Begin forwarded message:
Date: Sat, 1 Apr 2006 16:30:11 +0200
From: Thomas Zeitlhofer <[EMAIL PROTECTED]>
To: linux-kernel@vger.kernel.org
Subject: bridge+netfilter broken for IP fragments in 2.6.16?
Hello,
I have set up a bridge with two ports:
# brctl show br0
bridge name bridge id STP enabled interfaces
br0 8000.000021f23d58 no eth1
tap1
Using 2.6.16/.1 non fragmented IP packets are passing the bridge without
problems, but fragmented IP packets do not show up on the outgoing
interface. E.g., for fragmented traffic coming in from tap1 and going
out via eth1 tcpdump shows:
1) on tap1: fragmented packets
2) on br0: the defragmented packet (connection tracking)
3) on eth1: no packet!?
This breaks IPsec connections for example.
Doing the same on 2.6.15.x shows:
1) on tap1: fragmented packets
2) on br0: the defragmented packet (connection tracking)
3) on eth1: fragmented packets
and IPsec connections are ok.
If I disable netfilter for bridged traffic in 2.6.16/.1
# echo 0 > /proc/sys/net/bridge/bridge-nf-call-iptables
then the fragmented traffic passes the bridge without problems.
Is this a known issue?
--
Thomas
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
-
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at http://vger.kernel.org/majordomo-info.html
