Bug 162388 - 2.6.11-1.35_FC3[smp] breaks iptables DNAT/MASQ
Product: Fedora
Classification: Fedora
Component: kernel
i686 Linux
Priority: medium  Severity: medium
Assigned To: Dave Jones
Brian Brock
Reported: 2005-07-03 18:27 EDT by Doncho N. Gunchev
Modified: 2015-01-04 17:20 EST (History)

Doc Type: Bug Fix
Last Closed: 2005-08-03 21:29:28 EDT

Description Doncho N. Gunchev 2005-07-03 18:27:23 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.8) Gecko/20050511 Firefox/1.0.4

Description of problem:
Updating the kernel from 2.6.10-1.770_FC3smp to 2.6.11-1.35_FC3smp kills transparent proxy and connection tracking.

Version-Release number of selected component (if applicable):
kernel-2.6.11-1.35_FC3s / kernel-smp-2.6.11-1.35_FC3s

How reproducible:

Steps to Reproduce:
1. install both 2.6.10-1.770_FC3 and 2.6.11-1.35_FC3 kernels in FC3 (fully updated)
2. try setting up a transparent proxy
3. watch squid - it receives no data

Actual Results:  no packet hits squid

Additional info:

    I only got DNAT working with --to-destination ('nc -l' + 'nc') in rare cases (2.6.11-1.35_FC3smp). I rebooted to the old and the new kernel several times and the results were the same.
    On another machine with UP kernel all masquerading stopped working - the packet comes in (SYN), goes out and when the response returns (ACK) skips the '--state RELATED,ESTABLISHED' and gets dropped. The setup is simple: in FORWARD chain all RELATED,ESTABLISHED packets and what comes from LAN and goes out (NEW) is accepted, everything else is denied (2.6.11-1.35_FC3, not sure if it was working with 2.6.10 or 2.6.9 before the update). The reverse firewall worked - drop all NEWs from the net and accept anything else.
    Both machines bridge two network interfaces (the internal ones) but I had no time to try to reproduce the problem without the bridge.
    Can this be related to bug # 160218?
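As an added example that is not part of the bug report: the FORWARD policy the reporter describes (accept RELATED,ESTABLISHED, accept NEW from the LAN outwards, drop the rest) with a LOG rule ahead of the final drop so that replies the kernel fails to classify as ESTABLISHED show up in the kernel log, plus a lookup over a constructed /proc/net/ip_conntrack dump to confirm whether a flow and its masqueraded reply tuple are actually tracked. Interface names, addresses and the squid address/port are assumptions.

```shell
#!/bin/sh
# Assumed gateway layout: $LAN is the bridge of the internal interfaces,
# $WAN the upstream interface, squid listens on the gateway itself.
LAN=br0
WAN=eth0
SQUID=192.168.1.1:3128

# Print the rule set rather than applying it, so it can be reviewed first
# (pipe to sh on the gateway to load it).
forward_rules() {
    cat <<EOF
iptables -P FORWARD DROP
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i $LAN -o $WAN -m state --state NEW -j ACCEPT
iptables -A FORWARD -j LOG --log-prefix "FWD-DROP: " --log-level 4
iptables -t nat -A PREROUTING -i $LAN -p tcp --dport 80 -j DNAT --to-destination $SQUID
iptables -t nat -A POSTROUTING -o $WAN -j MASQUERADE
EOF
}

# Constructed sample in the 2.6-era /proc/net/ip_conntrack format: original
# tuple (LAN host -> web server) followed by the reply tuple after
# masquerading. On a real gateway replace this with: cat /proc/net/ip_conntrack
conntrack_dump() {
    printf '%s\n' \
'tcp      6 431999 ESTABLISHED src=192.168.1.10 dst=203.0.113.5 sport=45000 dport=80 src=203.0.113.5 dst=198.51.100.2 sport=80 dport=45000 [ASSURED] use=1' \
'udp      17 29 src=192.168.1.10 dst=192.168.1.1 sport=5353 dport=53 src=192.168.1.1 dst=192.168.1.10 sport=53 dport=5353 use=1'
}

# conntrack_state SRC DST DPORT: tracked TCP state of the flow SRC opened to
# DST:DPORT, or NONE when there is no entry (then no reply can ever match
# --state ESTABLISHED and it falls through to the LOG/DROP rules above).
conntrack_state() {
    conntrack_dump | awk -v s="src=$1" -v d="dst=$2" -v p="dport=$3" '
        $1 == "tcp" && $5 == s && $6 == d && $8 == p { print $4; found = 1; exit }
        END { if (!found) print "NONE" }'
}

# reply_tracked SRC SPORT DST DPORT: does a packet arriving from the server
# (SRC:SPORT -> masqueraded address DST:DPORT) map onto a tracked flow?
reply_tracked() {
    conntrack_dump | awk -v s="src=$1" -v sp="sport=$2" -v d="dst=$3" -v dp="dport=$4" '
        $1 == "tcp" && $9 == s && $10 == d && $11 == sp && $12 == dp { print "yes"; found = 1; exit }
        END { if (!found) print "no" }'
}
```

Dropped replies then appear in the kernel log with the FWD-DROP prefix, and `reply_tracked` on the same addresses tells you whether conntrack lost the entry or never created it.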
Comment 1 Doncho N. Gunchev 2005-07-06 18:32:19 EDT
    I think I found the problem -
([Bridge] 2.6.12: iptables connection tracking broken on bridge interfaces) and
Comment 2 Dave Jones 2005-07-15 13:46:24 EDT
An update has been released for Fedora Core 3 (kernel-2.6.12-1.1372_FC3) which
may contain a fix for your problem.   Please update to this new kernel, and
report whether or not it fixes your problem.

If you have updated to Fedora Core 4 since this bug was opened, and the problem
still occurs with the latest updates for that release, please change the version
field of this bug to 'fc4'.

Thank you.
Comment 3 Doncho N. Gunchev 2005-07-21 15:44:34 EDT
2.6.12-1.1372_FC3smp seems to fix this bug, but it crashed with HT enabled on
P4, Bug # 163437 I think. I'll have to go back to 2.6.9 or go without HT :(
Comment 4 Doncho N. Gunchev 2005-07-21 16:20:02 EDT
PS: 2.6.10-1.770_FC3smp works with HT, bridge and DNAT. I'll try to check this
with FC4 too...
Comment 5 Dave Jones 2005-08-03 21:29:28 EDT
Update the mkinitrd package to the latest update, and then remove and reinstall
2.6.12-1.1372_FC3smp and it should work.
