>----- Original message -----
>From: Patrick McHardy [mailto:kaber@xxxxxxxxx]
>Sent: Wednesday, November 7, 2007 11:33 AM
>To: 'ron lai'
>CC: netfilter@xxxxxxxxxxxxxxx, netfilter-devel@xxxxxxxxxxxxxxx, 'Bart De Schuymer'
>Subject: Re: Fw: Problems with nf_nat_ftp.ko and nf_conntrack_ftp.ko in 2.6.22.6
>
>Patrick McHardy wrote:
>I can reproduce this with forwarding between two bridges.
>The reason is that skb->nf_bridge still contains the data
>from the first bridge and so br_netfilter thinks this is
>a bridged packet. I don't know how this is supposed to work,
>but it seems to me that on packets going out a bridge device
>this should be reset in case it originates from a different
>bridge (actually I think it should be reset unconditionally
>but that would probably break bridged DNAT).
>
>Bart, what do you think about changing this:

(sorry for the webmail mess)

I think that would work. It shouldn't be reset unconditionally at that point since we allow IP dnating of bridged packets (bridged-and-DNAT'ed case).

Another solution I think is this:
in br_nf_post_routing():
change
    if (!nf_bridge)
to
    if (!nf_bridge || !(nf_bridge->mask & BRNF_BRIDGED_DNAT))

This regression was introduced when the ip_out sabotage stuff was removed. br_nf_post_routing should now only consider bridged IP packets.

cheers,
Bart