Re: [PATCH] netfilter: nf_conntrack_amanda: add support for STATE streams

Hi Florian

On Thu, Feb 14, 2019 at 12:30:41PM +0100, Florian Tham wrote:
> Hello,
> 
> after upgrading our amanda servers from version 3.3.9 to 3.5.1, the
> servers could no longer pull backups from the clients. The clients are
> located behind iptables firewalls with NAT.
> 
> Apparently, amanda 3.4 modified the CONNECT command used by
> nf_conntrack_amanda to discover related connections [0].
>
> The patch updates nf_conntrack_amanda accordingly. Client-server
> communication works again across all amanda versions.

Thanks for submitting your patch.

I need a few changes:

1) You have to add your Signed-off-by tag to your patches to fulfill
   DCO [1].

2) Please, create your patch in git-format-patch, so I can apply this
   here via git am.

3) Optional, not a deal breaker: A bit more detailed description of this
   new STATE parameter in the Amanda protocol.

[1] https://developercertificate.org/

More questions below regarding the code.

> [0]
> https://github.com/zmanda/amanda/commit/3b8384fc9f2941e2427f44c3aee29f561ed67894#diff-711e502fc81a65182c0954765b42919eR456
> 
> Best regards,
> 
> Florian

> --- a/net/netfilter/nf_conntrack_amanda.c	2019-02-12 12:58:01.984724711 +0100
> +++ b/net/netfilter/nf_conntrack_amanda.c	2019-02-12 12:57:41.104816972 +0100
> @@ -54,6 +54,7 @@
>  	SEARCH_DATA,
>  	SEARCH_MESG,
>  	SEARCH_INDEX,
> +	SEARCH_STATE,
>  };
>  
>  static struct {
> @@ -81,6 +82,10 @@
>  		.string = "INDEX ",
>  		.len	= 6,
>  	},
> +	[SEARCH_STATE] = {
> +		.string = "STATE ",
> +		.len	= 6,
> +	},
>  };
>  
>  static int amanda_help(struct sk_buff *skb,
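
Review bot: The new [SEARCH_STATE] entry carries no hint of what a STATE stream is, and the description only says that amanda 3.4 modified the CONNECT command. A one-line comment above the entry, or a sentence in the changelog, naming the Amanda version that introduced the "STATE " keyword would document why the entry was added.
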
> @@ -124,7 +129,7 @@
>  		goto out;
>  	stop += start;
>  
> -	for (i = SEARCH_DATA; i <= SEARCH_INDEX; i++) {
> +	for (i = SEARCH_DATA; i <= SEARCH_STATE; i++) {
>  		off = skb_find_text(skb, start, stop, search[i].ts);
>  		if (off == UINT_MAX)
>  			continue;
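
Review bot: The upper bound on the changed `for` line is still tied to whichever enumerator happens to be last, so the next stream keyword needs this line edited again and is easy to miss. Since SEARCH_STATE is the final entry of both the enum and search[], `i < ARRAY_SIZE(search)` (or a trailing sentinel enumerator) would pick up new entries automatically.
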
> @@ -168,7 +173,7 @@
>  }
>  
>  static const struct nf_conntrack_expect_policy amanda_exp_policy = {
> -	.max_expected		= 3,
> +	.max_expected		= 4,
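
Review bot: The `.max_expected` change from 3 to 4 is not justified anywhere in the description. If the intent is one pending expectation per keyword the search loop now covers (DATA, MESG, INDEX, STATE), say so in the changelog; if a fourth expectation is never pending at the same time as the other three, leave the limit at 3.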

Why raise this to 4? This is the maximum number of active expectations.
Expectations go away as soon as they are confirmed by a matching
connection.

Thanks!


