libnetwork uses the br-netfilter module to allow filtering of packets passing through a bridge. To do so, it sets /proc/sys/net/bridge/bridge-nf-call-ip[6]tables to 1, forcing iptables for every bridge on the system, whether this is desired or not. This overrides anything set in /etc/sysctl.conf.

This is not Friendly Behaviour. iptables can be enabled per-bridge, by instead setting /sys/class/net/<bridge-name>/bridge/nf_call_ip[6]tables. Note that it cannot be disabled per-bridge when it is enabled system-wide, only enabled per-bridge when it is disabled system-wide. libnetwork should only enable iptables for the bridges it is managing.

See drivers/bridge/setup_bridgenetfiltering.go:71.