Red Hat Bugzilla – Bug 159693
ethernet bridge + netfilter failing with latest kernels
Last modified: 2015-01-04 17:20:07 EST
Description of problem:
A working packet filtering bridge fails when the kernel is upgraded to 2.6.11-1.27_FC3. I also tried the newer 2.6.11-1.33_FC3 with the same result.
2.6.11-1.14_FC3 is working fine.
Steps to Reproduce:
1. Configure an ethernet bridge
2. Confirm the bridge is working
3. Load netfilter rules
Actual Results: All network connections to and from the bridge fail. Can't ping or do DNS lookups from the bridge using the bridge interface.
Expected Results: With no changes in bridge configuration and no changes in iptables configuration
it should work as it did with earlier kernels (e.g. 2.6.11-1.14_FC3).
The problem is with netfilter, not with bridging. Turn off iptables and everything works. Install a set of iptables rules with ACCEPT as the default policy and it works.
Here's a simple set of iptables rules that demonstrates the problem:
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
That should allow all outgoing traffic from the bridge and replies. Works as
expected with 2.6.11-1.14 but with 2.6.11-1.27 and 2.6.11-1.33 all outgoing network connections from the bridge fail (ping, dns, ntp for example).
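To check what the quoted ruleset is meant to permit independently of the kernel in use, here is an added example (not from the bug report or from Fedora) that parses those five iptables commands and walks each chain the way netfilter does: first matching rule wins, otherwise the chain policy applies. It models only the options the quoted rules use (-P, -A, -m state --state, -j); the helper names parse_ruleset, verdict and outgoing_from_bridge_allowed are this example's own.

```python
"""Simulate how the reporter's iptables ruleset treats packets.

Added example, not code from the bug report: it parses the five iptables
commands quoted above and evaluates them per chain so that the intended
behaviour ("all outgoing traffic from the bridge and replies") can be
checked without touching a live kernel. Only -P, -A with -m state
--state, and -j are modelled, which is all the quoted ruleset uses.
"""
import shlex

# The ruleset exactly as quoted in the bug report.
RULESET = """
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
"""


def parse_ruleset(text):
    """Return {chain: {"policy": str, "rules": [(states, target), ...]}}.

    states is a set of conntrack states the rule matches, or None when the
    rule has no state match (it then matches every packet).
    """
    chains = {}
    for line in text.strip().splitlines():
        argv = shlex.split(line)
        if not argv or argv[0] != "iptables":
            raise ValueError("not an iptables command: %r" % line)
        args = argv[1:]
        if args[0] == "-P":
            chain, policy = args[1], args[2]
            chains.setdefault(chain, {"policy": "ACCEPT", "rules": []})
            chains[chain]["policy"] = policy
        elif args[0] == "-A":
            chain = args[1]
            chains.setdefault(chain, {"policy": "ACCEPT", "rules": []})
            states, target, i = None, None, 2
            while i < len(args):
                if args[i] == "-m" and args[i + 1] == "state":
                    i += 2                      # loads the state match module
                elif args[i] == "--state":
                    states = set(args[i + 1].split(","))
                    i += 2
                elif args[i] == "-j":
                    target = args[i + 1]
                    i += 2
                else:
                    raise ValueError("unsupported option %r in %r" % (args[i], line))
            if target is None:
                raise ValueError("rule without a target: %r" % line)
            chains[chain]["rules"].append((states, target))
        else:
            raise ValueError("unsupported command %r" % line)
    return chains


def verdict(chains, chain, conntrack_state):
    """First matching rule decides; otherwise the chain policy applies."""
    entry = chains[chain]
    for states, target in entry["rules"]:
        if states is None or conntrack_state in states:
            return target
    return entry["policy"]


def outgoing_from_bridge_allowed(chains):
    """What the report expects from the ruleset: a new outgoing connection
    (OUTPUT, NEW) and its reply (INPUT, ESTABLISHED) are both accepted."""
    return (verdict(chains, "OUTPUT", "NEW") == "ACCEPT"
            and verdict(chains, "INPUT", "ESTABLISHED") == "ACCEPT")


if __name__ == "__main__":
    table = parse_ruleset(RULESET)
    for chain, state in [("OUTPUT", "NEW"), ("INPUT", "NEW"),
                         ("INPUT", "ESTABLISHED"), ("FORWARD", "NEW")]:
        print("%-7s %-11s -> %s" % (chain, state, verdict(table, chain, state)))
    print("outgoing + replies allowed:", outgoing_from_bridge_allowed(table))
```

Run as written, the simulation confirms the ruleset's intent: new connections leaving the host are accepted, their replies are accepted on INPUT, unsolicited inbound connections are dropped, and the FORWARD chain drops everything because it has a DROP policy and no exceptions. If a live host with this ruleset cannot open outgoing connections, the ruleset itself is not the reason, which is the point the report makes about the kernel change.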
The problem persists with kernel-2.6.11-1.35_FC3
An update has been released for Fedora Core 3 (kernel-2.6.12-1.1372_FC3) which
may contain a fix for your problem. Please update to this new kernel, and
report whether or not it fixes your problem.
If you have updated to Fedora Core 4 since this bug was opened, and the problem
still occurs with the latest updates for that release, please change the version
field of this bug to 'fc4'.
Updated to latest FC4 kernel 2.6.12-1.1398_FC4. Some of the problems appear to
be fixed, but not all...
My firewall now works and all computers on the bridge can get out of my network.
However, boxes on different physical parts of the bridge cannot communicate.
My bridge is made up of 1 ethernet (3c59x) and 1 wireless (rt2400 -
cvs) interface. I then use ppp to connect to the internet. I MASQ ppp0.
All of my computers (windows and linux) can communicate out through my NAT'd
network. However, when I attempt to connect to my linux pc (wired) from my
laptop (wireless) I get NO traffic flow. Everything to/from the router (FC4
box) is happy (DHCP, DNS, NAT'd traffic) but I cannot ping/ssh/http/anything my
pc from my laptop or vice versa.
This all worked with the same iptables configuration under FC1 (which is what I
I may have been incorrect in my earlier assertion that bridging is still not
working correctly. I have managed to get traffic to pass between the two
segments of my bridge, but I had to issue an
ifconfig ra0 0.0.0.0
after all interfaces were up (ra0 is my wireless interface) to get traffic to
pass through. It looks more likely that my wireless drivers are more dodgy under
2.6 than previously under 2.4.
Ok, take that up with the vendor of your out-of-kernel-tree driver.
Based on comment #3, it sounds like this issue is closed.
Has been working fine for me with kernel 2.6.12-1.1372_FC3.