Comment 6 for bug 1814262

Rachel Greenham (rachel-strangenoises) wrote :

Reporting back on this:

The opinion there seems to be that the problem is down to the sys net.ipv4.conf.*.rp_filter values being set to 1 instead of defaulting to 0. This is done in the procps package, and I'm guessing is the way it is as a protection against IP spoofing. The kernel doc page I was pointed to says:

 Current recommended practice in RFC3704 is to enable strict mode
 to prevent IP spoofing from DDos attacks. If using asymmetric routing
 or other complicated routing, then loose mode is recommended.

 The max value from conf/{all,interface}/rp_filter is used
 when doing source validation on the {interface}.

 Default value is 0. Note that some distributions enable it
 in startup scripts.

Presumably Ubuntu enables by default (I can see it does, in a file in the procps package) and Red Hat, where it seems the NetworkManager maintainers sit, does not.

This is going to have to be argued out between procps and network-manager maintainers I guess. You can have IP spoofing protection or you can have connectivity checking. Choose one, or argue who should fix it. :-) Personally, at least for now, my solution is to remove the connectivity-check package, which was presumably brought in by something, and keep the procps defaults.
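The kernel doc quoted above says the effective reverse-path filter on an interface is the larger of conf/all/rp_filter and conf/{interface}/rp_filter, which is why a per-interface 0 does not undo the procps-wide 1. The following script is an added example, not part of this bug comment, the procps package or NetworkManager. It audits the effective mode per interface from a conf tree; the value-to-mode mapping (0 off, 1 strict, 2 loose) is the documented kernel semantics, the function names are my own, and `make_sample_tree` builds a constructed tree under a temp directory so the script runs without reading the live /proc/sys.

```shell
#!/bin/sh
# Added example: audit the effective rp_filter mode per interface.
# Kernel semantics (ip-sysctl): 0 = off, 1 = strict, 2 = loose, and the
# effective value on an interface is max(conf/all, conf/<iface>).

# Describe a numeric rp_filter value.
rp_filter_name() {
    case "$1" in
        0) echo "off" ;;
        1) echo "strict" ;;
        2) echo "loose" ;;
        *) echo "unknown($1)" ;;
    esac
}

# Effective mode = max of conf/all and conf/<iface>.
effective_rp_filter() {
    rp_all="$1"; rp_iface="$2"
    if [ "$rp_all" -gt "$rp_iface" ]; then echo "$rp_all"; else echo "$rp_iface"; fi
}

# Walk a net.ipv4.conf tree (default: the live /proc/sys one) and print one
# line per interface: "<iface> effective=<n> (<mode>)".
audit_rp_filter() {
    conf_root="${1:-/proc/sys/net/ipv4/conf}"
    conf_all=$(cat "$conf_root/all/rp_filter")
    for dir in "$conf_root"/*/; do
        iface=$(basename "$dir")
        case "$iface" in all|default) continue ;; esac
        [ -r "$dir/rp_filter" ] || continue
        own=$(cat "$dir/rp_filter")
        eff=$(effective_rp_filter "$conf_all" "$own")
        echo "$iface effective=$eff ($(rp_filter_name "$eff"))"
    done
}

# Constructed sample tree (hypothetical values) so the script can be run
# without touching the live kernel settings.
make_sample_tree() {
    sample_root=$(mktemp -d)
    for d in all default eth0 wlan0; do mkdir -p "$sample_root/$d"; done
    echo 1 > "$sample_root/all/rp_filter"      # distro-wide strict, as set by procps
    echo 1 > "$sample_root/default/rp_filter"
    echo 0 > "$sample_root/eth0/rp_filter"     # per-interface 0 is overridden by all=1
    echo 2 > "$sample_root/wlan0/rp_filter"    # loose on wlan0 wins over strict
    echo "$sample_root"
}

# Usage: audit_rp_filter                       (live system)
#        audit_rp_filter "$(make_sample_tree)" (constructed sample)
```

Run it with no argument to see the live system. Because the effective value is the maximum, the only way to relax filtering for a single interface while conf/all stays at 1 is to raise that interface to loose mode (2), which still drops packets whose source is unreachable on any interface; lowering conf/all to 0 removes the spoofing protection for every interface.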