1,46 @@
+table ip6 docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		ip6 daddr != ::1 fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=false,snat=false,gwm=nat-unprotected,bindlh=false,wsl2mirrored=true__ip.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=false,snat=false,gwm=nat-unprotected,bindlh=false,wsl2mirrored=true__ip.golden
new file mode 100644
index 0000000000..2364b7366a
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=false,snat=false,gwm=nat-unprotected,bindlh=false,wsl2mirrored=true__ip.golden
@@ -0,0 +1,47 @@
+table ip docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		ip daddr != 127.0.0.0/8 fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+		iifname "loopback0" ip daddr 127.0.0.0/8 counter packets 0 bytes 0 return
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=false,snat=false,gwm=nat-unprotected,bindlh=false__ip.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=false,snat=false,gwm=nat-unprotected,bindlh=false__ip.golden
new file mode 100644
index 0000000000..420c8e517c
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=false,snat=false,gwm=nat-unprotected,bindlh=false__ip.golden
@@ -0,0 +1,46 @@
+table ip docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		ip daddr != 127.0.0.0/8 fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=false,snat=false,gwm=nat-unprotected,bindlh=false__ip6.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=false,snat=false,gwm=nat-unprotected,bindlh=false__ip6.golden
new file mode 100644
index 0000000000..3322d3478a
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=false,snat=false,gwm=nat-unprotected,bindlh=false__ip6.golden
@@ -0,0 +1,46 @@
+table ip6 docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		ip6 daddr != ::1 fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=false,snat=false,gwm=nat-unprotected,bindlh=true,wsl2mirrored=true__ip.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=false,snat=false,gwm=nat-unprotected,bindlh=true,wsl2mirrored=true__ip.golden
new file mode 100644
index 0000000000..2364b7366a
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=false,snat=false,gwm=nat-unprotected,bindlh=true,wsl2mirrored=true__ip.golden
@@ -0,0 +1,47 @@
+table ip docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		ip daddr != 127.0.0.0/8 fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+		iifname "loopback0" ip daddr 127.0.0.0/8 counter packets 0 bytes 0 return
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=false,snat=false,gwm=nat-unprotected,bindlh=true__ip.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=false,snat=false,gwm=nat-unprotected,bindlh=true__ip.golden
new file mode 100644
index 0000000000..420c8e517c
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=false,snat=false,gwm=nat-unprotected,bindlh=true__ip.golden
@@ -0,0 +1,46 @@
+table ip docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		ip daddr != 127.0.0.0/8 fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=false,snat=false,gwm=nat-unprotected,bindlh=true__ip6.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=false,snat=false,gwm=nat-unprotected,bindlh=true__ip6.golden
new file mode 100644
index 0000000000..3322d3478a
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=false,snat=false,gwm=nat-unprotected,bindlh=true__ip6.golden
@@ -0,0 +1,46 @@
+table ip6 docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		ip6 daddr != ::1 fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=false,snat=false,gwm=routed,bindlh=false,wsl2mirrored=true__ip.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=false,snat=false,gwm=routed,bindlh=false,wsl2mirrored=true__ip.golden
new file mode 100644
index 0000000000..2364b7366a
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=false,snat=false,gwm=routed,bindlh=false,wsl2mirrored=true__ip.golden
@@ -0,0 +1,47 @@
+table ip docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		ip daddr != 127.0.0.0/8 fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+		iifname "loopback0" ip daddr 127.0.0.0/8 counter packets 0 bytes 0 return
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=false,snat=false,gwm=routed,bindlh=false__ip.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=false,snat=false,gwm=routed,bindlh=false__ip.golden
new file mode 100644
index 0000000000..420c8e517c
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=false,snat=false,gwm=routed,bindlh=false__ip.golden
@@ -0,0 +1,46 @@
+table ip docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		ip daddr != 127.0.0.0/8 fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=false,snat=false,gwm=routed,bindlh=false__ip6.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=false,snat=false,gwm=routed,bindlh=false__ip6.golden
new file mode 100644
index 0000000000..3322d3478a
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=false,snat=false,gwm=routed,bindlh=false__ip6.golden
@@ -0,0 +1,46 @@
+table ip6 docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		ip6 daddr != ::1 fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=false,snat=false,gwm=routed,bindlh=true,wsl2mirrored=true__ip.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=false,snat=false,gwm=routed,bindlh=true,wsl2mirrored=true__ip.golden
new file mode 100644
index 0000000000..2364b7366a
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=false,snat=false,gwm=routed,bindlh=true,wsl2mirrored=true__ip.golden
@@ -0,0 +1,47 @@
+table ip docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		ip daddr != 127.0.0.0/8 fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+		iifname "loopback0" ip daddr 127.0.0.0/8 counter packets 0 bytes 0 return
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=false,snat=false,gwm=routed,bindlh=true__ip.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=false,snat=false,gwm=routed,bindlh=true__ip.golden
new file mode 100644
index 0000000000..420c8e517c
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=false,snat=false,gwm=routed,bindlh=true__ip.golden
@@ -0,0 +1,46 @@
+table ip docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		ip daddr != 127.0.0.0/8 fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=false,snat=false,gwm=routed,bindlh=true__ip6.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=false,snat=false,gwm=routed,bindlh=true__ip6.golden
new file mode 100644
index 0000000000..3322d3478a
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=false,snat=false,gwm=routed,bindlh=true__ip6.golden
@@ -0,0 +1,46 @@
+table ip6 docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		ip6 daddr != ::1 fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=false,snat=true,gwm=nat,bindlh=false,wsl2mirrored=true__ip.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=false,snat=true,gwm=nat,bindlh=false,wsl2mirrored=true__ip.golden
new file mode 100644
index 0000000000..2364b7366a
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=false,snat=true,gwm=nat,bindlh=false,wsl2mirrored=true__ip.golden
@@ -0,0 +1,47 @@
+table ip docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		ip daddr != 127.0.0.0/8 fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+		iifname "loopback0" ip daddr 127.0.0.0/8 counter packets 0 bytes 0 return
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=false,snat=true,gwm=nat,bindlh=false__ip.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=false,snat=true,gwm=nat,bindlh=false__ip.golden
new file mode 100644
index 0000000000..420c8e517c
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=false,snat=true,gwm=nat,bindlh=false__ip.golden
@@ -0,0 +1,46 @@
+table ip docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		ip daddr != 127.0.0.0/8 fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=false,snat=true,gwm=nat,bindlh=false__ip6.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=false,snat=true,gwm=nat,bindlh=false__ip6.golden
new file mode 100644
index 0000000000..3322d3478a
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=false,snat=true,gwm=nat,bindlh=false__ip6.golden
@@ -0,0 +1,46 @@
+table ip6 docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		ip6 daddr != ::1 fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=false,snat=true,gwm=nat,bindlh=true,wsl2mirrored=true__ip.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=false,snat=true,gwm=nat,bindlh=true,wsl2mirrored=true__ip.golden
new file mode 100644
index 0000000000..2364b7366a
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=false,snat=true,gwm=nat,bindlh=true,wsl2mirrored=true__ip.golden
@@ -0,0 +1,47 @@
+table ip docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		ip daddr != 127.0.0.0/8 fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+		iifname "loopback0" ip daddr 127.0.0.0/8 counter packets 0 bytes 0 return
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=false,snat=true,gwm=nat,bindlh=true__ip.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=false,snat=true,gwm=nat,bindlh=true__ip.golden
new file mode 100644
index 0000000000..420c8e517c
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=false,snat=true,gwm=nat,bindlh=true__ip.golden
@@ -0,0 +1,46 @@
+table ip docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		ip daddr != 127.0.0.0/8 fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=false,snat=true,gwm=nat,bindlh=true__ip6.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=false,snat=true,gwm=nat,bindlh=true__ip6.golden
new file mode 100644
index 0000000000..3322d3478a
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=false,snat=true,gwm=nat,bindlh=true__ip6.golden
@@ -0,0 +1,46 @@
+table ip6 docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		ip6 daddr != ::1 fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=false,snat=true,gwm=nat-unprotected,bindlh=false,wsl2mirrored=true__ip.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=false,snat=true,gwm=nat-unprotected,bindlh=false,wsl2mirrored=true__ip.golden
new file mode 100644
index 0000000000..2364b7366a
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=false,snat=true,gwm=nat-unprotected,bindlh=false,wsl2mirrored=true__ip.golden
@@ -0,0 +1,47 @@
+table ip docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		ip daddr != 127.0.0.0/8 fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+		iifname "loopback0" ip daddr 127.0.0.0/8 counter packets 0 bytes 0 return
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=false,snat=true,gwm=nat-unprotected,bindlh=false__ip.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=false,snat=true,gwm=nat-unprotected,bindlh=false__ip.golden
new file mode 100644
index 0000000000..420c8e517c
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=false,snat=true,gwm=nat-unprotected,bindlh=false__ip.golden
@@ -0,0 +1,46 @@
+table ip docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		ip daddr != 127.0.0.0/8 fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=false,snat=true,gwm=nat-unprotected,bindlh=false__ip6.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=false,snat=true,gwm=nat-unprotected,bindlh=false__ip6.golden
new file mode 100644
index 0000000000..3322d3478a
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=false,snat=true,gwm=nat-unprotected,bindlh=false__ip6.golden
@@ -0,0 +1,46 @@
+table ip6 docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		ip6 daddr != ::1 fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=false,snat=true,gwm=nat-unprotected,bindlh=true,wsl2mirrored=true__ip.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=false,snat=true,gwm=nat-unprotected,bindlh=true,wsl2mirrored=true__ip.golden
new file mode 100644
index 0000000000..2364b7366a
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=false,snat=true,gwm=nat-unprotected,bindlh=true,wsl2mirrored=true__ip.golden
@@ -0,0 +1,47 @@
+table ip docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		ip daddr != 127.0.0.0/8 fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+		iifname "loopback0" ip daddr 127.0.0.0/8 counter packets 0 bytes 0 return
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=false,snat=true,gwm=nat-unprotected,bindlh=true__ip.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=false,snat=true,gwm=nat-unprotected,bindlh=true__ip.golden
new file mode 100644
index 0000000000..420c8e517c
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=false,snat=true,gwm=nat-unprotected,bindlh=true__ip.golden
@@ -0,0 +1,46 @@
+table ip docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		ip daddr != 127.0.0.0/8 fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=false,snat=true,gwm=nat-unprotected,bindlh=true__ip6.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=false,snat=true,gwm=nat-unprotected,bindlh=true__ip6.golden
new file mode 100644
index 0000000000..3322d3478a
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=false,snat=true,gwm=nat-unprotected,bindlh=true__ip6.golden
@@ -0,0 +1,46 @@
+table ip6 docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		ip6 daddr != ::1 fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=false,snat=true,gwm=routed,bindlh=false,wsl2mirrored=true__ip.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=false,snat=true,gwm=routed,bindlh=false,wsl2mirrored=true__ip.golden
new file mode 100644
index 0000000000..2364b7366a
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=false,snat=true,gwm=routed,bindlh=false,wsl2mirrored=true__ip.golden
@@ -0,0 +1,47 @@
+table ip docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		ip daddr != 127.0.0.0/8 fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+		iifname "loopback0" ip daddr 127.0.0.0/8 counter packets 0 bytes 0 return
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=false,snat=true,gwm=routed,bindlh=false__ip.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=false,snat=true,gwm=routed,bindlh=false__ip.golden
new file mode 100644
index 0000000000..420c8e517c
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=false,snat=true,gwm=routed,bindlh=false__ip.golden
@@ -0,0 +1,46 @@
+table ip docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		ip daddr != 127.0.0.0/8 fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=false,snat=true,gwm=routed,bindlh=false__ip6.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=false,snat=true,gwm=routed,bindlh=false__ip6.golden
new file mode 100644
index 0000000000..3322d3478a
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=false,snat=true,gwm=routed,bindlh=false__ip6.golden
@@ -0,0 +1,46 @@
+table ip6 docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		ip6 daddr != ::1 fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=false,snat=true,gwm=routed,bindlh=true,wsl2mirrored=true__ip.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=false,snat=true,gwm=routed,bindlh=true,wsl2mirrored=true__ip.golden
new file mode 100644
index 0000000000..2364b7366a
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=false,snat=true,gwm=routed,bindlh=true,wsl2mirrored=true__ip.golden
@@ -0,0 +1,47 @@
+table ip docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		ip daddr != 127.0.0.0/8 fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+		iifname "loopback0" ip daddr 127.0.0.0/8 counter packets 0 bytes 0 return
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=false,snat=true,gwm=routed,bindlh=true__ip.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=false,snat=true,gwm=routed,bindlh=true__ip.golden
new file mode 100644
index 0000000000..420c8e517c
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=false,snat=true,gwm=routed,bindlh=true__ip.golden
@@ -0,0 +1,46 @@
+table ip docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		ip daddr != 127.0.0.0/8 fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=false,snat=true,gwm=routed,bindlh=true__ip6.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=false,snat=true,gwm=routed,bindlh=true__ip6.golden
new file mode 100644
index 0000000000..3322d3478a
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=false,snat=true,gwm=routed,bindlh=true__ip6.golden
@@ -0,0 +1,46 @@
+table ip6 docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		ip6 daddr != ::1 fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=true,snat=false,gwm=nat,bindlh=false,wsl2mirrored=true__ip.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=true,snat=false,gwm=nat,bindlh=false,wsl2mirrored=true__ip.golden
new file mode 100644
index 0000000000..2364b7366a
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=true,snat=false,gwm=nat,bindlh=false,wsl2mirrored=true__ip.golden
@@ -0,0 +1,47 @@
+table ip docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		ip daddr != 127.0.0.0/8 fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+		iifname "loopback0" ip daddr 127.0.0.0/8 counter packets 0 bytes 0 return
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=true,snat=false,gwm=nat,bindlh=false__ip.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=true,snat=false,gwm=nat,bindlh=false__ip.golden
new file mode 100644
index 0000000000..420c8e517c
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=true,snat=false,gwm=nat,bindlh=false__ip.golden
@@ -0,0 +1,46 @@
+table ip docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		ip daddr != 127.0.0.0/8 fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=true,snat=false,gwm=nat,bindlh=false__ip6.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=true,snat=false,gwm=nat,bindlh=false__ip6.golden
new file mode 100644
index 0000000000..3322d3478a
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=true,snat=false,gwm=nat,bindlh=false__ip6.golden
@@ -0,0 +1,46 @@
+table ip6 docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		ip6 daddr != ::1 fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=true,snat=false,gwm=nat,bindlh=true,wsl2mirrored=true__ip.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=true,snat=false,gwm=nat,bindlh=true,wsl2mirrored=true__ip.golden
new file mode 100644
index 0000000000..2364b7366a
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=true,snat=false,gwm=nat,bindlh=true,wsl2mirrored=true__ip.golden
@@ -0,0 +1,47 @@
+table ip docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		ip daddr != 127.0.0.0/8 fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+		iifname "loopback0" ip daddr 127.0.0.0/8 counter packets 0 bytes 0 return
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=true,snat=false,gwm=nat,bindlh=true__ip.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=true,snat=false,gwm=nat,bindlh=true__ip.golden
new file mode 100644
index 0000000000..420c8e517c
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=true,snat=false,gwm=nat,bindlh=true__ip.golden
@@ -0,0 +1,46 @@
+table ip docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		ip daddr != 127.0.0.0/8 fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=true,snat=false,gwm=nat,bindlh=true__ip6.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=true,snat=false,gwm=nat,bindlh=true__ip6.golden
new file mode 100644
index 0000000000..3322d3478a
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=true,snat=false,gwm=nat,bindlh=true__ip6.golden
@@ -0,0 +1,46 @@
+table ip6 docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		ip6 daddr != ::1 fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=true,snat=false,gwm=nat-unprotected,bindlh=false,wsl2mirrored=true__ip.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=true,snat=false,gwm=nat-unprotected,bindlh=false,wsl2mirrored=true__ip.golden
new file mode 100644
index 0000000000..2364b7366a
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=true,snat=false,gwm=nat-unprotected,bindlh=false,wsl2mirrored=true__ip.golden
@@ -0,0 +1,47 @@
+table ip docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		ip daddr != 127.0.0.0/8 fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+		iifname "loopback0" ip daddr 127.0.0.0/8 counter packets 0 bytes 0 return
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=true,snat=false,gwm=nat-unprotected,bindlh=false__ip.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=true,snat=false,gwm=nat-unprotected,bindlh=false__ip.golden
new file mode 100644
index 0000000000..420c8e517c
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=true,snat=false,gwm=nat-unprotected,bindlh=false__ip.golden
@@ -0,0 +1,46 @@
+table ip docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		ip daddr != 127.0.0.0/8 fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=true,snat=false,gwm=nat-unprotected,bindlh=false__ip6.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=true,snat=false,gwm=nat-unprotected,bindlh=false__ip6.golden
new file mode 100644
index 0000000000..3322d3478a
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=true,snat=false,gwm=nat-unprotected,bindlh=false__ip6.golden
@@ -0,0 +1,46 @@
+table ip6 docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		ip6 daddr != ::1 fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=true,snat=false,gwm=nat-unprotected,bindlh=true,wsl2mirrored=true__ip.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=true,snat=false,gwm=nat-unprotected,bindlh=true,wsl2mirrored=true__ip.golden
new file mode 100644
index 0000000000..2364b7366a
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=true,snat=false,gwm=nat-unprotected,bindlh=true,wsl2mirrored=true__ip.golden
@@ -0,0 +1,47 @@
+table ip docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		ip daddr != 127.0.0.0/8 fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+		iifname "loopback0" ip daddr 127.0.0.0/8 counter packets 0 bytes 0 return
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=true,snat=false,gwm=nat-unprotected,bindlh=true__ip.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=true,snat=false,gwm=nat-unprotected,bindlh=true__ip.golden
new file mode 100644
index 0000000000..420c8e517c
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=true,snat=false,gwm=nat-unprotected,bindlh=true__ip.golden
@@ -0,0 +1,46 @@
+table ip docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		ip daddr != 127.0.0.0/8 fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=true,snat=false,gwm=nat-unprotected,bindlh=true__ip6.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=true,snat=false,gwm=nat-unprotected,bindlh=true__ip6.golden
new file mode 100644
index 0000000000..3322d3478a
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=true,snat=false,gwm=nat-unprotected,bindlh=true__ip6.golden
@@ -0,0 +1,46 @@
+table ip6 docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		ip6 daddr != ::1 fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=true,snat=false,gwm=routed,bindlh=false,wsl2mirrored=true__ip.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=true,snat=false,gwm=routed,bindlh=false,wsl2mirrored=true__ip.golden
new file mode 100644
index 0000000000..2364b7366a
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=true,snat=false,gwm=routed,bindlh=false,wsl2mirrored=true__ip.golden
@@ -0,0 +1,47 @@
+table ip docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		ip daddr != 127.0.0.0/8 fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+		iifname "loopback0" ip daddr 127.0.0.0/8 counter packets 0 bytes 0 return
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=true,snat=false,gwm=routed,bindlh=false__ip.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=true,snat=false,gwm=routed,bindlh=false__ip.golden
new file mode 100644
index 0000000000..420c8e517c
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=true,snat=false,gwm=routed,bindlh=false__ip.golden
@@ -0,0 +1,46 @@
+table ip docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		ip daddr != 127.0.0.0/8 fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=true,snat=false,gwm=routed,bindlh=false__ip6.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=true,snat=false,gwm=routed,bindlh=false__ip6.golden
new file mode 100644
index 0000000000..3322d3478a
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=true,snat=false,gwm=routed,bindlh=false__ip6.golden
@@ -0,0 +1,46 @@
+table ip6 docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		ip6 daddr != ::1 fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=true,snat=false,gwm=routed,bindlh=true,wsl2mirrored=true__ip.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=true,snat=false,gwm=routed,bindlh=true,wsl2mirrored=true__ip.golden
new file mode 100644
index 0000000000..2364b7366a
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=true,snat=false,gwm=routed,bindlh=true,wsl2mirrored=true__ip.golden
@@ -0,0 +1,47 @@
+table ip docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		ip daddr != 127.0.0.0/8 fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+		iifname "loopback0" ip daddr 127.0.0.0/8 counter packets 0 bytes 0 return
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=true,snat=false,gwm=routed,bindlh=true__ip.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=true,snat=false,gwm=routed,bindlh=true__ip.golden
new file mode 100644
index 0000000000..420c8e517c
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=true,snat=false,gwm=routed,bindlh=true__ip.golden
@@ -0,0 +1,46 @@
+table ip docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		ip daddr != 127.0.0.0/8 fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=true,snat=false,gwm=routed,bindlh=true__ip6.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=true,snat=false,gwm=routed,bindlh=true__ip6.golden
new file mode 100644
index 0000000000..3322d3478a
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=true,snat=false,gwm=routed,bindlh=true__ip6.golden
@@ -0,0 +1,46 @@
+table ip6 docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		ip6 daddr != ::1 fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=true,snat=true,gwm=nat,bindlh=false,wsl2mirrored=true__ip.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=true,snat=true,gwm=nat,bindlh=false,wsl2mirrored=true__ip.golden
new file mode 100644
index 0000000000..2364b7366a
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=true,snat=true,gwm=nat,bindlh=false,wsl2mirrored=true__ip.golden
@@ -0,0 +1,47 @@
+table ip docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		ip daddr != 127.0.0.0/8 fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+		iifname "loopback0" ip daddr 127.0.0.0/8 counter packets 0 bytes 0 return
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=true,snat=true,gwm=nat,bindlh=false__ip.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=true,snat=true,gwm=nat,bindlh=false__ip.golden
new file mode 100644
index 0000000000..420c8e517c
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=true,snat=true,gwm=nat,bindlh=false__ip.golden
@@ -0,0 +1,46 @@
+table ip docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		ip daddr != 127.0.0.0/8 fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=true,snat=true,gwm=nat,bindlh=false__ip6.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=true,snat=true,gwm=nat,bindlh=false__ip6.golden
new file mode 100644
index 0000000000..3322d3478a
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=true,snat=true,gwm=nat,bindlh=false__ip6.golden
@@ -0,0 +1,46 @@
+table ip6 docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		ip6 daddr != ::1 fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=true,snat=true,gwm=nat,bindlh=true,wsl2mirrored=true__ip.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=true,snat=true,gwm=nat,bindlh=true,wsl2mirrored=true__ip.golden
new file mode 100644
index 0000000000..2364b7366a
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=true,snat=true,gwm=nat,bindlh=true,wsl2mirrored=true__ip.golden
@@ -0,0 +1,47 @@
+table ip docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		ip daddr != 127.0.0.0/8 fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+		iifname "loopback0" ip daddr 127.0.0.0/8 counter packets 0 bytes 0 return
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=true,snat=true,gwm=nat,bindlh=true__ip.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=true,snat=true,gwm=nat,bindlh=true__ip.golden
new file mode 100644
index 0000000000..420c8e517c
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=true,snat=true,gwm=nat,bindlh=true__ip.golden
@@ -0,0 +1,46 @@
+table ip docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		ip daddr != 127.0.0.0/8 fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=true,snat=true,gwm=nat,bindlh=true__ip6.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=true,snat=true,gwm=nat,bindlh=true__ip6.golden
new file mode 100644
index 0000000000..3322d3478a
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=true,snat=true,gwm=nat,bindlh=true__ip6.golden
@@ -0,0 +1,46 @@
+table ip6 docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		ip6 daddr != ::1 fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=true,snat=true,gwm=nat-unprotected,bindlh=false,wsl2mirrored=true__ip.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=true,snat=true,gwm=nat-unprotected,bindlh=false,wsl2mirrored=true__ip.golden
new file mode 100644
index 0000000000..2364b7366a
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=true,snat=true,gwm=nat-unprotected,bindlh=false,wsl2mirrored=true__ip.golden
@@ -0,0 +1,47 @@
+table ip docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		ip daddr != 127.0.0.0/8 fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+		iifname "loopback0" ip daddr 127.0.0.0/8 counter packets 0 bytes 0 return
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=true,snat=true,gwm=nat-unprotected,bindlh=false__ip.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=true,snat=true,gwm=nat-unprotected,bindlh=false__ip.golden
new file mode 100644
index 0000000000..420c8e517c
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=true,snat=true,gwm=nat-unprotected,bindlh=false__ip.golden
@@ -0,0 +1,46 @@
+table ip docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		ip daddr != 127.0.0.0/8 fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=true,snat=true,gwm=nat-unprotected,bindlh=false__ip6.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=true,snat=true,gwm=nat-unprotected,bindlh=false__ip6.golden
new file mode 100644
index 0000000000..3322d3478a
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=true,snat=true,gwm=nat-unprotected,bindlh=false__ip6.golden
@@ -0,0 +1,46 @@
+table ip6 docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		ip6 daddr != ::1 fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=true,snat=true,gwm=nat-unprotected,bindlh=true,wsl2mirrored=true__ip.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=true,snat=true,gwm=nat-unprotected,bindlh=true,wsl2mirrored=true__ip.golden
new file mode 100644
index 0000000000..2364b7366a
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=true,snat=true,gwm=nat-unprotected,bindlh=true,wsl2mirrored=true__ip.golden
@@ -0,0 +1,47 @@
+table ip docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		ip daddr != 127.0.0.0/8 fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+		iifname "loopback0" ip daddr 127.0.0.0/8 counter packets 0 bytes 0 return
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=true,snat=true,gwm=nat-unprotected,bindlh=true__ip.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=true,snat=true,gwm=nat-unprotected,bindlh=true__ip.golden
new file mode 100644
index 0000000000..420c8e517c
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=true,snat=true,gwm=nat-unprotected,bindlh=true__ip.golden
@@ -0,0 +1,46 @@
+table ip docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		ip daddr != 127.0.0.0/8 fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=true,snat=true,gwm=nat-unprotected,bindlh=true__ip6.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=true,snat=true,gwm=nat-unprotected,bindlh=true__ip6.golden
new file mode 100644
index 0000000000..3322d3478a
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=true,snat=true,gwm=nat-unprotected,bindlh=true__ip6.golden
@@ -0,0 +1,46 @@
+table ip6 docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		ip6 daddr != ::1 fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=true,snat=true,gwm=routed,bindlh=false,wsl2mirrored=true__ip.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=true,snat=true,gwm=routed,bindlh=false,wsl2mirrored=true__ip.golden
new file mode 100644
index 0000000000..2364b7366a
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=true,snat=true,gwm=routed,bindlh=false,wsl2mirrored=true__ip.golden
@@ -0,0 +1,47 @@
+table ip docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		ip daddr != 127.0.0.0/8 fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+		iifname "loopback0" ip daddr 127.0.0.0/8 counter packets 0 bytes 0 return
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=true,snat=true,gwm=routed,bindlh=false__ip.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=true,snat=true,gwm=routed,bindlh=false__ip.golden
new file mode 100644
index 0000000000..420c8e517c
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=true,snat=true,gwm=routed,bindlh=false__ip.golden
@@ -0,0 +1,46 @@
+table ip docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		ip daddr != 127.0.0.0/8 fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=true,snat=true,gwm=routed,bindlh=false__ip6.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=true,snat=true,gwm=routed,bindlh=false__ip6.golden
new file mode 100644
index 0000000000..3322d3478a
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=true,snat=true,gwm=routed,bindlh=false__ip6.golden
@@ -0,0 +1,46 @@
+table ip6 docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		ip6 daddr != ::1 fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=true,snat=true,gwm=routed,bindlh=true,wsl2mirrored=true__ip.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=true,snat=true,gwm=routed,bindlh=true,wsl2mirrored=true__ip.golden
new file mode 100644
index 0000000000..2364b7366a
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=true,snat=true,gwm=routed,bindlh=true,wsl2mirrored=true__ip.golden
@@ -0,0 +1,47 @@
+table ip docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		ip daddr != 127.0.0.0/8 fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+		iifname "loopback0" ip daddr 127.0.0.0/8 counter packets 0 bytes 0 return
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=true,snat=true,gwm=routed,bindlh=true__ip.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=true,snat=true,gwm=routed,bindlh=true__ip.golden
new file mode 100644
index 0000000000..420c8e517c
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=true,snat=true,gwm=routed,bindlh=true__ip.golden
@@ -0,0 +1,46 @@
+table ip docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		ip daddr != 127.0.0.0/8 fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=true,snat=true,gwm=routed,bindlh=true__ip6.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=true,snat=true,gwm=routed,bindlh=true__ip6.golden
new file mode 100644
index 0000000000..3322d3478a
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=true,snat=true,gwm=routed,bindlh=true__ip6.golden
@@ -0,0 +1,46 @@
+table ip6 docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		ip6 daddr != ::1 fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=true,icc=false,wsl2mirrored=true__ip.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=true,icc=false,wsl2mirrored=true__ip.golden
new file mode 100644
index 0000000000..2364b7366a
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=true,icc=false,wsl2mirrored=true__ip.golden
@@ -0,0 +1,47 @@
+table ip docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		ip daddr != 127.0.0.0/8 fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+		iifname "loopback0" ip daddr 127.0.0.0/8 counter packets 0 bytes 0 return
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=true,icc=false__ip.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=true,icc=false__ip.golden
new file mode 100644
index 0000000000..420c8e517c
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=true,icc=false__ip.golden
@@ -0,0 +1,46 @@
+table ip docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		ip daddr != 127.0.0.0/8 fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=true,icc=false__ip6.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=true,icc=false__ip6.golden
new file mode 100644
index 0000000000..3322d3478a
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=true,icc=false__ip6.golden
@@ -0,0 +1,46 @@
+table ip6 docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		ip6 daddr != ::1 fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=true,icc=true,wsl2mirrored=true__ip.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=true,icc=true,wsl2mirrored=true__ip.golden
new file mode 100644
index 0000000000..2364b7366a
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=true,icc=true,wsl2mirrored=true__ip.golden
@@ -0,0 +1,47 @@
+table ip docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		ip daddr != 127.0.0.0/8 fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+		iifname "loopback0" ip daddr 127.0.0.0/8 counter packets 0 bytes 0 return
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=true,icc=true__ip.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=true,icc=true__ip.golden
new file mode 100644
index 0000000000..420c8e517c
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=true,icc=true__ip.golden
@@ -0,0 +1,46 @@
+table ip docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		ip daddr != 127.0.0.0/8 fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=true,icc=true__ip6.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=true,icc=true__ip6.golden
new file mode 100644
index 0000000000..3322d3478a
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=true,icc=true__ip6.golden
@@ -0,0 +1,46 @@
+table ip6 docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		ip6 daddr != ::1 fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=false,snat=false,gwm=nat,bindlh=false__ip.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=false,snat=false,gwm=nat,bindlh=false__ip.golden
new file mode 100644
index 0000000000..b2a46538e7
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=false,snat=false,gwm=nat,bindlh=false__ip.golden
@@ -0,0 +1,46 @@
+table ip docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=false,snat=false,gwm=nat,bindlh=false__ip6.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=false,snat=false,gwm=nat,bindlh=false__ip6.golden
new file mode 100644
index 0000000000..470902e9c4
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=false,snat=false,gwm=nat,bindlh=false__ip6.golden
@@ -0,0 +1,46 @@
+table ip6 docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=false,snat=false,gwm=nat,bindlh=true,wsl2mirrored=true__ip.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=false,snat=false,gwm=nat,bindlh=true,wsl2mirrored=true__ip.golden
new file mode 100644
index 0000000000..b2a46538e7
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=false,snat=false,gwm=nat,bindlh=true,wsl2mirrored=true__ip.golden
@@ -0,0 +1,46 @@
+table ip docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=false,snat=false,gwm=nat,bindlh=true__ip.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=false,snat=false,gwm=nat,bindlh=true__ip.golden
new file mode 100644
index 0000000000..b2a46538e7
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=false,snat=false,gwm=nat,bindlh=true__ip.golden
@@ -0,0 +1,46 @@
+table ip docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=false,snat=false,gwm=nat,bindlh=true__ip6.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=false,snat=false,gwm=nat,bindlh=true__ip6.golden
new file mode 100644
index 0000000000..470902e9c4
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=false,snat=false,gwm=nat,bindlh=true__ip6.golden
@@ -0,0 +1,46 @@
+table ip6 docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=false,snat=false,gwm=nat-unprotected,bindlh=false__ip.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=false,snat=false,gwm=nat-unprotected,bindlh=false__ip.golden
new file mode 100644
index 0000000000..b2a46538e7
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=false,snat=false,gwm=nat-unprotected,bindlh=false__ip.golden
@@ -0,0 +1,46 @@
+table ip docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=false,snat=false,gwm=nat-unprotected,bindlh=false__ip6.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=false,snat=false,gwm=nat-unprotected,bindlh=false__ip6.golden
new file mode 100644
index 0000000000..470902e9c4
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=false,snat=false,gwm=nat-unprotected,bindlh=false__ip6.golden
@@ -0,0 +1,46 @@
+table ip6 docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=false,snat=false,gwm=nat-unprotected,bindlh=true,wsl2mirrored=true__ip.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=false,snat=false,gwm=nat-unprotected,bindlh=true,wsl2mirrored=true__ip.golden
new file mode 100644
index 0000000000..b2a46538e7
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=false,snat=false,gwm=nat-unprotected,bindlh=true,wsl2mirrored=true__ip.golden
@@ -0,0 +1,46 @@
+table ip docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=false,snat=false,gwm=nat-unprotected,bindlh=true__ip.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=false,snat=false,gwm=nat-unprotected,bindlh=true__ip.golden
new file mode 100644
index 0000000000..b2a46538e7
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=false,snat=false,gwm=nat-unprotected,bindlh=true__ip.golden
@@ -0,0 +1,46 @@
+table ip docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=false,snat=false,gwm=nat-unprotected,bindlh=true__ip6.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=false,snat=false,gwm=nat-unprotected,bindlh=true__ip6.golden
new file mode 100644
index 0000000000..470902e9c4
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=false,snat=false,gwm=nat-unprotected,bindlh=true__ip6.golden
@@ -0,0 +1,46 @@
+table ip6 docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=false,snat=false,gwm=routed,bindlh=false__ip.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=false,snat=false,gwm=routed,bindlh=false__ip.golden
new file mode 100644
index 0000000000..b2a46538e7
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=false,snat=false,gwm=routed,bindlh=false__ip.golden
@@ -0,0 +1,46 @@
+table ip docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=false,snat=false,gwm=routed,bindlh=false__ip6.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=false,snat=false,gwm=routed,bindlh=false__ip6.golden
new file mode 100644
index 0000000000..470902e9c4
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=false,snat=false,gwm=routed,bindlh=false__ip6.golden
@@ -0,0 +1,46 @@
+table ip6 docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=false,snat=false,gwm=routed,bindlh=true,wsl2mirrored=true__ip.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=false,snat=false,gwm=routed,bindlh=true,wsl2mirrored=true__ip.golden
new file mode 100644
index 0000000000..b2a46538e7
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=false,snat=false,gwm=routed,bindlh=true,wsl2mirrored=true__ip.golden
@@ -0,0 +1,46 @@
+table ip docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=false,snat=false,gwm=routed,bindlh=true__ip.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=false,snat=false,gwm=routed,bindlh=true__ip.golden
new file mode 100644
index 0000000000..b2a46538e7
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=false,snat=false,gwm=routed,bindlh=true__ip.golden
@@ -0,0 +1,46 @@
+table ip docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=false,snat=false,gwm=routed,bindlh=true__ip6.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=false,snat=false,gwm=routed,bindlh=true__ip6.golden
new file mode 100644
index 0000000000..470902e9c4
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=false,snat=false,gwm=routed,bindlh=true__ip6.golden
@@ -0,0 +1,46 @@
+table ip6 docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=false,snat=true,gwm=nat,bindlh=false__ip.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=false,snat=true,gwm=nat,bindlh=false__ip.golden
new file mode 100644
index 0000000000..b2a46538e7
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=false,snat=true,gwm=nat,bindlh=false__ip.golden
@@ -0,0 +1,46 @@
+table ip docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=false,snat=true,gwm=nat,bindlh=false__ip6.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=false,snat=true,gwm=nat,bindlh=false__ip6.golden
new file mode 100644
index 0000000000..470902e9c4
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=false,snat=true,gwm=nat,bindlh=false__ip6.golden
@@ -0,0 +1,46 @@
+table ip6 docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=false,snat=true,gwm=nat,bindlh=true,wsl2mirrored=true__ip.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=false,snat=true,gwm=nat,bindlh=true,wsl2mirrored=true__ip.golden
new file mode 100644
index 0000000000..b2a46538e7
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=false,snat=true,gwm=nat,bindlh=true,wsl2mirrored=true__ip.golden
@@ -0,0 +1,46 @@
+table ip docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=false,snat=true,gwm=nat,bindlh=true__ip.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=false,snat=true,gwm=nat,bindlh=true__ip.golden
new file mode 100644
index 0000000000..b2a46538e7
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=false,snat=true,gwm=nat,bindlh=true__ip.golden
@@ -0,0 +1,46 @@
+table ip docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=false,snat=true,gwm=nat,bindlh=true__ip6.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=false,snat=true,gwm=nat,bindlh=true__ip6.golden
new file mode 100644
index 0000000000..470902e9c4
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=false,snat=true,gwm=nat,bindlh=true__ip6.golden
@@ -0,0 +1,46 @@
+table ip6 docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=false,snat=true,gwm=nat-unprotected,bindlh=false__ip.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=false,snat=true,gwm=nat-unprotected,bindlh=false__ip.golden
new file mode 100644
index 0000000000..b2a46538e7
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=false,snat=true,gwm=nat-unprotected,bindlh=false__ip.golden
@@ -0,0 +1,46 @@
+table ip docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=false,snat=true,gwm=nat-unprotected,bindlh=false__ip6.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=false,snat=true,gwm=nat-unprotected,bindlh=false__ip6.golden
new file mode 100644
index 0000000000..470902e9c4
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=false,snat=true,gwm=nat-unprotected,bindlh=false__ip6.golden
@@ -0,0 +1,46 @@
+table ip6 docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=false,snat=true,gwm=nat-unprotected,bindlh=true,wsl2mirrored=true__ip.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=false,snat=true,gwm=nat-unprotected,bindlh=true,wsl2mirrored=true__ip.golden
new file mode 100644
index 0000000000..b2a46538e7
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=false,snat=true,gwm=nat-unprotected,bindlh=true,wsl2mirrored=true__ip.golden
@@ -0,0 +1,46 @@
+table ip docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=false,snat=true,gwm=nat-unprotected,bindlh=true__ip.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=false,snat=true,gwm=nat-unprotected,bindlh=true__ip.golden
new file mode 100644
index 0000000000..b2a46538e7
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=false,snat=true,gwm=nat-unprotected,bindlh=true__ip.golden
@@ -0,0 +1,46 @@
+table ip docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=false,snat=true,gwm=nat-unprotected,bindlh=true__ip6.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=false,snat=true,gwm=nat-unprotected,bindlh=true__ip6.golden
new file mode 100644
index 0000000000..470902e9c4
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=false,snat=true,gwm=nat-unprotected,bindlh=true__ip6.golden
@@ -0,0 +1,46 @@
+table ip6 docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=false,snat=true,gwm=routed,bindlh=false__ip.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=false,snat=true,gwm=routed,bindlh=false__ip.golden
new file mode 100644
index 0000000000..b2a46538e7
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=false,snat=true,gwm=routed,bindlh=false__ip.golden
@@ -0,0 +1,46 @@
+table ip docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=false,snat=true,gwm=routed,bindlh=false__ip6.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=false,snat=true,gwm=routed,bindlh=false__ip6.golden
new file mode 100644
index 0000000000..470902e9c4
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=false,snat=true,gwm=routed,bindlh=false__ip6.golden
@@ -0,0 +1,46 @@
+table ip6 docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=false,snat=true,gwm=routed,bindlh=true,wsl2mirrored=true__ip.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=false,snat=true,gwm=routed,bindlh=true,wsl2mirrored=true__ip.golden
new file mode 100644
index 0000000000..b2a46538e7
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=false,snat=true,gwm=routed,bindlh=true,wsl2mirrored=true__ip.golden
@@ -0,0 +1,46 @@
+table ip docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=false,snat=true,gwm=routed,bindlh=true__ip.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=false,snat=true,gwm=routed,bindlh=true__ip.golden
new file mode 100644
index 0000000000..b2a46538e7
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=false,snat=true,gwm=routed,bindlh=true__ip.golden
@@ -0,0 +1,46 @@
+table ip docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=false,snat=true,gwm=routed,bindlh=true__ip6.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=false,snat=true,gwm=routed,bindlh=true__ip6.golden
new file mode 100644
index 0000000000..470902e9c4
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=false,snat=true,gwm=routed,bindlh=true__ip6.golden
@@ -0,0 +1,46 @@
+table ip6 docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=true,snat=false,gwm=nat,bindlh=false__ip.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=true,snat=false,gwm=nat,bindlh=false__ip.golden
new file mode 100644
index 0000000000..b2a46538e7
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=true,snat=false,gwm=nat,bindlh=false__ip.golden
@@ -0,0 +1,46 @@
+table ip docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=true,snat=false,gwm=nat,bindlh=false__ip6.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=true,snat=false,gwm=nat,bindlh=false__ip6.golden
new file mode 100644
index 0000000000..470902e9c4
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=true,snat=false,gwm=nat,bindlh=false__ip6.golden
@@ -0,0 +1,46 @@
+table ip6 docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=true,snat=false,gwm=nat,bindlh=true,wsl2mirrored=true__ip.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=true,snat=false,gwm=nat,bindlh=true,wsl2mirrored=true__ip.golden
new file mode 100644
index 0000000000..b2a46538e7
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=true,snat=false,gwm=nat,bindlh=true,wsl2mirrored=true__ip.golden
@@ -0,0 +1,46 @@
+table ip docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=true,snat=false,gwm=nat,bindlh=true__ip.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=true,snat=false,gwm=nat,bindlh=true__ip.golden
new file mode 100644
index 0000000000..b2a46538e7
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=true,snat=false,gwm=nat,bindlh=true__ip.golden
@@ -0,0 +1,46 @@
+table ip docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=true,snat=false,gwm=nat,bindlh=true__ip6.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=true,snat=false,gwm=nat,bindlh=true__ip6.golden
new file mode 100644
index 0000000000..470902e9c4
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=true,snat=false,gwm=nat,bindlh=true__ip6.golden
@@ -0,0 +1,46 @@
+table ip6 docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=true,snat=false,gwm=nat-unprotected,bindlh=false__ip.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=true,snat=false,gwm=nat-unprotected,bindlh=false__ip.golden
new file mode 100644
index 0000000000..b2a46538e7
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=true,snat=false,gwm=nat-unprotected,bindlh=false__ip.golden
@@ -0,0 +1,46 @@
+table ip docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=true,snat=false,gwm=nat-unprotected,bindlh=false__ip6.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=true,snat=false,gwm=nat-unprotected,bindlh=false__ip6.golden
new file mode 100644
index 0000000000..470902e9c4
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=true,snat=false,gwm=nat-unprotected,bindlh=false__ip6.golden
@@ -0,0 +1,46 @@
+table ip6 docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=true,snat=false,gwm=nat-unprotected,bindlh=true,wsl2mirrored=true__ip.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=true,snat=false,gwm=nat-unprotected,bindlh=true,wsl2mirrored=true__ip.golden
new file mode 100644
index 0000000000..b2a46538e7
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=true,snat=false,gwm=nat-unprotected,bindlh=true,wsl2mirrored=true__ip.golden
@@ -0,0 +1,46 @@
+table ip docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=true,snat=false,gwm=nat-unprotected,bindlh=true__ip.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=true,snat=false,gwm=nat-unprotected,bindlh=true__ip.golden
new file mode 100644
index 0000000000..b2a46538e7
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=true,snat=false,gwm=nat-unprotected,bindlh=true__ip.golden
@@ -0,0 +1,46 @@
+table ip docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=true,snat=false,gwm=nat-unprotected,bindlh=true__ip6.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=true,snat=false,gwm=nat-unprotected,bindlh=true__ip6.golden
new file mode 100644
index 0000000000..470902e9c4
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=true,snat=false,gwm=nat-unprotected,bindlh=true__ip6.golden
@@ -0,0 +1,46 @@
+table ip6 docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=true,snat=false,gwm=routed,bindlh=false__ip.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=true,snat=false,gwm=routed,bindlh=false__ip.golden
new file mode 100644
index 0000000000..b2a46538e7
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=true,snat=false,gwm=routed,bindlh=false__ip.golden
@@ -0,0 +1,46 @@
+table ip docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=true,snat=false,gwm=routed,bindlh=false__ip6.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=true,snat=false,gwm=routed,bindlh=false__ip6.golden
new file mode 100644
index 0000000000..470902e9c4
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=true,snat=false,gwm=routed,bindlh=false__ip6.golden
@@ -0,0 +1,46 @@
+table ip6 docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=true,snat=false,gwm=routed,bindlh=true,wsl2mirrored=true__ip.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=true,snat=false,gwm=routed,bindlh=true,wsl2mirrored=true__ip.golden
new file mode 100644
index 0000000000..b2a46538e7
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=true,snat=false,gwm=routed,bindlh=true,wsl2mirrored=true__ip.golden
@@ -0,0 +1,46 @@
+table ip docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=true,snat=false,gwm=routed,bindlh=true__ip.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=true,snat=false,gwm=routed,bindlh=true__ip.golden
new file mode 100644
index 0000000000..b2a46538e7
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=true,snat=false,gwm=routed,bindlh=true__ip.golden
@@ -0,0 +1,46 @@
+table ip docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=true,snat=false,gwm=routed,bindlh=true__ip6.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=true,snat=false,gwm=routed,bindlh=true__ip6.golden
new file mode 100644
index 0000000000..470902e9c4
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=true,snat=false,gwm=routed,bindlh=true__ip6.golden
@@ -0,0 +1,46 @@
+table ip6 docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=true,snat=true,gwm=nat,bindlh=false__ip.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=true,snat=true,gwm=nat,bindlh=false__ip.golden
new file mode 100644
index 0000000000..b2a46538e7
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=true,snat=true,gwm=nat,bindlh=false__ip.golden
@@ -0,0 +1,46 @@
+table ip docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=true,snat=true,gwm=nat,bindlh=false__ip6.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=true,snat=true,gwm=nat,bindlh=false__ip6.golden
new file mode 100644
index 0000000000..470902e9c4
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=true,snat=true,gwm=nat,bindlh=false__ip6.golden
@@ -0,0 +1,46 @@
+table ip6 docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=true,snat=true,gwm=nat,bindlh=true,wsl2mirrored=true__ip.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=true,snat=true,gwm=nat,bindlh=true,wsl2mirrored=true__ip.golden
new file mode 100644
index 0000000000..b2a46538e7
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=true,snat=true,gwm=nat,bindlh=true,wsl2mirrored=true__ip.golden
@@ -0,0 +1,46 @@
+table ip docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=true,snat=true,gwm=nat,bindlh=true__ip.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=true,snat=true,gwm=nat,bindlh=true__ip.golden
new file mode 100644
index 0000000000..b2a46538e7
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=true,snat=true,gwm=nat,bindlh=true__ip.golden
@@ -0,0 +1,46 @@
+table ip docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=true,snat=true,gwm=nat,bindlh=true__ip6.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=true,snat=true,gwm=nat,bindlh=true__ip6.golden
new file mode 100644
index 0000000000..470902e9c4
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=true,snat=true,gwm=nat,bindlh=true__ip6.golden
@@ -0,0 +1,46 @@
+table ip6 docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=true,snat=true,gwm=nat-unprotected,bindlh=false__ip.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=true,snat=true,gwm=nat-unprotected,bindlh=false__ip.golden
new file mode 100644
index 0000000000..b2a46538e7
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=true,snat=true,gwm=nat-unprotected,bindlh=false__ip.golden
@@ -0,0 +1,46 @@
+table ip docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=true,snat=true,gwm=nat-unprotected,bindlh=false__ip6.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=true,snat=true,gwm=nat-unprotected,bindlh=false__ip6.golden
new file mode 100644
index 0000000000..470902e9c4
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=true,snat=true,gwm=nat-unprotected,bindlh=false__ip6.golden
@@ -0,0 +1,46 @@
+table ip6 docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=true,snat=true,gwm=nat-unprotected,bindlh=true,wsl2mirrored=true__ip.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=true,snat=true,gwm=nat-unprotected,bindlh=true,wsl2mirrored=true__ip.golden
new file mode 100644
index 0000000000..b2a46538e7
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=true,snat=true,gwm=nat-unprotected,bindlh=true,wsl2mirrored=true__ip.golden
@@ -0,0 +1,46 @@
+table ip docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=true,snat=true,gwm=nat-unprotected,bindlh=true__ip.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=true,snat=true,gwm=nat-unprotected,bindlh=true__ip.golden
new file mode 100644
index 0000000000..b2a46538e7
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=true,snat=true,gwm=nat-unprotected,bindlh=true__ip.golden
@@ -0,0 +1,46 @@
+table ip docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=true,snat=true,gwm=nat-unprotected,bindlh=true__ip6.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=true,snat=true,gwm=nat-unprotected,bindlh=true__ip6.golden
new file mode 100644
index 0000000000..470902e9c4
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=true,snat=true,gwm=nat-unprotected,bindlh=true__ip6.golden
@@ -0,0 +1,46 @@
+table ip6 docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=true,snat=true,gwm=routed,bindlh=false__ip.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=true,snat=true,gwm=routed,bindlh=false__ip.golden
new file mode 100644
index 0000000000..b2a46538e7
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=true,snat=true,gwm=routed,bindlh=false__ip.golden
@@ -0,0 +1,46 @@
+table ip docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=true,snat=true,gwm=routed,bindlh=false__ip6.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=true,snat=true,gwm=routed,bindlh=false__ip6.golden
new file mode 100644
index 0000000000..470902e9c4
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=true,snat=true,gwm=routed,bindlh=false__ip6.golden
@@ -0,0 +1,46 @@
+table ip6 docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=true,snat=true,gwm=routed,bindlh=true,wsl2mirrored=true__ip.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=true,snat=true,gwm=routed,bindlh=true,wsl2mirrored=true__ip.golden
new file mode 100644
index 0000000000..b2a46538e7
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=true,snat=true,gwm=routed,bindlh=true,wsl2mirrored=true__ip.golden
@@ -0,0 +1,46 @@
+table ip docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=true,snat=true,gwm=routed,bindlh=true__ip.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=true,snat=true,gwm=routed,bindlh=true__ip.golden
new file mode 100644
index 0000000000..b2a46538e7
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=true,snat=true,gwm=routed,bindlh=true__ip.golden
@@ -0,0 +1,46 @@
+table ip docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=true,snat=true,gwm=routed,bindlh=true__ip6.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=true,snat=true,gwm=routed,bindlh=true__ip6.golden
new file mode 100644
index 0000000000..470902e9c4
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=true,snat=true,gwm=routed,bindlh=true__ip6.golden
@@ -0,0 +1,46 @@
+table ip6 docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=false,snat=false,gwm=nat,bindlh=false__ip.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=false,snat=false,gwm=nat,bindlh=false__ip.golden
new file mode 100644
index 0000000000..b2a46538e7
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=false,snat=false,gwm=nat,bindlh=false__ip.golden
@@ -0,0 +1,46 @@
+table ip docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=false,snat=false,gwm=nat,bindlh=false__ip6.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=false,snat=false,gwm=nat,bindlh=false__ip6.golden
new file mode 100644
index 0000000000..470902e9c4
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=false,snat=false,gwm=nat,bindlh=false__ip6.golden
@@ -0,0 +1,46 @@
+table ip6 docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=false,snat=false,gwm=nat,bindlh=true,wsl2mirrored=true__ip.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=false,snat=false,gwm=nat,bindlh=true,wsl2mirrored=true__ip.golden
new file mode 100644
index 0000000000..b2a46538e7
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=false,snat=false,gwm=nat,bindlh=true,wsl2mirrored=true__ip.golden
@@ -0,0 +1,46 @@
+table ip docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=false,snat=false,gwm=nat,bindlh=true__ip.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=false,snat=false,gwm=nat,bindlh=true__ip.golden
new file mode 100644
index 0000000000..b2a46538e7
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=false,snat=false,gwm=nat,bindlh=true__ip.golden
@@ -0,0 +1,46 @@
+table ip docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=false,snat=false,gwm=nat,bindlh=true__ip6.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=false,snat=false,gwm=nat,bindlh=true__ip6.golden
new file mode 100644
index 0000000000..470902e9c4
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=false,snat=false,gwm=nat,bindlh=true__ip6.golden
@@ -0,0 +1,46 @@
+table ip6 docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=false,snat=false,gwm=nat-unprotected,bindlh=false__ip.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=false,snat=false,gwm=nat-unprotected,bindlh=false__ip.golden
new file mode 100644
index 0000000000..b2a46538e7
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=false,snat=false,gwm=nat-unprotected,bindlh=false__ip.golden
@@ -0,0 +1,46 @@
+table ip docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=false,snat=false,gwm=nat-unprotected,bindlh=false__ip6.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=false,snat=false,gwm=nat-unprotected,bindlh=false__ip6.golden
new file mode 100644
index 0000000000..470902e9c4
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=false,snat=false,gwm=nat-unprotected,bindlh=false__ip6.golden
@@ -0,0 +1,46 @@
+table ip6 docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=false,snat=false,gwm=nat-unprotected,bindlh=true,wsl2mirrored=true__ip.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=false,snat=false,gwm=nat-unprotected,bindlh=true,wsl2mirrored=true__ip.golden
new file mode 100644
index 0000000000..b2a46538e7
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=false,snat=false,gwm=nat-unprotected,bindlh=true,wsl2mirrored=true__ip.golden
@@ -0,0 +1,46 @@
+table ip docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=false,snat=false,gwm=nat-unprotected,bindlh=true__ip.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=false,snat=false,gwm=nat-unprotected,bindlh=true__ip.golden
new file mode 100644
index 0000000000..b2a46538e7
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=false,snat=false,gwm=nat-unprotected,bindlh=true__ip.golden
@@ -0,0 +1,46 @@
+table ip docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=false,snat=false,gwm=nat-unprotected,bindlh=true__ip6.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=false,snat=false,gwm=nat-unprotected,bindlh=true__ip6.golden
new file mode 100644
index 0000000000..470902e9c4
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=false,snat=false,gwm=nat-unprotected,bindlh=true__ip6.golden
@@ -0,0 +1,46 @@
+table ip6 docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=false,snat=false,gwm=routed,bindlh=false__ip.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=false,snat=false,gwm=routed,bindlh=false__ip.golden
new file mode 100644
index 0000000000..b2a46538e7
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=false,snat=false,gwm=routed,bindlh=false__ip.golden
@@ -0,0 +1,46 @@
+table ip docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=false,snat=false,gwm=routed,bindlh=false__ip6.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=false,snat=false,gwm=routed,bindlh=false__ip6.golden
new file mode 100644
index 0000000000..470902e9c4
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=false,snat=false,gwm=routed,bindlh=false__ip6.golden
@@ -0,0 +1,46 @@
+table ip6 docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=false,snat=false,gwm=routed,bindlh=true,wsl2mirrored=true__ip.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=false,snat=false,gwm=routed,bindlh=true,wsl2mirrored=true__ip.golden
new file mode 100644
index 0000000000..b2a46538e7
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=false,snat=false,gwm=routed,bindlh=true,wsl2mirrored=true__ip.golden
@@ -0,0 +1,46 @@
+table ip docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=false,snat=false,gwm=routed,bindlh=true__ip.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=false,snat=false,gwm=routed,bindlh=true__ip.golden
new file mode 100644
index 0000000000..b2a46538e7
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=false,snat=false,gwm=routed,bindlh=true__ip.golden
@@ -0,0 +1,46 @@
+table ip docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=false,snat=false,gwm=routed,bindlh=true__ip6.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=false,snat=false,gwm=routed,bindlh=true__ip6.golden
new file mode 100644
index 0000000000..470902e9c4
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=false,snat=false,gwm=routed,bindlh=true__ip6.golden
@@ -0,0 +1,46 @@
+table ip6 docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=false,snat=true,gwm=nat,bindlh=false__ip.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=false,snat=true,gwm=nat,bindlh=false__ip.golden
new file mode 100644
index 0000000000..b2a46538e7
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=false,snat=true,gwm=nat,bindlh=false__ip.golden
@@ -0,0 +1,46 @@
+table ip docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=false,snat=true,gwm=nat,bindlh=false__ip6.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=false,snat=true,gwm=nat,bindlh=false__ip6.golden
new file mode 100644
index 0000000000..470902e9c4
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=false,snat=true,gwm=nat,bindlh=false__ip6.golden
@@ -0,0 +1,46 @@
+table ip6 docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=false,snat=true,gwm=nat,bindlh=true,wsl2mirrored=true__ip.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=false,snat=true,gwm=nat,bindlh=true,wsl2mirrored=true__ip.golden
new file mode 100644
index 0000000000..b2a46538e7
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=false,snat=true,gwm=nat,bindlh=true,wsl2mirrored=true__ip.golden
@@ -0,0 +1,46 @@
+table ip docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=false,snat=true,gwm=nat,bindlh=true__ip.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=false,snat=true,gwm=nat,bindlh=true__ip.golden
new file mode 100644
index 0000000000..b2a46538e7
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=false,snat=true,gwm=nat,bindlh=true__ip.golden
@@ -0,0 +1,46 @@
+table ip docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=false,snat=true,gwm=nat,bindlh=true__ip6.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=false,snat=true,gwm=nat,bindlh=true__ip6.golden
new file mode 100644
index 0000000000..470902e9c4
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=false,snat=true,gwm=nat,bindlh=true__ip6.golden
@@ -0,0 +1,46 @@
+table ip6 docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=false,snat=true,gwm=nat-unprotected,bindlh=false__ip.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=false,snat=true,gwm=nat-unprotected,bindlh=false__ip.golden
new file mode 100644
index 0000000000..b2a46538e7
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=false,snat=true,gwm=nat-unprotected,bindlh=false__ip.golden
@@ -0,0 +1,46 @@
+table ip docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=false,snat=true,gwm=nat-unprotected,bindlh=false__ip6.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=false,snat=true,gwm=nat-unprotected,bindlh=false__ip6.golden
new file mode 100644
index 0000000000..470902e9c4
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=false,snat=true,gwm=nat-unprotected,bindlh=false__ip6.golden
@@ -0,0 +1,46 @@
+table ip6 docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=false,snat=true,gwm=nat-unprotected,bindlh=true,wsl2mirrored=true__ip.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=false,snat=true,gwm=nat-unprotected,bindlh=true,wsl2mirrored=true__ip.golden
new file mode 100644
index 0000000000..b2a46538e7
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=false,snat=true,gwm=nat-unprotected,bindlh=true,wsl2mirrored=true__ip.golden
@@ -0,0 +1,46 @@
+table ip docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=false,snat=true,gwm=nat-unprotected,bindlh=true__ip.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=false,snat=true,gwm=nat-unprotected,bindlh=true__ip.golden
new file mode 100644
index 0000000000..b2a46538e7
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=false,snat=true,gwm=nat-unprotected,bindlh=true__ip.golden
@@ -0,0 +1,46 @@
+table ip docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=false,snat=true,gwm=nat-unprotected,bindlh=true__ip6.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=false,snat=true,gwm=nat-unprotected,bindlh=true__ip6.golden
new file mode 100644
index 0000000000..470902e9c4
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=false,snat=true,gwm=nat-unprotected,bindlh=true__ip6.golden
@@ -0,0 +1,46 @@
+table ip6 docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=false,snat=true,gwm=routed,bindlh=false__ip.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=false,snat=true,gwm=routed,bindlh=false__ip.golden
new file mode 100644
index 0000000000..b2a46538e7
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=false,snat=true,gwm=routed,bindlh=false__ip.golden
@@ -0,0 +1,46 @@
+table ip docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=false,snat=true,gwm=routed,bindlh=false__ip6.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=false,snat=true,gwm=routed,bindlh=false__ip6.golden
new file mode 100644
index 0000000000..470902e9c4
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=false,snat=true,gwm=routed,bindlh=false__ip6.golden
@@ -0,0 +1,46 @@
+table ip6 docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=false,snat=true,gwm=routed,bindlh=true,wsl2mirrored=true__ip.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=false,snat=true,gwm=routed,bindlh=true,wsl2mirrored=true__ip.golden
new file mode 100644
index 0000000000..b2a46538e7
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=false,snat=true,gwm=routed,bindlh=true,wsl2mirrored=true__ip.golden
@@ -0,0 +1,46 @@
+table ip docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=false,snat=true,gwm=routed,bindlh=true__ip.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=false,snat=true,gwm=routed,bindlh=true__ip.golden
new file mode 100644
index 0000000000..b2a46538e7
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=false,snat=true,gwm=routed,bindlh=true__ip.golden
@@ -0,0 +1,46 @@
+table ip docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=false,snat=true,gwm=routed,bindlh=true__ip6.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=false,snat=true,gwm=routed,bindlh=true__ip6.golden
new file mode 100644
index 0000000000..470902e9c4
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=false,snat=true,gwm=routed,bindlh=true__ip6.golden
@@ -0,0 +1,46 @@
+table ip6 docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=true,snat=false,gwm=nat,bindlh=false__ip.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=true,snat=false,gwm=nat,bindlh=false__ip.golden
new file mode 100644
index 0000000000..b2a46538e7
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=true,snat=false,gwm=nat,bindlh=false__ip.golden
@@ -0,0 +1,46 @@
+table ip docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=true,snat=false,gwm=nat,bindlh=false__ip6.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=true,snat=false,gwm=nat,bindlh=false__ip6.golden
new file mode 100644
index 0000000000..470902e9c4
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=true,snat=false,gwm=nat,bindlh=false__ip6.golden
@@ -0,0 +1,46 @@
+table ip6 docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=true,snat=false,gwm=nat,bindlh=true,wsl2mirrored=true__ip.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=true,snat=false,gwm=nat,bindlh=true,wsl2mirrored=true__ip.golden
new file mode 100644
index 0000000000..b2a46538e7
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=true,snat=false,gwm=nat,bindlh=true,wsl2mirrored=true__ip.golden
@@ -0,0 +1,46 @@
+table ip docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=true,snat=false,gwm=nat,bindlh=true__ip.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=true,snat=false,gwm=nat,bindlh=true__ip.golden
new file mode 100644
index 0000000000..b2a46538e7
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=true,snat=false,gwm=nat,bindlh=true__ip.golden
@@ -0,0 +1,46 @@
+table ip docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=true,snat=false,gwm=nat,bindlh=true__ip6.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=true,snat=false,gwm=nat,bindlh=true__ip6.golden
new file mode 100644
index 0000000000..470902e9c4
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=true,snat=false,gwm=nat,bindlh=true__ip6.golden
@@ -0,0 +1,46 @@
+table ip6 docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=true,snat=false,gwm=nat-unprotected,bindlh=false__ip.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=true,snat=false,gwm=nat-unprotected,bindlh=false__ip.golden
new file mode 100644
index 0000000000..b2a46538e7
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=true,snat=false,gwm=nat-unprotected,bindlh=false__ip.golden
@@ -0,0 +1,46 @@
+table ip docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=true,snat=false,gwm=nat-unprotected,bindlh=false__ip6.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=true,snat=false,gwm=nat-unprotected,bindlh=false__ip6.golden
new file mode 100644
index 0000000000..470902e9c4
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=true,snat=false,gwm=nat-unprotected,bindlh=false__ip6.golden
@@ -0,0 +1,46 @@
+table ip6 docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=true,snat=false,gwm=nat-unprotected,bindlh=true,wsl2mirrored=true__ip.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=true,snat=false,gwm=nat-unprotected,bindlh=true,wsl2mirrored=true__ip.golden
new file mode 100644
index 0000000000..b2a46538e7
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=true,snat=false,gwm=nat-unprotected,bindlh=true,wsl2mirrored=true__ip.golden
@@ -0,0 +1,46 @@
+table ip docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=true,snat=false,gwm=nat-unprotected,bindlh=true__ip.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=true,snat=false,gwm=nat-unprotected,bindlh=true__ip.golden
new file mode 100644
index 0000000000..b2a46538e7
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=true,snat=false,gwm=nat-unprotected,bindlh=true__ip.golden
@@ -0,0 +1,46 @@
+table ip docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=true,snat=false,gwm=nat-unprotected,bindlh=true__ip6.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=true,snat=false,gwm=nat-unprotected,bindlh=true__ip6.golden
new file mode 100644
index 0000000000..470902e9c4
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=true,snat=false,gwm=nat-unprotected,bindlh=true__ip6.golden
@@ -0,0 +1,46 @@
+table ip6 docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=true,snat=false,gwm=routed,bindlh=false__ip.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=true,snat=false,gwm=routed,bindlh=false__ip.golden
new file mode 100644
index 0000000000..b2a46538e7
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=true,snat=false,gwm=routed,bindlh=false__ip.golden
@@ -0,0 +1,46 @@
+table ip docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=true,snat=false,gwm=routed,bindlh=false__ip6.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=true,snat=false,gwm=routed,bindlh=false__ip6.golden
new file mode 100644
index 0000000000..470902e9c4
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=true,snat=false,gwm=routed,bindlh=false__ip6.golden
@@ -0,0 +1,46 @@
+table ip6 docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=true,snat=false,gwm=routed,bindlh=true,wsl2mirrored=true__ip.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=true,snat=false,gwm=routed,bindlh=true,wsl2mirrored=true__ip.golden
new file mode 100644
index 0000000000..b2a46538e7
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=true,snat=false,gwm=routed,bindlh=true,wsl2mirrored=true__ip.golden
@@ -0,0 +1,46 @@
+table ip docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=true,snat=false,gwm=routed,bindlh=true__ip.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=true,snat=false,gwm=routed,bindlh=true__ip.golden
new file mode 100644
index 0000000000..b2a46538e7
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=true,snat=false,gwm=routed,bindlh=true__ip.golden
@@ -0,0 +1,46 @@
+table ip docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=true,snat=false,gwm=routed,bindlh=true__ip6.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=true,snat=false,gwm=routed,bindlh=true__ip6.golden
new file mode 100644
index 0000000000..470902e9c4
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=true,snat=false,gwm=routed,bindlh=true__ip6.golden
@@ -0,0 +1,46 @@
+table ip6 docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=true,snat=true,gwm=nat,bindlh=false__ip.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=true,snat=true,gwm=nat,bindlh=false__ip.golden
new file mode 100644
index 0000000000..b2a46538e7
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=true,snat=true,gwm=nat,bindlh=false__ip.golden
@@ -0,0 +1,46 @@
+table ip docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=true,snat=true,gwm=nat,bindlh=false__ip6.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=true,snat=true,gwm=nat,bindlh=false__ip6.golden
new file mode 100644
index 0000000000..470902e9c4
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=true,snat=true,gwm=nat,bindlh=false__ip6.golden
@@ -0,0 +1,46 @@
+table ip6 docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=true,snat=true,gwm=nat,bindlh=true,wsl2mirrored=true__ip.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=true,snat=true,gwm=nat,bindlh=true,wsl2mirrored=true__ip.golden
new file mode 100644
index 0000000000..b2a46538e7
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=true,snat=true,gwm=nat,bindlh=true,wsl2mirrored=true__ip.golden
@@ -0,0 +1,46 @@
+table ip docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=true,snat=true,gwm=nat,bindlh=true__ip.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=true,snat=true,gwm=nat,bindlh=true__ip.golden
new file mode 100644
index 0000000000..b2a46538e7
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=true,snat=true,gwm=nat,bindlh=true__ip.golden
@@ -0,0 +1,46 @@
+table ip docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=true,snat=true,gwm=nat,bindlh=true__ip6.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=true,snat=true,gwm=nat,bindlh=true__ip6.golden
new file mode 100644
index 0000000000..470902e9c4
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=true,snat=true,gwm=nat,bindlh=true__ip6.golden
@@ -0,0 +1,46 @@
+table ip6 docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=true,snat=true,gwm=nat-unprotected,bindlh=false__ip.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=true,snat=true,gwm=nat-unprotected,bindlh=false__ip.golden
new file mode 100644
index 0000000000..b2a46538e7
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=true,snat=true,gwm=nat-unprotected,bindlh=false__ip.golden
@@ -0,0 +1,46 @@
+table ip docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=true,snat=true,gwm=nat-unprotected,bindlh=false__ip6.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=true,snat=true,gwm=nat-unprotected,bindlh=false__ip6.golden
new file mode 100644
index 0000000000..470902e9c4
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=true,snat=true,gwm=nat-unprotected,bindlh=false__ip6.golden
@@ -0,0 +1,46 @@
+table ip6 docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=true,snat=true,gwm=nat-unprotected,bindlh=true,wsl2mirrored=true__ip.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=true,snat=true,gwm=nat-unprotected,bindlh=true,wsl2mirrored=true__ip.golden
new file mode 100644
index 0000000000..b2a46538e7
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=true,snat=true,gwm=nat-unprotected,bindlh=true,wsl2mirrored=true__ip.golden
@@ -0,0 +1,46 @@
+table ip docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=true,snat=true,gwm=nat-unprotected,bindlh=true__ip.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=true,snat=true,gwm=nat-unprotected,bindlh=true__ip.golden
new file mode 100644
index 0000000000..b2a46538e7
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=true,snat=true,gwm=nat-unprotected,bindlh=true__ip.golden
@@ -0,0 +1,46 @@
+table ip docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=true,snat=true,gwm=nat-unprotected,bindlh=true__ip6.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=true,snat=true,gwm=nat-unprotected,bindlh=true__ip6.golden
new file mode 100644
index 0000000000..470902e9c4
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=true,snat=true,gwm=nat-unprotected,bindlh=true__ip6.golden
@@ -0,0 +1,46 @@
+table ip6 docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=true,snat=true,gwm=routed,bindlh=false__ip.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=true,snat=true,gwm=routed,bindlh=false__ip.golden
new file mode 100644
index 0000000000..b2a46538e7
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=true,snat=true,gwm=routed,bindlh=false__ip.golden
@@ -0,0 +1,46 @@
+table ip docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=true,snat=true,gwm=routed,bindlh=false__ip6.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=true,snat=true,gwm=routed,bindlh=false__ip6.golden
new file mode 100644
index 0000000000..470902e9c4
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=true,snat=true,gwm=routed,bindlh=false__ip6.golden
@@ -0,0 +1,46 @@
+table ip6 docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=true,snat=true,gwm=routed,bindlh=true,wsl2mirrored=true__ip.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=true,snat=true,gwm=routed,bindlh=true,wsl2mirrored=true__ip.golden
new file mode 100644
index 0000000000..b2a46538e7
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=true,snat=true,gwm=routed,bindlh=true,wsl2mirrored=true__ip.golden
@@ -0,0 +1,46 @@
+table ip docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=true,snat=true,gwm=routed,bindlh=true__ip.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=true,snat=true,gwm=routed,bindlh=true__ip.golden
new file mode 100644
index 0000000000..b2a46538e7
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=true,snat=true,gwm=routed,bindlh=true__ip.golden
@@ -0,0 +1,46 @@
+table ip docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=true,snat=true,gwm=routed,bindlh=true__ip6.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=true,snat=true,gwm=routed,bindlh=true__ip6.golden
new file mode 100644
index 0000000000..470902e9c4
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=true,snat=true,gwm=routed,bindlh=true__ip6.golden
@@ -0,0 +1,46 @@
+table ip6 docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=true,icc=false,wsl2mirrored=true__ip.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=true,icc=false,wsl2mirrored=true__ip.golden
new file mode 100644
index 0000000000..b2a46538e7
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=true,icc=false,wsl2mirrored=true__ip.golden
@@ -0,0 +1,46 @@
+table ip docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=true,icc=false__ip.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=true,icc=false__ip.golden
new file mode 100644
index 0000000000..b2a46538e7
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=true,icc=false__ip.golden
@@ -0,0 +1,46 @@
+table ip docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=true,icc=false__ip6.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=true,icc=false__ip6.golden
new file mode 100644
index 0000000000..470902e9c4
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=true,icc=false__ip6.golden
@@ -0,0 +1,46 @@
+table ip6 docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=true,icc=true,wsl2mirrored=true__ip.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=true,icc=true,wsl2mirrored=true__ip.golden
new file mode 100644
index 0000000000..b2a46538e7
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=true,icc=true,wsl2mirrored=true__ip.golden
@@ -0,0 +1,46 @@
+table ip docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=true,icc=true__ip.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=true,icc=true__ip.golden
new file mode 100644
index 0000000000..b2a46538e7
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=true,icc=true__ip.golden
@@ -0,0 +1,46 @@
+table ip docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=true,icc=true__ip6.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=true,icc=true__ip6.golden
new file mode 100644
index 0000000000..470902e9c4
--- /dev/null
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=true,icc=true__ip6.golden
@@ -0,0 +1,46 @@
+table ip6 docker-bridges {
+	map filter-forward-in-jumps {
+		type ifname : verdict
+	}
+
+	map filter-forward-out-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-in-jumps {
+		type ifname : verdict
+	}
+
+	map nat-postrouting-out-jumps {
+		type ifname : verdict
+	}
+
+	chain filter-FORWARD {
+		type filter hook forward priority filter; policy accept;
+		oifname vmap @filter-forward-in-jumps
+		iifname vmap @filter-forward-out-jumps
+	}
+
+	chain nat-OUTPUT {
+		type nat hook output priority -100; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		iifname vmap @nat-postrouting-out-jumps
+		oifname vmap @nat-postrouting-in-jumps
+	}
+
+	chain nat-PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump nat-prerouting-and-output
+	}
+
+	chain nat-prerouting-and-output {
+	}
+
+	chain raw-PREROUTING {
+		type filter hook prerouting priority raw; policy accept;
+	}
+}