Bart, can you please have a look at this patch and ACK/NACK it? We have a bug report in the netfilter bugzilla of broken conntrack with tunnels on top of bridge devices (#448), which should be cured by this patch. There is also another report of broken conntrack with VLAN on top of bridge devices (#400) that looks related, but probably this patch won't help.