Tailscale exit-node + Docker bridge networking: UDP hairpinning drops under load
Setup: Tailscale exit-node on Ubuntu 22.04, Docker containers on bridge network using the exit-node for external traffic. Under low load everything works fine. When we push ~500 concurrent UDP flows (gRPC streaming), about 15-20% of packets get silently dropped.

Observations:
- TCP connections survive fine
- UDP drops correlate with conntrack table approaching 80% capacity
- `tailscale status` shows the exit-node as healthy throughout
- iptables MASQUERADE rules look correct

Tried: bumping `net.netfilter.nf_conntrack_max` from 65536 to 262144, which helped but didn't eliminate the drops.

Wondering if this is a known Tailscale + Docker bridge interaction, or if moving to `--network host` would sidestep it entirely. Anyone else running this combo at scale?
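A small diagnostic for the conntrack-pressure symptom described in the post, added here as an example (not code from the original post or from Tailscale/Docker): it computes table utilization from `nf_conntrack_count`/`nf_conntrack_max` and counts kernel "table full, dropping packet" messages, falling back to constructed sample values and a constructed log so it runs offline.

```shell
#!/bin/sh
# Added example: measure conntrack table pressure on an exit node and spot
# kernel-reported conntrack drops. Under MASQUERADE every UDP flow from the
# Docker bridge needs a conntrack entry; once the table is full, new UDP
# datagrams are dropped silently (unlike TCP, which retransmits).

# Percentage of the conntrack table in use, given count and max.
# Live values come from /proc/sys/net/netfilter/nf_conntrack_{count,max}.
conntrack_pct() {
    count=$1; max=$2
    [ "$max" -gt 0 ] || return 1
    echo $(( count * 100 / max ))
}

# Count kernel log lines reporting conntrack table exhaustion (read stdin,
# e.g. `dmesg | conntrack_full_drops`). Pattern matches both the older
# "nf_conntrack: nf_conntrack: table full..." and newer message forms.
conntrack_full_drops() {
    grep -c 'table full, dropping packet' || true
}

# Read a live sysctl counter when present; otherwise use the constructed
# sample value so the script still runs on a machine without conntrack.
live_or_sample() {
    f=/proc/sys/net/netfilter/$1
    if [ -r "$f" ]; then cat "$f"; else echo "$2"; fi
}

main() {
    count=$(live_or_sample nf_conntrack_count 52000)   # constructed fallback
    max=$(live_or_sample nf_conntrack_max 65536)       # constructed fallback
    pct=$(conntrack_pct "$count" "$max")
    echo "conntrack usage: $count / $max ($pct%)"
    if [ "$pct" -ge 80 ]; then
        echo "WARNING: conntrack table above 80%; new UDP flows may be dropped"
    fi
    # Constructed kernel log sample standing in for `dmesg` output.
    sample_log='[1234.5] nf_conntrack: nf_conntrack: table full, dropping packet
[1234.6] docker0: port 1(veth1) entered forwarding state
[1235.0] nf_conntrack: nf_conntrack: table full, dropping packet'
    drops=$(printf '%s\n' "$sample_log" | conntrack_full_drops)
    echo "table-full drop messages in sample log: $drops"
}

main "$@"
```

On the real exit node, pair the percentage with `dmesg | conntrack_full_drops` (and `conntrack -S` if conntrack-tools is installed) to confirm whether drops coincide with the table filling rather than with Tailscale itself.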