I'm stick on this one for the moment. There may not be a fix tomorrow. It is getting hairier as you've seen. I've now observed the same. I need to find some other sort of trick. The alternative is to step backwards and add except-interfaces for docker0 in app-docker, but I don;t kow what to do about virbr (from KVM) and there are other interfaces I want to exclude (if you see my write up on running an AD Domain Controller in the KB, I don't want it to bind to virtual IP's.