I think this solves my woes regarding unwanted IPv6 addresses as well. If the firewall ate important protocol negotiations, the containers probably fell back to an emergency address, thinking they had none. As to why none of the kernel parameters in the containers helped, and why rebooting the LXD host exposed the issue – I don’t know. But I think I’ll leave it at that for now and be glad things work well again.