Date: Thu, 29 Dec 2011 20:32:15 +0000
On Thu, 29 Dec 2011, Steve Hill wrote:
> On 28/12/11 17:35, Stephan Wiesand wrote:
>
>> > When using iptables to "REJECT" bridged network traffic under Scientific
>> > Linux 6.1, the kernel stack is corrupted, causing a kernel panic.
>>
>> Right, this doesn't work. I'm not sure it will work with any Linux kernel.
> It seems to me that there is no particular reason why this shouldn't work
> though - when generating the ICMP response the kernel shouldn't have to deal
> with the bridge at all - just inject it into the IP stack and let it traverse
> the routing table as any other packet would.
>
> FWIW, this *does* seem to work under the 2.6.18 kernel (I've been doing it
> for several years without any problems).
Well, it *used* to work OK on the 2.6.18*.el5 kernels, but recently RH
broke this behaviour in the el5 kernels (apparently a glitch in
backporting various changes in how the network stuff works). See:
https://bugzilla.redhat.com/show_bug.cgi?id=749813

Currently on the affected systems we are forced to stick with
2.6.18-238.19.1.el5, which seems to be the last version where ICMPs worked
"properly" with bridged interfaces...

That bz contains backported patches (from the OpenVZ guys) which ought to
fix the problems for the el5 kernels, but there has been a distinct lack of
(visible) TUV activity on that report, so I can't tell if they plan to
include them in a future update or not.

I wonder if a similar backport glitch might be causing the same problems
in the el6 kernels!

I'll shortly mention #749813 in your bz just in case they are related.

-- Jon
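For admins who want to find the configuration this thread describes (iptables REJECT rules that can fire on bridged traffic) before rolling a kernel update, here is an added audit script; it is not from the thread or from the bugzilla report, and the iptables-save excerpt and bridge list are constructed sample data, which real use would replace with `iptables-save` output and the host's bridge names.

```shell
#!/bin/sh
# Flag iptables REJECT rules that can apply to bridged traffic, the setup
# the thread reports as panicking some el5/el6 kernels. Sample data below
# is constructed for this example; feed `iptables-save` output in real use.

# Constructed iptables-save excerpt (not taken from the message).
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -m physdev --physdev-in eth1 -p tcp --dport 25 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i br0 -o br0 -p udp --dport 53 -j REJECT
-A FORWARD -i br0 -p tcp --dport 80 -j ACCEPT
-A INPUT -i eth0 -p tcp --dport 22 -j REJECT
COMMIT'

# Constructed bridge list; real use: ls /sys/class/net/*/bridge or brctl show.
BRIDGES="br0"

# bridged_reject_rules RULES BRIDGES
# Print each REJECT rule that uses the physdev match or that is a FORWARD
# rule bound to a bridge interface with -i/-o. Other REJECT rules are ignored.
bridged_reject_rules() {
    rules=$1; bridges=$2
    printf '%s\n' "$rules" | while IFS= read -r line; do
        case $line in
            -A*-j\ REJECT*) ;;        # only REJECT targets are of interest
            *) continue ;;
        esac
        case $line in
            *--physdev-*) printf '%s\n' "$line"; continue ;;
        esac
        for br in $bridges; do       # trailing space keeps the match exact
            case "$line " in
                "-A FORWARD "*"-i $br "*|"-A FORWARD "*"-o $br "*)
                    printf '%s\n' "$line"; break ;;
            esac
        done
    done
}

# count_bridged_reject_rules RULES BRIDGES -> number of flagged rules
count_bridged_reject_rules() {
    bridged_reject_rules "$1" "$2" | awk 'END { print NR }'
}

# audit_report RULES BRIDGES KERNEL_RELEASE
# Exit 0 when nothing is flagged, 1 otherwise, so it can gate an update.
audit_report() {
    n=$(count_bridged_reject_rules "$1" "$2")
    if [ "$n" -eq 0 ]; then
        echo "ok: no REJECT rules apply to bridged traffic (kernel $3)"; return 0
    fi
    echo "warning: $n REJECT rule(s) apply to bridged traffic on kernel $3;"
    echo "thread reports 2.6.18-238.19.1.el5 as the last el5 kernel where this was safe"
    return 1
}
```

Run it as `audit_report "$(iptables-save)" "br0 br1" "$(uname -r)"` on a host to get a non-zero exit when the risky combination is present.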