Re: iptables redirect is broken on bridged setup

From: Harald Welte
Date: Sun Jul 31 2005 - 05:58:45 EST


On Fri, Jul 29, 2005 at 03:11:35PM +0300, Denis Vlasenko wrote:

> Note that REDIRECT loads ip_conntrack, and this seem to
> cause problems, see another bugzilla entry at
> https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=339

REDIRECT is a for of DNAT, like you correctly state. DNAT _needs_
ip_conntrack, so that's not what is causing problems.

Causing problems is probably the nf_reset() and other hacks that were
put into the briding code to remove conntrack references once a packet
enters the bridge (in order to make the 'fake iptables hooks' from
the bridging code work).

There were recently a number of fixes for this issue, which each caused
new bugs.

Could you please try with a current development kernel (linus' git tree,
or davem's net-2.6.14 tree) and see if the problem persists?

--
- Harald Welte <laforge@xxxxxxxxxxxxx> http://netfilter.org/
============================================================================
"Fragmentation is like classful addressing -- an interesting early
architectural error that shows how much experimentation was going
on while IP was being designed." -- Paul Vixie

Attachment: pgp00000.pgp
Description: PGP signature