Re: Possible bug when bridging traffic we just SNATed and sent to another router

+----+   +----+
| R1 |   | R2 |
+----+   +----+
   |       |
+-------------+
| eth0   eth1 |
|   \     /   |
|    \   /    |
|     br0     |
+-------------+

So, the Linux box at the bottom attempts to route a packet from itself
using R1, but R1 forwards the packet on to R2, at which point Linux
creates a new conntrack and rewrites the port number as it passes over
the bridge, since that particular IP/port combination was already in
use by the first conntrack.

Does that make it clearer?

On 5 June 2015 at 15:35, Florian Westphal <fw@xxxxxxxxx> wrote:
> Daniel Collins <daniel.collins@xxxxxxxxxxxxxx> wrote:
>> Hi
>>
>> We have encountered problems when attempting to bridge packets that we
>> just sent, then saw a second time as the receiving router forwarded
>> them to another router attached to a different bridge port.
>
> I have no idea what that means.
> -v please.
>
>> This only occurs when SNAT was used on the original connection; this
>> seems to prevent the original conntrack entry from being used for the
>> bridged packet,
>
> Uhh.. what?
> Not following, sorry :-/
>
>> instead creating a new one for them, our router's
>
> If a new conntrack is created, then the skb did not (yet) have a conntrack
> entry or something has caused the conntrack to be destroyed/discarded.
>
> The latter typically happens with veth, or other
> virtualization/container use cases where skb_scrub_packet() is called.
>
>> router then sends the replies directly to us (as you'd expect), but
>> Linux only undoes the first layer of NAT and then discards the packet
>> since a local socket for it doesn't exist.
>
> again, no idea what that means.  Please explain in more detail or
> provide some graph that describes what is connected where, how the
> routing happens and where bridge(s) are sitting.

-- 
Daniel Collins
Software Developer

smoothwall
daniel.collins@xxxxxxxxxxxxxx
www.smoothwall.com

Head Office : 1 John Charles Way, Leeds, LS12 6QA, United Kingdom
Tech Office : Eagle Point, Little Park Farm Road, Fareham, PO15 5TD,
United Kingdom
US Office : 8008 Corporate Center Dr #410, Charlotte, NC 28226, United States

Telephone: UK: +44 870-199-9500 US: +1 800-959-3760

Smoothwall Limited is registered in England, Company Number: 4298247
and whose registered address is 1 John Charles Way, Leeds, LS12 6QA
United Kingdom.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
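The packet sequence Daniel describes above, as a simplified model added here for illustration (this is not code from the thread, nor kernel code): a conntrack table keyed on original and reply tuples, an SNAT step that picks the next free source port when the reply tuple is already taken, and the reply path that undoes only one layer of NAT. The addresses, ports, the "next free port" allocation policy and the local-socket table are all assumptions made for the example.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

# Constructed model of conntrack + SNAT handling. Addresses, ports and the
# port-allocation policy are assumptions, not values from the thread.

@dataclass(frozen=True)
class Tuple:
    src: str
    sport: int
    dst: str
    dport: int

    def reverse(self) -> "Tuple":
        return Tuple(self.dst, self.dport, self.src, self.sport)

@dataclass
class Conntrack:
    orig: Tuple    # tuple as first seen
    reply: Tuple   # tuple a reply arrives with (changes once SNAT is applied)

class ConntrackTable:
    def __init__(self) -> None:
        self.entries: list[Conntrack] = []

    def lookup(self, t: Tuple) -> tuple[Optional[Conntrack], Optional[str]]:
        """Match a packet tuple against both directions of every entry."""
        for ct in self.entries:
            if t == ct.orig:
                return ct, "original"
            if t == ct.reply:
                return ct, "reply"
        return None, None

    def reply_tuple_in_use(self, t: Tuple) -> bool:
        return any(ct.reply == t for ct in self.entries)

    def snat(self, ct: Conntrack, nat_ip: str) -> None:
        """Rewrite the source to nat_ip. Keep the original port unless the resulting
        reply tuple is already owned by another entry; then take the next free port
        (a simplification of the unique-tuple search a real NAT engine performs)."""
        port = ct.orig.sport
        while True:
            candidate = Tuple(nat_ip, port, ct.orig.dst, ct.orig.dport).reverse()
            if not self.reply_tuple_in_use(candidate):
                break
            port += 1
        ct.reply = candidate

def process_outbound(table: ConntrackTable, pkt: Tuple, nat_ip: str, trace: list) -> Tuple:
    """Packet leaving the box: find or create its conntrack, apply SNAT, return it as it leaves."""
    ct, direction = table.lookup(pkt)
    if ct is None:
        ct = Conntrack(orig=pkt, reply=pkt.reverse())
        table.entries.append(ct)
        table.snat(ct, nat_ip)
        trace.append(f"new conntrack #{len(table.entries)} for {pkt}; SNAT port -> {ct.reply.dport}")
        return ct.reply.reverse()
    trace.append(f"matched conntrack in {direction} direction")
    return ct.reply.reverse() if direction == "original" else ct.orig.reverse()

def process_inbound_reply(table: ConntrackTable, pkt: Tuple, local_sockets: set, trace: list) -> Optional[Tuple]:
    """Reply arriving: undo the NAT of the single conntrack it matches, then look for a local socket."""
    ct, direction = table.lookup(pkt)
    if ct is None or direction != "reply":
        trace.append("reply matched no conntrack in the reply direction")
        return None
    delivered = ct.orig.reverse()          # only this entry's NAT is undone
    if (delivered.dst, delivered.dport) in local_sockets:
        trace.append(f"delivered to {delivered.dst}:{delivered.dport}")
        return delivered
    trace.append(f"drop: no local socket for {delivered.dst}:{delivered.dport}")
    return None

def simulate() -> dict:
    table, trace = ConntrackTable(), []
    nat_ip = "198.51.100.1"                                  # assumed SNAT address
    local_pkt = Tuple("10.0.0.1", 40000, "192.0.2.10", 80)   # assumed locally generated packet
    local_sockets = {("10.0.0.1", 40000)}                    # the only socket the box owns
    # 1. The box sends the packet towards R1; SNAT applies, conntrack #1 is created.
    on_wire_1 = process_outbound(table, local_pkt, nat_ip, trace)
    # 2. R1 forwards it to R2, so the bridge sees the already-SNATed packet again
    #    (eth0 -> br0 -> eth1). It matches no existing entry, so conntrack #2 is
    #    created and SNAT must pick a new port because the reply tuple is taken.
    on_wire_2 = process_outbound(table, on_wire_1, nat_ip, trace)
    # 3. The far side replies straight to the box; only conntrack #2's NAT is undone.
    reply = on_wire_2.reverse()
    delivered = process_inbound_reply(table, reply, local_sockets, trace)
    return {"first": on_wire_1, "bridged": on_wire_2, "reply": reply,
            "delivered": delivered, "entries": len(table.entries), "trace": trace}

if __name__ == "__main__":
    for line in simulate()["trace"]:
        print(line)
```

Running it prints the three steps in the trace: the first packet leaves with source port 40000, the bridged copy is given port 40001 because the reply tuple for 40000 already belongs to the first entry, and the reply is un-NATed back to 198.51.100.1:40000 only, for which no local socket exists, so it is dropped. This is exactly the "only undoes the first layer of NAT" outcome from the report.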