Docker隔离网络从外部接收数据包

Question

我建立了一个docker bridge网络（在Linux上），目的是测试各个应用程序（容器）的网络流量。因此，对网络的一项关键要求是，它必须与来自其他应用程序或设备的流量完全隔离。

我用compose创建的一个简单示例是一个ping容器，该容器将ICMP数据包发送到另一个容器，而第三个容器运行tcpdump来收集流量：

version: '3'
services:
  ping:
    image: 'detlearsom/ping'
    environment:
      - HOSTNAME=blank
      - TIMEOUT=2
    sysctls:
      - net.ipv6.conf.all.disable_ipv6=1
    networks:
      - capture

  blank:
    image: 'alpine'
    command: sleep 300
    sysctls:
      - net.ipv6.conf.all.disable_ipv6=1
    networks:
      - capture

  tcpdump:
    image: 'detlearsom/tcpdump'
    volumes: 
      - '$PWD/data:/data'
    sysctls:
      - net.ipv6.conf.all.disable_ipv6=1
    network_mode: 'service:ping'
    command: -v -w "/data/dump-011-ping2-${CAPTURETIME}.pcap"

networks:
  capture:
    driver: "bridge"
    internal: true

请注意，我已将网络设置为内部网络，并且还禁用了IPV6。但是，当我运行它并收集流量时，除了预期的ICMP数据包之外，我还获得了IPV6数据包：

10:42:40.863619 IP6 fe80::42:2aff:fe42:e303 > ip6-allrouters: ICMP6, router solicitation, length 16
10:42:43.135167 IP6 fe80::e437:76ff:fe9e:36b4.mdns > ff02::fb.mdns: 0 [2q] PTR (QM)? _ipps._tcp.local. PTR (QM)? _ipp._tcp.local.
10:42:37.875646 IP6 fe80::e437:76ff:fe9e:36b4.mdns > ff02::fb.mdns: 0*- [0q] 2/0/0 (Cache flush) PTR he...F.local., (Cache flush) AAAA fe80::e437:76ff:fe9e:36b4 (161)

更奇怪的是我从端口57621接收UDP数据包：

10:42:51.868199 IP 172.25.0.1.57621 > 172.25.255.255.57621: UDP, length 44

此端口对应于Spotify流量，并且很可能源自我在主机上运行的Spotify应用程序。

我的问题：为什么我应该在网络中看到应该隔离的流量？

对于感兴趣的人，以下是网络配置：

[
    {
    "Name": "capture-011-ping2_capture",
    "Id": "35512f852332351a9f677f75b522982aa6bd288e813a31a3c36477baa005c0fd",
    "Created": "2018-08-07T10:42:31.610178964+01:00",
    "Scope": "local",
    "Driver": "bridge",
    "EnableIPv6": false,
    "IPAM": {
        "Driver": "default",
        "Options": null,
        "Config": [
            {
                "Subnet": "172.25.0.0/16",
                "Gateway": "172.25.0.1"
            }
        ]
    },
    "Internal": true,
    "Attachable": true,
    "Ingress": false,
    "ConfigFrom": {
        "Network": ""
    },
    "ConfigOnly": false,
    "Containers": {
        "dac25cb8810b2c786735a76c9b8387d1cfb4d6006dbb7549f5c7c3f381d884c2": {
            "Name": "capture-011-ping2_tcpdump_1",
            "EndpointID": "2463a46cf00a35c8c77ff9f224ff052aea7f061684b7a24b41dab150496f5c3d",
            "MacAddress": "02:42:ac:19:00:02",
            "IPv4Address": "172.25.0.2/16",
            "IPv6Address": ""
        }
    },
    "Options": {},
    "Labels": {
        "com.docker.compose.network": "capture",
        "com.docker.compose.project": "capture-011-ping2",
        "com.docker.compose.version": "1.22.0"
        }
    }
]