Dropped packets with bridge + ip_conntrack module

Dropped packets with bridge + ip_conntrack module

[maurizio.gladioro]

	
Hello,

I'm using netfilter with the l7-filter patch, and a 2.6.13 kernel.

I had to create a bridge interface in order to enable the listening
interface in promiscous mode and to classify the traffic mirrored to
that (I touch eth1 to br1 interface).

So, the problem is that I'm seeing many dropped packets on the bridge,
and I cannot understand why.

If I don't add the ip_conntrack module, the whole traffic going through
the ethernet interface eth1 is passed to the bridge; but, if I add
ip_conntrack some packets don't cross the bridge interface.

Following, I show you the output of "netstat -i":
  without module ip_conntrack (before sending packets)
Kernel Interface table
Iface MTU Met RX-OK RX-ERR RX-DRP RX-OVR TX-OK TX-ERR TX-DRP TX-OVR
Flg
br1 1500 0 6576580 0 0 0 5 0 0 0
BMRU
eth1 1500 0 16105342 25606 0 25606 13 0 0 0

  after sending packets
olmo:/home/maurizio# netstat -i
Kernel Interface table
Iface MTU Met RX-OK RX-ERR RX-DRP RX-OVR TX-OK TX-ERR TX-DRP TX-OVR
Flg
br1 1500 0 8220973 0 0 0 5 0 0 0
BMPRU
eth1 1500 0 17749735 25606 0 25606 13 0 0 0
BMPRU


difference eth1 1644393
difference br1 1644393
than NO DROPPED PACKETS

with ip_conntrack (before sending packets)

Kernel Interface table
Iface MTU Met RX-OK RX-ERR RX-DRP RX-OVR TX-OK TX-ERR TX-DRP TX-OVR
Flg
br1 1500 0 4932660 0 0 0 5 0 0 0
BMPRU
eth1 1500 0 14460948 25606 0 25606 13 0 0 0
BMPRU


  with ip_conntrack (after sending packets)
olmo:/home/maurizio# netstat -i
Kernel Interface table
Iface MTU Met RX-OK RX-ERR RX-DRP RX-OVR TX-OK TX-ERR TX-DRP TX-OVR
Flg
br1 1500 0 6576579 0 0 0 5 0 0 0
BMPRU

eth1 1500 0 16105341 25606 0 25606 13 0 0 0
BMPRU


difference eth1 1644393
difference br1 1643919
than there are 474 DROPPED PACKETS

May be someone can help me?
I have read about some similar problems with Kernel 2.6.16 and
fragmented IP packets.

Thank you very much, regards,