The Docker daemon starts a userland proxy service for port forwarding whenever a port is exposed. Where hairpin NAT is available, this service is generally superfluous to requirements and can be disabled.
Recommended Mitigation
You should run the Docker daemon as follows: dockerd --userland-proxy=false