2.6.12: connection tracking broken?
kaber at trash.net
Sun Jun 19 15:05:31 CEST 2005
Santiago Garcia Mantinan wrote:
>>I have sent this right now to the bridge list, I'm copying it here so that
>>more info is available about this bug.
> I have selected patches from 2.6.12 that I thought could be related to this
> issue, and I have finally identified this patch...
> as the patch causing the problem, I have reversed it on my kernel tree and
> now the firewall is working again.
> I have not really looked at what the patch does and how it does that, I have
> just identified it as the one causing the break of this connection tracking
> relating to the bridges.
The patch drops the conntrack reference when a packet leaves IP to avoid
problems with module unload because of indefinitely queued packets.
The bridge-netfilter code defers calling of some NF_IP_* hooks to the
bridge layer, when the conntrack reference is already gone, so the entry
is neither confirmed (enters the hashtable) nor available for use by
matches or targets. Reverting the patch is not a good option, I'll look
into other possibilities.