[Bug 751] IPv6 bridging bug

bugzilla-daemon at bugzilla.netfilter.org
Sat Oct 1 23:38:30 CEST 2011


--- Comment #3 from David Davidson <david at commroom.net>  2011-10-01 23:38:30 ---

I have discovered something very interesting related to this problem. The
problem goes away if I install an older kernel version; for example, the
openSUSE box I mentioned has a version of 2.6.34.
So I decided to compile from an older source tree on the Gentoo box to see what
happens, for giggles. Since I knew the openSUSE box had 2.6.34, I decided to
use the Gentoo ebuild "xen-sources-2.6.34-r4.ebuild" which is provided by the
Gentoo Portage tree. Obviously, this accompanies a different set of "gentoo
xen" kernel patches than from the 2.6.38 ebuild.
It resolved the problem. Here's what I did:

1. I edited the /etc/portage/package.keywords and forced the older kernel

2. I re-emerged my xen-sources
emerge xen-sources

3. I changed directory to /usr/src/linux-2.6.34-xen-r4/
cd /usr/src/linux-2.6.34-xen-r4/

4. I copied the kernel config from the 2.6.38 setup.
cp ../linux-2.6.38-xen/.config .config

5. Built the kernel.
gmake modules_install
cp vmlinux /boot
(copy config-kernel-2.6.34-xen-r4, Module.symvers, symvers-kernel-2.6.34-xen-r4
to boot also).

6. Edited my GRUB configuration to boot the older kernel instead.

7. Reboot the box. Voilà! It worked.

The problem went away! Notice how I even used the same kernel configuration.
ip6tables and the rules in my chains now work perfectly with
/proc/sys/net/bridge/bridge-nf-call-ip6tables set to "1".

This tells me that one of the following is true:

A. There is a problem with the bridge code using IPv6 in the newer kernel (in

B. There is a problem in the netfilter/ip6tables support code in the newer
kernel (in 2.6.38-xen).

C. There is a problem with the new xen patch set (xen-patches-2.6.38-2.tar.bz2
or AKA
Perhaps something in the patch set breaks ip6tables or breaks bridging using

D. There is a new kernel module in 2.6.38-xen that breaks ip6tables, or
bridging, if it's installed or compiled in (which is what I was worried about in
the first place - this is still a possibility).

Unfortunately I am not a super code person, and so I also haven't a clue where
this bug should be directed next. I was hoping that the two different patch
sets were numbered the same, but they aren't. Perhaps I will try to analyze
this further to see which patches are included in both patch sets and deduce
which ones are new in the 2.6.38-xen patch set. This might help narrow this
down >if< the problem is in the patch sets (and not A, B, or D, which I have
mentioned above).

If anybody has some good insight on this, please let me know. Many kind thanks
again for your attention and thinking about this.
