[Bridge] 2.6.12: iptables connection tracking broken on bridge interfaces

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Hi!

As noted by Chris Rankin on a mail to netfilter-devel and to the
linux-kernel mailing list (subject: 2.6.12: connection tracking broken?),
there is a problem with the connection tracking of iptables when one of the
interfaces is a bridge.

On my tests here I have setup a connection between two machines using a real
interface (eth0) and then the same setup using a bridge interface (br0) to
which that interface had been enslaved:

The setup had modules ipt_LOG, ipt_state, ip_conntrack, iptable_filter and
ip_tables loaded, as well as bridge and I loaded a simple set of rules,
exactly the same set each time but changing the interface name, I'll just
write the setup for br0, but the setup was the same one for eth0 with that
little change:

iptables -A INPUT -i br0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i br0 -j LOG --log-level 7 --log-prefix "NOTESTABLISHED "
iptables -A INPUT -i br0 -j DROP

this set of rules with eth0 on them worked ok when I tried to telnet a port
on a remote machine (192.168.0.1) from the local machine (192.168.0.2),
concretelly the test was a telnet to port 22 where the ssh daemon was
listening. However, when I did the same test using the br0 interface, I got
this logged:

NOTESTABLISHED IN=br0 OUT= PHYSIN=eth0
MAC=00:50:ba:54:39:8c:00:48:54:6a:58:90:08:00 SRC=192.168.0.1
DST=192.168.0.2 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=22
DPT=48448 WINDOW=5792 RES=0x00 ACK SYN URGP=0 

doing a grep for 192.168.0.1 on /proc/net/ip_conntrack* returned nothing,
however netstat showed the connection:
tcp        0      1 192.168.0.2:48448       192.168.0.1:22          SYN_SENT

I believe that iptables works ok execept for the connection tracking, but I
have not tested this fully.

Machines were I tried this were a Pentium III and an AMD K6II both with
kernel 2.6.12, I know this is happening at least from RC5, but at that time
I didn't have the time to check and I thought it was due to the kernel
bridge firewall being loaded, the tests I did today with 2.6.12 final didn't
have the kernel bridge firewall, just normal bridge and normal iptables.

If you need any other info to check this just ask for it.

Regards...
-- 
Manty/BestiaTester -> http://manty.net
[Index of Archives]     [Netdev]     [AoE Tools]     [Linux Wireless]     [Kernel Newbies]     [Security]     [Linux for Hams]     [Netfilter]     [Bugtraq]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux RAID]     [Linux Admin]     [Samba]     [Video 4 Linux]

  Powered by Linux