ron lai wrote:
> My ruleset is
> iptables -t nat -A POSTROUTING -s 172.16.119.91 -j SNAT --to-source 172.16.255.123
> I am using a bridge containing only one physical interface and the FTP
> traffic goes through the bridge.
That explains it. The bridge netfilter code calls the IP POST_ROUTING
hook for outgoing packets, but the packet already went through it
during forwarding. Please try this patch, which makes the bridge
netfilter code only call the IP hook for packets that also came in
on the bridge.
diff --git a/net/bridge/br_netfilter.c b/net/bridge/br_netfilter.c
index 3ee2022..d8e5c94 100644
--- a/net/bridge/br_netfilter.c
+++ b/net/bridge/br_netfilter.c
@@ -773,7 +773,7 @@ static unsigned int br_nf_post_routing(unsigned int hook, struct sk_buff **pskb,
}
#endif
- if (!nf_bridge)
+ if (!nf_bridge || !nf_bridge->physindev)
return NF_ACCEPT;
if (!realoutdev)
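Review bot: the new `!nf_bridge->physindev` condition in the changed `if` deserves a one-line comment in the code, because the reason for it (a packet with no physindev did not enter on the bridge, so it has already passed the IP POST_ROUTING hook during forwarding and running the hook again here would apply the SNAT rule a second time) is only stated in the mail and not visible to anyone reading br_nf_post_routing later. Something like `/* Only packets that came in on the bridge need the IP hook; others already traversed POST_ROUTING */` directly above `if (!nf_bridge || !nf_bridge->physindev)` would carry that rationale into the source.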