Re: 2.6.12: connection tracking broken?

From: Patrick McHardy (kaber_at_trash.net)
Date: 06/27/05

  • Next message: Jakob Oestergaard: "Re: dm-mirror/kmirrord oops" 
    Date:	Mon, 27 Jun 2005 13:46:46 +0200
To: Harald Welte <laforge@netfilter.org>

    Harald Welte wrote:
    > I have to agree with Bart. I don't know any bridging-packetfilter setup
    > that doesn't use ipt_physdev in FORWARD :(

    It shouldn't be a problem to MARK in ebtables and use the marks instead.
    So far I think we can only remove the support for locally generated
    packets, but the way bridge-netfilter and ip-netfilter interact causes
    some more problems and inconsistencies which I would like to look into
    first. One thing I've noticed is that NF_IP_LOCAL_OUT, NF_IP_FORWARD and
    NF_IP_POST_ROUTING get called for every clone when packets are delivered
    to multiple ports, which causes unexpected results with REJECT (many
    packets sent in response to a single one) and probably others. This
    could be avoided by only passing packets to the NF_IP_* hooks once, but
    that would make the physdev match useless.

    Another problem is defragmentation, we've added the user argument to
    ip_defrag to avoid packets from jumping through the stack between
    different callers. With bridge-netfilter defragmentation in
    NF_IP_PRE_ROUTING can be reached from both the IP layer and the bridge
    layer, so packets can still jump (see netfilter bugzilla #339).

    I expect there are more problems, I hope I can find some time to look
    into it this week.

    Regards
    Patrick
    -
    To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
    the body of a message to majordomo@vger.kernel.org
    More majordomo info at http://vger.kernel.org/majordomo-info.html
    Please read the FAQ at http://www.tux.org/lkml/

  • Next message: Jakob Oestergaard: "Re: dm-mirror/kmirrord oops"

    Relevant Pages