Damien Thébault wrote:
diff --git a/net/bridge/br_netfilter.c b/net/bridge/br_netfilter.c index c1757c7..362fe89 100644 --- a/net/bridge/br_netfilter.c +++ b/net/bridge/br_netfilter.c @@ -285,12 +285,17 @@ static int br_nf_pre_routing_finish_bridge(struct sk_buff *skb) skb->nf_bridge->mask ^= BRNF_NF_BRIDGE_PREROUTING; skb->dev = bridge_parent(skb->dev); - if (!skb->dev) - kfree_skb(skb); - else { + if (skb->dev) { + struct dst_entry *dst = skb->dst; + nf_bridge_pull_encap_header(skb); - skb->dst->output(skb); + + if (dst->hh) + return neigh_hh_output(dst->hh, skb); + else if (dst->neighbour) + return dst->neighbour->output(skb); } + kfree_skb(skb); return 0; }I confirm that this patch solves the problem with this setup, thanks!
Thanks a lot for testing and providing all the data.
Does this mean that without this patch, DNAT doesn't work (correctly) on a bridge?
DNAT itself works, but the incorrect POSTROUTING hook invocation can break other things like packet mangling by NAT helpers. - To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
