From: Patrick McHardy
Subject: Re: Veth problems with bridge
Date: Wed, 04 Jun 2008 15:42:11 +0200
Message-ID: <48469BB3.9040001@trash.net>
References: <4845475A.7020207@inqnet.at> <48455240.8070102@trash.net> <4845621E.6080104@inqnet.at> <48456E99.4080803@trash.net> <48469ADC.5070800@inqnet.at>
In-Reply-To: <48469ADC.5070800@inqnet.at>
Cc: linux-net@vger.kernel.org, Linux Netdev List
To: miklautz@inqnet.at

Bernhard Miklautz wrote:
> Hi Patrick,
>
> Patrick McHardy wrote:
>>>>> I also tried the whole setup without using veth; the IP directly bound
>>>>> to br0, as well as without the bridge at all. No problems with that.
>>>>> So there might be some problems with veth?
>>>> Does "echo 0 > /proc/sys/net/bridge/bridge-nf-call-iptables" fix it?
>>> On my hardware machine this seems to fix the problem :). But why does
>>> bridge-nf-call-iptables influence source NAT on another interface? -
>>> Shouldn't the source address always be translated when an output
>>> interface is set (iptables -A POSTROUTING -o eth3 -t nat -j MASQUERADE)?
>> The bridging code passes packets through IPv4 netfilter and
>> connection tracking, so when they hit your MASQUERADE rule,
>> the NAT mappings have already been set up.
>
> Remember my setup: veth0 and eth1 bridged together to br0, eth3 is the
> outgoing interface.
>
> Cases:
>
> 1) The IP address set on the bridge and no IP address on veth1 works
> fine regardless of whether bridge-nf-call-iptables is set or unset.
>
> 2) The IP set on veth1 and no IP on the bridge: the
> MASQUERADE rule is only hit when bridge-nf-call-iptables is unset.
>
> If I understood you correctly then the netfilters (nat/postrouting)
> would only be applied once in the latter case when
> bridge-nf-call-iptables is enabled.

No, they will be applied twice, but NAT mappings are only set up on
the first packet, so when the eth3 rule is hit, it's too late.

> But if veth should behave like a "regular" interface shouldn't the
> netfilter rules be applied twice? - First when the packets enter the
> bridge on eth0 and leave it on veth0, and secondly when they enter veth1
> and leave it at the final outgoing interface.

They are (see above). But NAT is a special case and would need
namespace-aware connection tracking and both veths living in different
namespaces for the scenario you describe (or disabled IPv4 netfilter
for bridging).
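The following is an added toy model of the behaviour Patrick describes, not code from the thread or from the kernel: a NAT decision is bound to the conntrack entry by whichever POSTROUTING traversal sees the first packet, so in case 2 with bridge-nf-call-iptables=1 the bridged hop (out-if veth0) decides "no NAT" before the routed hop on eth3 ever consults the MASQUERADE rule. Interface names follow the thread; the addresses are constructed placeholders.

```python
# Constructed simulation of the netfilter/NAT ordering discussed above.
# It is not kernel code; it only reproduces the one-decision-per-flow rule.

MASQUERADE_OUT_IF = "eth3"   # iptables -A POSTROUTING -o eth3 -t nat -j MASQUERADE
ETH3_ADDR = "198.51.100.1"   # constructed placeholder address on eth3


def nat_postrouting(conntrack, pkt, out_if):
    """One IPv4 POSTROUTING traversal.

    The nat table is consulted only while the conntrack entry has no NAT
    decision; afterwards the stored decision (possibly 'no NAT') is reused
    for every later traversal of the same flow."""
    key = (pkt["src"], pkt["dst"])
    entry = conntrack.setdefault(key, {"nat_decided": False, "snat_to": None})
    if not entry["nat_decided"]:
        entry["nat_decided"] = True
        if out_if == MASQUERADE_OUT_IF:
            entry["snat_to"] = ETH3_ADDR
    if entry["snat_to"]:
        pkt["src"] = entry["snat_to"]
    return pkt


def forward(src_ip, bridge_forwarded, bridge_nf_call_iptables):
    """Walk the first packet of a flow from eth1 to eth3 and return its
    source address as seen on eth3.

    bridge_forwarded=True  -> case 2: eth1 -> br0 -> veth0 | veth1 -> route -> eth3
    bridge_forwarded=False -> case 1: IP on br0, frame goes straight up the IP stack
    """
    conntrack = {}
    pkt = {"src": src_ip, "dst": "203.0.113.9"}  # constructed destination
    if bridge_forwarded and bridge_nf_call_iptables:
        # br_netfilter runs IPv4 POSTROUTING for the bridged hop; the
        # out-interface there is veth0, so the -o eth3 rule does not match
        # and the flow is bound to 'no NAT'.
        pkt = nat_postrouting(conntrack, pkt, "veth0")
    # The routed hop to eth3 always traverses POSTROUTING.
    pkt = nat_postrouting(conntrack, pkt, "eth3")
    return pkt["src"]


if __name__ == "__main__":
    for bridged in (False, True):
        for call_ipt in (0, 1):
            print(f"case {2 if bridged else 1}, bridge-nf-call-iptables={call_ipt}:",
                  forward("10.0.0.5", bridged, call_ipt))
```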