Cole Dishington <Cole.Dishington@xxxxxxxxxxxxxxxxxxx> wrote:
> FTP port selection ignores specified port ranges (with iptables
> masquerade --to-ports) when creating an expectation, based on
> FTP commands PORT or PASV, for the data connection.
>
> Co-developed-by: Anthony Lineham <anthony.lineham@xxxxxxxxxxxxxxxxxxx>
> Signed-off-by: Anthony Lineham <anthony.lineham@xxxxxxxxxxxxxxxxxxx>
> Co-developed-by: Scott Parlane <scott.parlane@xxxxxxxxxxxxxxxxxxx>
> Signed-off-by: Scott Parlane <scott.parlane@xxxxxxxxxxxxxxxxxxx>
> Co-developed-by: Blair Steven <blair.steven@xxxxxxxxxxxxxxxxxxx>
> Signed-off-by: Blair Steven <blair.steven@xxxxxxxxxxxxxxxxxxx>
> Signed-off-by: Cole Dishington <Cole.Dishington@xxxxxxxxxxxxxxxxxxx>
> ---
>
> Notes:
>     Currently with iptables -t nat -j MASQUERADE -p tcp --to-ports 10000-10005,
>     creating a passive ftp connection from a client will result in the control
>     connection being within the specified port range but the data connection being
>     outside of the range. This patch fixes this behaviour to have both connections
>     be in the specified range.
>
>  include/net/netfilter/nf_conntrack.h |  3 +++
>  net/netfilter/nf_nat_core.c          | 10 ++++++----
>  net/netfilter/nf_nat_ftp.c           | 26 ++++++++++++--------------
>  net/netfilter/nf_nat_helper.c        | 12 ++++++++----
>  4 files changed, 29 insertions(+), 22 deletions(-)
>
> diff --git a/include/net/netfilter/nf_conntrack.h b/include/net/netfilter/nf_conntrack.h
> index cc663c68ddc4..b98d5d04c7ab 100644
> --- a/include/net/netfilter/nf_conntrack.h
> +++ b/include/net/netfilter/nf_conntrack.h
> @@ -24,6 +24,8 @@
>
>  #include <net/netfilter/nf_conntrack_tuple.h>
>
> +#include <uapi/linux/netfilter/nf_nat.h>
> +
>  struct nf_ct_udp {
>  	unsigned long stream_ts;
>  };
> @@ -99,6 +101,7 @@ struct nf_conn {
>
>  #if IS_ENABLED(CONFIG_NF_NAT)
>  	struct hlist_node nat_bysource;
> +	struct nf_nat_range2 range;
>  #endif

That's almost a 20% size increase of this structure.

Could you try to rework it based on this?
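Review bot: the include added in the first nf_conntrack.h hunk spells out the `uapi/` path (`#include <uapi/linux/netfilter/nf_nat.h>`); in-tree code includes exported headers as `<linux/netfilter/nf_nat.h>`, which resolves to the uapi copy, so use that form. The include is also unconditional while its only user in the patch is the `range` member sitting under `#if IS_ENABLED(CONFIG_NF_NAT)`; if the member survives, put the include under the same guard, and if the member goes away the include should go with it.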
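Review bot: the `struct nf_nat_range2 range;` member in the `struct nf_conn` hunk stores the full range (address bounds, flags and proto bounds) in every conntrack entry, NAT'd or not, although the commit message only needs the port bounds to keep the data connection inside `--to-ports`; that is the size increase the reviewer objects to, and only the proto min/max need to live anywhere. The hunk also gives the member no comment saying when it is valid: an entry that never went through a NAT rule with a proto range holds whatever the allocation left there, so the FTP helper needs a documented "no range recorded" state (a flag, or an all-zero convention stated next to the member) before it can safely consult it.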
diff --git a/include/net/netfilter/nf_nat.h b/include/net/netfilter/nf_nat.h
--- a/include/net/netfilter/nf_nat.h
+++ b/include/net/netfilter/nf_nat.h
@@ -27,12 +27,18 @@ union nf_conntrack_nat_help {
 #endif
 };
 
+struct nf_conn_nat_range_info {
+	union nf_conntrack_man_proto min_proto;
+	union nf_conntrack_man_proto max_proto;
+};
+
 /* The structure embedded in the conntrack structure. */
 struct nf_conn_nat {
 	union nf_conntrack_nat_help help;
 #if IS_ENABLED(CONFIG_NF_NAT_MASQUERADE)
 	int masq_index;
 #endif
+	struct nf_conn_nat_range_info range_info;
 };
 
 /* Set up the info structure to map into this range. */

... and then store the range min/max proto iff nf_nat_setup_info had
NF_NAT_RANGE_PROTO_SPECIFIED flag set.

I don't think there is a need to keep the information in nf_conn.
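Review bot: `struct nf_conn_nat_range_info` in this hunk carries no indication of whether a range was recorded at all. If `min_proto`/`max_proto` are only written when `NF_NAT_RANGE_PROTO_SPECIFIED` was set, an entry without a range keeps whatever the extension was initialised with, so either the helper must treat an all-zero pair as "unconstrained" and the member comment must say so, or the struct needs a small `flags` field mirroring the range flag. Since `union nf_conntrack_man_proto` is only the 16-bit proto part, the per-entry cost stays at a few bytes either way, which is what makes this placement preferable to a full `nf_nat_range2` in `struct nf_conn`.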
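To make the behaviour the thread argues about concrete, here is an added user-space model of the port selection; it is not kernel code, not the patch under review and not the reviewer's suggested diff. Names such as model_setup_info, pick_data_port, demo_passive_ftp and the bit value chosen for RANGE_PROTO_SPECIFIED are hypothetical, and the in-use port table is constructed for the demo. The model records only the proto bounds, and only when the rule specified a range, as the reviewer suggests, then contrasts a helper that ignores the recorded range (the reported bug) with one that maps the expected data connection into it, including the case where the range is exhausted.

```c
/* Added example: user-space model of honouring a per-connection NAT port
 * range in an FTP-style helper. Not kernel code; all names are hypothetical. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stands in for NF_NAT_RANGE_PROTO_SPECIFIED ("--to-ports was given").
 * The bit value is an assumption of this model, not the uapi value. */
#define RANGE_PROTO_SPECIFIED (1u << 1)

#define PORT_COUNT 65536

/* Stand-in for a nf_conn_nat_range_info-like record: only the proto (port)
 * bounds are kept, not a whole range. min == max == 0 means "no range". */
struct range_info {
	uint16_t min_port;
	uint16_t max_port;
};

/* Minimal stand-in for the NAT extension hung off a conntrack entry. */
struct conn_nat {
	struct range_info range_info;
};

/* Record the range only when the rule actually specified one. */
void model_setup_info(struct conn_nat *nat, unsigned int range_flags,
		      uint16_t min_port, uint16_t max_port)
{
	if (range_flags & RANGE_PROTO_SPECIFIED) {
		nat->range_info.min_port = min_port;
		nat->range_info.max_port = max_port;
	}
}

static bool range_recorded(const struct conn_nat *nat)
{
	return nat->range_info.min_port != 0 || nat->range_info.max_port != 0;
}

/* Buggy behaviour as described in the report: start from the port the client
 * announced in PORT/PASV and walk upwards, never consulting the NAT range
 * that was applied to the control connection. Returns 0 if nothing is free. */
uint16_t pick_data_port_ignoring_range(uint16_t wanted, const bool *used)
{
	for (unsigned int p = wanted; p < PORT_COUNT; p++)
		if (!used[p])
			return (uint16_t)p;
	return 0;
}

/* Fixed behaviour: if the control connection carried a port range, the
 * expected data connection is mapped into that range too. Returns 0 when the
 * range is exhausted, which a real helper would turn into a drop. */
uint16_t pick_data_port(const struct conn_nat *nat, uint16_t wanted,
			const bool *used)
{
	unsigned int lo, hi;

	if (range_recorded(nat)) {
		lo = nat->range_info.min_port;
		hi = nat->range_info.max_port;
	} else {
		lo = wanted;
		hi = PORT_COUNT - 1;
	}
	for (unsigned int p = lo; p <= hi; p++)
		if (!used[p])
			return (uint16_t)p;
	return 0;
}

/* Scenario from the patch notes: MASQUERADE --to-ports 10000-10005 and a
 * client announcing port 40000 for the data connection. ports_taken says how
 * many ports at the start of the range are already busy (constructed state). */
uint16_t demo_passive_ftp(bool rule_has_range, bool fixed, unsigned int ports_taken)
{
	static bool used[PORT_COUNT];
	struct conn_nat nat;
	unsigned int i;

	memset(used, 0, sizeof(used));
	memset(&nat, 0, sizeof(nat));
	for (i = 0; i < ports_taken && 10000 + i <= 10005; i++)
		used[10000 + i] = true;

	model_setup_info(&nat, rule_has_range ? RANGE_PROTO_SPECIFIED : 0,
			 10000, 10005);
	return fixed ? pick_data_port(&nat, 40000, used)
		     : pick_data_port_ignoring_range(40000, used);
}

int main(void)
{
	printf("old helper, ranged rule:   %u\n", demo_passive_ftp(true, false, 0));
	printf("fixed helper, ranged rule: %u\n", demo_passive_ftp(true, true, 1));
	printf("fixed helper, no range:    %u\n", demo_passive_ftp(false, true, 0));
	printf("fixed helper, exhausted:   %u\n", demo_passive_ftp(true, true, 6));
	return 0;
}
```

The "no range" convention (both bounds zero) is the point the suggested struct leaves open; a real implementation would either document that convention next to the member or carry an explicit valid flag, since the helper cannot otherwise tell an untouched entry from a recorded range.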