Re: helpers register for a specific port, but work anyway

Jan Engelhardt <jengelh@xxxxxxxxxxxxxxx> · Wed, 27 Feb 2008 18:08:14 +0100 (CET)

On Feb 27 2008 15:36, Jozsef Kadlecsik wrote:
>
>On Wed, 27 Feb 2008, Jan Engelhardt wrote:
>
>> in nf_conntrack_ftp.c for example we find
>> 
>>              ftp[i][j].tuple.src.u.tcp.port = htons(ports[i]);
>> 
>> assuming the user does not specify any ports on modprobe, the default 
>> port list defaults to {21}, so ftp[0][x].tuple.src will contain port 21. 
>> But even ftp connections to non-21 ports are inspected for PORT 
>> commands. 
>
>Why do you think so? Ports not specified as FTP command ports are not 
>parsed.

Yes, I find it strange. On the router (192.168.222.1), I do:

# iptables -t nat -A PREROUTING -d 134.76.12.5 -p tcp --dport 2121
	-j DNAT --to 134.76.12.5:21

and on the client (192.168.222.24),:

# conntrack -E expect &
# ftp 134.76.12.5 2121
Connected to ftp5.gwdg.de.
220 "Welcome to FTP5.GWDG.DE."
Name (ftp5.gwdg.de:jengelh): ftp
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> dir
300 proto=6 src=192.168.222.24 dst=134.76.12.5 sport=0 dport=32238
229 Entering Extended Passive Mode (|||32238|)
150 Here comes the directory listing.
drwx------    2 ftp      ftp         16384 Apr 20  2006 lost+found
drwxr-xr-x   33 ftp      ftp          4096 Feb 27 00:58 pub
226 Directory send OK.
ftp>

The 300 proto=6 line comes from conntrack -E --- but if nf_conntrack_ftp
does not parse streams to port 2121 by default, how could it have
set up the expectation?

Case 2. On the router:
# iptables -t nat -A PREROUTING -p tcp --dport 2121 -j REDIRECT --to-ports 21
# rcvsftpd start

On the client:
# ftp 192.168.222.1 2121
Connected to 192.168.222.1.
220 (vsFTPd 2.0.5)
Name (192.168.222.1:jengelh): ftp
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> dir
229 Entering Extended Passive Mode (|||7366|)
150 Here comes the directory listing.
226 Directory send OK.

and this does not analyze ftp, just as I would have guessed from the C code.
But what's with case 1?
-
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html