Extra ip rule table breaking my connectivity with container

It seems like a reverse path checking issue. Please check the counter with nstat -az TcpExtIPReversePathFilter. If the counter is being incremented, then check the route to the source of these packets with the command

ip route get 10.0.10.5 from 10.42.1.2 iif cali02ad7e68ce1

Likely you will get an error.

The reverse path filter checks the route to the source of incoming packets and can drop packets received on an unexpected interface. The action depends on the value of the sysctl variable net.ipv4.conf.<iface>.rp_filter.

The solutions:

  • Disable rp_filter or set it to loose mode (value 2 of net.ipv4.conf.<iface>.rp_filter); see the sysctl documentation.
  • Set an additional route to the container in the 30400 routing table.

Update:

The output of the commands shows the reverse path filter doesn't drop any packets (the SNMP counter is zero, the route is valid). So the cause of the issue is something else. Check the firewall rules with the iptables-save -c command. It shows the full rule set with hit counters. Maybe some rule blocks the reply packets.
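The checks the answer walks through (the TcpExtIPReversePathFilter counter, the effective rp_filter mode, and the hit counters in iptables-save -c) can be scripted. The following is an added example and is not part of the answer above or of any project's code: the function names (rpf_drops, rpf_effective, hit_drop_rules) are my own, and the nstat and iptables-save outputs embedded in it are constructed samples so that it runs offline. The one kernel fact it relies on is that source validation on an interface uses the larger of net.ipv4.conf.all.rp_filter and net.ipv4.conf.<iface>.rp_filter.

```shell
#!/bin/sh
# Added example, not from the original answer. Parses the output of the two
# commands the answer recommends so the counters can be checked by script.

# Constructed sample of `nstat -az TcpExtIPReversePathFilter` output.
SAMPLE_NSTAT='#kernel
TcpExtIPReversePathFilter       7                  0.0'

# Constructed sample of `iptables-save -c` output (counters are [pkts:bytes]).
SAMPLE_IPTABLES='*filter
:INPUT ACCEPT [1200:98000]
:FORWARD DROP [12:840]
:OUTPUT ACCEPT [1100:91000]
[900:70000] -A FORWARD -i cali+ -j ACCEPT
[0:0] -A FORWARD -s 10.0.10.0/24 -j REJECT --reject-with icmp-port-unreachable
[33:2640] -A FORWARD -d 10.42.1.2/32 -j DROP
COMMIT'

# Print the packet count of TcpExtIPReversePathFilter from `nstat -az` output
# read on stdin; prints 0 when the counter line is absent.
rpf_drops() {
    awk '$1 == "TcpExtIPReversePathFilter" { n = $2 } END { print n + 0 }'
}

# Effective rp_filter mode for an interface, given the values of
# net.ipv4.conf.all.rp_filter and net.ipv4.conf.<iface>.rp_filter: the kernel
# applies the larger of the two. Prints "<value> <label>".
rpf_effective() {
    all=$1; dev=$2
    mode=$(( all > dev ? all : dev ))
    case $mode in
        0) echo "0 disabled" ;;
        1) echo "1 strict" ;;
        2) echo "2 loose" ;;
        *) echo "$mode unknown" ;;
    esac
}

# From `iptables-save -c` output on stdin, print every DROP/REJECT rule and
# every DROP/REJECT chain policy whose packet counter is non-zero, one per
# line as "<pkts> <rule or policy>". Rules with zero hits are ignored, so what
# remains is the set of candidates for blocking the reply packets.
hit_drop_rules() {
    awk '
        # Chain policy line: ":CHAIN POLICY [pkts:bytes]"
        /^:/ {
            split(substr($3, 2, length($3) - 2), c, ":")
            if (($2 == "DROP" || $2 == "REJECT") && c[1] + 0 > 0)
                print c[1], "policy", substr($1, 2), $2
            next
        }
        # Rule line: "[pkts:bytes] -A CHAIN ... -j TARGET ..."
        /^\[/ {
            split(substr($1, 2, length($1) - 2), c, ":")
            pkts = c[1] + 0
            target = ""
            for (i = 2; i < NF; i++) if ($i == "-j") target = $(i + 1)
            if ((target == "DROP" || target == "REJECT") && pkts > 0) {
                rule = ""
                for (i = 2; i <= NF; i++) rule = rule (i > 2 ? " " : "") $i
                print pkts, rule
            }
        }'
}

# Run against the constructed samples. On a live host replace the printf
# pipelines with `nstat -az TcpExtIPReversePathFilter | rpf_drops` and
# `iptables-save -c | hit_drop_rules` (the latter needs root), and feed
# rpf_effective the two sysctl values for the container interface.
printf '%s\n' "$SAMPLE_NSTAT" | rpf_drops
rpf_effective 1 2
printf '%s\n' "$SAMPLE_IPTABLES" | hit_drop_rules
```

A non-zero result from rpf_drops points at the reverse path filter; a zero result with DROP or REJECT entries listed by hit_drop_rules points at the firewall, which is the situation the update above describes.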