by bostik 889 days ago
Likely due to technical limitations. At least docker does its port-forwarding with iptables (or these days, nftables), and the forwarding rules themselves span multiple custom tables/chains. If you ever do 'iptables-save' to inspect what rules have been created when a container is running, it may look a bit funky.

So updating a purportedly single rule might actually require updating several underlying traffic-mangling rules, with logic that is not readily apparent, or even easy to reason about. When you add the ability to route traffic directly from container to container without passing through the outermost interface, things can get quite hairy.
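As an added illustration of the point above (not part of the comment): a constructed excerpt of what `iptables-save` prints for one container, with an assumed container address of 172.17.0.2 and an assumed host-port 8080 to container-port 80 mapping, plus a small shell helper that pulls out every rule referring to that container so you can see how many rules and tables one published port actually touches.

```shell
#!/bin/sh
# Constructed sample of `iptables-save` output on a Docker host with one
# container (172.17.0.2, assumed) publishing host port 8080 -> 80.
# Trimmed to the Docker-relevant lines; a real dump is longer.
SAMPLE_DUMP='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A POSTROUTING -s 172.17.0.2/32 -d 172.17.0.2/32 -p tcp -m tcp --dport 80 -j MASQUERADE
-A DOCKER -i docker0 -j RETURN
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 172.17.0.2:80
COMMIT
*filter
:FORWARD DROP [0:0]
:DOCKER - [0:0]
:DOCKER-USER - [0:0]
-A FORWARD -j DOCKER-USER
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A DOCKER -d 172.17.0.2/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 80 -j ACCEPT
-A DOCKER-USER -j RETURN
COMMIT'

# Print "table<TAB>chain<TAB>rule" for every rule mentioning the container IP.
# iptables-save carries no per-rule table column, so awk tracks the current
# table from the "*name" header lines. A plain substring match is used, so
# 172.17.0.2 would also match 172.17.0.20; tighten the match for real audits.
rules_for_container() {
  printf '%s\n' "$SAMPLE_DUMP" | awk -v ip="$1" '
    /^\*/ { table = substr($0, 2); next }
    /^-A / && index($0, ip) { print table "\t" $2 "\t" $0 }
  '
}

# How many underlying rules back the single "-p 8080:80" the user sees.
count_rules_for_container() {
  rules_for_container "$1" | wc -l | tr -d ' '
}

# Which tables would all have to change together for that one mapping.
tables_for_container() {
  rules_for_container "$1" | cut -f1 | sort -u | tr '\n' ' ' | sed 's/ $//'
}

rules_for_container 172.17.0.2
```

Run against a live host by replacing `SAMPLE_DUMP` with the output of `iptables-save` (root required); the same helper then shows every chain a given container is wired into.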