netfilter + iproute2 + bridge = incompatible?

After extensive testing, I believe that the combination
netfilter-iproute2-bridge does not work. The following has been set up
on a machine:

- A transparent bridge between eth0 and eth1 (Bridge code patched, so
it act as a hub)

brctl addbr br0
brctl addif br0 eth0
brctl addif br0 eth1
brctl stp br0 off

- Marking certain sessions with netfilter

iptables -t mangle -A PREROUTING -m conntrack --ctorigsrc <address> -j
MARK --set-mark 1
iptables -t mangle -A PREROUTING -m mark --mark 1 -j LOG --log-prefix
"Mark: " #used only for testing

- ip2routing based on netfilter marks

ip rule add fwmark 1 table 2
ip route add 0/0 dev eth2 table 2

A simple drawing of the setup. Notice that the box is located off the
main wire.

External net |
------------ eth2
| +--+--+
TAP----eth0+ +eth1--
| +-----+
------------
Internal net

All interfaces are configured as follows:

ip addr add 0.0.0.0 dev {eth0, eth1, eth2, br0}
ip link set {eth0, eth1, eth2, br0} arp off up

The marking of packets works correctly (log as expected), but iproute2
does not perform routing.

Any suggestions to why this does not work?

-
BTW, using the netfilter route patch/module is not an option as this
removes state entries from /proc/net/ip_conntrack.

I recently found a similar case on this group:

http://groups.google.com/groups?hl=e...5bc.0407202219
..8daacc3%40posting.google.com&rnum=1&prev=/groups%3Fhl%3Den%26lr%3D%26ie%3DUTF
-8%26selm%3Dd10945bc.0407202219.8daacc3%2540posting .google.com

On 3 Aug 2004 02:34:32 -0700, Tor I. Skaar wrote:


> ip rule add fwmark 1 table 2
> ip route add 0/0 dev eth2 table 2

> The marking of packets works correctly (log as expected), but iproute2
> does not perform routing.

> Any suggestions to why this does not work?

I dont know if it makes a difference but I use this syntax:

ip rule add fwmark 1 table 100 pref 1000
ip route add table 200 scope global nexthop dev eth2

--
Morten Isaksen
http://www.aub.dk/~misak/

Morten Isaksen <(E-Mail Removed)> wrote in message news:<15904q5m0c2kn$.z742sb1s38s9$.(E-Mail Removed)> ...
> On 3 Aug 2004 02:34:32 -0700, Tor I. Skaar wrote:
>
>
> > ip rule add fwmark 1 table 2
> > ip route add 0/0 dev eth2 table 2
>
> > The marking of packets works correctly (log as expected), but iproute2
> > does not perform routing.
>
> > Any suggestions to why this does not work?
>
> I dont know if it makes a difference but I use this syntax:
>
> ip rule add fwmark 1 table 100 pref 1000
> ip route add table 200 scope global nexthop dev eth2

It shouldn't make any difference, as the order of the selector (e.g.
fwmark) and action (e.g. table) doesn't matter. And the extra
parameters you use is optional.

The thing is that I have gotten exactly this configuration to work in
a static network setup, but without the bridge (bridge + hub patch).

It's really puzzling, as my iproute2 rules are very simple.