Thanks for this info.
LXD does enable that on bridge networks, but if Docker has started before LXD and that setting isn’t enabled at the system level then that could explain why Docker is not detecting it set at the time it starts and is modifying the FORWARD policy.