Bug 162388

Summary: 2.6.11-1.35_FC3[smp] breaks iptables DNAT/MASQ
Product: Fedora
Component: kernel
Version: 3
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Hardware: i686
OS: Linux
Reporter: Doncho Gunchev <dgunchev>
Assignee: Dave Jones <davej>
QA Contact: Brian Brock <bbrock>
CC: pfrields, wtogami
Doc Type: Bug Fix
Last Closed: 2005-08-04 01:29:28 UTC

Description Doncho Gunchev 2005-07-03 22:27:23 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.8) Gecko/20050511 Firefox/1.0.4

Description of problem:
Updating the kernel from 2.6.10-1.770_FC3smp to 2.6.11-1.35_FC3smp kills the transparent proxy and connection tracking.

Version-Release number of selected component (if applicable):
kernel-2.6.11-1.35_FC3s / kernel-smp-2.6.11-1.35_FC3s

How reproducible:
Always

Steps to Reproduce:
1. install both 2.6.10-1.770_FC3 and 2.6.11-1.35_FC3 kernels in FC3 (fully updated)
2. try setting up a transparent proxy
3. watch squid - it receives no data

Actual Results:  no packet hits squid

Additional info:

    I only got DNAT working with --to-destination 127.0.0.1 ('nc -l' + 'nc') in rare cases (2.6.11-1.35_FC3smp). I rebooted to the old and the new kernel several times and the results were the same.
    On another machine with UP kernel all masquerading stopped working - the packet comes in (SYN), goes out and when the response returns (ACK) skips the '--state RELATED,ESTABLISHED' and gets dropped. The setup is simple: in FORWARD chain all RELATED,ESTABLISHED packets and what comes from LAN and goes out (NEW) is accepted, everything else is denied (2.6.11-1.35_FC3, not sure if it was working with 2.6.10 or 2.6.9 before the update). The reverse firewall worked - drop all NEWs from the net and accept anything else.
    Both machines bridge two network interfaces (the internal ones) but I had no time to try to reproduce the problem without the bridge.
    Can this be related to bug # 160218?
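The FORWARD policy and transparent-proxy setup the report describes, written out as an explicit rule set so the state matching can be read off directly. This is an added example, not the reporter's configuration or anything from the Fedora kernel package; the interface names (`br0` for the bridged internal side, `eth0` upstream), the LAN prefix and the squid port are constructed placeholders, and the `diagnose` helper assumes the `bridge-nf-call-iptables` sysctl and the `/proc/net/*conntrack` tables exist on the kernel in use.

```shell
#!/bin/sh
# Added example (not from the bug report): the stateful FORWARD policy, the
# masquerade and the transparent-proxy redirect described above.
# Interface names, LAN prefix and proxy port are constructed placeholders.
LAN_IF="${LAN_IF:-br0}"              # bridged internal interfaces (assumed name)
WAN_IF="${WAN_IF:-eth0}"             # upstream interface (assumed name)
LAN_NET="${LAN_NET:-192.168.1.0/24}" # constructed LAN prefix
PROXY_PORT="${PROXY_PORT:-3128}"     # squid's default listening port

# Emit the rules instead of applying them, so they can be reviewed on any host;
# run `sh ruleset.sh apply` as root to load them.
build_rules() {
    cat <<EOF
iptables -P FORWARD DROP
iptables -F FORWARD
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -m state --state NEW -j ACCEPT
iptables -t nat -A POSTROUTING -o $WAN_IF -j MASQUERADE
iptables -t nat -A PREROUTING -i $LAN_IF -p tcp --dport 80 -j REDIRECT --to-ports $PROXY_PORT
EOF
}

# The conntrack rule must come before the NEW rule: replies from the net are
# only ever accepted by state, never by address, so a broken conntrack (the
# symptom in this report) shows up as dropped ACKs rather than an open hole.
rule_order_ok() {
    est=$(build_rules | grep -n 'RELATED,ESTABLISHED' | cut -d: -f1)
    new=$(build_rules | grep -n -- '--state NEW' | cut -d: -f1)
    [ -n "$est" ] && [ -n "$new" ] && [ "$est" -lt "$new" ]
}

# First checks when forwarding only breaks with a bridge present: is bridged
# traffic handed to iptables at all, and does conntrack see the flow?
diagnose() {
    echo "bridge-nf-call-iptables: $(cat /proc/sys/net/bridge/bridge-nf-call-iptables 2>/dev/null || echo 'n/a')"
    echo "--- conntrack entries for web flows ---"
    grep 'dport=80 ' /proc/net/nf_conntrack /proc/net/ip_conntrack 2>/dev/null || echo "(none visible)"
    echo "--- FORWARD counters: the RELATED,ESTABLISHED rule should count replies ---"
    iptables -L FORWARD -v -n 2>/dev/null || echo "(iptables not available or not root)"
}

case "${1:-}" in
    apply)    build_rules | sh ;;
    diagnose) diagnose ;;
    *)        build_rules ;;
esac
```

With no argument the script prints the rules; `apply` loads them and `diagnose` prints the bridge sysctl, the conntrack entries for port 80 flows and the FORWARD counters, which is enough to tell whether a SYN went out but its ACK never matched ESTABLISHED.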

Comment 1 Doncho Gunchev 2005-07-06 22:32:19 UTC
    I think I found the problem -
http://www.opensubscriber.com/message/bridge@lists.osdl.org/1561677.html
([Bridge] 2.6.12: iptables connection tracking broken on bridge interfaces) and
http://patchwork.netfilter.org/netfilter-devel/patch.pl?id=2649.

Comment 2 Dave Jones 2005-07-15 17:46:24 UTC
An update has been released for Fedora Core 3 (kernel-2.6.12-1.1372_FC3) which
may contain a fix for your problem.   Please update to this new kernel, and
report whether or not it fixes your problem.

If you have updated to Fedora Core 4 since this bug was opened, and the problem
still occurs with the latest updates for that release, please change the version
field of this bug to 'fc4'.

Thank you.

Comment 3 Doncho Gunchev 2005-07-21 19:44:34 UTC
2.6.12-1.1372_FC3smp seems to fix this bug, but it crashed with HT enabled on
P4, Bug # 163437 I think. I'll have to go back to 2.6.9 or go without HT :(

Comment 4 Doncho Gunchev 2005-07-21 20:20:02 UTC
PS: 2.6.10-1.770_FC3smp works with HT, bridge and DNAT. I'll try to check this
with FC4 too...

Comment 5 Dave Jones 2005-08-04 01:29:28 UTC
Update the mkinitrd package to the latest update, and then remove and reinstall
2.6.12-1.1372_FC3smp and it should work.