Rob Murray

> Seems to be related to a DinD container service (also Version 28.0.1), which gets started (and removed) from a GitLab CI/CD Pipeline by a gitlab-runner on the same machine.....

Got it - thank you. Is the DinD container running with `--network host`? In the iptables dump, there are rules for a lot of bridge networks in `DOCKER-BRIDGE` and `DOCKER-CT`,...

> Yes exactly the gitlab-runner is configured to use `--network host`. Ok, I don't think that can work. From the networking perspective, it's the same as running two docker daemons...

> Have been travelling so couldn’t test with 28.0.1 (though I did manage to reproduce it on even 27), in my case the issue occurs purely with bridge networks and...

> Thank you very much, let's hope this fixed my problem :). Thanks @TheEvilCoder42 ... if it's not fixed, please do raise a new issue.

Thanks @cheesycod.

> That behavior is indeed intentional since 27.0.3 The behaviour of `--ip6tables=true` hasn't changed but, since 27.0.1 it has been enabled by-default. (There was no 27.0.0, 27.0.1 was the major...

> > [...] networks relying on direct-routing to a container from outside the host, with no port mappings set up [...]. But, I imagine there are a lot more networks...

> Yeah that sounds like it would do the trick. Thanks Hi @frebib - just discussed this with moby network maintainers @corhere and @akerouanton ... we wondered if you'd considered...

> I may be overstretching this issue now, but I've just discovered that containercontainer communication is blocked by DOCKER-ISOLATION-STAGE-2 when using `--gateway_mode_ipv6=routed` even when ports are explicitly published for a...