Hi Tim,
As promised, a proper patch for making ICMP rejects work. Could you
give it a go? It seems to work just fine in my lab.
http://bridge.sf.net/patches/nf/04_fix_reject_with_icmp.diff
If you try to REJECT a packet that was DNAT'ed before, you will reliably
get "Dead loop on virtual device br0, fix it urgently!". This message
appears to indicate a recursion bug in the bridge stuff, but it's misleading:
there is no such bug. What is actually happening is subtle, but the effect
is quite blunt: the lower layers will drop the generated REJECT packet. I
have a workaround, but it's not exactly nice; more thinking will have to go
into this.
So for now, don't REJECT packets to DNAT'ed destinations.
Once this is solved, my list of pending bugs will be empty.
cheers,
Lennert
_______________________________________________
Bridge mailing list
http://www.math.leidenuniv.nl/mailman/listinfo/bridge