netfilter buglog - Jun 2006 - [Bug 400] connection tracking does not work on VLANs if underlying interface is a bridge

https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=400





------- Additional Comments From pila@pilasecurity.com  2006-06-08 10:03 MET
-------
I had the same trouble yesterday.

It's very useful to have vlan over bridges. Think this situation:

1- You have a cluster of firewall
2- You have a DMZ net with two switches for redundancy
3- You have two nic on your firewall to connect to each switch
4- You need VLAN to separate server each other on DMZ

The best resolution is to bridge the two nic and to create vlan over bridges.

This is the case we have and where we find the same bug in iptables.

It should be very useful to have this bug resolved.

Bye

Andrea "Pila" Ghirardini

-- 
Configure bugmail:
https://bugzilla.netfilter.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=400





------- Additional Comments From pila@pilasecurity.com  2006-06-08 10:03 MET
-------
I had the same trouble yesterday.

It's very useful to have vlan over bridges. Think this situation:

1- You have a cluster of firewall
2- You have a DMZ net with two switches for redundancy
3- You have two nic on your firewall to connect to each switch
4- You need VLAN to separate server each other on DMZ

The best resolution is to bridge the two nic and to create vlan over bridges.

This is the case we have and where we find the same bug in iptables.

It should be very useful to have this bug resolved.

Bye

Andrea "Pila" Ghirardini

-- 
Configure bugmail:
https://bugzilla.netfilter.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You reported the bug, or are watching the reporter.

https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=400





------- Additional Comments From kaber@trash.net  2006-06-08 10:10 MET -------
We had a number of fixes that might help, please try the latest -git kernel from
kernel.org and let us know if it helps. 

-- 
Configure bugmail:
https://bugzilla.netfilter.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=400





------- Additional Comments From kaber@trash.net  2006-06-08 10:10 MET -------
We had a number of fixes that might help, please try the latest -git kernel from
kernel.org and let us know if it helps. 

-- 
Configure bugmail:
https://bugzilla.netfilter.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You reported the bug, or are watching the reporter.

https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=400





------- Additional Comments From kaber@trash.net  2006-07-07 06:09 MET -------
Created an attachment (id=247)
 -->
(https://bugzilla.netfilter.org/bugzilla/attachment.cgi?id=247&action=view)
Patch

This patch finally fixes the problem (and a bunch of related problems) unless
you use --physdev-out in OUTPUT or FORWARD.


-- 
Configure bugmail:
https://bugzilla.netfilter.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=400





------- Additional Comments From kaber@trash.net  2006-07-07 06:09 MET -------
Created an attachment (id=247)
 -->
(https://bugzilla.netfilter.org/bugzilla/attachment.cgi?id=247&action=view)
Patch

This patch finally fixes the problem (and a bunch of related problems) unless
you use --physdev-out in OUTPUT or FORWARD.


-- 
Configure bugmail:
https://bugzilla.netfilter.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You reported the bug, or are watching the reporter.