NF_INET_LOCAL_IN hook does not work for bridge Docker in Linux 4.19

The topology is:

physical x86 server -> Linux bridge -> Docker (on same x86 server)

Traffic is as follows:

client -> server -> bridge -> docker

We have a kernel module (registered via _nf_register_hook), which has nf hooks as follows:

        .hook = my_hook,
#if LINUX_VERSION_CODE < KERNEL_VERSION(4,9,0)
        .owner = THIS_MODULE,
#endif
        .pf = PF_INET,
        .hooknum = NF_INET_LOCAL_IN,
        .priority = NF_IP_PRI_FIRST,

We found a weird case (the module is loaded on the server):

  • for Linux 3.10 the my_hook function works fine for traffic to docker,
  • for Linux 4.19 my_hook is not triggered for traffic to docker.

By the way, we enable

net.bridge.bridge-nf-call-iptables = 1

just for logging purposes.

It looks namespace-related; however, _nf_register_hook loops over all namespaces.

Can anyone give me some advice?

Source: Docker Questions