Re: iptables redirect is broken on bridged setup
From: Harald Welte
Date: Sun Jul 31 2005 - 05:58:45 EST
On Fri, Jul 29, 2005 at 03:11:35PM +0300, Denis Vlasenko wrote:
> Note that REDIRECT loads ip_conntrack, and this seems to
> cause problems, see another bugzilla entry at
> https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=339
REDIRECT is a form of DNAT, like you correctly state. DNAT _needs_
ip_conntrack, so that's not what is causing problems.
Causing problems is probably the nf_reset() and other hacks that were
put into the bridging code to remove conntrack references once a packet
enters the bridge (in order to make the 'fake iptables hooks' from
the bridging code work).
There were recently a number of fixes for this issue, which each caused
new bugs.
Could you please try with a current development kernel (Linus' git tree,
or davem's net-2.6.14 tree) and see if the problem persists?
--
- Harald Welte <laforge@xxxxxxxxxxxxx> http://netfilter.org/
============================================================================
"Fragmentation is like classful addressing -- an interesting early
architectural error that shows how much experimentation was going
on while IP was being designed." -- Paul Vixie