Cannot reach container from published port when connected to overlay network #7854
Description
Description
When a container is connected to an overlay network, connections to published ports on the host get closed without any reply.
Reproduce
docker swarm initdocker network create --attachable --driver overlay my-ovldocker run -d --name nginxtest --network my-ovl --publish 8080:80 nginxdemos/hello:plain-text
$ docker exec nginxtest curl -Ss localhost
Server address: ::1:80
Server name: f369a2b56db6
Date: 10/Feb/2026:21:45:16 +0000
URI: /
Request ID: 050aaa199778336fd61d3b4b32b69855
$ curl -Ss localhost:8080
curl: (52) Empty reply from server
$ docker exec nginxtest curl -Ss host.docker.internal:8080
curl: (52) Empty reply from serverExpected behavior
Both curl commands to port 8080 complete successfully.
docker version
Client:
Version: 29.2.0
API version: 1.53
Go version: go1.25.6
Git commit: 0b9d198
Built: Mon Jan 26 19:25:13 2026
OS/Arch: darwin/arm64
Context: desktop-linux
Server: Docker Desktop 4.60.0 (218231)
Engine:
Version: 29.2.0
API version: 1.53 (minimum version 1.41)
Go version: go1.25.6
Git commit: 9c62384
Built: Mon Jan 26 19:25:48 2026
OS/Arch: linux/arm64
Experimental: false
containerd:
Version: v2.2.1
GitCommit: dea7da592f5d1d2b7755e3a161be07f43fad8f75
runc:
Version: 1.3.4
GitCommit: v1.3.4-0-gd6d73eb8
docker-init:
Version: 0.19.0
GitCommit: de40ad0docker info
Client:
Version: 29.2.0
Context: desktop-linux
Debug Mode: false
Plugins:
ai: Docker AI Agent - Ask Gordon (Docker Inc.)
Version: v1.17.2
Path: /Users/corysnider/.docker/cli-plugins/docker-ai
buildx: Docker Buildx (Docker Inc.)
Version: v0.31.1-desktop.1
Path: /Users/corysnider/.docker/cli-plugins/docker-buildx
compose: Docker Compose (Docker Inc.)
Version: v5.0.2
Path: /Users/corysnider/.docker/cli-plugins/docker-compose
debug: Get a shell into any image or container (Docker Inc.)
Version: 0.0.47
Path: /Users/corysnider/.docker/cli-plugins/docker-debug
desktop: Docker Desktop commands (Docker Inc.)
Version: v0.3.0
Path: /Users/corysnider/.docker/cli-plugins/docker-desktop
extension: Manages Docker extensions (Docker Inc.)
Version: v0.2.31
Path: /Users/corysnider/.docker/cli-plugins/docker-extension
init: Creates Docker-related starter files for your project (Docker Inc.)
Version: v1.4.0
Path: /Users/corysnider/.docker/cli-plugins/docker-init
mcp: Docker MCP Plugin (Docker Inc.)
Version: v0.38.0
Path: /Users/corysnider/.docker/cli-plugins/docker-mcp
model: Docker Model Runner (Docker Inc.)
Version: v1.0.8
Path: /Users/corysnider/.docker/cli-plugins/docker-model
offload: Docker Offload (Docker Inc.)
Version: v0.5.42
Path: /Users/corysnider/.docker/cli-plugins/docker-offload
pass: Docker Pass Secrets Manager Plugin (beta) (Docker Inc.)
Version: v0.0.24
Path: /Users/corysnider/.docker/cli-plugins/docker-pass
sandbox: Docker Sandbox (Docker Inc.)
Version: v0.11.0
Path: /Users/corysnider/.docker/cli-plugins/docker-sandbox
sbom: View the packaged-based Software Bill Of Materials (SBOM) for an image (Anchore Inc.)
Version: 0.6.0
Path: /Users/corysnider/.docker/cli-plugins/docker-sbom
scout: Docker Scout (Docker Inc.)
Version: v1.19.0
Path: /Users/corysnider/.docker/cli-plugins/docker-scout
Server:
Containers: 3
Running: 1
Paused: 0
Stopped: 2
Images: 284
Server Version: 29.2.0
Storage Driver: overlay2
Backing Filesystem: extfs
Supports d_type: true
Using metacopy: false
Native Overlay Diff: true
userxattr: false
Logging Driver: json-file
Cgroup Driver: cgroupfs
Cgroup Version: 2
Plugins:
Volume: local
Network: bridge host ipvlan macvlan null overlay
Log: awslogs fluentd gcplogs gelf journald json-file local splunk syslog
CDI spec directories:
/etc/cdi
/var/run/cdi
Discovered Devices:
cdi: docker.com/gpu=webgpu
Swarm: active
NodeID: kb72q7uyykbepqrojhwtu0o71
Is Manager: true
ClusterID: 33nvdfz71alyelv5n07ulmgre
Managers: 1
Nodes: 1
Default Address Pool: 10.0.0.0/8
SubnetSize: 24
Data Path Port: 4789
Orchestration:
Task History Retention Limit: 5
Raft:
Snapshot Interval: 10000
Number of Old Snapshots to Retain: 0
Heartbeat Tick: 1
Election Tick: 10
Dispatcher:
Heartbeat Period: 5 seconds
CA Configuration:
Expiry Duration: 3 months
Force Rotate: 0
Autolock Managers: false
Root Rotation In Progress: false
Node Address: 192.168.65.3
Manager Addresses:
192.168.65.3:2377
Runtimes: runc io.containerd.runc.v2
Default Runtime: runc
Init Binary: docker-init
containerd version: dea7da592f5d1d2b7755e3a161be07f43fad8f75
runc version: v1.3.4-0-gd6d73eb8
init version: de40ad0
Security Options:
seccomp
Profile: builtin
cgroupns
Kernel Version: 6.12.67-linuxkit
Operating System: Docker Desktop
OSType: linux
Architecture: aarch64
CPUs: 14
Total Memory: 15.6GiB
Name: docker-desktop
ID: 7d16dc4f-1ab0-4010-96b9-1cf1d1c1a934
Docker Root Dir: /var/lib/docker
Debug Mode: false
HTTP Proxy: http.docker.internal:3128
HTTPS Proxy: http.docker.internal:3128
No Proxy: hubproxy.docker.internal
Labels:
com.docker.desktop.address=unix:///Users/corysnider/Library/Containers/com.docker.docker/Data/docker-cli.sock
Experimental: false
Insecure Registries:
hubproxy.docker.internal:5555
::1/128
127.0.0.0/8
Live Restore Enabled: false
Firewall Backend: iptablesDiagnostics ID
68D04927-3F69-4C2F-86B2-00297715D278/20260210214719
Additional Info
No response