SCIENTIFIC-LINUX-DEVEL Archives

December 2011

SCIENTIFIC-LINUX-DEVEL@LISTSERV.FNAL.GOV

Subject:
From:
Stephan Wiesand <[log in to unmask]>
Reply To:
Stephan Wiesand <[log in to unmask]>
Date:
Wed, 28 Dec 2011 18:35:26 +0100
On Dec 28, 2011, at 15:54 , Steve Hill wrote:

> When using iptables to "REJECT" bridged network traffic under Scientific Linux 6.1, the kernel stack is corrupted, causing a kernel panic.

Right, this doesn't work. I'm not sure it will work with any Linux kernel.

DROPping packets, instead of REJECTing them, is probably safe. If it must be REJECT, the only solution is probably to have an additional VM acting as the firewall/router for the others.

Ebtables will work, but is rather limited in possibilities.

If you find another solution, I'd love to hear about it.

>  I have submitted a more detailed bug report, complete with stack trace, in the Red Hat bugzilla since this problem would affect Red Hat as well, but I am unsure if this is the appropriate place to file the bug report:
> 
> https://bugzilla.redhat.com/show_bug.cgi?id=770709

If you're 100% sure that it *does* affect RHEL, that's the right place.

-- 
Stephan Wiesand
DESY -DV-
Platanenenallee 6
15738 Zeuthen, Germany
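
The DROP-instead-of-REJECT workaround suggested in the reply above, as an added example that is not part of the original message: two shell functions that find REJECT targets in the filter table's FORWARD chain of an `iptables-save` dump and rewrite them to DROP. It assumes bridged frames are filtered in that chain (`net.bridge.bridge-nf-call-iptables=1`); the function names and the sample ruleset are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original thread). Assumption: bridged frames
# traverse the filter table's FORWARD chain, i.e. the sysctl
# net.bridge.bridge-nf-call-iptables is 1. User-defined chains jumped to
# from FORWARD are not followed.

# Count REJECT rules in filter/FORWARD of an iptables-save dump on stdin.
count_forward_rejects() {
    awk '
        /^\*/ { table = substr($0, 2) }     # "*filter", "*nat", ...
        table == "filter" && $1 == "-A" && $2 == "FORWARD" && / -j REJECT( |$)/ { n++ }
        END { print n + 0 }
    '
}

# Rewrite those rules to DROP, removing any --reject-with option.
# Every other line (other tables, other chains, counters) passes through.
reject_to_drop() {
    awk '
        /^\*/ { table = substr($0, 2) }
        table == "filter" && $1 == "-A" && $2 == "FORWARD" {
            sub(/ -j REJECT( --reject-with [a-z0-9-]+)?[ \t]*$/, " -j DROP")
        }
        { print }
    '
}

# Constructed sample in iptables-save format (vnet0 is a made-up bridge port).
sample_rules() {
    cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 23 -j REJECT --reject-with tcp-reset
-A FORWARD -m physdev --physdev-in vnet0 -p tcp -m tcp --dport 25 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -m physdev --physdev-is-bridged -j ACCEPT
COMMIT
EOF
}

# Typical use on a live host, validating before anything is committed:
#   iptables-save | count_forward_rejects
#   iptables-save | reject_to_drop | iptables-restore --test
```

The INPUT rule is left alone on purpose: only traffic passing through FORWARD is bridged, so REJECT rules for locally delivered traffic are not rewritten.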
