On Mon, 2012-10-01 at 16:13 +0100, Chris Clayton wrote:

On 10/01/12 10:15, Eric Dumazet wrote:

quoted

On Mon, 2012-10-01 at 09:36 +0100, Chris Clayton wrote:

quoted

quoted

      0 ICMP messages received
      0 input ICMP message failed.
      ICMP input histogram:
      0 ICMP messages sent
      0 ICMP messages failed
      ICMP output histogram:

quoted

After:

$ netstat -s
Icmp:
      4 ICMP messages received
      4 input ICMP message failed.
      ICMP input histogram:
          echo replies: 4

So icmp replies come back and are delivered to host instead of being
forwarded.

I wonder if MASQUERADE broke...

Could you send

iptables -t -nat -nvL

$ iptables -t -nat -nvL
iptables v1.4.15: can't initialize iptables table `-nat': Table does not 
exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.

quoted

conntrack -L   # while ping is running from guest

$ conntrack -L
conntrack v1.2.2 (conntrack-tools): Operation failed: invalid parameters

Thats not expected, you described you used MASQUERADE target, so
"iptables -t nat -nvL" should display something.

Forgive me for asking, but why is the problem not down to the change 
that I identified by bisecting? The title of the patch is "ipv4: Cache 
local output routes" and, although I'm a million miles from being an 
expert here, to me it does make it look a good candidate. 
http://marc.info/?l=linux-netdev&m=134797809611847&w=2

Because I cant reproduce your problem at all, using your setup.