Bug 13079

Summary: bridge not working when MASQUERADE is active
Product: Networking Reporter: Sergey (a_s_y)
Component: Netfilter/IptablesAssignee: networking_netfilter-iptables (networking_netfilter-iptables)
Status: CLOSED DOCUMENTED    
Severity: normal CC: alan, evg, kaber
Priority: P1    
Hardware: All   
OS: Linux   
Kernel Version: 2.6.27 Subsystem:
Regression: No Bisected commit-id:

Description Sergey 2009-04-13 07:02:22 UTC
Hello.

2.6.27-ovz-smp-alt3 #1 SMP Tue Apr 7 17:06:33 UTC 2009 x86_64 GNU/Linux

configuration:

iptables -t nat -A POSTROUTING -s 192.168.0.0/16 -j MASQUERADE

# brctl show
bridge name     bridge id               STP enabled     interfaces
bridge1         8000.0015172652e5       yes             eth0.22
                                                        eth6.22

eth0.22 and eth6.22 both without IP addresses. If ethernet segments which connected via bridge1 used, for example, 192.168.1.0/24, bridge is not work because IP-addressess MASQUERADEd between eth0.22 and eth6.22. But it starts to work, if any IP-address from the 192.168.1.0/24 set on bridge1. I believe that IP-operation should not be made for traffic between bridged interfaces.
Comment 1 Sergey 2009-04-13 15:11:58 UTC
Some about workarounds.

This is resolving the problem for 192.168.1.0/24:
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -j ACCEPT
iptables -t nat -A POSTROUTING -s 192.168.0.0/16 -j MASQUERADE

But this is not:
iptables -t nat -A POSTROUTING -o eth0.22 -j ACCEPT
iptables -t nat -A POSTROUTING -o eth6.22 -j ACCEPT
iptables -t nat -A POSTROUTING -s 192.168.0.0/16 -j MASQUERADE

Is this a problem with 802.1q also ? eth0.22 and eth6.22 are 802.1q interfaces
Comment 2 Sergey 2009-04-13 16:03:06 UTC
And
iptables -t nat -A POSTROUTING -o eth0.11 -s 192.168.0.0/16 -j MASQUERADE
can be used as workaround too, if outgoing NAT interface(s) can be specified.
Comment 3 Patrick McHardy 2009-04-14 11:20:00 UTC
I agree that this shouldn't be done by default, it has unfortunately been the default since the introduction of bridge netfilter and we can't change it now, at least not without a long warning period.
Comment 4 Sergey 2009-04-16 06:36:54 UTC
(In reply to comment #3)

leave the bug as memo ? Or close it ?