It was issue with cgroups, NAT table was handled exclusively by one container. It was fixed by upgrading to kernel version 4.3-rc7 (possibly only to 4.3-rc1 but we went with the newest). I would like to thank `nt` on #Netfilter@freenode who provided us with this information. Jakub (Kubuxu) Sztandera -- To unsubscribe from this list: send the line "unsubscribe netfilter" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
