I ran into this today, not associated with LXD. The above is helpful, but there’s one more key detail. From sysctl.d(5):
The settings configured with sysctl.d files will be applied early on boot. The network interface-specific options will also be applied individually for each network interface as it shows up in the system. (More specifically, net.ipv4.conf.*, net.ipv6.conf.*, net.ipv4.neigh.* and net.ipv6.neigh.*).
So the globbed sysctls you found are applied /individually/ when e.g. eth0 was added. That will override the .defaults that you set.
I’ve filed Bug #2065439 “default globbed sysctls override linux defaults” : Bugs : systemd package : Ubuntu suggesting that systemd not ship network sysctls with globs.
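Added example, not part of the original post: a shell function that lists sysctl.d assignments whose key is a glob under the four interface-specific trees named in the man page excerpt, since those are the entries applied per interface and able to override a `.default` value. The function name and output format are this example's own, and it assumes the standard sysctl.d directories when none are passed.

```shell
#!/bin/sh
# List globbed sysctl.d assignments under net.ipv4/ipv6 conf and neigh.
# Per sysctl.d(5), these are applied to each interface as it shows up,
# so they take effect after (and over) a net.*.conf.default.* value.
# find_globbed_net_sysctls is a hypothetical helper name for this example.
find_globbed_net_sysctls() {
    # Arguments: directories to scan (assumed defaults: standard sysctl.d paths).
    [ "$#" -gt 0 ] || set -- /etc/sysctl.d /run/sysctl.d /usr/lib/sysctl.d
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        for f in "$dir"/*.conf; do
            [ -f "$f" ] || continue
            awk -v file="$f" '
                /^[ \t]*([#;]|$)/ { next }           # comments and blank lines
                {
                    line = $0
                    sub(/^[ \t]*-?/, "", line)       # drop indent and "-" prefix
                    if (index(line, "=") == 0) next  # "-key" glob exclusions have no value
                    key = line; sub(/[ \t]*=.*/, "", key)
                    val = line; sub(/^[^=]*=[ \t]*/, "", val)
                    gsub(/\//, ".", key)             # normalise net/ipv4/conf/... form
                    if (key !~ /^net\.ipv[46]\.(conf|neigh)\./) next
                    if (index(key, "*") || index(key, "?") || index(key, "["))
                        printf "%s: %s = %s\n", file, key, val
                }' "$f"
        done
    done
}
```

Run it with no arguments to scan the standard directories, or pass a directory to check a package's shipped files before installing them.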