It looks like something (Docker perhaps) has refreshed the firewall rules and removed the ones LXD added.
Assuming your LXD bridge is lxdbr0, then you’re missing these lines:
-A FORWARD -o lxdbr0 -m comment --comment "generated for LXD network lxdbr0" -j ACCEPT
-A FORWARD -i lxdbr0 -m comment --comment "generated for LXD network lxdbr0" -j ACCEPT
before the line:
-A FORWARD -j DOCKER-USER
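
One way to check for this condition, as an added example that is not part of the original post: the function below reads `iptables-save` output and reports whether both ACCEPT rules for the bridge are present and sit before the `DOCKER-USER` jump. The function name `check_lxd_forward` and the three sample rule sets are constructed for illustration; the bridge name `lxdbr0` is the one assumed in the post.

```shell
#!/bin/sh
# Added example. Reads `iptables-save` output on stdin, bridge name as $1.
# Prints ok | missing | after-docker; exit status is 0 only for ok.
# On a live host: iptables-save -t filter | check_lxd_forward lxdbr0
check_lxd_forward() {
    awk -v br="$1" '
        $1 == "-A" && $2 == "FORWARD" {
            n++    # position of this rule within the FORWARD chain
            if ($0 ~ /-j DOCKER-USER( |$)/ && !docker) docker = n
            if ($0 ~ /-j ACCEPT( |$)/)
                for (i = 3; i < NF; i++) {
                    if ($i == "-o" && $(i + 1) == br && !out) out = n
                    if ($i == "-i" && $(i + 1) == br && !inn) inn = n
                }
        }
        END {
            if (!out || !inn) { print "missing"; exit 1 }
            if (docker && (out > docker || inn > docker)) { print "after-docker"; exit 2 }
            print "ok"
        }'
}

# Constructed sample rule sets (not taken from a real host).
SAMPLE_BROKEN='*filter
:FORWARD DROP [0:0]
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
COMMIT'
SAMPLE_FIXED='*filter
:FORWARD DROP [0:0]
-A FORWARD -o lxdbr0 -m comment --comment "generated for LXD network lxdbr0" -j ACCEPT
-A FORWARD -i lxdbr0 -m comment --comment "generated for LXD network lxdbr0" -j ACCEPT
-A FORWARD -j DOCKER-USER
COMMIT'
SAMPLE_MISORDERED='*filter
:FORWARD DROP [0:0]
-A FORWARD -j DOCKER-USER
-A FORWARD -o lxdbr0 -m comment --comment "generated for LXD network lxdbr0" -j ACCEPT
-A FORWARD -i lxdbr0 -m comment --comment "generated for LXD network lxdbr0" -j ACCEPT
COMMIT'

# Prints: missing, ok, after-docker (one per line).
for s in "$SAMPLE_BROKEN" "$SAMPLE_FIXED" "$SAMPLE_MISORDERED"; do
    printf '%s\n' "$s" | check_lxd_forward lxdbr0 || true
done
```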