Observing this issue on one of our clouds, we've found that the root cause was the VM getting an incorrect default gw from the DHCP server.
dnsmasq for some reason advertises default gw = dhcp port ip, despite what is in the dnsmasq config.
Then the ping reply goes through the dhcp namespace to the snat gateway, and then it is not snatted.
One possible way to highlight the issue would be to disable ip forwarding in the dhcp namespace.
In such a case traffic just would not go back.
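An added diagnostic (not part of the comment above, and not Neutron code): it parses a constructed dnsmasq `opts` file in the `tag:<tag>,option:router,<ip>` form that Neutron writes, compares the router option the VM actually received with the configured one, and flags the specific symptom described here, a gateway that equals the DHCP port IP. The file format, the tag name and all addresses are assumptions.

```python
import re

# Constructed sample of a Neutron-style dnsmasq 'opts' file; the
# "tag:<tag>,option:<name>,<value>" layout is assumed, not taken from the report.
SAMPLE_OPTS = """\
tag:subnet-1111,option:dns-server,10.0.0.2
tag:subnet-1111,option:router,10.0.0.1
tag:subnet-2222,option:router,10.0.1.1
"""


def configured_routers(opts_text):
    """Return {tag: router_ip} for every 'option:router' line in the opts file."""
    routers = {}
    for line in opts_text.splitlines():
        m = re.match(r"tag:([^,]+),option:router,([0-9.]+)$", line.strip())
        if m:
            routers[m.group(1)] = m.group(2)
    return routers


def diagnose(opts_text, tag, offered_router, dhcp_port_ip):
    """Compare the router the VM was offered with the router in the config.

    'offered_router' is the option 3 value seen in the DHCP OFFER/ACK (e.g.
    from a packet capture in the dhcp namespace); 'dhcp_port_ip' is the
    address of the DHCP port in that namespace.  "mismatch-dhcp-port" is the
    symptom from the report: the VM's default gateway points at the DHCP
    port, so its replies are forwarded by the dhcp namespace and never reach
    the snat gateway.
    """
    expected = configured_routers(opts_text).get(tag)
    if expected is None:
        return "no-router-configured"
    if offered_router == expected:
        return "ok"
    if offered_router == dhcp_port_ip:
        return "mismatch-dhcp-port"
    return "mismatch-other"
```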