linux-net@xxxxxxxxxxxxxxx
netfilter@xxxxxxxxxxxxxxx

Hi ML!

Some time ago an idea began knocking on my mind. Precisely, I want to build a box, Linux based of course, to implement a sort of "private virtual firewall". I built a very nice mini-ITX box with 6 real Ethernet devices. Before going straight forward, I tested my box with a checkpoint. But at this checkpoint I found an annoying error. I titled this error "The strange Packets Duplicated bug".

Crime Scene

       +---------------------------+
  I    |                           |
  N    |  eth2 -+        +- eth4   |
  T  --+        |        |         +-- [B]
  E    |       br0      br1        |
  R    |                           |
  N    |        iptables           |
  E    |      kernel 2.6.18        |
  T    |                           |
 [A]   +---------------------------+

I introduced the kernel bridge to split the packet traffic into several virtual tun (one for each virtual device).

Now let me show you the bug. A client located in network B is trying to download a file of considerable size, like the vanilla kernel; after a while the transfer freezes and then the connection is reset. In my box the iptables filtering and source-NAT rules refer to the bridge interfaces.

C.S.I

It's time to dig deep, so I instrumented a trace with wireshark both in network A and in network B, and I realized that in network B there are a lot of retransmissions... (already changed hubs and cables). In particular:

1 SYN packet from client to br1, seen in B
2 SYN packet from br0 (NAT-ed) towards Internet, seen in A
3 SYNACK packet from Internet towards br0, seen in A
4 SYNACK packet from Internet to client, coming from br1, seen in B
5 SYNACK packet from Internet to client, coming from br1, seen in B

Packet 5 leads me to think of a bug; IMHO packet 5 should not exist at all! Anyway, the only difference between packet 4 and packet 5 is the TTL value: TTL(packet5) = TTL(packet4) + 1. I suppose this duplication produces a flood and the box then kills the download session.

Causes

I'm thinking of some trouble in the sundance driver, used for the D-Link DFE-580TX (haven't seen interesting issues on the ML). Or some misconfiguration in /proc/sys/net/ipv4/conf/br*/*. Or a design limit of the kernel virtual bridge (STP disabled). At which point am I in error?

Thanks in advance
pvb265
--
To unsubscribe from this list: send the line "unsubscribe netfilter"
in the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
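As an added example (not from the original post or any reply to it), here is a small Python detector for the symptom described above: it parses raw IPv4/TCP headers from a constructed five-packet capture that mirrors the numbered list in the post and reports segments seen more than once whose only IP-level difference is the TTL. The addresses, ports, sequence numbers and IP IDs are made-up values in RFC 5737 documentation ranges, not taken from the post; the packet builder is only there so the example runs offline.

```python
"""Find duplicated TCP segments that differ only in IPv4 TTL.

Added example, not code from the original post.  Sample packets are
constructed inline; on a real capture you would feed the raw IPv4 payloads
of the frames instead.
"""
import struct
from collections import defaultdict

TCP_SYN, TCP_ACK = 0x02, 0x10


def ipv4_checksum(hdr: bytes) -> int:
    """RFC 1071 one's-complement sum over an IPv4 header.
    Returns 0 when run over a header whose checksum field is already valid."""
    if len(hdr) % 2:
        hdr += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_segment(src, dst, sport, dport, seq, ack, flags, ttl, ip_id) -> bytes:
    """Construct a minimal IPv4 + TCP header pair (no options, no payload).
    The TCP checksum is left at zero: the detector only looks at the IP header
    and at the TCP fields that identify a segment."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0)
    saddr = bytes(int(o) for o in src.split("."))
    daddr = bytes(int(o) for o in dst.split("."))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), ip_id, 0x4000,
                     ttl, 6, 0, saddr, daddr)
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]  # fill checksum
    return ip + tcp


def parse_packet(pkt: bytes) -> dict:
    """Parse the IPv4 header and the TCP fields that identify a segment.
    Raises ValueError for a non-TCP packet or a bad IPv4 header checksum."""
    (ver_ihl, _tos, _total, ip_id, _frag, ttl, proto, _csum,
     saddr, daddr) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ipv4_checksum(pkt[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    if proto != 6:
        raise ValueError("not TCP")
    sport, dport, seq, ack, _off, flags = struct.unpack("!HHIIBB", pkt[ihl:ihl + 14])
    return {
        "src": ".".join(map(str, saddr)), "dst": ".".join(map(str, daddr)),
        "ip_id": ip_id, "ttl": ttl,
        "sport": sport, "dport": dport, "seq": seq, "ack": ack, "flags": flags,
    }


def find_ttl_only_duplicates(packets) -> list:
    """Group segments by (addresses, ports, seq, ack, flags, IP ID) and report
    every group that holds more than one copy with differing TTLs.  Each
    forwarding hop decrements TTL by one, so a delta of 1 between two copies
    of the same segment is consistent with one copy having been forwarded one
    hop more than the other (the packet 4 / packet 5 pattern in the post)."""
    groups = defaultdict(list)
    for idx, pkt in enumerate(packets):
        f = parse_packet(pkt)
        key = (f["src"], f["dst"], f["sport"], f["dport"],
               f["seq"], f["ack"], f["flags"], f["ip_id"])
        groups[key].append((idx, f["ttl"]))
    report = []
    for key, copies in groups.items():
        ttls = sorted(t for _, t in copies)
        if len(copies) > 1 and ttls[0] != ttls[-1]:
            report.append({"key": key, "indices": [i for i, _ in copies],
                           "ttls": ttls, "ttl_delta": ttls[-1] - ttls[0]})
    return report


# Constructed sample capture mirroring the five packets listed in the post.
# Addresses are RFC 5737 documentation ranges, chosen for this example only.
CLIENT, NAT_EXT, SERVER = "192.0.2.10", "203.0.113.2", "198.51.100.7"
CAPTURE = [
    build_segment(CLIENT, SERVER, 40000, 80, 1000, 0, TCP_SYN, 64, 0x1001),              # 1: SYN, net B
    build_segment(NAT_EXT, SERVER, 40000, 80, 1000, 0, TCP_SYN, 63, 0x1001),             # 2: SYN after SNAT, net A
    build_segment(SERVER, NAT_EXT, 80, 40000, 5000, 1001, TCP_SYN | TCP_ACK, 50, 0x2002),  # 3: SYN-ACK, net A
    build_segment(SERVER, CLIENT, 80, 40000, 5000, 1001, TCP_SYN | TCP_ACK, 49, 0x2002),   # 4: SYN-ACK, net B
    build_segment(SERVER, CLIENT, 80, 40000, 5000, 1001, TCP_SYN | TCP_ACK, 50, 0x2002),   # 5: same, TTL + 1
]

if __name__ == "__main__":
    for dup in find_ttl_only_duplicates(CAPTURE):
        print("duplicate segment", dup["key"], "at indices", dup["indices"],
              "TTLs", dup["ttls"], "delta", dup["ttl_delta"])
```

Packets 1 and 2 are not grouped together because SNAT changed the source address, and packet 3 stays separate from 4 and 5 because its destination is the NAT address; only the two copies delivered into network B match, with a TTL delta of 1. On a real trace the same fields can be exported with `tshark -T fields` (`ip.src`, `ip.dst`, `ip.id`, `ip.ttl`, `tcp.srcport`, `tcp.dstport`, `tcp.seq`, `tcp.ack`, `tcp.flags`) and grouped the same way.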