From: Patrick McHardy <kaber@trash.net>
To: "Damien Thébault" <damien.thebault@gmail.com>
Cc: linux-net@vger.kernel.org, netfilter-devel@vger.kernel.org,
"David S. Miller" <davem@davemloft.net>
Subject: Re: conntrack doesn't always work when a bridge is used
Date: Fri, 11 Jan 2008 13:57:11 +0100
Message-ID: <478767A7.9000807@trash.net>
In-Reply-To: <9a4a382a0801110453m66b42329w15c6ae3b68d37699@mail.gmail.com>
Damien Thébault wrote:
> On Jan 11, 2008 1:24 PM, Patrick McHardy <kaber@trash.net> wrote:
>
>> No, this should work properly. I just tried to reproduce it,
>> but I only get a single POSTROUTING invocation. I tried with
>> real bridged traffic, traffic routed between two different
>> bridge devices and traffic routed between a bridge device
>> and a normal ethernet device, but everything seems to work
>> correctly.
>>
>> Could you send me the commands you're using to configure
>> your setup and everything (routing, iptables, ...) that
>> could be related?
>>
>>
>
> On the router, I'm using this script:
>
> ifconfig eth0 0.0.0.0 up
> brctl addbr br0
> brctl addif br0 eth0
> ifconfig br0 192.168.1.70 up
> ifconfig br0:0 192.168.2.70 up
> iptables -t nat -A POSTROUTING -d 192.168.2.0/24 -j MASQUERADE
> iptables -t nat -A PREROUTING -d 192.168.2.250 -j DNAT --to-destination 192.168.2.50
> modprobe nf_nat_ftp
> echo 1 > /proc/sys/net/ipv4/ip_forward
>
> And for logging:
>
> modprobe ipt_LOG
> iptables -t raw -A OUTPUT -p tcp --dport 21 -j TRACE
> iptables -t raw -A OUTPUT -p tcp --sport 21 -j TRACE
> iptables -t raw -A PREROUTING -p tcp --dport 21 -j TRACE
> iptables -t raw -A PREROUTING -p tcp --sport 21 -j TRACE
>
> I only have one interface (eth0), that's why I use br0 and br0:0, so
> the Wireshark captures show each packet twice, input on br0 and output
> on br0:0 (or input on br0:0 and output on br0) when capturing on eth0.
>
> On the FTP client/server:
>
> ifconfig eth2 192.168.1.50
> ifconfig eth2:0 192.168.2.50
> ip route del 192.168.2.0/24
> ip route add 192.168.2.0/24 dev eth2 via 192.168.1.70
>
> And then I try to connect to 192.168.2.250, this will use the router
> 192.168.1.70 on eth2, will be DNATted to 192.168.2.50 and will come
> back on eth2:0 on the FTP server.
>
> Like the router captures, we have eth2 and eth2:0 together when
> capturing on eth2.
>
> This configuration will work fine, but if I run any of this on the
> router, it will not work well anymore:
>
> ifconfig br0:0 192.168.2.7 up
>
> or
>
> ifconfig br0:0 192.168.2.170 up
>
> I don't think I'm using anything else.
>
Thanks. It's the DNAT rule that's causing this, the bridge netfilter code
calls dst_output directly for bridged DNATed frames, causing these
hook invocations:
    PREROUTING
    dst_output() POSTROUTING
    FORWARD
    POSTROUTING
which is obviously broken. I'll see if I can come up with a fix for this.
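One way to confirm the doubled POSTROUTING traversal from the TRACE rules Damien is already using: group the kernel's TRACE lines per packet and flag any packet that hits nat:POSTROUTING twice. This is an added example, not code from the thread; the TRACE line layout is assumed to follow ipt_LOG's TRACE output of that era, and the log lines below are constructed to mirror the hook order described above.

```python
import re
from collections import defaultdict

# Constructed TRACE output (format assumed to follow ipt_LOG/TRACE of 2.6-era kernels).
# Packet ID 4321 follows the broken order from the thread, ID 4322 the normal one.
SAMPLE_LOG = """\
TRACE: raw:PREROUTING:policy:3 IN=br0 OUT= SRC=192.168.1.50 DST=192.168.2.250 LEN=60 ID=4321 DF PROTO=TCP SPT=40000 DPT=21 SYN
TRACE: nat:PREROUTING:rule:1 IN=br0 OUT= SRC=192.168.1.50 DST=192.168.2.250 LEN=60 ID=4321 DF PROTO=TCP SPT=40000 DPT=21 SYN
TRACE: nat:POSTROUTING:rule:1 IN= OUT=br0 SRC=192.168.1.50 DST=192.168.2.50 LEN=60 ID=4321 DF PROTO=TCP SPT=40000 DPT=21 SYN
TRACE: filter:FORWARD:policy:1 IN=br0 OUT=br0 SRC=192.168.1.50 DST=192.168.2.50 LEN=60 ID=4321 DF PROTO=TCP SPT=40000 DPT=21 SYN
TRACE: nat:POSTROUTING:rule:1 IN=br0 OUT=br0 SRC=192.168.1.50 DST=192.168.2.50 LEN=60 ID=4321 DF PROTO=TCP SPT=40000 DPT=21 SYN
TRACE: raw:PREROUTING:policy:3 IN=br0 OUT= SRC=192.168.1.50 DST=192.168.2.250 LEN=52 ID=4322 DF PROTO=TCP SPT=40000 DPT=21 ACK
TRACE: filter:FORWARD:policy:1 IN=br0 OUT=br0 SRC=192.168.1.50 DST=192.168.2.50 LEN=52 ID=4322 DF PROTO=TCP SPT=40000 DPT=21 ACK
TRACE: nat:POSTROUTING:policy:2 IN=br0 OUT=br0 SRC=192.168.1.50 DST=192.168.2.50 LEN=52 ID=4322 DF PROTO=TCP SPT=40000 DPT=21 ACK
"""

TRACE_RE = re.compile(r"TRACE: (?P<table>\w+):(?P<chain>\w+):(?P<kind>\w+):(?P<rule>\d+) (?P<rest>.*)")

def parse_trace_line(line):
    """Split one TRACE line into table/chain plus its KEY=VALUE packet fields."""
    m = TRACE_RE.search(line)
    if m is None:
        return None
    fields = dict(tok.split("=", 1) for tok in m.group("rest").split() if "=" in tok)
    return {"table": m.group("table"), "chain": m.group("chain"), **fields}

def hook_sequences(log):
    """Group lines per packet, keyed on (PROTO, IP ID): the ID survives DNAT and
    MASQUERADE, while SRC/DST do not. Returns the ordered table:chain traversals."""
    seqs = defaultdict(list)
    for line in log.splitlines():
        rec = parse_trace_line(line)
        if rec is not None:
            seqs[(rec.get("PROTO"), rec.get("ID"))].append(f"{rec['table']}:{rec['chain']}")
    return dict(seqs)

def double_postrouting(log):
    """IP IDs of packets that traversed nat:POSTROUTING more than once, the
    symptom of the direct dst_output() call described in the thread."""
    return sorted(pid for (_, pid), seq in hook_sequences(log).items()
                  if seq.count("nat:POSTROUTING") > 1)

if __name__ == "__main__":
    for key, seq in hook_sequences(SAMPLE_LOG).items():
        print(key, " -> ".join(seq))
    print("double POSTROUTING:", double_postrouting(SAMPLE_LOG))
```

Keying on the IP ID alone can collide across hosts on a busy box, so for a real trace add SRC from the first raw:PREROUTING line of each packet to the key.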