Comment 4 for bug 1656847

James Page (james-page) wrote :

This may all have worked at some point in the past, but looking at mitaka onwards, rules are always applied to the tap device, not on a bridge.

I think the way forward is to create the tap device, plumbed to the bridge and then pass that as a physical device to the container - however I'm still not quite sure how iptables will handle all of that.