Description of problem: In a gateway configuration, iptables rules that properly kept state with the previous 3.2.10 kernel (and all previous kernels for that matter), no longer work. The outgoing connection occurs, but the return ACK SYN is blocked by the firewall.


Version-Release number of selected component (if applicable): 3.3.0-4


How reproducible: Always


Steps to Reproduce:
1. Update to new kernel via yum
2. Reboot
3.
  
Actual results: Packets which used to pass as established outbound connections via automatic state keeping find the replies blocked. It isn't 100%, but it is a high enough percentage (95% or better) that it is not a functional gateway. Once in a great while you can get a web page to load but it is very rare. Same way with DNS lookups from clients on the internal LAN. Everything is fine from the gateway itself.


Expected results: Continued proper operation of existing configurations - even though you are moving to bright shiny new dynamic firewall configurations.


Additional info: I don't know what else to say. This is a fwbuilder (latest version) generated firewall that has worked fine for a long time. If you are just using 3.3.0 in a simple configuration, it seems to work fine. Passing traffic between NICs though somehow is now broken when it comes to state keeping.

The NICs in question are Intel Corporation 82574L gigabit cards running the e1000e driver. The internal net runs MTU of 9216 and the external 1500. Both have txqueuelens of 10000. IPv6 is disabled by default. If there is any other info you need, I can pass it along, but again - this is basic functionality that worked in 3.2.10 (and still works when booted to that kernel).