netfilter-devel.vger.kernel.org archive mirror
From: Patrick McHardy <kaber@trash.net>
To: ron lai <ronlai@cs.stanford.edu>
Cc: netfilter@vger.kernel.org, netfilter-devel@vger.kernel.org,
	Bart De Schuymer <bdschuym@pandora.be>
Subject: Re: Fw: Problems with nf_nat_ftp.ko and nf_conntrack_ftp.ko in 2.6.22.6
Date: Tue, 06 Nov 2007 15:05:12 +0100
Message-ID: <47307498.70104@trash.net>
In-Reply-To: <001801c8207c$00307b70$6500a8c0@ronPc>

ron lai wrote:
> My ruleset is
> iptables -t nat -A POSTROUTING -s 172.16.119.91 -j SNAT --to-source 
> 172.16.255.123
> 
> I am using a bridge containing only one physical interface and the FTP 
> traffic goes through the bridge.


That explains it. The bridge netfilter code calls the IP POST_ROUTING
hook for outgoing packets, but the packet already went through it
during forwarding. Please try this patch, which makes the bridge
netfilter code only call the IP hook for packets that also came in
on the bridge.




[-- Attachment #2: x --]
[-- Type: text/plain, Size: 379 bytes --]

diff --git a/net/bridge/br_netfilter.c b/net/bridge/br_netfilter.c
index 3ee2022..d8e5c94 100644
--- a/net/bridge/br_netfilter.c
+++ b/net/bridge/br_netfilter.c
@@ -773,7 +773,7 @@ static unsigned int br_nf_post_routing(unsigned int hook, struct sk_buff **pskb,
 	}
 #endif
 
-	if (!nf_bridge)
+	if (!nf_bridge || !nf_bridge->physindev)
 		return NF_ACCEPT;
 
 	if (!realoutdev)
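
Review bot: The widened test at `if (!nf_bridge || !nf_bridge->physindev)` in br_nf_post_routing() changes behaviour for every packet that reaches this hook without having entered through a bridge port, not only the SNAT case reported in this thread, and nothing in the code says so. With this early `return NF_ACCEPT;`, such packets skip the bridge-invoked IP POST_ROUTING pass entirely, so any rule that relied on that second pass is no longer evaluated for them. I would add a short comment above the condition stating that a NULL physindev means the packet did not come in on the bridge and has already traversed IP POST_ROUTING during forwarding, and call out the behaviour change in the changelog. The patch as posted also has no description or Signed-off-by, which it will need before it can be applied.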
