Re: [PATCH] netfilter: Only call ftp alg when needed

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



The data connection with the FTP alg does not seem to respect the masquerade --to-ports option. 

e.g 
echo 1 > /proc/sys/net/netfilter/nf_conntrack_helper
iptables -t nat -I POSTROUTING -o enp0 -j MASQUERADE -p tcp --to-ports 20000-21000
Send ftp (EPSV) query

The control connection is changed from port 21 -> port 20001
The data connection is changed from port 22912 -> port 54292 

We know which way the flow is going and whether we are port forwarding or masquerading, so we can avoid mangling if we don't need to.
____________________________________
From: Florian Westphal <fw@xxxxxxxxx>
Sent: Wednesday, November 7, 2018 12:51 PM
To: Felix Jia
Cc: Pablo Neira Ayuso; Jason Rippon; netfilter-devel@xxxxxxxxxxxxxxx
Subject: Re: [PATCH] netfilter: Only call ftp alg when needed

Felix Jia <felix.jia@xxxxxxxxxxxxxxxxxxx> wrote:
> From: Jason Rippon <jason.rippon@xxxxxxxxxxxxxxxxxxx>
>
> This ensures that port range masquerade rules work with the ftp alg.
> Previously the tfp data flow was not following the iptables rules.

The data connections are supposed to inherit the NAT transformation
of the master connection (connection created the expectation, i.e. FTP
control connection).

> diff --git a/net/netfilter/nf_conntrack_ftp.c b/net/netfilter/nf_conntrack_ftp.c
> index a11c304fb771..33324c67036c 100644
> --- a/net/netfilter/nf_conntrack_ftp.c
> +++ b/net/netfilter/nf_conntrack_ftp.c
> @@ -521,7 +521,8 @@ static int help(struct sk_buff *skb,
>       /* Now, NAT might want to mangle the packet, and register the
>        * (possibly changed) expectation itself. */
>       nf_nat_ftp = rcu_dereference(nf_nat_ftp_hook);
> -     if (nf_nat_ftp && ct->status & IPS_NAT_MASK)
> +     if (nf_nat_ftp && (((ct->status & IPS_DST_NAT) && dir) ||
> +                        ((ct->status & IPS_SRC_NAT) && !dir)))

I don't understand this patch.

IPS_NAT_MASK is (IPS_DST_NAT|IPS_SRC_NAT), so, if anything,
this avoids calling the nat payload mangling function when
we have dst nat and direction is reply (and src nat for original).

How is that correct?

Moreover, the line is from 2006 so I would be very surprised if it was
flat out broken.




[Index of Archives]     [Netfitler Users]     [LARTC]     [Bugtraq]     [Yosemite Forum]

  Powered by Linux