Actually this was fixed upstream lately, and the fix is in Debian testing already. See https://github.com/docker/libnetwork/pull/2339#issuecomment-487207550
There are still other iptables-related bugs, the most outstanding being #903635. If this bug could be solved, then users could just run docker with `--iptables=false`. This is discussed upstream in the link above.