Cc'ing Simon and Julian. Please, ack this and I'll place this in the nf.git tree. Thanks.

On Sat, Feb 24, 2018 at 08:41:06PM +0100, Florian Westphal wrote:
> FTP passive mode got broken by this change:
> - if (.. && nfct_nat(ct)) {
> + if (.. (ct->status & IPS_NAT_MASK)) {
>
> The PASV reply sent by the real server needs to be translated to contain
> the load balancer's address, but it is passed unchanged.
>
> IPS_NAT_MASK should be true for connections where reverse
> of reply tuple isn't the original tuple (i.e. connection had
> its source/destination changed), but ipvs uses a different function
> to replace the reply tuple address, and did not set SRC/DST NAT bit.
>
> Reported-by: Li Shuang <shuali@xxxxxxxxxx>
> Fixes: 41390895e50bc4 ("netfilter: ipvs: don't check for presence of nat extension")
> Signed-off-by: Florian Westphal <fw@xxxxxxxxx>
> ---
> net/netfilter/ipvs/ip_vs_nfct.c | 8 ++++++--
> 1 file changed, 6 insertions(+), 2 deletions(-)
>
> diff --git a/net/netfilter/ipvs/ip_vs_nfct.c b/net/netfilter/ipvs/ip_vs_nfct.c
> index 6cf3fd81a5ec..0ceac36819d9 100644
> --- a/net/netfilter/ipvs/ip_vs_nfct.c
> +++ b/net/netfilter/ipvs/ip_vs_nfct.c
> @@ -119,13 +119,17 @@ ip_vs_update_conntrack(struct sk_buff *skb, struct ip_vs_conn *cp, int outin) > if (outin) { > new_tuple.src.u3 = cp->daddr; > if (new_tuple.dst.protonum != IPPROTO_ICMP && > - new_tuple.dst.protonum != IPPROTO_ICMPV6) > + new_tuple.dst.protonum != IPPROTO_ICMPV6) { > new_tuple.src.u.tcp.port = cp->dport; > + ct->status |= IPS_SRC_NAT; > + } > } else { > new_tuple.dst.u3 = cp->vaddr; > if (new_tuple.dst.protonum != IPPROTO_ICMP && > - new_tuple.dst.protonum != IPPROTO_ICMPV6) > + new_tuple.dst.protonum != IPPROTO_ICMPV6) { > new_tuple.dst.u.tcp.port = cp->vport; > + ct->status |= IPS_DST_NAT; > + } > } > IP_VS_DBG(7, "%s: Updating conntrack ct=%p, status=0x%lX, " > "ctinfo=%d, old reply=" FMT_TUPLE > -- > 2.16.1 > > -- > To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in > the body of a message to majordomo@xxxxxxxxxxxxxxx > More majordomo info at http://vger.kernel.org/majordomo-info.html -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
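Review bot: The new `ct->status |= IPS_SRC_NAT;` and `ct->status |= IPS_DST_NAT;` lines sit inside the `protonum != IPPROTO_ICMP && protonum != IPPROTO_ICMPV6` blocks, so an ICMP or ICMPv6 connection whose address is rewritten on the lines just above (`new_tuple.src.u3 = cp->daddr;` / `new_tuple.dst.u3 = cp->vaddr;`) still gets no NAT bit and would keep failing the `ct->status & IPS_NAT_MASK` test this patch is meant to satisfy. Consider setting the status bit outside the port-only branch so it is raised whenever the tuple address changes, or state in the commit message why leaving ICMP out is intended.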