Casper Gripenberg wrote:
>
> Hi..I have a very simple bridging firewall setup:
>
>                                   BRIDGE
> computer1 <-internet-> [eth1 <-> br0 <-> eth0] <-> computer2
>
> [..snip..]

I think there's a bug in either the bridging or netfilter code. I just found
a workaround which seems to indicate that the way the firewall is currently
working is incorrect.

The workaround is to use ebtables to rewrite the MAC source of the RST packet
to the correct source. I.e. I rewrite it from the bridge address to the
address of computer2 -> the test case suddenly starts working.

Here's the workaround:

  ebtables -t nat -A POSTROUTING -o eth1 -p ipv4 --ip-proto tcp \
      --ip-sport 5555 -j snat --to-src 00:0d:56:af:17:47

That of course will break a lot of other stuff, but it just proves that
repairing the MAC is what makes the RST reply work properly.

This bug seems to have been around for quite a while, as there was someone
else back in 2004 who stumbled on the same problem:

  http://www.archivum.info/netfilter/2004-08/msg00614.html

Casper

--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
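The symptom described in this post (a TCP RST leaving the bridge with the bridge's own MAC as Ethernet source instead of computer2's MAC) can be confirmed from a capture on the outside interface before resorting to an ebtables rewrite. The following is an added example, not code from the post or from the netfilter/ebtables projects: it parses `tcpdump -e -nn` style lines and flags any RST whose source MAC disagrees with the MAC recorded for the sending IP. The IP addresses, the timestamps and the bridge/computer1 MACs are constructed for the example; the only value taken from the post is computer2's MAC, 00:0d:56:af:17:47. The capture lines themselves are constructed to mimic tcpdump output, not taken from a real capture.

```python
import re

# Constructed IP -> MAC table for the hosts on either side of the bridge.
# computer2's MAC (00:0d:56:af:17:47) is the one the post uses in its
# ebtables rule; the IPs and computer1's MAC are assumptions for this example.
EXPECTED_MAC = {
    "192.168.1.2": "00:0d:56:af:17:47",  # computer2, from the post
    "10.0.0.1": "02:00:00:00:00:01",     # computer1, constructed
}

# One `tcpdump -e -nn` line: "<ts> <src mac> > <dst mac>, ethertype IPv4 (0x0800),
# length N: <sip>.<sport> > <dip>.<dport>: Flags [..], ..."
LINE_RE = re.compile(
    r"^\S+\s+(?P<smac>[0-9a-fA-F:]{17}) > (?P<dmac>[0-9a-fA-F:]{17}), "
    r"ethertype IPv4 \(0x0800\), length \d+: "
    r"(?P<sip>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dip>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)


def parse_line(line):
    """Return the parsed fields of one capture line, or None if it is not a TCP/IPv4 frame."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    fields = m.groupdict()
    fields["smac"] = fields["smac"].lower()
    fields["dmac"] = fields["dmac"].lower()
    return fields


def find_rewritten_rsts(lines, expected=EXPECTED_MAC):
    """Return (src_ip, observed_mac, expected_mac) for every TCP RST whose
    Ethernet source MAC is not the MAC recorded for the sender's IP.

    On a transparent bridge the sender's MAC should survive unchanged, so a
    mismatch here is exactly the condition the post works around with ebtables.
    """
    findings = []
    for line in lines:
        pkt = parse_line(line)
        if pkt is None or "R" not in pkt["flags"]:
            continue  # not parseable, or not a RST
        want = expected.get(pkt["sip"])
        if want is not None and want.lower() != pkt["smac"]:
            findings.append((pkt["sip"], pkt["smac"], want.lower()))
    return findings


# Constructed sample capture (tcpdump -e -nn format), taken on the internet-facing
# side of the bridge. 02:00:00:00:00:b0 stands in for the bridge's own MAC.
SAMPLE_LINES = [
    # computer1 opens a connection to port 5555 on computer2: normal frame
    "12:00:00.000001 02:00:00:00:00:01 > 00:0d:56:af:17:47, ethertype IPv4 (0x0800), "
    "length 74: 10.0.0.1.40000 > 192.168.1.2.5555: Flags [S], seq 1, win 64240, length 0",
    # computer2's RST comes back carrying the bridge MAC: the symptom from the post
    "12:00:00.000002 02:00:00:00:00:b0 > 02:00:00:00:00:01, ethertype IPv4 (0x0800), "
    "length 60: 192.168.1.2.5555 > 10.0.0.1.40000: Flags [R.], seq 0, ack 2, win 0, length 0",
    # a RST with the correct source MAC, as expected after the ebtables workaround
    "12:00:00.000003 00:0d:56:af:17:47 > 02:00:00:00:00:01, ethertype IPv4 (0x0800), "
    "length 60: 192.168.1.2.5555 > 10.0.0.1.40001: Flags [R.], seq 0, ack 2, win 0, length 0",
]


if __name__ == "__main__":
    for sip, seen, want in find_rewritten_rsts(SAMPLE_LINES):
        print(f"RST from {sip} left with source MAC {seen}, expected {want}")
```

Feed it the output of a capture on the outside interface (for example `tcpdump -e -nn -i eth1 'tcp[tcpflags] & tcp-rst != 0'`); a non-empty result reproduces the mismatch the post describes without having to install the snat rule first.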