On Thu, 29 Dec 2011, Steve Hill wrote:

> On 28/12/11 17:35, Stephan Wiesand wrote:
>
>> >  When using iptables to "REJECT" bridged network traffic under Scientific 
>> >  Linux 6.1, the kernel stack is corrupted, causing a kernel panic.
>>
>>  Right, this doesn't work. I'm not sure it will work with any Linux kernel.
> It seems to me that there is no particular reason why this shouldn't work 
> though - when generating the ICMP response the kernel shouldn't have to deal 
> with the bridge at all - just inject it into the IP stack and let it traverse 
> the routing table as any other packet would.
>
> FWIW, this *does* seem to work under the 2.6.18 kernel (I've been doing it 
> for several years without any problems).

Well it *used* to work ok on the 2.6.18*.el5 kernels, but recently RH 
broke this behaviour in the el5 kernels (apparently a glitch in 
backporting various changes in how the network stuff works).  See:

   https://bugzilla.redhat.com/show_bug.cgi?id=749813

Currently on the affected systems we are forced to stick with 
2.6.18-238.19.1.el5 which seems to be the last version where ICMPs worked 
"properly" with bridged interfaces...

That bz contains backported patches (from the OpenVZ guys) which ought to 
fix the problems for the el5 kernels but there has been a distinct lack of 
(visible) TUV activity on that report so I can't tell if they plan to 
include them in a future update or not.

I wonder if a similar backport glitch might be causing the same problems 
in the el6 kernels!

I'll shortly mention #749813 in your bz just in case they are related.

  -- Jon