Package: linux-2.6
Version: 3.0.0-1
Severity: important
*** Please type your report below this line ***
I'm using a lemote mini-pc as my gateway through simple iptables
configuration. I use debian unstable. With yesterday upgrade which
updated linux kernel to 3.0.0-1 and iptables as well, my gateway
broke.
% cat /var/log/aptitude
...
[UPGRADE] iptables 1.4.11.1-3 -> 1.4.12-1
...
[UPGRADE] linux-image-loongson-2f 2.6.39+35.1 -> 3.0.0+39
...
What got broken is some connection from internal boxes connected to
the gateway to some outside places external to the gateway.
For example, trying to upgrade again Today from the gateway had no
problem at all. However trying to upgrade from an internal box was
hard, both in the sense that getting the headers took way longer than
in the gateway, and that when the time came for safe-upgrade and after
downloading the packages, apt-listbugs just failed indicating it
couldn't connect to extract the bug information. To get to upgrade on
the internal boxes, the apt-listbugs part of the process was canceled.
I also connect to a msn account through pidgin. But since the upgrade
until I installed back 2.6.39-2 linux kernel, I could NOT connect at
all to msn. To get msn workign back, I just had to install old prior
working kernel 2.6.39-2.
The prior confirms to me that actually the problem was not with
iptables, since I didn't have to even try downgrading it. Just by
installing 2.6.39-2 linux kernel version for loongson-2f worked out
great.
Notice that there are several changes in the kernel config files
(under boot) between 2.6.39-2 and 3.0.0-1, however I couldn't
appreciate any significant variation that could have affected the
iptables behavior. My iptables script that is under:
/etc/network/if-up.d/00_gateway
It's pretty simple:
++
# delete all existing rules and clean up.
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X
# Always accept loopback traffic
iptables -A INPUT -i lo -j ACCEPT
# Allow established connections, and those not coming from the outside
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state NEW ! -i ppp0 -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -i ppp0 -o
eth0 -j ACCEPT
# Allow outgoing connections from the LAN side.
iptables -A FORWARD -i eth0 -o ppp0 -j ACCEPT
# Masquerade.
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
# Don't forward from the outside to the inside.
iptables -A FORWARD -i ppp0 -o ppp0 -j REJECT
++
That's it, pretty simple as well... Also I'm using an usb NIC to
connect outside the gateway through ppp:
/etc/network/interfaces
++
auto lo
iface lo inet loopback
# The internal LAN on embedded NIC
auto eth0
iface eth0 inet static
pre-up /sbin/ethtool -K eth0 rx off
post-up /sbin/ethtool -K eth0 rx off
address 192.168.2.1
netmask 255.255.255.0
network 192.168.2.0
broadcast 192.168.2.255
# The external LAN USB NIC
auto eth1
iface eth1 inet manual
## The dsl-provider through PPPoE
auto dsl-provider
iface dsl-provider inet ppp
pre-up /sbin/ifconfig eth1 up # line maintained by pppoeconf
provider dsl-provider
post-down /sbin/ifconfig eth1 down
++
I didn't have the post-up command before for the built-in NIC, but one
of my initial thoughs was that perhaps one of the changes was related
to that, but in reality it was not the issue. One needs to disable
hardware crc sum calculation on the realtek built-in card otherwise
the NIC transports wrong packages... Again this seems not to be the
issue though, since the setting (/sbin/ethtool -K eth0 rx off) is
working out in the prior kernel, and has no observed effect in the
current one.
So I can't really use at this moment linux kernel 3.0.0-1 on my
gateway. My work around was to use prior one 2.6.39-2 still present
on testing, and with the work around the problems go away, :-)
Not sure what changes in the linux kernel for loongson-2f cause the
new misbehavior, but it's sure the kernel is the one preventing my
connections from internal boxes connected to my gateway...
% aptitude search '~i' | 'grep' linux-image
u linux-image-2.6-loongson-2f - Linux for Loongson 2F (dummy package)
i linux-image-2.6.39-2-loongson-2 - Linux 2.6.39 for Loongson 2F
i A linux-image-3.0.0-1-loongson-2f - Linux 3.0.0 for Loongson 2F
i linux-image-loongson-2f - Linux for Loongson 2F (meta-package)
Any help to get the kernel work properly with iptables for a gateway
will be most appreciated...
Thanks,
Javier.
-- Package-specific info:
** Model information
system type : lemote-fuloong-2f-box
cpu model : ICT Loongson-2 V0.3 FPU V0.1
** PCI devices:
00:06.0 Ethernet controller [0200]: Realtek Semiconductor Co., Ltd.
RTL-8169 Gigabit Ethernet [10ec:8169] (rev 10)
Subsystem:
