From: Bernhard Miklautz <miklautz@inqnet.at>
To: Patrick McHardy <kaber@trash.net>
Cc: linux-net@vger.kernel.org, Linux Netdev List <netdev@vger.kernel.org>
Subject: Re: Veth problems with bridge
Date: Wed, 04 Jun 2008 15:38:36 +0200
Message-ID: <48469ADC.5070800@inqnet.at>
In-Reply-To: <48456E99.4080803@trash.net>
Hi Patrick,
Patrick McHardy wrote:
>>>> I also tried the whole setup without using veth; the IP directly bound
>>>> to br0, as well as without the bridge at all. No problems with that.
>>>> So there might be some problems with veth?
>>> Does "echo 0 > /proc/sys/net/bridge/bridge-nf-call-iptables" fix it?
>>
>> On my hardware machine this seems to fix the problem :). But why does
>> bridge-nf-call-iptables influence source NAT on another interface? -
>> Shouldn't the source address always be translated when an output
>> interface is set (iptables -A POSTROUTING -o eth3 -t nat -j MASQUERADE)?
> The bridging code passes packets through IPv4 netfilter and
> connection tracking, so when they hit your MASQUERADE rule,
> the NAT mappings have already been set up.
Remember my setup: veth0 and eth1 bridged together to br0; eth3 is the
outgoing interface.
Cases:
1) The IP address set on the bridge and no IP address on veth1 works
fine regardless of whether bridge-nf-call-iptables is set or unset.
2) With the IP set on veth1 and no IP on the bridge, the
MASQUERADE rule is only hit when bridge-nf-call-iptables is unset.
If I understood you correctly, then the netfilter rules (nat/POSTROUTING)
would only be applied once in the latter case when
bridge-nf-call-iptables is enabled.
But if veth should behave like a "regular" interface, shouldn't the
netfilter rules be applied twice? - First when the packets enter the
bridge on eth0 and leave it on veth0, and secondly when they enter veth1
and leave it at the final outgoing interface.
Any hint would be appreciated,
best regards,
Bernhard