Lxdbr0 firewall problem with Ubuntu 22.04 host running Docker and LXD

The comment above about docker using iptables-legacy before/after a reboot was wrong.

It seems the solution is to just use Docker from a Snap. If you already have docker from apt, purge it, install it from snap and reboot.

I redeployed a fresh VM, which has LXD pre-installed. I then installed Docker via apt and noticed it's using nftables:

root@jammy:~# apt install docker.io
...
root@jammy:~# nft list ruleset | grep -i docker | wc -l
17
root@jammy:~# iptables-legacy -L | grep -i docker | wc -l
0

and after a reboot, LXD networking is not working while both share nftables:

root@jammy:~# lxc info | grep firewall:
  firewall: nftables
root@jammy:~# lxc exec foo -- ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
^C
--- 8.8.8.8 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 2036ms

But if I replace Docker from apt with Docker from snap and then reboot:

root@jammy:~# apt purge docker.io
...
root@jammy:~# apt autoremove
...
root@jammy:~# snap install docker
...
root@jammy:~# reboot

Following the reboot, LXD external networking is working because the snap Docker seems to keep using iptables-legacy while LXD uses nftables:

root@jammy:~# lxc exec foo -- ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=118 time=12.1 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=118 time=12.1 ms
^C
--- 8.8.8.8 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 12.109/12.127/12.145/0.018 ms
root@jammy:~# iptables-legacy -L | grep -i docker | wc -l
8
root@jammy:~# nft list ruleset | grep -i docker | wc -l
0
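As an added example that is not part of the original post: a POSIX shell check that encodes the three probes used above (Docker rules visible to nft, Docker rules visible to iptables-legacy, and the firewall driver LXD reports) and classifies the host as either sharing the nftables backend or keeping the two split. The classify, count_docker_rules and live_check functions and the sample ruleset text are my own constructions for illustration; live_check only runs the real nft, iptables-legacy and lxc commands when they are present on the host.

```shell
#!/bin/sh
# Added example, not code from the original post.
# Reproduces the post's diagnostic as a reusable check: does Docker put its
# rules into nftables (shared with LXD) or into iptables-legacy (split)?

# count_docker_rules <ruleset text>
# Counts lines mentioning "docker" (case-insensitive), mirroring
# `... | grep -i docker | wc -l` from the post. Prints 0 on no match.
count_docker_rules() {
    printf '%s\n' "$1" | grep -ci docker || true
}

# classify <docker rules in nft> <docker rules in iptables-legacy> <lxd driver>
# Prints one of: conflict, ok-split, ok-no-docker, unknown
#   conflict     - LXD is on nftables and Docker's rules are in nftables too
#   ok-split     - LXD is on nftables, Docker's rules live in iptables-legacy
#   ok-no-docker - no Docker rules in either backend
classify() {
    nft_rules=$1
    legacy_rules=$2
    lxd_driver=$3
    if [ "$nft_rules" -eq 0 ] && [ "$legacy_rules" -eq 0 ]; then
        echo ok-no-docker
    elif [ "$lxd_driver" = nftables ] && [ "$nft_rules" -gt 0 ]; then
        echo conflict
    elif [ "$lxd_driver" = nftables ] && [ "$legacy_rules" -gt 0 ]; then
        echo ok-split
    else
        echo unknown
    fi
}

# live_check: run the post's commands on the current host, if available,
# and print the classification. Prints "unknown" when nft is not installed.
live_check() {
    command -v nft >/dev/null 2>&1 || { echo unknown; return 0; }
    nft_out=$(nft list ruleset 2>/dev/null || true)
    legacy_out=$(iptables-legacy -S 2>/dev/null || true)
    # `lxc info` prints a line like "  firewall: nftables"; extract the driver name.
    driver=$(lxc info 2>/dev/null | sed -n 's/^ *firewall: *//p')
    classify "$(count_docker_rules "$nft_out")" \
             "$(count_docker_rules "$legacy_out")" \
             "${driver:-unknown}"
}

# Constructed sample of `nft list ruleset` output (not captured from a real
# host) so the counting logic can be exercised offline.
SAMPLE_NFT='table ip filter {
	chain DOCKER {
	}
	chain DOCKER-USER {
	}
}'

# Offline demonstration using the counts seen in the post: 17 Docker rules in
# nft with LXD on nftables is the broken layout, 8 in iptables-legacy is the
# working one.
classify 17 0 nftables
classify 0 8 nftables
```

Run the script on a host to see the offline classification, or call live_check from an interactive shell to classify the current machine; a result of "conflict" is the layout in which the post observed container traffic being dropped.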