Cole Dishington <Cole.Dishington@xxxxxxxxxxxxxxxxxxx> wrote:
> FTP port selection ignores specified port ranges (with iptables
> masquerade --to-ports) when creating an expectation, based on
> FTP commands PORT or PASV, for the data connection.
>
> For masquerading, this issue allows an FTP client to use unassigned
> source ports for their data connection (in both the PORT and PASV
> cases). This can cause problems in setups that allocate different
> masquerade port ranges for each client.
>
> The proposed fix involves storing a port range (on nf_conn_nat) to:
> - Fix FTP PORT data connections using the stored port range to select a
>   port number in nf_conntrack_ftp.
> - Fix FTP PASV data connections using the stored port range to specify a
>   port range on source port in nf_nat_helper if the FTP PORT/PASV packet
>   comes from the client.

Looks much simpler now, thanks.

Acked-by: Florian Westphal <fw@xxxxxxxxx>