Alin Năstac <alin.nastac@xxxxxxxxx> wrote:
> Hi,
>
> I've discovered that MASQUERADE target overwrites the CT --helper settings.
> The setup I used is the following:
> iptables -t raw -A PREROUTING -i lan -p tcp --dport 2121 -j CT --helper ftp
> iptables -t nat -A POSTROUTING -o wan -s 192.168.1.0/24 -j MASQUERADE
>
> I found out the problem, the helper set in the conntrack template is
> overwritten by MASQUERADE target.
> This patch fixes the issue:
>
> diff --git a/net/netfilter/nf_conntrack_core.c
> b/net/netfilter/nf_conntrack_core.c
> index bba14a7..ab7cd3e 100644
> --- a/net/netfilter/nf_conntrack_core.c
> +++ b/net/netfilter/nf_conntrack_core.c
> @@ -1445,7 +1445,7 @@ void nf_conntrack_alter_reply(struct nf_conn *ct,
> nf_ct_dump_tuple(newreply);
>
> ct->tuplehash[IP_CT_DIR_REPLY].tuple = *newreply;
> - if (ct->master || (help && !hlist_empty(&help->expectations)))
> + if (ct->master || help)

This is confusing.

This forces re-lookup of helper even if expectations have been set up
(i.e., helper is being used).

IOW, this increases __nf_ct_try_assign_helper() call count...

Would you mind letting us know what kernel version is having problems,
and whether helper autoassignments are enabled?
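
Review bot: the replacement condition "if (ct->master || help)" in nf_conntrack_alter_reply() drops the !hlist_empty(&help->expectations) test, so the branch is now taken for every conntrack that carries a helper extension, not only for one whose helper already has expectations pending. The hunk does not show the branch body, and the description only covers the CT --helper plus MASQUERADE setup, so the changelog should say why the expectations check is no longer needed and how a conntrack whose helper was assigned some other way than the CT target is meant to behave after this change. Separately, the "diff --git" line is split across two lines as quoted, so the patch will probably not apply as sent; it should be resent without mailer line wrapping.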