Bug 162388 - 2.6.11-1.35_FC3[smp] breaks iptables DNAT/MASQ
Summary: 2.6.11-1.35_FC3[smp] breaks iptables DNAT/MASQ
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: kernel
Version: 3
Hardware: i686
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Dave Jones
QA Contact: Brian Brock
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2005-07-03 22:27 UTC by Doncho Gunchev
Modified: 2015-01-04 22:20 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2005-08-04 01:29:28 UTC
Type: ---
Embargoed:



Description Doncho Gunchev 2005-07-03 22:27:23 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.8) Gecko/20050511 Firefox/1.0.4

Description of problem:
Updating the kernel from 2.6.10-1.770_FC3smp to 2.6.11-1.35_FC3smp kills transparent proxy and connection tracking.

Version-Release number of selected component (if applicable):
kernel-2.6.11-1.35_FC3s / kernel-smp-2.6.11-1.35_FC3s

How reproducible:
Always

Steps to Reproduce:
1. install both 2.6.10-1.770_FC3 and 2.6.11-1.35_FC3 kernels in FC3 (fully updated)
2. try setting up a transparent proxy
3. watch squid - it receives no data

Actual Results:  no packet hits squid

Additional info:

I only got DNAT working with --to-destination 127.0.0.1 ('nc -l' + 'nc') in rare cases (2.6.11-1.35_FC3smp). I rebooted to the old and the new kernel several times and the results were the same.
On another machine with UP kernel all masquerading stopped working - the packet comes in (SYN), goes out and when the response returns (ACK) skips the '--state RELATED,ESTABLISHED' and gets dropped. The setup is simple: in FORWARD chain all RELATED,ESTABLISHED packets and what comes from LAN and goes out (NEW) is accepted, everything else is denied (2.6.11-1.35_FC3, not sure if it was working with 2.6.10 or 2.6.9 before the update). The reverse firewall worked - drop all NEWs from the net and accept anything else.
Both machines bridge two network interfaces (the internal ones) but I had no time to try to reproduce the problem without the bridge.
Can this be related to bug # 160218?
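
As an added example (not from this bug report), the setup the description outlines expressed as iptables commands: a transparent REDIRECT of LAN web traffic to squid, masquerading on the way out, and a FORWARD chain that accepts RELATED,ESTABLISHED plus NEW from the LAN and logs what it drops, so a return packet that fails to match ESTABLISHED (the symptom reported here) shows up in the kernel log with the FWD-DROP prefix. Interface names, the LAN range and the squid port are assumptions; the script prints the ruleset for review by default and only installs it when run as root with the "apply" argument.

```shell
#!/bin/sh
# Added example, not from the bug report. All names below are assumptions.
LAN_IF="${LAN_IF:-br0}"                  # assumed: bridge of the internal NICs
WAN_IF="${WAN_IF:-eth0}"                 # assumed: external interface
LAN_NET="${LAN_NET:-192.168.1.0/24}"     # constructed LAN range
SQUID_PORT="${SQUID_PORT:-3128}"         # assumed squid listening port

# build_rules prints the ruleset, one iptables invocation per line, so it can
# be reviewed (or tested) before being applied with root privileges.
build_rules() {
    cat <<EOF
iptables -t nat -A PREROUTING -i $LAN_IF -p tcp --dport 80 -j REDIRECT --to-ports $SQUID_PORT
iptables -t nat -A POSTROUTING -o $WAN_IF -j MASQUERADE
iptables -P FORWARD DROP
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -m state --state NEW -j ACCEPT
iptables -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FWD-DROP: "
EOF
}

# count_rules returns the number of commands build_rules emits.
count_rules() { build_rules | wc -l | tr -d ' '; }

# apply_rules runs each emitted command; needs root and the netfilter modules.
# With the conntrack breakage described in this bug, returning ACKs would miss
# the ESTABLISHED rule and appear in dmesg/syslog tagged "FWD-DROP: ".
apply_rules() {
    build_rules | while IFS= read -r cmd; do
        eval "$cmd" || { echo "failed: $cmd" >&2; return 1; }
    done
}

# Usage: sh firewall.sh        -> print the ruleset for review
#        sh firewall.sh apply  -> install it (as root)
if [ "${1:-}" = "apply" ]; then apply_rules; else build_rules; fi
```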

Comment 1 Doncho Gunchev 2005-07-06 22:32:19 UTC
    I think I found the problem -
http://www.opensubscriber.com/message/bridge@lists.osdl.org/1561677.html
([Bridge] 2.6.12: iptables connection tracking broken on bridge interfaces) and
http://patchwork.netfilter.org/netfilter-devel/patch.pl?id=2649.

Comment 2 Dave Jones 2005-07-15 17:46:24 UTC
An update has been released for Fedora Core 3 (kernel-2.6.12-1.1372_FC3) which
may contain a fix for your problem.   Please update to this new kernel, and
report whether or not it fixes your problem.

If you have updated to Fedora Core 4 since this bug was opened, and the problem
still occurs with the latest updates for that release, please change the version
field of this bug to 'fc4'.

Thank you.

Comment 3 Doncho Gunchev 2005-07-21 19:44:34 UTC
2.6.12-1.1372_FC3smp seems to fix this bug, but it crashed with HT enabled on
P4, Bug # 163437 I think. I'll have to go back to 2.6.9 or go without HT :(

Comment 4 Doncho Gunchev 2005-07-21 20:20:02 UTC
PS: 2.6.10-1.770_FC3smp works with HT, bridge and DNAT. I'll try to check this
with FC4 too...

Comment 5 Dave Jones 2005-08-04 01:29:28 UTC
Update the mkinitrd package to the latest update, and then remove and reinstall
2.6.12-1.1372_FC3smp and it should work.
