Bug 159693

Summary: ethernet bridge + netfilter failing with latest kernels
Product: Fedora
Reporter: Ian Mortimer <i.mortimer>
Component: kernel
Assignee: Dave Jones <davej>
Status: CLOSED ERRATA
QA Contact: Brian Brock <bbrock>
Severity: medium
Priority: medium
Version: 3
CC: chris.schultz, pfrields, wtogami
Hardware: i386
OS: Linux
Doc Type: Bug Fix
Last Closed: 2005-07-30 00:48:07 UTC

Description Ian Mortimer 2005-06-07 03:47:01 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.8) Gecko/20050513 Fedora/1.0.4-1.3.1 Firefox/1.0.4

Description of problem:
A working packet filtering bridge fails when the kernel is upgraded to 2.6.11-1.27_FC3.  I also tried the newer 2.6.11-1.33_FC3 with the same result.

2.6.11-1.14_FC3 is working fine.

Version-Release number of selected component (if applicable):
kernel-2.6.11-1.27_FC3, kernel-2.6.11-1.33_FC3

How reproducible:
Always

Steps to Reproduce:
1. Configure an ethernet bridge
2. Confirm the bridge is working
3. Load netfilter rules

Actual Results:  All network connections to and from the bridge fail.  Can't ping or do DNS lookups from the bridge using the bridge interface.

Expected Results:  With no changes in bridge configuration and no changes in iptables configuration
it should work as it did with earlier kernels (e.g. 2.6.11-1.14_FC3).

Additional info:

The problem is with netfilter, not with bridging.  Turn off iptables and everything works.  Install a set of iptables rules with ACCEPT as the default policy and it works.

Here's a simple set of iptables rules that demonstrates the problem:

   iptables -P INPUT DROP
   iptables -P OUTPUT DROP
   iptables -P FORWARD DROP
   iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
   iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

That should allow all outgoing traffic from the bridge and replies.  Works as expected with 2.6.11-1.14 but with 2.6.11-1.27 and 2.6.11-1.33 all outgoing network connections from the bridge fail (ping, dns, ntp for example).
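
The following is an added model of the ruleset above, not code from the bug report or from the kernel: it walks the reporter's three chains with conntrack states the way netfilter would, and adds one caveat a practitioner auditing a filtering bridge wants to see, namely that when br_netfilter hands bridged frames to iptables (bridge-nf-call-iptables=1) they hit the FORWARD chain, whose default policy here is DROP. The direction names and the `bridge_nf_call_iptables` flag are this example's own abstractions, not iptables options.

```python
# Added example (not from the bug report): a small model of the reporter's
# iptables ruleset. First matching rule wins, otherwise the chain policy.

# Transcribed from the report: default policies plus the two stateful rules.
POLICY = {"INPUT": "DROP", "OUTPUT": "DROP", "FORWARD": "DROP"}
RULES = {
    "OUTPUT": [({"NEW", "ESTABLISHED", "RELATED"}, "ACCEPT")],
    "INPUT": [({"ESTABLISHED", "RELATED"}, "ACCEPT")],
    "FORWARD": [],  # no rules at all, so the DROP policy always applies
}


def verdict(chain, state):
    """Return the target of the first rule whose state set matches,
    or the chain's default policy when nothing matches."""
    for states, target in RULES[chain]:
        if state in states:
            return target
    return POLICY[chain]


def filter_packet(direction, state, bridge_nf_call_iptables=True):
    """direction is one of:
      'out'     - packet originated by the bridge host itself (OUTPUT chain)
      'in'      - packet addressed to the bridge host (INPUT chain)
      'bridged' - frame crossing between two bridge ports
    Assumption used by this example: with bridge-nf-call-iptables=1 a bridged
    frame traverses FORWARD; with it set to 0 iptables never sees the frame."""
    if direction == "out":
        return verdict("OUTPUT", state)
    if direction == "in":
        return verdict("INPUT", state)
    if direction == "bridged":
        if not bridge_nf_call_iptables:
            return "ACCEPT"  # bridge code alone decides, no filtering
        return verdict("FORWARD", state)
    raise ValueError(f"unknown direction {direction!r}")


def audit():
    """Expected behaviour of the ruleset on the bridge host, plus the
    FORWARD-chain exposure for traffic crossing bridge segments."""
    return {
        "dns query from bridge": filter_packet("out", "NEW"),          # ACCEPT
        "dns reply to bridge": filter_packet("in", "ESTABLISHED"),     # ACCEPT
        "unsolicited inbound": filter_packet("in", "NEW"),             # DROP
        "bridged, nf-call off": filter_packet("bridged", "NEW", False),  # ACCEPT
        "bridged, nf-call on": filter_packet("bridged", "NEW", True),    # DROP
    }


if __name__ == "__main__":
    for case, result in audit().items():
        print(f"{case:24s} {result}")
```

The last two cases show why a FORWARD DROP policy on a bridge host needs explicit FORWARD rules (for example a `-m physdev` match on the bridge ports) once bridged frames are passed to iptables.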

Comment 1 Ian Mortimer 2005-06-28 00:06:05 UTC
The problem persists with kernel-2.6.11-1.35_FC3

Comment 2 Dave Jones 2005-07-15 18:25:24 UTC
An update has been released for Fedora Core 3 (kernel-2.6.12-1.1372_FC3) which
may contain a fix for your problem.   Please update to this new kernel, and
report whether or not it fixes your problem.

If you have updated to Fedora Core 4 since this bug was opened, and the problem
still occurs with the latest updates for that release, please change the version
field of this bug to 'fc4'.

Thank you.

Comment 3 Chris Schultz 2005-07-18 10:01:40 UTC
Updated to latest FC4 kernel 2.6.12-1.1398_FC4.  Some of the problems appear to
be fixed, but not all...

My firewall now works and all computers on the bridge can get out of my network.  However, boxes on different physical parts of the bridge cannot communicate.

My bridge is made up of 1 ethernet (3c59x) and 1 wireless (rt2400 - cvs) interface.  I then use ppp to connect to the internet.  I MASQ ppp0.

All of my computers (windows and linux) can communicate out through my NAT'd network.  However, when I attempt to connect to my linux pc (wired) from my laptop (wireless) I get NO traffic flow.  Everything to/from the router (FC4 box) is happy (DHCP, DNS, NAT'd traffic) but I cannot ping/ssh/http/anything my pc from my laptop or vice versa.

This all worked with the same iptables configuration under FC1 (which is what I
upgraded from).

Comment 4 Chris Schultz 2005-07-19 20:24:43 UTC
I may have been incorrect in my earlier assertion that bridging is still not
working correctly.  I have managed to get traffic to pass between the two
segments of my bridge, but I had to issue an

ifconfig ra0 0.0.0.0

after all interfaces were up (ra0 is my wireless interface) to get traffic to
pass through. It looks more likely that my wireless drivers are more dodgy under
2.6 than previously under 2.4.

Comment 5 Dave Jones 2005-07-30 00:48:07 UTC
Ok, take that up with the vendor of your out-of-kernel-tree driver.
Based on comment #3, it sounds like this issue is closed.

Thanks.


Comment 6 Ian Mortimer 2005-08-01 03:14:03 UTC
Has been working fine for me with kernel 2.6.12-1.1372_FC3.