
Containers on bridge networks with gateway_mode_ipv[46]=routed are inaccessible from other containers #48526

@frebib

Description

Continuation of #48365 (comment)

Given this trivial example with two containers each on separate networks

 ┌─────┐            ┌─────┐          
 │ ctr1│            │ ctr2│          
 └─┬─┬─┘            └─┬─┬─┘          
   │ │                │ │            
   │ │                │ │            
   │ net1             │ net2         
   │ │ mode=nat       │ │ mode=routed
   │ │                │ │            
┌──┴─┴───────────────port─:80        
│            host           │        
└───────────────────────────┘        

ctr1 in theory should be able to reach port 80 (that is explicitly exposed) on ctr2 with the reasoning being that any packets originating from outside the host would land in that network and the firewall would let them pass.

An alternate view would be the above diagram without the port mapping; the cross-network connectivity should still work given that the network is routed.

Reproduce

  1. Create two networks, the latter of which has com.docker.network.bridge.gateway_mode_ipv[46]=routed
  2. Attach a container to each of the networks. On the routed network, make sure to expose a port
  3. Try to connect from the non-routed container to the routed container on that exposed port
  4. Observe that the packet is dropped by the DOCKER-ISOLATION-STAGE-2 firewall chain, when it shouldn't be

Expected behavior

Packets from other docker networks should be treated the same as non-Docker originating packets when landing in a network that has gateway_mode_ipv[46]=routed

docker version

27.x, 26.x. Haven't tested older versions.

docker info

N/A

Additional Info

No response
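A script that carries out the four reproduction steps above and reads the DOCKER-ISOLATION-STAGE-2 counters before and after the connection attempt, so the drop in step 4 is measured rather than inferred. This is an added example, not the issue author's or the moby project's code; it assumes a Linux Docker host with root for iptables, the `nginx:alpine` and `alpine` images, and the constructed names net1, net2, br-routed and ctr2.

```shell
#!/bin/sh
# Added reproduction script for this issue (not the issue author's or the
# moby project's code). Assumes a Linux Docker host, root for iptables, and
# the constructed names net1, net2, br-routed, ctr2.
set -eu
NAT_NET=net1
ROUTED_NET=net2
ROUTED_BR=br-routed
# Sum the DROP packet counters in DOCKER-ISOLATION-STAGE-2 whose out interface
# is $1, reading `iptables -nvxL DOCKER-ISOLATION-STAGE-2` on stdin (columns:
# pkts bytes target prot opt in out src dst). Pure text parsing, no host needed.
isolation_drops() {
    awk -v oif="$1" '$3 == "DROP" && $7 == oif { n += $1 } END { print n + 0 }'
}
run_repro() {
    # Step 1: a default (NAT) network and a routed one with a fixed bridge name.
    docker network create "$NAT_NET" >/dev/null
    docker network create \
        -o com.docker.network.bridge.gateway_mode_ipv4=routed \
        -o com.docker.network.bridge.name="$ROUTED_BR" "$ROUTED_NET" >/dev/null
    # Step 2: a server on the routed network with port 80 exposed.
    docker run -d --rm --name ctr2 --network "$ROUTED_NET" -p 80:80 nginx:alpine >/dev/null
    ip2=$(docker inspect -f "{{(index .NetworkSettings.Networks \"$ROUTED_NET\").IPAddress}}" ctr2)
    before=$(iptables -nvxL DOCKER-ISOLATION-STAGE-2 | isolation_drops "$ROUTED_BR")
    # Step 3: connect from a container on the NAT network (3 s timeout).
    if docker run --rm --network "$NAT_NET" alpine wget -T 3 -qO- "http://$ip2/" >/dev/null; then
        echo "net1 -> ctr2:80 reachable"
    else
        echo "net1 -> ctr2:80 NOT reachable"
    fi
    # Step 4: did the isolation chain's DROP counter for the routed bridge move?
    after=$(iptables -nvxL DOCKER-ISOLATION-STAGE-2 | isolation_drops "$ROUTED_BR")
    echo "DOCKER-ISOLATION-STAGE-2 drops towards $ROUTED_BR: $before -> $after"
    docker rm -f ctr2 >/dev/null
    docker network rm "$NAT_NET" "$ROUTED_NET" >/dev/null
}
# Constructed sample of the chain listing, used to exercise the parser when
# the script runs without a Docker host.
SAMPLE_CHAIN='Chain DOCKER-ISOLATION-STAGE-2 (2 references)
    pkts      bytes target     prot opt in     out     source               destination
       3        180 DROP       all  --  *      br-routed  0.0.0.0/0            0.0.0.0/0
       7        420 DROP       all  --  *      docker0  0.0.0.0/0            0.0.0.0/0
      99       9999 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0'
if [ "${RUN_REPRO:-0}" = 1 ]; then
    run_repro
else
    printf '%s\n' "$SAMPLE_CHAIN" | isolation_drops "$ROUTED_BR"   # prints 3
fi
```

Run with `RUN_REPRO=1 sudo sh repro.sh` on the host; without that variable it only exercises the counter parser on the constructed sample.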
