Heh, well I did some spelunking and I think I've figured it out... What was really throwing me was that the only visible route to the MDS was via ens4 on _both_ Jammy and Noble (I couldn't find a route via ens5 to the MDS on either release, and I really looked xD). But on Jammy `curl --interface ens5 http://169.254.169.254` still succeeded (and of course on Noble the same call failed). So I kept digging and tried to contact the MDS a few different ways:

````
# ens4/primary NIC by name
curl -m 2 -v http://169.254.169.254/ --interface ens4
# 200 OK (as expected)

# ens5/secondary NIC by name
curl -m 2 -v http://169.254.169.254/ --interface ens5
# also 200 OK (but unwanted)

# ens5/secondary NIC by IP
curl -m 2 -v http://169.254.169.254/ --interface 10.1.2.8
# connection timed out (surprising, but wanted!)
````

so from Google's perspective (as they were using the interface names, not their IPs) it still looks like the MDS is reachable over ens5 on Jammy.

Around here I got a brainwave from a past life and thought I'd check the `rp_filter`s xD

Vanilla Jammy -> net.ipv4.conf.{ens4,ens5}.rp_filter = 2
Vanilla Noble -> net.ipv4.conf.{ens4,ens5}.rp_filter = 1

...so I changed Jammy to use `rp_filter=1` on both interfaces, and voila, Jammy's behaviour now matches Noble! (i.e. `curl --interface ens5` now times out)

To kind of close this all off and take the scrutiny off of `systemd` and `netplan`:

* There is no route to metadata via ens5 on either Jammy or Noble (which is good and what is expected)
* The only difference between the releases here is the `rp_filter` strictness, affecting whether asymmetric flows are allowed

I guess my open question now is whether this `rp_filter` change between Jammy and Noble is/was intentional, and whether stricter `rp_filter`s are best practice for multi-NIC setups... but I can go ask people :)

Thanks for humouring me everyone!

--
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2131966

Title:
  Netplan on Jammy doesn't prevent metadata/DNS routing on a secondary NIC despite any DHCP overrides given

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/netplan.io/+bug/2131966/+subscriptions

--
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
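An added example, not part of the bug report above: a small POSIX shell audit of the `rp_filter` values the post describes. It parses `sysctl net.ipv4.conf` style output (the sample lines below are constructed to mirror the Jammy values reported in the post, and a second constructed sample shows a mixed case), lists interfaces still in loose mode (2), and computes the value the kernel actually applies. The caveat it captures is the one a practitioner is most likely to trip over: the kernel uses the maximum of `conf/all/rp_filter` and `conf/<iface>/rp_filter`, so setting only `net.ipv4.conf.ens5.rp_filter=1` while `all` stays at 2 leaves ens5 effectively loose.

```shell
#!/bin/sh
# Added example, not from the bug report: audit per-interface rp_filter.
# Input format is the output of:  sysctl net.ipv4.conf
# i.e. lines like "net.ipv4.conf.ens4.rp_filter = 2".

# Constructed sample mirroring the vanilla Jammy values quoted in the post.
SAMPLE_JAMMY='net.ipv4.conf.all.rp_filter = 2
net.ipv4.conf.default.rp_filter = 2
net.ipv4.conf.ens4.rp_filter = 2
net.ipv4.conf.ens5.rp_filter = 2
net.ipv4.conf.lo.rp_filter = 0'

# Constructed sample of the trap case: the per-interface value was set to 1
# (strict) but "all" was left at 2 (loose), so ens5 is still effectively loose.
SAMPLE_MIXED='net.ipv4.conf.all.rp_filter = 2
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.ens4.rp_filter = 1
net.ipv4.conf.ens5.rp_filter = 1
net.ipv4.conf.lo.rp_filter = 0'

# loose_ifaces: read sysctl lines on stdin, print each real interface whose
# own rp_filter is 2 (loose), one per line. "all"/"default" are skipped since
# they are not interfaces.
loose_ifaces() {
  awk -F'[. =]+' '
    $5 == "rp_filter" && $6 == 2 && $4 != "all" && $4 != "default" { print $4 }'
}

# effective_rp_filter IFACE: read sysctl lines on stdin and print the value
# the kernel applies to IFACE, which is max(conf.all, conf.IFACE) per
# Documentation/networking/ip-sysctl.rst.
effective_rp_filter() {
  awk -F'[. =]+' -v ifc="$1" '
    $5 == "rp_filter" && $4 == "all" { a = $6 + 0 }
    $5 == "rp_filter" && $4 == ifc   { i = $6 + 0 }
    END { m = (a > i) ? a : i; print m }'
}

# Usage on a live host (commands not run here):
#   sysctl net.ipv4.conf | loose_ifaces
#   sysctl net.ipv4.conf | effective_rp_filter ens5
# To actually make ens5 strict you need both the interface and "all" at 1,
# e.g. in /etc/sysctl.d/99-rp-filter.conf:
#   net.ipv4.conf.all.rp_filter = 1
#   net.ipv4.conf.ens5.rp_filter = 1
# followed by `sysctl --system`.
```

Run against the constructed Jammy sample, `loose_ifaces` reports ens4 and ens5; run against the mixed sample, `effective_rp_filter ens5` still reports 2 even though the interface's own value is 1, which is why a per-interface sysctl alone does not reproduce the Noble behaviour the post describes.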
