Felix Jia <felix.jia@xxxxxxxxxxxxxxxxxxx> wrote:

> From: Jason Rippon <jason.rippon@xxxxxxxxxxxxxxxxxxx>
>
> This ensures that port range masquerade rules work with the ftp alg.
> Previously the ftp data flow was not following the iptables rules.

The data connections are supposed to inherit the NAT transformation of the master connection (the connection that created the expectation, i.e. the FTP control connection).

> diff --git a/net/netfilter/nf_conntrack_ftp.c b/net/netfilter/nf_conntrack_ftp.c > index a11c304fb771..33324c67036c 100644 > --- a/net/netfilter/nf_conntrack_ftp.c > +++ b/net/netfilter/nf_conntrack_ftp.c > @@ -521,7 +521,8 @@ static int help(struct sk_buff *skb, > /* Now, NAT might want to mangle the packet, and register the > * (possibly changed) expectation itself. */ > nf_nat_ftp = rcu_dereference(nf_nat_ftp_hook); > - if (nf_nat_ftp && ct->status & IPS_NAT_MASK) > + if (nf_nat_ftp && (((ct->status & IPS_DST_NAT) && dir) || > + ((ct->status & IPS_SRC_NAT) && !dir)))

I don't understand this patch.

IPS_NAT_MASK is (IPS_DST_NAT|IPS_SRC_NAT), so, if anything, this avoids calling the nat payload mangling function when we have dst nat and direction is reply (and src nat for original). How is that correct?

Moreover, the line is from 2006 so I would be very surprised if it was flat out broken.
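Review bot: the new condition in the help() hunk is strictly narrower than the old `ct->status & IPS_NAT_MASK` test, and the commit message gives no reason for skipping the NAT hook in the two combinations it drops: IPS_SRC_NAT set without IPS_DST_NAT when `dir` is non-zero, and IPS_DST_NAT set without IPS_SRC_NAT when `dir` is zero. The context comment right above the call says the hook both mangles the packet and registers the (possibly changed) expectation itself, so in those two cases the change alters which code registers the expectation and with what tuple; nothing in the hunk shows how that makes the data connection follow a port-range masquerade rule. If the actual problem is the expectation's NAT setup for a MASQUERADE --to-ports rule, the fix belongs in the NAT FTP helper that the hook points to, not in gating whether it is called; at minimum the commit message should name the failing rule and the observed data-connection tuple before and after. Style: the nested parentheses are hard to read; a local such as `bool nat_this_dir = dir ? (ct->status & IPS_DST_NAT) : (ct->status & IPS_SRC_NAT);` tested in the `if` would make the intended per-direction logic explicit.

To make the objection about the narrowed gate concrete, here is an added userspace model of the condition before and after the patch. This is example code written for this page, not kernel code and not part of the patch; gate_before, gate_after, dropped_cases and is_dropped are names chosen here. The bit values for IPS_SRC_NAT and IPS_DST_NAT and the direction encoding (IP_CT_DIR_ORIGINAL = 0, IP_CT_DIR_REPLY = 1) are the kernel's; nf_nat_ftp itself is not modelled, only whether it would be called. The model enumerates every combination of the two NAT status bits and both directions and lists the cases where the old test called the hook but the new one does not.

```c
#include <stdbool.h>
#include <stdio.h>

/* Bit values as in the kernel UAPI header nf_conntrack_common.h. */
#define IPS_SRC_NAT_BIT 4
#define IPS_SRC_NAT     (1UL << IPS_SRC_NAT_BIT)
#define IPS_DST_NAT_BIT 5
#define IPS_DST_NAT     (1UL << IPS_DST_NAT_BIT)
#define IPS_NAT_MASK    (IPS_DST_NAT | IPS_SRC_NAT)

/* Direction encoding as in nf_conntrack_tuple_common.h: original 0, reply 1.
 * In the FTP helper `dir` is CTINFO2DIR(ctinfo), so non-zero means reply. */
enum ip_conntrack_dir { IP_CT_DIR_ORIGINAL = 0, IP_CT_DIR_REPLY = 1 };

/* Gate as it stood before the patch: call the NAT hook whenever either NAT bit is set. */
static bool gate_before(unsigned long status, int dir)
{
    (void)dir;                      /* direction did not matter here */
    return (status & IPS_NAT_MASK) != 0;
}

/* Gate as written in the patch, transcribed literally (example model, not kernel code). */
static bool gate_after(unsigned long status, int dir)
{
    return ((status & IPS_DST_NAT) && dir) || ((status & IPS_SRC_NAT) && !dir);
}

/* True when the old gate called the hook for this pair but the new one does not. */
static bool is_dropped(unsigned long status, int dir)
{
    return gate_before(status, dir) && !gate_after(status, dir);
}

/* One (status, dir) pair the patch stops passing to the NAT hook. */
struct dropped_case { unsigned long status; int dir; };

/* Enumerate all four NAT-bit combinations in both directions and collect the
 * pairs the patch drops. Returns the count; at most `max` entries are written. */
static int dropped_cases(struct dropped_case *out, int max)
{
    static const unsigned long statuses[] = {
        0, IPS_SRC_NAT, IPS_DST_NAT, IPS_SRC_NAT | IPS_DST_NAT
    };
    int n = 0;
    for (size_t i = 0; i < sizeof(statuses) / sizeof(statuses[0]); i++) {
        for (int dir = IP_CT_DIR_ORIGINAL; dir <= IP_CT_DIR_REPLY; dir++) {
            if (!is_dropped(statuses[i], dir))
                continue;
            if (n < max) {
                out[n].status = statuses[i];
                out[n].dir = dir;
            }
            n++;
        }
    }
    return n;
}

/* The patch never adds a call: wherever the new gate fires, the old one fired too. */
static bool new_gate_is_subset(void)
{
    static const unsigned long statuses[] = {
        0, IPS_SRC_NAT, IPS_DST_NAT, IPS_SRC_NAT | IPS_DST_NAT
    };
    for (size_t i = 0; i < sizeof(statuses) / sizeof(statuses[0]); i++)
        for (int dir = IP_CT_DIR_ORIGINAL; dir <= IP_CT_DIR_REPLY; dir++)
            if (gate_after(statuses[i], dir) && !gate_before(statuses[i], dir))
                return false;
    return true;
}

static const char *status_name(unsigned long status)
{
    switch (status) {
    case 0:                        return "no NAT";
    case IPS_SRC_NAT:              return "SRC_NAT only";
    case IPS_DST_NAT:              return "DST_NAT only";
    case IPS_SRC_NAT | IPS_DST_NAT: return "SRC_NAT|DST_NAT";
    default:                       return "?";
    }
}

int main(void)
{
    struct dropped_case cases[8];
    int n = dropped_cases(cases, 8);
    for (int i = 0; i < n; i++)
        printf("nf_nat_ftp no longer called: %s, direction %s\n",
               status_name(cases[i].status),
               cases[i].dir == IP_CT_DIR_REPLY ? "reply" : "original");
    printf("new gate is a subset of old gate: %s\n", new_gate_is_subset() ? "yes" : "no");
    return 0;
}
```

Running it lists exactly two dropped pairs: SRC_NAT-only in the reply direction and DST_NAT-only in the original direction, and confirms the patch only ever removes calls. For a plain masquerade (SRC_NAT set, DST_NAT clear) that means the hook still sees the client's command in the original direction but no longer sees the server's reply, which is the case to account for in the commit message.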