Is there anything more you need from me?

I have tested this with old Kernel releases, as well as Net-next, and the FTP alg does not seem to respect the masquerade --to-ports option.

e.g.

echo 1 > /proc/sys/net/netfilter/nf_conntrack_helper
iptables -t nat -I POSTROUTING -o enp0 -j MASQUERADE -p tcp --to-ports 20000-21000

Send ftp (EPSV) query

The control connection is changed from port 21 -> port 20001
The data connection is changed from port 22912 -> port 54292

________________________________________
From: Jason Rippon
Sent: Thursday, November 8, 2018 2:15 PM
To: Florian Westphal; Felix Jia
Cc: Pablo Neira Ayuso; netfilter-devel@xxxxxxxxxxxxxxx
Subject: Re: [PATCH] netfilter: Only call ftp alg when needed

The data connection with the FTP alg does not seem to respect the masquerade --to-ports option.

e.g.

echo 1 > /proc/sys/net/netfilter/nf_conntrack_helper
iptables -t nat -I POSTROUTING -o enp0 -j MASQUERADE -p tcp --to-ports 20000-21000

Send ftp (EPSV) query

The control connection is changed from port 21 -> port 20001
The data connection is changed from port 22912 -> port 54292

We know which way the flow is going and whether we are port forwarding or masquerading, so we can avoid mangling if we don't need to.

____________________________________
From: Florian Westphal <fw@xxxxxxxxx>
Sent: Wednesday, November 7, 2018 12:51 PM
To: Felix Jia
Cc: Pablo Neira Ayuso; Jason Rippon; netfilter-devel@xxxxxxxxxxxxxxx
Subject: Re: [PATCH] netfilter: Only call ftp alg when needed

Felix Jia <felix.jia@xxxxxxxxxxxxxxxxxxx> wrote:
> From: Jason Rippon <jason.rippon@xxxxxxxxxxxxxxxxxxx>
>
> This ensures that port range masquerade rules work with the ftp alg.
> Previously the ftp data flow was not following the iptables rules.

The data connections are supposed to inherit the NAT transformation of the master connection (the connection that created the expectation, i.e. the FTP control connection).
> diff --git a/net/netfilter/nf_conntrack_ftp.c b/net/netfilter/nf_conntrack_ftp.c
> index a11c304fb771..33324c67036c 100644
> --- a/net/netfilter/nf_conntrack_ftp.c
> +++ b/net/netfilter/nf_conntrack_ftp.c
> @@ -521,7 +521,8 @@ static int help(struct sk_buff *skb,
>  	/* Now, NAT might want to mangle the packet, and register the
>  	 * (possibly changed) expectation itself. */
>  	nf_nat_ftp = rcu_dereference(nf_nat_ftp_hook);
> -	if (nf_nat_ftp && ct->status & IPS_NAT_MASK)
> +	if (nf_nat_ftp && (((ct->status & IPS_DST_NAT) && dir) ||
> +			   ((ct->status & IPS_SRC_NAT) && !dir)))

I don't understand this patch.

IPS_NAT_MASK is (IPS_DST_NAT|IPS_SRC_NAT), so, if anything, this avoids calling the nat payload mangling function when we have dst nat and direction is reply (and src nat for original).

How is that correct?

Moreover, the line is from 2006 so I would be very surprised if it was flat out broken.
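Review bot: the replacement condition on the `+` lines changes behaviour for every NATed FTP connection, not just the masquerade-with-port-range case the commit message describes: with `(IPS_DST_NAT && dir) || (IPS_SRC_NAT && !dir)` the `nf_nat_ftp` hook is no longer called for source-NATed connections in the reply direction or for destination-NATed connections in the original direction, yet nothing in this hunk touches how the expected data connection derives its NAT range from the master connection, which is what the reported port-range problem is about. Suggest keeping `if (nf_nat_ftp && ct->status & IPS_NAT_MASK)` and locating the port-range handling where the expectation is NATed, or, if skipping the hook for those direction/NAT combinations is intended, stating in the commit message why payload mangling is never needed there (the helper parses both the client's command and the server's reply, so each direction can carry address data that needs rewriting). The hunk header also announces 7/8 lines but the quoted hunk ends after the two `+` lines, so the trailing context is missing from the posted patch.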