[Bridge] The problem of bridge+netfilter+nat

Zheng Chuanbo zhengcb at netpower.com.cn
Mon Mar 21 02:44:20 PST 2005


Hi,

I met a problem when using bridge with netfilter. The kernel version is 
2.4.20, and the patch is bridge-nf-0.0.10-against-2.4.20.diff. 

Our firewall configuration is as follows:
eth3, eth4, eth5 and eth6 are configured as a bridge with the IP address 10.0.0.1.
The local net connects to the internet via the gateway 10.0.0.1 and SNAT 
is applied on the firewall. It worked, but sometimes there are some 
problems. The bridge stopped responding now and then. When checking the
log, there were some messages as below:

Mar 21 13:48:04 NPFW br_netfilter: Argh!! br_nf_post_routing: bad mac.raw pointer.[eth6][Bridge_0]
Mar 21 13:48:04 NPFW br_netfilter: Argh!! br_nf_post_routing: bad mac.raw pointer.[eth5][Bridge_0]
Mar 21 13:48:04 NPFW br_netfilter: Argh!! br_nf_post_routing: bad mac.raw pointer.[eth4][Bridge_0]
Mar 21 13:48:04 NPFW br_netfilter: Argh!! br_nf_post_routing: bad mac.raw pointer.[eth3][Bridge_0]

I checked the code; it is caused by certain types of packets.
         
        /* Be very paranoid.  */
        if (skb->mac.raw < skb->head || skb->mac.raw + ETH_HLEN > skb->data) {
                printk(KERN_CRIT "br_netfilter: Argh!! br_nf_post_routing: "
                                 "bad mac.raw pointer."); 
                if (skb->dev != NULL) {
                        printk("[%s]", skb->dev->name);
                        if (has_bridge_parent(skb->dev))
                                printk("[%s]", bridge_parent(skb->dev)->name);
                }       
                printk("\n");
                return NF_ACCEPT;               
        }

And in the new bridge-nf version it is announced that this should not happen anymore.
I think I should upgrade the kernel. But I'm curious about the problem and I wish
I could know what kind of packets caused such a problem. 

Thanks for help. Please cc.

Regards,

Zheng chuanbo          
zhengcb at netpower.com.cn
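
The check quoted in the message above, as an added example (not from the original post or from the bridge-nf patch): a userspace C model that reports which of the two comparisons fails for a given buffer layout. `struct fake_skb`, `classify_mac` and `check_layout` are hypothetical names and the layouts are constructed; the model does not identify which packets produced the log lines.

```c
#include <stdint.h>
#include <stdio.h>

#define ETH_HLEN 14 /* Ethernet header length, same value as the kernel's */

/* Hypothetical stand-in for the three sk_buff fields the check reads. */
struct fake_skb {
    unsigned char *head;    /* start of the allocated buffer */
    unsigned char *data;    /* start of the current payload */
    unsigned char *mac_raw; /* stands in for skb->mac.raw */
};

enum mac_status { MAC_OK, MAC_BEFORE_HEAD, MAC_OVERLAPS_DATA };

/* The same two comparisons as the quoted check, reported separately.
 * Addresses are compared as integers so an unset (NULL) pointer can be
 * classified without an undefined pointer comparison. */
enum mac_status classify_mac(const struct fake_skb *skb)
{
    uintptr_t head = (uintptr_t)skb->head;
    uintptr_t data = (uintptr_t)skb->data;
    uintptr_t mac = (uintptr_t)skb->mac_raw;

    if (mac < head)
        return MAC_BEFORE_HEAD;   /* first half of the condition */
    if (mac + ETH_HLEN > data)
        return MAC_OVERLAPS_DATA; /* second half of the condition */
    return MAC_OK;
}

static unsigned char buf[128]; /* constructed buffer, contents unused */

/* Build a layout from offsets into buf; mac_off < 0 means mac_raw is NULL. */
enum mac_status check_layout(long data_off, long mac_off)
{
    struct fake_skb s = { buf, buf + data_off,
                          mac_off < 0 ? NULL : buf + mac_off };
    return classify_mac(&s);
}

int main(void)
{
    /* Header fully inside the headroom between head and data. */
    printf("header at 16, data at 30: %d\n", check_layout(30, 16));
    /* mac_raw never set. */
    printf("mac_raw NULL:             %d\n", check_layout(30, -1));
    /* mac_raw equal to data, so no room for 14 header bytes before it. */
    printf("mac_raw == data:          %d\n", check_layout(30, 30));
    return 0;
}
```

The check passes only when all 14 bytes of the Ethernet header lie between `head` and `data`, so splitting the log message by failing comparison narrows down how `mac.raw` went wrong.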