Re: conntrack doesn't always work when a bridge is used
From: Damien Thébault
Date: Thu Dec 20 2007 - 08:21:10 EST

On Dec 20, 2007 12:25 PM, Patrick McHardy <kaber@xxxxxxxxx> wrote:
>
> Thanks. Could you also post a tcpdump and enable conntrack logging
> by doing "echo 255 >/proc/sys/net/netfilter/nf_conntrack_log_invalid"
> and post the output of that, if any (you also need to load ipt_LOG
> in case you're not using some other logging backend).
>

I captured three times. The first time ("bad1" files), the reply is
coming back, but the ftp client doesn't seem to handle it. The second
time ("bad2" files), there is a problem with sequence numbers. And
then the last time ("good" files), it's ok.

I had sequence number errors without the previous bridge patch which
get merged in net-2.6. So I'll try again with the net-2.6 kernel.

--
Damien Thebault

Attachment: capture_ftp_bad1_router.pcap (application/cap)
Attachment: capture_ftp_bad2_router.pcap (application/cap)
Attachment: capture_ftp_good_router.pcap (application/cap)
Attachment: capture_ftp_bad1.pcap (application/cap)
Attachment: capture_ftp_bad2.pcap (application/cap)
Attachment: capture_ftp_good.pcap (application/cap)