Hi, I checked more carefully on https://github.com/moby/moby/pull/28257 and https://github.com/moby/moby/issues/14041 Then I concluded that docker does nothing wrong in this case.
If you didn't set net.ipv4.ip_forward=1 before starting docker, then docker will set this for you by default, otherwise the containers can't access the network. This causes security issue as described in https://github.com/moby/moby/issues/14041. So if docker set net.ipv4.ip_forward=1 itself, it will set the default FORWARD policy to DROP. This looks quite correct. So when docker will not touch your FORWARD policy? just don't let docker enable ip_forward itself. You can set net.ipv4.ip_forward=1 in /etc/sysctl.conf(enable it before starting docker). Then docker will know that user want the host to forward all traffic and it will touch your default FORWARD policy. I've verified it by adding net.ipv4.ip_forward=1 to /etc/sysctl.conf, then reboot. And my FORWARD policy is ACCEPT. So as for your VM scenario, why didn't you set ip_forward manually? How docker know it's not a vulnerability if it didn't set FORWARD chain to DROP when it enables ip_forward. -- Shengjing Zhu