On Fri, Jul 29, 2005 at 03:11:35PM +0300, Denis Vlasenko wrote: > Note that REDIRECT loads ip_conntrack, and this seem to > cause problems, see another bugzilla entry at > https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=339
REDIRECT is a for of DNAT, like you correctly state. DNAT _needs_ ip_conntrack, so that's not what is causing problems. Causing problems is probably the nf_reset() and other hacks that were put into the briding code to remove conntrack references once a packet enters the bridge (in order to make the 'fake iptables hooks' from the bridging code work). There were recently a number of fixes for this issue, which each caused new bugs. Could you please try with a current development kernel (linus' git tree, or davem's net-2.6.14 tree) and see if the problem persists? -- - Harald Welte <[EMAIL PROTECTED]> http://netfilter.org/ ============================================================================ "Fragmentation is like classful addressing -- an interesting early architectural error that shows how much experimentation was going on while IP was being designed." -- Paul Vixie
pgpT5xFPiJ24e.pgp
Description: PGP signature
