Bug 162388 - 2.6.11-1.35_FC3[smp] breaks iptables DNAT/MASQ
Summary: 2.6.11-1.35_FC3[smp] breaks iptables DNAT/MASQ
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: kernel (Show other bugs)
(Show other bugs)
Version: 3
Hardware: i686 Linux
medium
medium
Target Milestone: ---
Assignee: Dave Jones
QA Contact: Brian Brock
URL:
Whiteboard:
Keywords:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2005-07-03 22:27 UTC by Doncho Gunchev
Modified: 2015-01-04 22:20 UTC (History)
2 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2005-08-04 01:29:28 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

Description Doncho Gunchev 2005-07-03 22:27:23 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.8) Gecko/20050511 Firefox/1.0.4

Description of problem:
Updating the kernel from 2.6.10-1.770_FC3smp to 2.6.11-1.35_FC3smp kills transperent proxy and connection tracking.

Version-Release number of selected component (if applicable):
kernel-2.6.11-1.35_FC3s / kernel-smp-2.6.11-1.35_FC3s

How reproducible:
Always

Steps to Reproduce:
1. install both 2.6.10-1.770_FC3 and 2.6.11-1.35_FC3 kernels in FC3 (fully updated)
2. try setting up a transperent proxy
3. watch squid - it receives no data

Actual Results:  no packet hits squid

Additional info:

    I only got DNAT working with --to-destination 127.0.0.1 ('nc -l' + 'nc') in rare cases (2.6.11-1.35_FC3smp). I rebooted to the old and the new kernel several times and the results were the same.
    On another machine with UP kernel all masquerading stopped working - the packet comes in (SYN), goes out and when the response returns (ACK) skips the '--state RELATED,ESTABLISHED' and gets dropped. The setup is simple: in FORWARD chain all RELATED,ESTABLISHED packets and what comes from LAN and goes out (NEW) is accepted, everything else is denied (2.6.11-1.35_FC3, not sure if it was working with 2.6.10 or 2.6.9 before the update). The reverse firewall worked - drop all NEWs from the net and accept anything else.
    Both machines bridge two network interfaces (the internal ones) but I had no time to try to reproduce the problem without the bridge.
    Can this be related to bug # 160218?

Comment 1 Doncho Gunchev 2005-07-06 22:32:19 UTC
    I think I found the problem -
http://www.opensubscriber.com/message/bridge@lists.osdl.org/1561677.html
([Bridge] 2.6.12: iptables connection tracking broken on bridge interfaces) and
http://patchwork.netfilter.org/netfilter-devel/patch.pl?id=2649.

Comment 2 Dave Jones 2005-07-15 17:46:24 UTC
An update has been released for Fedora Core 3 (kernel-2.6.12-1.1372_FC3) which
may contain a fix for your problem.   Please update to this new kernel, and
report whether or not it fixes your problem.

If you have updated to Fedora Core 4 since this bug was opened, and the problem
still occurs with the latest updates for that release, please change the version
field of this bug to 'fc4'.

Thank you.

Comment 3 Doncho Gunchev 2005-07-21 19:44:34 UTC
2.6.12-1.1372_FC3smp seems to fix this bug, but it crashed with HT enabled on
P4, Bug # 163437 I think. I'll have to go back to 2.6.9 or go without HT :(

Comment 4 Doncho Gunchev 2005-07-21 20:20:02 UTC
PS: 2.6.10-1.770_FC3smp works with HT, bridge and DNAT. I'll try to check this
with FC4 too...

Comment 5 Dave Jones 2005-08-04 01:29:28 UTC
update the mkinitrd package to the latest update, and then remove and reinstall
2.6.12-1.1372_FC3smp and it should work.



Note You need to log in before you can comment on or make changes to this bug.