On 28/12/11 17:35, Stephan Wiesand wrote:

>> When using iptables to "REJECT" bridged network traffic under Scientific Linux 6.1, the kernel stack is corrupted, causing a kernel panic.
>
> Right, this doesn't work. I'm not sure it will work with any Linux kernel.

It seems to me that there is no particular reason why this shouldn't work though - when generating the ICMP response the kernel shouldn't have to deal with the bridge at all - just inject it into the IP stack and let it traverse the routing table as any other packet would.

FWIW, this *does* seem to work under the 2.6.18 kernel (I've been doing it for several years without any problems).

At the very least, it should "not work" in a safe way rather than bringing down the whole machine (also, there may be scope for a security exploit since the stack is getting trashed).

> DROPping packets, instead of REJECTing them, is probably safe. If it must be REJECT, the only solution is probably to have an additional VM acting as the firewall/router for the others.

I wonder if I can DNAT the packet to a local port that has nothing listening on it... that would generate an ICMP port unreachable. Messy as hell though.

> If you're 100% sure that it *does* affect RHEL, that's the right place.

Well, I can't test it as I have no RHEL machines, but I see no reason why it wouldn't affect RHEL too.

--
- Steve Hill
Technical Director
Opendium Limited
http://www.opendium.com

Direct contacts:
Instant messenger: xmpp:[log in to unmask]
Email: [log in to unmask]
Phone: sip:[log in to unmask]

Sales / enquiries contacts:
Email: [log in to unmask]
Phone: +44-844-9791439 / sip:[log in to unmask]

Support contacts:
Email: [log in to unmask]
Phone: +44-844-4844916 / sip:[log in to unmask]
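The workaround discussed in the thread (DROP bridged traffic instead of REJECTing it, so the affected kernel never has to build an ICMP error for a bridged frame) can be expressed as a small rule generator. This is an added example and not part of the thread or of any Opendium configuration; the bridge name `br0`, the subnet `192.168.1.0/24` and the `physdev` match on bridged frames are assumptions chosen for illustration. By default the script only prints the rules it would apply; it touches iptables only when run with `--apply`, so it can be reviewed on a test machine first.

```shell
#!/bin/sh
# Generate FORWARD-chain rules for traffic that crosses a Linux bridge.
# The REJECT target is what the thread reports as crashing the SL 6.1
# kernel on bridged packets, so the safe default here is DROP.
# Assumed values (constructed for this example, not from the thread):
BRIDGE="br0"
PROTECTED_NET="192.168.1.0/24"

# bridge_forward_rules ACTION
#   Prints one iptables command per line. ACTION must be DROP or REJECT;
#   anything else is refused so a typo cannot silently produce an ACCEPT.
bridge_forward_rules() {
    action="$1"
    case "$action" in
        DROP|REJECT) ;;
        *) echo "bridge_forward_rules: unsupported action '$action'" >&2; return 1 ;;
    esac
    # Let established/related flows through first so only new inbound
    # connections towards the protected network hit the terminating rule.
    echo "iptables -A FORWARD -m physdev --physdev-is-bridged -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A FORWARD -m physdev --physdev-is-bridged -d $PROTECTED_NET -m state --state NEW -j $action"
}

# safe_action POLICY
#   Maps the administrator's wish to what is safe on the affected kernel:
#   a request for REJECT on bridged traffic is downgraded to DROP, which is
#   the mitigation the thread arrives at.
safe_action() {
    case "$1" in
        REJECT) echo "DROP" ;;
        DROP)   echo "DROP" ;;
        *)      echo "safe_action: unknown policy '$1'" >&2; return 1 ;;
    esac
}

# main: dry-run by default; "--apply" executes the generated commands.
main() {
    wanted="${2:-REJECT}"
    act="$(safe_action "$wanted")" || exit 1
    if [ "$act" != "$wanted" ]; then
        echo "# note: $wanted on bridged traffic replaced by $act for bridge $BRIDGE" >&2
    fi
    if [ "$1" = "--apply" ]; then
        bridge_forward_rules "$act" | while read -r cmd; do
            $cmd || exit 1
        done
    else
        bridge_forward_rules "$act"
    fi
}

# Only run main when executed directly, not when sourced for testing.
case "$0" in
    *bridge_fw*|*sh) main "$@" ;;
esac
```

Running the script without arguments prints the two `iptables` commands with `-j DROP`; running it with `--apply REJECT` still installs DROP rules and prints a note explaining the substitution. Anyone on a kernel where REJECT on bridged traffic is known to be fixed can change `safe_action` to pass REJECT through unchanged.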