moby: Globally exposed ports are unreachable from isolated networks

Description of problem: Globally (0.0.0.0) exposed ports are unreachable from isolated networks.

docker version:

Client:
 Version:         1.9.1-fc23
 API version:     1.21
 Package version: docker-1.9.1-2.git78bc3ea.fc23.x86_64
 Go version:      go1.5.1
 Git commit:      f7c1d52-dirty
 Built:           Fri Nov 20 21:07:14 UTC 2015
 OS/Arch:         linux/amd64

Server:
 Version:         1.9.1-fc23
 API version:     1.21
 Package version: docker-1.9.1-2.git78bc3ea.fc23.x86_64
 Go version:      go1.5.1
 Git commit:      f7c1d52-dirty
 Built:           Fri Nov 20 21:07:14 UTC 2015
 OS/Arch:         linux/amd64

docker info:

Server Version: 1.9.1-fc23
Storage Driver: overlay
 Backing Filesystem: extfs
Execution Driver: native-0.2
Logging Driver: journald
Kernel Version: 4.2.6-301.fc23.x86_64
Operating System: Fedora 23 (Cloud Edition)

uname -a: Linux 4.2.6-301.fc23.x86_64 #1 SMP Fri Nov 20 22:22:41 UTC 2015 x86_64 GNU/Linux

Environment details (AWS, VirtualBox, physical, etc.): Fedora 23 with iptables, DigitalOcean Fedora 23 with firewalld, physical

How reproducible: 100%

Steps to Reproduce:

  0. docker network create test
  1. docker run -it -p 5000:5000 busybox nc -lp 5000
  2. docker run -it --net=test busybox nc 172.17.0.1 5000

Actual Results: The connection times out, even if I use a physical interface’s IP instead of docker0’s. The inter-network FORWARD DROP rules take precedence over everything, so I can’t even have a static rule to allow specific traffic.

Expected Results: The above scenario works if both containers use the default bridge. I expect the same regardless of which network they’re in. I think those DROP rules should be inserted after the DOCKER chain.

Additional info: The daemon is running with --icc=false.

If this is the intended behavior, how can I expose a port to all networks using a static IP?
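To make the rule-ordering argument in this report concrete, here is an added example that is not code from the issue or from Docker itself: a toy first-match walk of the iptables FORWARD chain. The chain layout is reconstructed from how Docker of that era published ports and isolated user-defined networks, not copied from the page; the bridge name br-test, the container address 172.17.0.2 and the exact rule positions are assumptions. Packets are modelled after PREROUTING DNAT has already rewritten the destination to the published container. It shows why the DNAT'd SYN from the test network is dropped when the isolation DROPs sit in front of the DOCKER jump, that moving the jump ahead of them accepts only the published port while an unpublished one stays isolated, and that an ACCEPT inserted at position 1 of FORWARD works as a stopgap.

```python
"""Toy first-match walk of the iptables FORWARD chain (added example, not Docker code).

Chain layout reconstructed from Docker-era port publishing and network isolation;
bridge name, container address and rule positions are assumptions. Packets are
modelled after PREROUTING DNAT has rewritten the destination to the container.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

CONTAINER_IP = "172.17.0.2"   # assumed address of the busybox listener on docker0
TEST_BRIDGE = "br-test"       # assumed bridge interface behind "docker network create test"


@dataclass
class Packet:
    in_if: str
    out_if: str
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass
class Rule:
    target: str                       # ACCEPT, DROP, RETURN or the name of a user chain
    in_if: Optional[str] = None       # -i
    not_in_if: Optional[str] = None   # ! -i
    out_if: Optional[str] = None      # -o
    dst: Optional[str] = None         # -d
    proto: Optional[str] = None       # -p
    dport: Optional[int] = None       # --dport

    def matches(self, p: Packet) -> bool:
        return ((self.in_if is None or p.in_if == self.in_if)
                and (self.not_in_if is None or p.in_if != self.not_in_if)
                and (self.out_if is None or p.out_if == self.out_if)
                and (self.dst is None or p.dst == self.dst)
                and (self.proto is None or p.proto == self.proto)
                and (self.dport is None or p.dport == self.dport))


Chains = Dict[str, List[Rule]]


def _walk(chains: Chains, chain: str, p: Packet) -> Optional[str]:
    """First matching rule wins; a user chain that RETURNs or runs out hands back None."""
    for rule in chains[chain]:
        if not rule.matches(p):
            continue
        if rule.target in ("ACCEPT", "DROP"):
            return rule.target
        if rule.target == "RETURN":
            return None
        verdict_from_jump = _walk(chains, rule.target, p)   # jump into a user chain
        if verdict_from_jump is not None:
            return verdict_from_jump
    return None


def verdict(chains: Chains, p: Packet) -> str:
    """Verdict for p entering FORWARD; the built-in chain's policy is ACCEPT here."""
    return _walk(chains, "FORWARD", p) or "ACCEPT"


# What `-p 5000:5000` adds to the filter DOCKER chain (destination already DNAT'd).
DOCKER_CHAIN = [Rule("ACCEPT", not_in_if="docker0", out_if="docker0",
                     dst=CONTAINER_IP, proto="tcp", dport=5000)]
# Inter-network isolation between docker0 and the user-defined bridge.
ISOLATION = [Rule("DROP", in_if=TEST_BRIDGE, out_if="docker0"),
             Rule("DROP", in_if="docker0", out_if=TEST_BRIDGE)]
ICC_OFF = [Rule("DROP", in_if="docker0", out_if="docker0")]   # effect of --icc=false
JUMP_DOCKER = [Rule("DOCKER")]


def forward_as_reported() -> Chains:
    """Isolation DROPs ahead of the DOCKER jump: the ordering the reporter hits."""
    return {"FORWARD": ISOLATION + JUMP_DOCKER + ICC_OFF, "DOCKER": DOCKER_CHAIN}


def forward_as_proposed() -> Chains:
    """DOCKER jump first, isolation after it: what the reporter asks for."""
    return {"FORWARD": JUMP_DOCKER + ISOLATION + ICC_OFF, "DOCKER": DOCKER_CHAIN}


def forward_with_manual_accept() -> Chains:
    """Stopgap: an ACCEPT for the published port placed at position 1 of FORWARD."""
    manual = [Rule("ACCEPT", in_if=TEST_BRIDGE, out_if="docker0", proto="tcp", dport=5000)]
    return {"FORWARD": manual + ISOLATION + JUMP_DOCKER + ICC_OFF, "DOCKER": DOCKER_CHAIN}


# Constructed packets: the SYN from the container on "test" towards the published port,
# and one towards an unpublished port that the isolation must keep blocking.
PUBLISHED = Packet(in_if=TEST_BRIDGE, out_if="docker0", dst=CONTAINER_IP, dport=5000)
UNPUBLISHED = Packet(in_if=TEST_BRIDGE, out_if="docker0", dst=CONTAINER_IP, dport=6000)

if __name__ == "__main__":
    for name, chains in (("as reported", forward_as_reported()),
                         ("DOCKER jump first", forward_as_proposed()),
                         ("manual ACCEPT at FORWARD 1", forward_with_manual_accept())):
        print(f"{name:28s} published={verdict(chains, PUBLISHED):6s} "
              f"unpublished={verdict(chains, UNPUBLISHED)}")
```

On a real host the same ordering is visible with `iptables -S FORWARD` and `iptables -t nat -S DOCKER`; a rule added with `iptables -I FORWARD 1 ...` only helps while it stays ahead of the isolation DROPs, so check the order again after the daemon restarts and re-inserts its own rules.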

About this issue

  • State: closed
  • Created 9 years ago
  • Comments: 15 (10 by maintainers)

Most upvoted comments

So I’m using 1.11.2 and this issue isn’t completely fixed. Forwarded ports can be accessed now, but only on the docker bridges’ internal IP (e.g. 172.17.42.1). The same ports cannot be accessed on the host’s public IP from containers on the same host, not even from the default network. I can work around this with DNS rebinding, but it isn’t ideal. 😃