Extra ip rule table breaking my connectivity with container

networking linux-networking

It seems like the reverse path checking issue. Please check the counter with nstat -az TcpExtIPReversePathFilter. If the counter is being incremented, then check the route to source of these packets with command

ip route get 10.0.10.5 from 10.42.1.2 iif cali02ad7e68ce1

Likely you will get the error.

The reverse path filter checks the route to the source of incoming packets and can drop the packets received on unexpected interface. The action depends on the value of sysctl variable net.ipv4.conf.<iface>.rp_filter.

The solutions:

  • Disable the rp_filter or set it into the loose mode (value 2 of net.ipv4.conf.<iface>.rp_filter) - see the sysctl documentation.
  • Set the additional route to container in the 30400 routing table.

Update:

The output of commands shows the reverse path filter doesn't drop any packets (SNMP counter is zero, route is valid). So the cause of issue is in something other. Check the firewall rules with iptables-save -c command. It shows the full rule set with hit counters. May be some rule blocks the reply packets.

Related

About Let's encrypt ACMEv1 deprecation. How to make certificate renewal work again in Ubuntu 14.04? [closed]
What is the best way to compress postgres database dump file?
kubectl error: cannot add key dashboard.yaml, another key by that name already exists
Office365 Guest Access to Shared Mailbox
Intune Autopilot replace WDS or Sccm
Configuring Squid to not log TCP connections (lots of "error:transaction-end-before-headers" showing up in logs)
ubuntu 18.04 "grub-install: error: cannot find EFI directory"
How to submission server of an email (SMTP)? [closed]
HOW TO: disable sudoer from editing /etc/sudoers file?
Raid 1 default disk capacity is lesser than the disk sizes. Any ideas? Intel Raid Storage Technology - Raid from Bios
Disk failure - unable to load operating system [closed]
Can't get file uri from intent onActivityResult