Em 14-04-2016 08:27, Reindl Harald escreveu:
why are that packages dropped in context of nf_nat_ftp? that are the part of FTP connections and that IP exists, has a valid PTR and is a known client and so what is wrong with cotaining "227"? [845643.840984] nf_ct_ftp: dropping packet: partial matching of `227 ' IN= OUT= SRC=192.168.196.1 DST=xx.120.227.194 LEN=53 TOS=0x10 PREC=0x00 TTL=80 ID=24046 DF PROTO=TCP SPT=21 DPT=55980 SEQ=350417036 ACK=3295683477 WINDOW=15752 RES=0x00 ACK PSH FIN URGP=0 [845645.377695] nf_ct_ftp: dropping packet: partial matching of `227 ' IN= OUT= SRC=192.168.196.1 DST=xx.120.227.194 LEN=53 TOS=0x10 PREC=0x00 TTL=80 ID=24047 DF PROTO=TCP SPT=21 DPT=55980 SEQ=350417036 ACK=3295683477 WINDOW=15752 RES=0x00 ACK PSH FIN URGP=0
227 is the reply for PASV command (http://www.serv-u.com/respcode.asp?resp=227), and nf_ct_ftp could get only part of the reply on that packet. So it drops the packet and waits for the next one, which shall contain the full information.
Otherwise it won't be able to expect the new connection. Marcelo _______________________________________________ kernel mailing list kernel@xxxxxxxxxxxxxxxxxxxxxxx http://lists.fedoraproject.org/admin/lists/kernel@xxxxxxxxxxxxxxxxxxxxxxx
