I want to confirm that both the LXC Host and the Container see the packets going back and forth with

tcpdump -n -i eth1 "(icmp)"

There is no rp_filter:

sysctl -a | grep [.]rp_filter
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.eth0.rp_filter = 0
net.ipv4.conf.eth1.rp_filter = 0
net.ipv4.conf.eth2.rp_filter = 0
net.ipv4.conf.eth3.rp_filter = 0
net.ipv4.conf.eth4.rp_filter = 0
net.ipv4.conf.eth5.rp_filter = 0
net.ipv4.conf.eth6.rp_filter = 0
net.ipv4.conf.eth7.rp_filter = 0
net.ipv4.conf.eth8.rp_filter = 0
net.ipv4.conf.eth9.rp_filter = 0
net.ipv4.conf.lo.rp_filter = 0

But the response from the container never reaches the machine that is trying to ping the container.
Any idea what can be wrong? The fact is I did not change anything on my network.

On Wed, Nov 9, 2016 at 9:42 AM, Saint Michael <[email protected]> wrote:
> I don't know how to downgrade the kernel.
> This is Ubuntu 16.04.1 LTS (GNU/Linux 4.4.0-45-generic x86_64)
>
> I always use apt-get -y update and apt-get -y dist-upgrade
>
> On Wed, Nov 9, 2016 at 2:22 AM, Janjaap Bos <[email protected]> wrote:
>
>> Downgrade the kernel to verify your guess, as the other feedback you got
>> also points to the kernel. If that solves it, go file a kernel bug.
>>
>> 2016-11-09 7:33 GMT+01:00 Saint Michael <[email protected]>:
>>
>>> It was working fine until a week ago.
>>> I have two sites, it happened on both, so the issue is not on my router
>>> or my switch, since they are different sites and we did not upgrade
>>> anything.
>>> Ubuntu 16.04.1 LTS (GNU/Linux 4.4.0-45-generic x86_64)
>>> LXC installed from apt-get install lxc1
>>> iptables off in both hosts and containers. I protect my network at the
>>> perimeter.
>>>
>>> All my container networking is defined
>>>
>>> lxc.network.type=macvlan
>>> lxc.network.macvlan.mode=bridge
>>> lxc.network.link=eth1
>>> lxc.network.name = eth0
>>> lxc.network.flags=up
>>> lxc.network.hwaddr = XX:XX:XX:XX:XX:XX
>>> lxc.network.ipv4 = 0.0.0.0/24
>>>
>>> Now suppose I have a machine, not a container, in the same broadcast
>>> domain as the containers, same subnet.
>>> It cannot ping or ssh into a container, which is accessible from outside
>>> my network.
>>> However, from inside the container the packets come and go perfectly,
>>> when the connection is originated by the container.
>>> A container can ping that host I mentioned, but the host cannot ping
>>> back the container.
>>> It all started a few days ago.
>>> Also, from the host, this test works:
>>> arping -I eth0 (container IP address)
>>> It shows that we share the same broadcast domain.
>>>
>>> My guess is that the most recent kernel update in the LXC host is
>>> blocking the communication to the containers, but it allows connections
>>> from the containers or connections from IP addresses not on the same
>>> broadcast domain.
>>> Any idea?
>>>
>>> _______________________________________________
>>> lxc-users mailing list
>>> [email protected]
>>> http://lists.linuxcontainers.org/listinfo/lxc-users
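The rp_filter check above reads the per-interface values one by one. The kernel does not use the per-interface value alone: for source validation on an interface it takes the maximum of net.ipv4.conf.all.rp_filter and net.ipv4.conf.<iface>.rp_filter (0 = off, 1 = strict, 2 = loose), so a per-interface 0 is only conclusive when "all" is 0 as well, as it is in the output quoted above. The script below is an added example, not code from the thread or from LXC; it computes that effective value from sysctl-style output. The function names (effective_rp_filter, list_filtered) and the sample sysctl text are constructed for the example; when called without a second argument the functions read the live sysctl -a output instead.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): report the *effective*
# rp_filter mode per interface. Effective value = max(conf.all, conf.<iface>).

# Constructed sample 1: "all" is strict and eth1 is loose, so every interface
# is filtered even though eth0 and lo are individually set to 0.
SAMPLE_FILTERED='net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.eth0.rp_filter = 0
net.ipv4.conf.eth1.rp_filter = 2
net.ipv4.conf.lo.rp_filter = 0'

# Constructed sample 2: the shape of the output quoted in the thread (all zero).
SAMPLE_OFF='net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.eth0.rp_filter = 0
net.ipv4.conf.eth1.rp_filter = 0
net.ipv4.conf.lo.rp_filter = 0'

# effective_rp_filter <iface> [sysctl-output]
# Prints 0, 1 or 2: the mode the kernel actually applies on <iface>.
effective_rp_filter() {
    iface=$1
    input=${2:-$(sysctl -a 2>/dev/null)}
    printf '%s\n' "$input" | awk -v iface="$iface" '
        /^net\.ipv4\.conf\.all\.rp_filter/ { all = $NF + 0 }
        $1 == ("net.ipv4.conf." iface ".rp_filter") { dev = $NF + 0 }
        END { print (all > dev) ? all : dev }'
}

# list_filtered [sysctl-output]
# Prints "<iface> <mode>" for every interface whose effective mode is non-zero;
# prints nothing when reverse-path filtering is genuinely off everywhere.
list_filtered() {
    input=${1:-$(sysctl -a 2>/dev/null)}
    printf '%s\n' "$input" | awk '
        /^net\.ipv4\.conf\.[^.]+\.rp_filter/ {
            split($1, p, ".")          # p[4] is the interface name
            val[p[4]] = $NF + 0
        }
        END {
            all = ("all" in val) ? val["all"] : 0
            for (i in val) {
                if (i == "all" || i == "default") continue
                eff = (all > val[i]) ? all : val[i]
                if (eff != 0) print i, eff
            }
        }' | sort
}

# Stand-alone run: show both constructed samples.
echo "sample 1 (expect eth0, eth1 and lo listed):"
list_filtered "$SAMPLE_FILTERED"
echo "sample 2 (expect nothing listed):"
list_filtered "$SAMPLE_OFF"
```

Run it on a live host with no argument (list_filtered) to get the same table from the real sysctl output; an empty result means rp_filter cannot be what drops the replies, which is the conclusion the thread's all-zero output already supports.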
