Bug 162388 - 2.6.11-1.35_FC3[smp] breaks iptables DNAT/MASQ
Summary: 2.6.11-1.35_FC3[smp] breaks iptables DNAT/MASQ
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: kernel
Version: 3
Hardware: i686
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Dave Jones
QA Contact: Brian Brock
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2005-07-03 22:27 UTC by Doncho Gunchev
Modified: 2015-01-04 22:20 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2005-08-04 01:29:28 UTC



Description Doncho Gunchev 2005-07-03 22:27:23 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.8) Gecko/20050511 Firefox/1.0.4

Description of problem:
Updating the kernel from 2.6.10-1.770_FC3smp to 2.6.11-1.35_FC3smp kills transparent proxy and connection tracking.

Version-Release number of selected component (if applicable):
kernel-2.6.11-1.35_FC3s / kernel-smp-2.6.11-1.35_FC3s

How reproducible:
Always

Steps to Reproduce:
1. install both 2.6.10-1.770_FC3 and 2.6.11-1.35_FC3 kernels in FC3 (fully updated)
2. try setting up a transparent proxy
3. watch squid - it receives no data

Actual Results:  no packet hits squid

Additional info:

I only got DNAT working with --to-destination 127.0.0.1 ('nc -l' + 'nc') in rare cases (2.6.11-1.35_FC3smp). I rebooted to the old and the new kernel several times and the results were the same.
On another machine with a UP kernel all masquerading stopped working - the packet comes in (SYN), goes out and when the response returns (ACK) it skips the '--state RELATED,ESTABLISHED' rule and gets dropped. The setup is simple: in the FORWARD chain all RELATED,ESTABLISHED packets and what comes from the LAN and goes out (NEW) are accepted, everything else is denied (2.6.11-1.35_FC3, not sure if it was working with 2.6.10 or 2.6.9 before the update). The reverse firewall worked - drop all NEWs from the net and accept anything else.
Both machines bridge two network interfaces (the internal ones) but I had no time to try to reproduce the problem without the bridge.
Can this be related to bug # 160218?
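The FORWARD policy, masquerading and transparent-proxy redirect described in the report, written out as an iptables script. This is an added example, not the reporter's configuration; the interface names (br0 as the bridged LAN side, eth0 as the uplink), the LAN prefix and the squid port are assumptions, and IPT=echo dry-runs the rules instead of applying them.

```shell
#!/bin/sh
# Added example (not from the bug report). Assumed: br0 = bridged internal
# interface, eth0 = uplink, 192.168.0.0/24 = LAN, squid on local port 3128.
# Set IPT=echo to print the rules instead of applying them.
IPT="${IPT:-iptables}"
LAN_IF="${LAN_IF:-br0}"
WAN_IF="${WAN_IF:-eth0}"
LAN_NET="${LAN_NET:-192.168.0.0/24}"
SQUID_PORT="${SQUID_PORT:-3128}"

apply_rules() {
    # FORWARD: default deny; accept replies to tracked connections and
    # NEW connections that originate on the LAN and leave via the uplink.
    $IPT -P FORWARD DROP
    $IPT -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -m state --state NEW -j ACCEPT
    # Masquerade LAN traffic leaving through the uplink.
    $IPT -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j MASQUERADE
    # Transparent proxy: send LAN web traffic to the local squid port.
    $IPT -t nat -A PREROUTING -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 80 \
        -j REDIRECT --to-ports "$SQUID_PORT"
}

# First check when replies are dropped as "not ESTABLISHED": is the kernel
# tracking the flow at all? Returns 0 if a conntrack entry for the given
# destination address exists (reads whichever /proc table the kernel exposes).
conntrack_has() {
    for f in /proc/net/nf_conntrack /proc/net/ip_conntrack; do
        [ -r "$f" ] && grep -q "dst=$1 " "$f" && return 0
    done
    return 1
}
```

Run with IPT=echo first to review the rules, then without it as root to apply them.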

Comment 1 Doncho Gunchev 2005-07-06 22:32:19 UTC
I think I found the problem -
http://www.opensubscriber.com/message/bridge@lists.osdl.org/1561677.html
([Bridge] 2.6.12: iptables connection tracking broken on bridge interfaces) and
http://patchwork.netfilter.org/netfilter-devel/patch.pl?id=2649.

Comment 2 Dave Jones 2005-07-15 17:46:24 UTC
An update has been released for Fedora Core 3 (kernel-2.6.12-1.1372_FC3) which
may contain a fix for your problem. Please update to this new kernel, and
report whether or not it fixes your problem.

If you have updated to Fedora Core 4 since this bug was opened, and the problem
still occurs with the latest updates for that release, please change the version
field of this bug to 'fc4'.

Thank you.

Comment 3 Doncho Gunchev 2005-07-21 19:44:34 UTC
2.6.12-1.1372_FC3smp seems to fix this bug, but it crashed with HT enabled on
P4, Bug # 163437 I think. I'll have to go back to 2.6.9 or go without HT :(

Comment 4 Doncho Gunchev 2005-07-21 20:20:02 UTC
PS: 2.6.10-1.770_FC3smp works with HT, bridge and DNAT. I'll try to check this
with FC4 too...

Comment 5 Dave Jones 2005-08-04 01:29:28 UTC
Update the mkinitrd package to the latest update, and then remove and reinstall
2.6.12-1.1372_FC3smp and it should work.