Re: 2.6.12: connection tracking broken?

[Patrick McHardy]

Santiago Garcia Mantinan wrote:
>>I have sent this right now to the bridge list, I'm copying it here so that
>>more info is available about this bug.
> 
> 
> I have selected patches from 2.6.12 that I thought could be related to this
> issue, and I have finaly identified this patch...
> 
> http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=b31e5b1bb53b99dfd5e890aa07e943aff114ae1c
> 
> as the patch causing the problem, I have reversed it on my kernel tree and
> now the firewall is working again.
> 
> I have not really looked at what the patch does and how it does that, I have
> just identified it as the one causing the break of this connection tracking
> relating to the bridges.

The patch drops the conntrack reference when a packet leaves IP to avoid
problems with module unload because of indefinitely queued packets.
The bridge-netfilter code defers calling of some NF_IP_* hooks to the
bridge layer, when the conntrack reference is already gone, so the entry
is neither confirmed (enters the hashtable) nor available for use by
matches or targets. Reverting the patch is not a good option, I'll look
into other possiblities.

Regards
Patrick
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/