Changing the `uciadd()` function in /etc/init.d/dockerd like this (only the `bridge_empty` line is new; elided parts are unchanged):
uciadd() {
...
if [ "$(find_network_device "$device")" = "" ]; then
logger -t "dockerd-init" -p notice "Adding bridge device '${device}' to network config"
uci_quiet add network device
uci_quiet set network.@device[-1].type="bridge"
uci_quiet set network.@device[-1].name="${device}"
uci_quiet set network.@device[-1].bridge_empty='1' # <-- add this new bridge option
uci_quiet commit network
[...]
reload_config
ifup docker
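seems to solve the issue. With `bridge_empty` set, the bridge device can be brought up even though it has no member ports yet. I can even set the docker firewall zone to forward=REJECT.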
@jow, thanks for the guidance!