docker.io modifies routing rules in a way which breaks LXD bridge

Bug #1943898 reported by Paul Goins
This bug affects 1 person
Affects: docker.io (Ubuntu)
Status: New
Importance: Undecided
Assigned to: Unassigned
Milestone:

Bug Description

I was trying to bootstrap a Juju controller on LXD. Unfortunately, this never finished, and upon further investigation, I found that none of my LXD containers could reach the Internet via the configured bridge, lxdbr0.

This was working previously, but recently I installed docker.io.

I stopped and/or removed other components which were installing routing rules, e.g. microk8s and multipass, but nothing resolved the problem until I removed docker.io and restarted my computer.

Long story short, I traced down the reason why this wasn't working to a routing rule. I dumped my iptables rules while docker.io was uninstalled and things were working, and then dumped again after I installed docker.io and rebooted. (The reboot was necessary; things still worked after installing docker.io, but stopped working after reboot.)

Here is the key diff that I saw:

[...]
 + sudo iptables -tfilter -S
 -P INPUT ACCEPT
--P FORWARD ACCEPT
+-P FORWARD DROP
[...]

I could manually run "sudo iptables -tfilter -P FORWARD ACCEPT" to make things work again. (Obviously that may not be the best workaround for security reasons, but LXD doesn't seem to install rules sufficient for routing to still work after docker.io makes this change.)

I'll leave it up to you whether this is a docker.io bug or an lxd bug, but it was installation of docker.io which triggered the situation for me.

Relevant information:

$ lsb_release -rd
Description: Ubuntu 20.04.3 LTS
Release: 20.04

$ apt-cache policy docker.io | head -n2
docker.io:
  Installed: 20.10.7-0ubuntu1~20.04.1

Expected behavior: being able to use LXDs like normal without loss of Internet connectivity after installing docker.io package.

What happened instead: lost Internet connectivity due to change in filter table's -P FORWARD rule.

Best Regards,
Paul Goins
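The report's workaround resets the FORWARD policy to ACCEPT for all interfaces, which the reporter already flags as undesirable. The following POSIX shell script is an added example (not part of the bug report, and not code from the docker.io or LXD projects): it parses an `iptables -S` dump, detects the DROP policy shown in the diff above, and emits ACCEPT rules scoped to the LXD bridge only, leaving the global policy untouched. The bridge name lxdbr0 is taken from the report; the dump is a constructed sample modelled on the diff, and the emitted commands are suggestions for the operator to review, not applied automatically.

```shell
#!/bin/sh
# Added example (not from the bug report): inspect an "iptables -S" dump and,
# if the filter FORWARD policy is DROP with no ACCEPT rules for the LXD bridge,
# print narrow per-interface ACCEPT rules instead of a blanket policy change.
# Assumption: the bridge is lxdbr0 (as in the report); commands are printed,
# never executed, so the operator can review them first.

# Constructed sample dump, modelled on the diff in the report: docker.io has
# set the FORWARD policy to DROP and added its own DOCKER/DOCKER-USER chains.
SAMPLE_DUMP='-P INPUT ACCEPT
-P FORWARD DROP
-P OUTPUT ACCEPT
-N DOCKER
-N DOCKER-USER
-A FORWARD -j DOCKER-USER
-A FORWARD -o docker0 -j DOCKER
-A DOCKER-USER -j RETURN'

# forward_policy DUMP -> prints the default policy of the FORWARD chain (ACCEPT/DROP)
forward_policy() {
    printf '%s\n' "$1" | awk '$1 == "-P" && $2 == "FORWARD" { print $3; exit }'
}

# bridge_has_accept DUMP BRIDGE -> succeeds if FORWARD already has an explicit
# ACCEPT rule for traffic entering (-i) or leaving (-o) via BRIDGE
bridge_has_accept() {
    printf '%s\n' "$1" | grep -E -q -e "-A FORWARD .*(-i|-o) $2 .*-j ACCEPT"
}

# lxd_forward_rules BRIDGE -> prints the iptables commands that allow traffic
# to and from BRIDGE through FORWARD without touching the chain's policy.
# Inserting at position 1 keeps the rules ahead of the DOCKER-USER jump.
lxd_forward_rules() {
    printf 'iptables -t filter -I FORWARD 1 -i %s -j ACCEPT\n' "$1"
    printf 'iptables -t filter -I FORWARD 1 -o %s -j ACCEPT\n' "$1"
}

# check_dump DUMP BRIDGE -> prints "ok" when forwarding for BRIDGE is allowed;
# otherwise prints the suggested remediation commands and returns 1.
check_dump() {
    dump=$1
    bridge=$2
    policy=$(forward_policy "$dump")
    if [ "$policy" = "ACCEPT" ] || bridge_has_accept "$dump" "$bridge"; then
        echo ok
        return 0
    fi
    echo "FORWARD policy is $policy and no ACCEPT rules for $bridge; suggested fix:" >&2
    lxd_forward_rules "$bridge"
    return 1
}

# Stand-alone run against the constructed dump. On a live host use:
#   check_dump "$(sudo iptables -t filter -S FORWARD)" lxdbr0
check_dump "$SAMPLE_DUMP" lxdbr0 || true
```

Scoping the ACCEPT rules to the bridge keeps docker.io's DROP default for every other interface, so containers on lxdbr0 regain connectivity without re-opening forwarding host-wide.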
