RE: conntrack ftp fails to handle PORT (and PASV?) command when split over multiple TCP packets

Philip:

Thanks for the pointer to frox.

I'm not sure if the DSL modem vendor would add in this piece of opensource
software to their box, but we'll see.

Regards,

Frank

-----Original Message-----
From: Philip Craig [mailto:philipc@xxxxxxxxxxxx] 
Sent: Monday, November 17, 2008 6:30 PM
To: Frank Bulk
Cc: netfilter-devel@xxxxxxxxxxxxxxx
Subject: Re: conntrack ftp fails to handle PORT (and PASV?) command when split over multiple TCP packets

Frank Bulk wrote:
> Can anyone confirm that iptables still behaves this way, and if so, code a
> fix so that no matter how many packets a PORT or PASV command are split
> over (in other words, no matter how small the client's MTU) that iptables
> ACKs each packet received on the LAN side and the ALG properly reassembles
> the command and sends it out the WAN interface?

iptables is a packet filter, not an ALG.  You could add more state to the
helper, but it would be hard to get right, and I don't think it is worth
the effort.  Try using a userspace ftp proxy instead.  (eg I've used frox
with no problems.)
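The failure mode discussed in this thread, shown as an added example that is not code from the thread or from the netfilter ftp helper: a parser that inspects each TCP segment on its own misses a PORT command split across segments, while one that buffers the control stream up to the CRLF sees it. All segment data is constructed, and the buffering version assumes segments arrive in order (a real reassembler would also track TCP sequence numbers).

```python
"""Added example: per-segment vs. reassembled parsing of the FTP PORT command.
Not the netfilter ftp helper's code; constructed data only."""
import re

# 'PORT h1,h2,h3,h4,p1,p2\r\n' as sent by an active-mode FTP client.
PORT_RE = re.compile(rb"PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r\n")


def parse_port(line: bytes):
    """Return (ip, port) for a complete PORT line, or None if it is absent/invalid."""
    m = PORT_RE.search(line)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:  # each field is one octet
        return None
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def per_packet(segments):
    """Stateless: each segment is inspected alone, so a split command is never matched."""
    return [r for seg in segments if (r := parse_port(seg)) is not None]


def reassembled(segments):
    """Stateful: buffer the control stream and parse only complete CRLF-terminated lines.
    Assumes in-order delivery (constructed example; no sequence-number handling)."""
    found, buf = [], b""
    for seg in segments:
        buf += seg
        while b"\r\n" in buf:
            line, _, buf = buf.partition(b"\r\n")
            r = parse_port(line + b"\r\n")
            if r is not None:
                found.append(r)
    return found


# Constructed: the same command, once in a single segment and once split in three
# (as a client with a very small MTU might send it).
WHOLE = [b"PORT 192,168,1,10,4,1\r\n"]
SPLIT = [b"PORT 192,16", b"8,1,10,4", b",1\r\n"]

if __name__ == "__main__":
    print("per-packet, whole:", per_packet(WHOLE))      # [('192.168.1.10', 1025)]
    print("per-packet, split:", per_packet(SPLIT))      # []  <- the data channel is never opened
    print("reassembled, split:", reassembled(SPLIT))    # [('192.168.1.10', 1025)]
```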

