Hi Pablo,

the portmap port must be opened via a static iptables/nftables rule anyway, so adding an expectation table entry for the portmap port is unnecessary.

BR
Daniel

-----Original Message-----
From: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>
Sent: Wednesday, 19 June 2024 13:08
To: pda Pfeil Daniel <pda@xxxxxxxx>
Cc: netfilter-devel@xxxxxxxxxxxxxxx
Subject: Re: [PATCH] conntrackd: helpers/rpc: Don't add expectation table entry for portmap port

On Wed, Jun 19, 2024 at 01:03:20PM +0200, Pablo Neira Ayuso wrote:
> On Thu, Apr 25, 2024 at 12:13:11PM +0000, pda Pfeil Daniel wrote:
> > After an RPC call to portmap using the portmap program number
> > (100000), subsequent RPC calls are not handled correctly by connection tracking.
> > This results in client connections to ports specified in RPC replies
> > failing to operate.
>
> Applied, thanks

Wait, program 100000 usually runs on the portmapper port (tcp,udp/111), which is the one where you install the helper to add expectations:

    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper

How is this working?