Hi,

We have encountered problems when attempting to bridge packets that we just sent, then saw a second time as the receiving router forwarded them to another router attached to a different bridge port.

This only occurs when SNAT was used on the original connection. This seems to prevent the original conntrack entry from being used for the bridged packet, instead creating a new one for it. Our router's router then sends the replies directly to us (as you'd expect), but Linux only undoes the first layer of NAT and then discards the packet since a local socket for it doesn't exist.

This behaviour has been observed under 3.13 and 3.16; is it intended?

We have considered either patching the kernel to undo multiple levels of NAT, or trying to resolve conntracks using a reversed tuple in the raw/PREROUTING chain using a new iptables target, so that the original conntrack is used as it is when the SNAT target wasn't used.

Would either of the proposed kernel changes be a horribly bad idea with unintended side effects? Is there a better way?

Thanks

--
Daniel Collins
Software Developer
smoothwall
www.smoothwall.com
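A simplified model of the conntrack tuple lookup and SNAT behaviour the mail describes, added here as an illustration only (it is not kernel code and not from the original message). The addresses, ports and the port-collision rule are constructed assumptions; the model shows why the bridged packet gets a second entry and why the reply is only un-NATted once.

```python
# Toy model of conntrack + SNAT (added illustration, not the kernel's logic).
from dataclasses import dataclass

@dataclass(frozen=True)
class Tuple:
    src: str
    sport: int
    dst: str
    dport: int

    def reverse(self):
        return Tuple(self.dst, self.dport, self.src, self.sport)

@dataclass
class Conn:
    orig: Tuple   # tuple as first seen
    reply: Tuple  # tuple we expect the reply to carry (after SNAT)

SNAT_IP = "198.51.100.1"   # constructed: the router's SNAT address
table = []                 # the conntrack table (list of Conn)

def lookup(t):
    """Return (entry, direction) for a tuple matching either side of an entry."""
    for c in table:
        if t == c.orig:
            return c, "ORIGINAL"
        if t == c.reply:
            return c, "REPLY"
    return None, None

def traverse(t):
    """One pass of a packet through conntrack/NAT; returns the translated tuple."""
    c, direction = lookup(t)
    if c is None:
        # New flow: apply SNAT, choosing a source port whose reply tuple is unique.
        port = t.sport
        while any(Tuple(t.dst, t.dport, SNAT_IP, port) == e.reply for e in table):
            port += 1
        c = Conn(orig=t, reply=Tuple(t.dst, t.dport, SNAT_IP, port))
        table.append(c)
        direction = "ORIGINAL"
    # Exactly one layer of translation is applied, based on the matched entry.
    return c.reply.reverse() if direction == "ORIGINAL" else c.orig.reverse()

def demo():
    table.clear()
    client = Tuple("10.0.0.2", 40000, "203.0.113.5", 80)   # constructed LAN client -> server
    first = traverse(client)                 # SNAT'd once; entry E1 created
    seen_again = traverse(first)             # same packet re-enters via the bridge: no match, E2 + 2nd SNAT
    reply = traverse(seen_again.reverse())   # server's reply matches E2 only: one layer undone
    return first, seen_again, reply, len(table)
```

The final tuple is addressed to the router's own SNAT address rather than to 10.0.0.2, which is the "no local socket, packet discarded" outcome described above.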