<div dir="ltr"><div class="gmail_default" style="font-size:small">I want to confirm that both the LXC Host and the Container see the packets going back and forth with<br>tcpdump -n -i eth1 "(icmp)"<br><br></div><div class="gmail_default" style="font-size:small">There is no rp_filter<br></div><div class="gmail_default" style="font-size:small">sysctl -a | grep [.]rp_filter <br>net.ipv4.conf.all.rp_filter = 0<br>net.ipv4.conf.default.rp_filter = 0<br>net.ipv4.conf.eth0.rp_filter = 0<br>net.ipv4.conf.eth1.rp_filter = 0<br>net.ipv4.conf.eth2.rp_filter = 0<br>net.ipv4.conf.eth3.rp_filter = 0<br>net.ipv4.conf.eth4.rp_filter = 0<br>net.ipv4.conf.eth5.rp_filter = 0<br>net.ipv4.conf.eth6.rp_filter = 0<br>net.ipv4.conf.eth7.rp_filter = 0<br>net.ipv4.conf.eth8.rp_filter = 0<br>net.ipv4.conf.eth9.rp_filter = 0<br>net.ipv4.conf.lo.rp_filter = 0<br><br></div><div class="gmail_default" style="font-size:small">But the response from the container never reaches the machine that is trying to ping the container.<br><br></div><div class="gmail_default" style="font-size:small">Any idea what can be wrong?<br></div><div class="gmail_default" style="font-size:small">The fact is I did not change anything on my network.<br><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Nov 9, 2016 at 9:42 AM, Saint Michael <span dir="ltr"><<a href="mailto:venefax@gmail.com" target="_blank">venefax@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div class="gmail_default" style="font-size:small">I don't know how to downgrade the kernel.<br></div><div class="gmail_default" style="font-size:small">This is Ubuntu 16.04.1 LTS (GNU/Linux 4.4.0-45-generic x86_64)<br><br></div><div class="gmail_default"
style="font-size:small">I always use apt-get -y update and apt-get -y dist-upgrade<br><br><br><br></div></div><div class="HOEnZb"><div class="h5"><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Nov 9, 2016 at 2:22 AM, Janjaap Bos <span dir="ltr"><<a href="mailto:janjaapbos@gmail.com" target="_blank">janjaapbos@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Downgrade the kernel to verify your guess, as the other feedback you got also points to the kernel. If that solves it, go file a kernel bug.</div><div class="gmail_extra"><br><div class="gmail_quote"><div><div class="m_5917115894346307907h5">2016-11-09 7:33 GMT+01:00 Saint Michael <span dir="ltr"><<a href="mailto:venefax@gmail.com" target="_blank">venefax@gmail.com</a>></span>:<br></div></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><div class="m_5917115894346307907h5"><div dir="ltr"><div class="gmail_default" style="font-size:small">It was working fine until a week ago.<br>I have two sites, it happened on both, so the issue is not on my router or my switch, since they are different sites and we did not upgrade anything.<br>Ubuntu 16.04.1 LTS (GNU/Linux 4.4.0-45-generic x86_64)<br>LXC installed from apt-get install lxc1<br>iptables off in both hosts and containers. 
I protect my network at the perimeter.<br><br>All my container networking is defined:<br><br>lxc.network.type=macvlan<br>lxc.network.macvlan.mode=bridge<br>lxc.network.link=eth1<br>lxc.network.name = eth0<br>lxc.network.flags=up<br>lxc.network.hwaddr = XX:XX:XX:XX:XX:XX<br>lxc.network.ipv4 = 0.0.0.0/24<br><br>Now suppose I have a machine, not a container, in the same broadcast domain as the containers, same subnet.<br>It cannot ping or ssh into a container, which is accessible from outside my network.<br>However, from inside the container the packets come and go perfectly, when the connection is originated by the container.<br>A container can ping that host I mentioned, but the host cannot ping back the container.<br>It all started a few days ago.<br>Also, from the host, this test works<br>arping -I eth0 (container IP address)<br>it shows that we share the same broadcast domain.<br><br>My guess is that the most recent kernel update in the LXC host is blocking the communication to the containers, but it allows connections from the containers or connections from IP addresses not on the same broadcast domain.<br>Any idea?<br></div></div>
<br></div></div>_______________________________________________<br>
lxc-users mailing list<br>
<a href="mailto:lxc-users@lists.linuxcontainers.org" target="_blank">lxc-users@lists.linuxcontainers.org</a><br>
<a href="http://lists.linuxcontainers.org/listinfo/lxc-users" rel="noreferrer" target="_blank">http://lists.linuxcontainers.org/listinfo/lxc-users</a><br></blockquote></div><br></div>
</blockquote></div><br></div>
</div></div></blockquote></div><br></div>
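<p>Added example, not code from the thread or from the LXC project: a small POSIX shell helper that automates the two checks the thread does by hand, reporting every interface whose rp_filter is enabled from sysctl-style output and confirming that an LXC network config describes a macvlan interface in bridge mode. The sample sysctl lines and config embedded in the script are constructed; the <code>--live</code> flag and the <code>/var/lib/lxc/&lt;name&gt;/config</code> path are assumptions of this script.</p>

```shell
#!/bin/sh
# Added diagnostic helper (assumed name: rp_check.sh); not from the lxc-users
# thread. It parses sysctl rp_filter lines per interface and summarises the
# macvlan settings of an LXC container config.

# Strip leading/trailing whitespace from $1.
trim() {
    printf '%s' "$1" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//'
}

# Read "net.ipv4.conf.<iface>.rp_filter = <n>" lines on stdin and print
# "<iface> <n>" for each interface whose reverse-path filter is enabled
# (1 = strict, 2 = loose). Prints nothing when every value is 0, which is
# the state the thread reports.
rp_filter_enabled() {
    while IFS= read -r line; do
        case "$line" in
            net.ipv4.conf.*.rp_filter*) ;;
            *) continue ;;
        esac
        iface=${line#net.ipv4.conf.}
        iface=${iface%%.rp_filter*}
        value=$(trim "${line#*=}")
        if [ "$value" != "0" ]; then
            printf '%s %s\n' "$iface" "$value"
        fi
    done
    return 0
}

# Read an LXC container config on stdin and print one line
# "type=<type> mode=<mode> link=<parent>". Keys may be written as
# "key=value" or "key = value", both of which appear in the thread's config.
lxc_net_summary() {
    ntype=""; mode=""; link=""
    while IFS= read -r line; do
        case "$line" in
            ''|'#'*) continue ;;
        esac
        key=$(trim "${line%%=*}")
        value=$(trim "${line#*=}")
        case "$key" in
            lxc.network.type)         ntype=$value ;;
            lxc.network.macvlan.mode) mode=$value ;;
            lxc.network.link)         link=$value ;;
        esac
    done
    printf 'type=%s mode=%s link=%s\n' "$ntype" "$mode" "$link"
}

# Return 0 when the summary describes macvlan in bridge mode, 1 otherwise.
# Bridge mode is the one in which containers on the same parent can reach
# each other directly; in private or vepa mode that traffic must be
# hairpinned by the external switch.
is_macvlan_bridge() {
    case "$1" in
        "type=macvlan mode=bridge link="*) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample input (not real output from the hosts in the thread).
SAMPLE_SYSCTL='net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.eth1.rp_filter = 1
net.ipv4.conf.eth2.rp_filter = 2
net.ipv4.conf.lo.rp_filter = 0'
SAMPLE_CONFIG='lxc.network.type=macvlan
lxc.network.macvlan.mode=bridge
lxc.network.link=eth1
lxc.network.name = eth0
lxc.network.flags=up'

case "${1:-}" in
    --live)
        # Live run on a host (assumed path): sh rp_check.sh --live /var/lib/lxc/<name>/config
        echo "interfaces with rp_filter enabled:"
        sysctl -a 2>/dev/null | rp_filter_enabled
        summary=$(lxc_net_summary < "$2")
        echo "$summary"
        is_macvlan_bridge "$summary" || echo "warning: not macvlan bridge mode"
        ;;
    "")
        echo "sample interfaces with rp_filter enabled:"
        printf '%s\n' "$SAMPLE_SYSCTL" | rp_filter_enabled
        printf '%s\n' "$SAMPLE_CONFIG" | lxc_net_summary
        ;;
esac
```

<p>Run with no arguments to exercise the constructed samples; with <code>--live</code> and a config path it reads the real sysctl table and config on the host. A non-empty rp_filter list is worth checking first, because a strict filter silently drops replies that arrive on an interface the kernel would not have used to reach the source.</p>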