I'm fighting this issue too, but on Debian 8. KVM + Docker = my broken heart.
Seems that this issue happens because Docker loads
module and sets
kernel parameters to 1 (or it is the default module config), so all bridged traffic is now subject to iptables filtering.
See the following links about br_netfilter:
I haven't yet figured out how to fix this issue, because simply blacklisting br_netfilter won't go - Docker needs this module to filter bridged connections between containers that are created with the 'link' option. Filtering bridged connections is necessary for Docker to properly handle the '--icc' flag, which enables or disables inter-container communication.
I suppose that we need to figure out some iptables rule that will ACCEPT all bridged traffic except for traffic going through Docker bridges. One way is to add such rules for each of your custom bridges:
iptables -A FORWARD -i <your-bridge> -o <your-bridge> -j ACCEPT
But I think it is not a flexible solution.
Could someone propose a better approach?
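As an added example (not code from the thread above), here is a small POSIX shell helper that does two things the post describes: it checks whether br_netfilter is actually pushing bridged frames through iptables (by reading the bridge-nf-call-iptables sysctl, which is the parameter the post refers to), and it emits the per-bridge FORWARD ACCEPT rule from the post for every custom bridge you name. The bridge names br-lan and br-vms are constructed sample values; the script only prints rules, so review the output and run it under sudo yourself.

```shell
#!/bin/sh
# Added example, not part of the original discussion.
# Assumes: Linux host with iptables; /proc/sys/net/bridge/bridge-nf-call-iptables
# exists only when br_netfilter is loaded. Bridge names are placeholders.

# Return 0 when br_netfilter is loaded AND bridge traffic is routed through
# iptables (sysctl value 1). An optional argument overrides the sysctl path,
# which makes the check testable without a real bridge module.
bridge_filtering_active() {
    proc="${1:-/proc/sys/net/bridge/bridge-nf-call-iptables}"
    [ -r "$proc" ] || return 1            # module not loaded: nothing to bypass
    [ "$(cat "$proc")" = "1" ]
}

# Print the ACCEPT rule from the post for one bridge: frames that enter and
# leave the same bridge are accepted before Docker's DROP policy applies.
accept_rule_for_bridge() {
    printf 'iptables -A FORWARD -i %s -o %s -j ACCEPT\n' "$1" "$1"
}

# Print one rule per bridge name given as an argument (br-lan br-vms ...).
accept_rules() {
    for br in "$@"; do
        accept_rule_for_bridge "$br"
    done
}

# Emit rules only when filtering is actually in effect; otherwise say so.
# Docker's own bridges (docker0 and the per-network br-* bridges it creates)
# must NOT be passed here, or --icc=false stops working for them.
main() {
    if bridge_filtering_active; then
        accept_rules "$@"
    else
        echo "# br_netfilter is not filtering bridged traffic; no rules needed"
    fi
}

if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

Usage: `sh bridge-accept.sh br-lan br-vms | sudo sh` once you have checked the printed rules. Appending with -A matches the post; it works because Docker's own FORWARD rules only match its own bridges and the DROP comes from the chain policy at the end, so a later ACCEPT for your bridge is still reached.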