Bug 159693 - ethernet bridge + netfilter failing with latest kernels
Summary: ethernet bridge + netfilter failing with latest kernels
Alias: None
Product: Fedora
Classification: Fedora
Component: kernel
Version: 3
Hardware: i386
OS: Linux
Target Milestone: ---
Assignee: Dave Jones
QA Contact: Brian Brock
Depends On:
Reported: 2005-06-07 03:47 UTC by Ian Mortimer
Modified: 2015-01-04 22:20 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2005-07-30 00:48:07 UTC


Description Ian Mortimer 2005-06-07 03:47:01 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.8) Gecko/20050513 Fedora/1.0.4-1.3.1 Firefox/1.0.4

Description of problem:
A working packet filtering bridge fails when the kernel is upgraded to 2.6.11-1.27_FC3.  I also tried the newer 2.6.11-1.33_FC3 with the same result.

2.6.11-1.14_FC3 is working fine.

Version-Release number of selected component (if applicable):
kernel-2.6.11-1.27_FC3, kernel-2.6.11-1.33_FC3

How reproducible:

Steps to Reproduce:
1. Configure an ethernet bridge
2. Confirm the bridge is working
3. Load netfilter rules

Actual Results:  All network connections to and from the bridge fail.  Can't ping or do dns lookups from the bridge using the bridge interface.

Expected Results:  With no changes in bridge configuration and no changes in iptables configuration
it should work as it did with earlier kernels (e.g. 2.6.11-1.14_FC3).

Additional info:

The problem is with netfilter not with bridging.  Turn off iptables and everything works.  Install a set of iptables rules with ACCEPT as the default policy and it works.

Here's a simple set of iptables rules that demonstrates the problem:

   # default policies: drop anything not explicitly accepted
   iptables -P INPUT DROP
   iptables -P OUTPUT DROP
   iptables -P FORWARD DROP
   # allow the bridge host to open connections and keep them going
   iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
   # allow only replies to those connections back in
   iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

That should allow all outgoing traffic from the bridge and replies.  Works as expected with
2.6.11-1.14 but with 2.6.11-1.27 and 2.6.11-1.33 all outgoing network connections from the
bridge fail (ping, dns, ntp for example).
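
The ruleset above has a trap that is easy to miss on a filtering bridge and that matches the symptom reported later in this thread (hosts on different bridge ports unable to reach each other): when the sysctl net.bridge.bridge-nf-call-iptables is 1, frames forwarded between bridge ports are also run through the iptables FORWARD chain, so a FORWARD policy of DROP with no rule accepting bridged frames silently blackholes all bridged traffic.  The following script is an added example, not code from the bug report or the Fedora kernel.  It lints an iptables-save style dump for exactly that combination; the two dumps are constructed (the first mirrors the reporter's rules, the second adds a physdev match to accept bridged frames), and the bridge-nf sysctl value is passed in as a parameter so the check runs without a bridge-capable kernel.  It does not explain the reporter's separate failure of traffic originated by the bridge host itself, which the thread never pins down.

```shell
#!/bin/sh
# Added example (not from the bug or the Fedora kernel): check whether a
# FORWARD policy of DROP will eat bridged frames once bridge-nf hands them
# to iptables (net.bridge.bridge-nf-call-iptables = 1).

# Constructed dump mirroring the reporter's ruleset: FORWARD policy DROP and
# nothing that accepts bridged frames.
RULES_BUG='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT'

# Constructed hardened variant: bridged frames are accepted explicitly via the
# physdev match, so the DROP policy on FORWARD only applies to routed traffic.
RULES_FIXED='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A FORWARD -m physdev --physdev-is-bridged -j ACCEPT
-A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT'

# forward_policy DUMP: print the policy of the FORWARD chain in an
# iptables-save dump (the ":FORWARD <policy> [pkts:bytes]" line).
forward_policy() {
    printf '%s\n' "$1" | awk '$1 == ":FORWARD" { print $2 }'
}

# accepts_bridged DUMP: succeed if some FORWARD rule accepts bridged frames.
accepts_bridged() {
    printf '%s\n' "$1" | grep -q '^-A FORWARD .*--physdev-is-bridged.*-j ACCEPT'
}

# bridge_nf_ok DUMP BRNF: succeed (exit 0) if bridged traffic survives the
# ruleset.  BRNF is the value of net.bridge.bridge-nf-call-iptables; on a live
# box read it from /proc/sys/net/bridge/bridge-nf-call-iptables.
bridge_nf_ok() {
    dump=$1
    brnf=$2
    # bridge-nf off: iptables never sees bridged frames, nothing to check
    [ "$brnf" = 1 ] || return 0
    # a non-DROP policy lets bridged frames through by default
    [ "$(forward_policy "$dump")" = DROP ] || return 0
    # DROP policy: we need an explicit ACCEPT for bridged frames
    accepts_bridged "$dump"
}

# Stand-alone report over the two constructed dumps.
for name in RULES_BUG RULES_FIXED; do
    eval "dump=\$$name"
    if bridge_nf_ok "$dump" 1; then
        echo "$name: bridged frames pass"
    else
        echo "$name: FORWARD policy $(forward_policy "$dump") and no ACCEPT for bridged frames; bridged traffic is dropped"
    fi
done
```

Run it as a plain sh script; on a real box feed it the output of iptables-save and the value of the sysctl.  Accepting bridged frames with the physdev match in FORWARD (or setting the sysctl to 0 when you do not want iptables to see layer-2 traffic at all) keeps the DROP policy meaningful for routed traffic without turning the bridge into a black hole.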

Comment 1 Ian Mortimer 2005-06-28 00:06:05 UTC
The problem persists with kernel-2.6.11-1.35_FC3

Comment 2 Dave Jones 2005-07-15 18:25:24 UTC
An update has been released for Fedora Core 3 (kernel-2.6.12-1.1372_FC3) which
may contain a fix for your problem.   Please update to this new kernel, and
report whether or not it fixes your problem.

If you have updated to Fedora Core 4 since this bug was opened, and the problem
still occurs with the latest updates for that release, please change the version
field of this bug to 'fc4'.

Thank you.

Comment 3 Chris Schultz 2005-07-18 10:01:40 UTC
Updated to latest FC4 kernel 2.6.12-1.1398_FC4.  Some of the problems appear to
be fixed, but not all...

My firewall now works and all computers on the bridge can get out of my network.
However, boxes on different physical parts of the bridge cannot communicate.

My bridge is made up of 1 ethernet (3c59x) and 1 wireless (rt2400 - cvs)
interface.  I then use ppp to connect to the internet.  I MASQ ppp0.

All of my computers (windows and linux) can communicate out through my NAT'd
network.  However, when i attempt to connect to my linux pc (wired) from my
laptop (wireless) I get NO traffic flow.  Everything to/from the router (FC4
box) are happy (DHCP, DNS, NAT'd traffic) but I cannot ping/ssh/http/anything my
pc from my laptop or vice versa.

This all worked with the same iptables configuration under FC1 (which is what I
upgraded from).

Comment 4 Chris Schultz 2005-07-19 20:24:43 UTC
I may have been incorrect in my earlier assertion that bridging is still not
working correctly.  I have managed to get traffic to pass between the two
segments of my bridge, but I had to issue an

ifconfig ra0

after all interfaces were up (ra0 is my wireless interface) to get traffic to
pass through. It looks more likely that my wireless drivers are more dodgy under
2.6 than previously under 2.4.

Comment 5 Dave Jones 2005-07-30 00:48:07 UTC
Ok, take that up with the vendor of your out-of-kernel-tree driver.
Based on comment #3, it sounds like this issue is closed.


Comment 6 Ian Mortimer 2005-08-01 03:14:03 UTC
Has been working fine for me with kernel 2.6.12-1.1372_FC3.
