On 28/12/11 17:35, Stephan Wiesand wrote:

>> When using iptables to "REJECT" bridged network traffic under Scientific Linux 6.1, the kernel stack is corrupted, causing a kernel panic.
>
> Right, this doesn't work. I'm not sure it will work with any Linux kernel.
It seems to me that there is no particular reason why this shouldn't 
work though - when generating the ICMP response the kernel shouldn't 
have to deal with the bridge at all - just inject it into the IP stack 
and let it traverse the routing table as any other packet would.

FWIW, this *does* seem to work under the 2.6.18 kernel (I've been doing 
it for several years without any problems).

At the very least, if should "not work" in a safe way rather than 
bringing down the whole machine (also, there may be scope for a security 
exploit since the stack is getting trashed).

> DROPping packets, instead of REJECTing them, is probably safe. If it must be REJECT, the only solution is probably to have an additional VM acting as the firewall/router for the others.

I wonder if I can DNAT the packet to a local port that has nothing 
listening on it... that would generate an ICMP port unreachable.  Messy 
as hell though.

> If you're 100% sure that it *does* affect RHEL, that's the right place.

Well, I can't test it as I have no RHEL machines, but I see no reason 
why it wouldn't affect RHEL too.

-- 

  - Steve Hill
    Technical Director
    Opendium Limited     http://www.opendium.com

Direct contacts:
    Instant messager: xmpp:[log in to unmask]
    Email:            [log in to unmask]
    Phone:            sip:[log in to unmask]

Sales / enquiries contacts:
    Email:            [log in to unmask]
    Phone:            +44-844-9791439 / sip:[log in to unmask]

Support contacts:
    Email:            [log in to unmask]
    Phone:            +44-844-4844916 / sip:[log in to unmask]