From a recent netfilter mailing list message:
Logging from network namespaces other than init has been disabled since kernel 3.10 in order to prevent host kernel log flooding from inside a container.
If you have kernel >= 4.11 or one with commit 2851940ffee3 ("netfilter: allow logging from non-init namespaces") backported, you can enable netfilter logging from other network namespaces by
    echo 1 >/proc/sys/net/netfilter/nf_log_all_netns

(the command must be issued from init_net).
Logging via NFLOG target and ulogd2 should work even without the sysctl mentioned above, IIRC.
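
A read-only preflight check for the conditions the message describes, added here as an example and not part of the quoted message. The function names and the "missing" state are assumptions of this sketch: the state is inferred from whether the sysctl file is present and from the kernel release string.

```sh
#!/bin/sh
# Added example (constructed): preflight check before enabling nf_log_all_netns.
SYSCTL=/proc/sys/net/netfilter/nf_log_all_netns

# Succeeds if kernel release $1 (e.g. "5.10.0-28-amd64") is >= $2.$3.
kernel_at_least() {
    rel=${1%%[!0-9.]*}                  # strip suffixes like "-28-amd64"
    case $rel in [0-9]*.[0-9]*) ;; *) return 2 ;; esac
    major=${rel%%.*}; rest=${rel#*.}; minor=${rest%%.*}
    [ "$major" -gt "$2" ] || { [ "$major" -eq "$2" ] && [ "$minor" -ge "$3" ]; }
}

# Succeeds if the two namespace links ($1, $2) point at the same netns.
# Reading /proc/1/ns/net normally requires root.
same_netns() {
    a=$(readlink "$1") && b=$(readlink "$2") && [ -n "$a" ] && [ "$a" = "$b" ]
}

# Prints enabled | disabled | missing | unsupported for release $1, file $2.
nf_log_netns_state() {
    file=${2:-$SYSCTL}
    if [ -r "$file" ]; then             # present: >= 4.11 or commit backported
        if [ "$(cat "$file")" = 1 ]; then echo enabled; else echo disabled; fi
    elif kernel_at_least "$1" 4 11; then
        echo missing                    # assumption: not in init_net, or no sysctl support
    else
        echo unsupported                # older kernel without the backport
    fi
}

# Report for the running system; changes nothing.
report() {
    echo "kernel $(uname -r): nf_log_all_netns is $(nf_log_netns_state "$(uname -r)")"
    if same_netns /proc/self/ns/net /proc/1/ns/net 2>/dev/null; then
        echo "running in init_net: the sysctl can be set from here"
    else
        echo "not in init_net (or not permitted to compare namespaces)"
    fi
}
report
```

An "enabled" result means any network namespace on the host can write to the host kernel log, which is the flooding exposure the default was meant to prevent.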