Hi!
After upgrading to 2.6.9-rc3 on the firewall (with NAT), active FTP stopped
working. The first kernel which doesn't work is 2.6.9-rc1.
Symptoms: passive FTP works O.K., active FTP doesn't open the data stream (and in
the logs there are entries about invalid packets - using
iptables ... -m state --state INVALID -j LOG)
If you need any extra data point, mail me.
Cheers,
Vita Samel
On Fri, Oct 01, 2004 at 01:12:01PM +0200, Vitezslav Samel wrote:
> Hi!
>
> After upgrading to 2.6.9-rc3 on the firewall (with NAT), active FTP stopped
> working. The first kernel which doesn't work is 2.6.9-rc1.
> Symptoms: passive FTP works O.K., active FTP doesn't open the data stream (and in
> the logs there are entries about invalid packets - using
> iptables ... -m state --state INVALID -j LOG)
I just tried to reproduce the problem. Can you confirm the problem
disappears after executing
echo 1 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_be_liberal
on your NAT box?
> Cheers,
> Vita Samel
--
- Harald Welte <[email protected]> http://www.netfilter.org/
============================================================================
"Fragmentation is like classful addressing -- an interesting early
architectural error that shows how much experimentation was going
on while IP was being designed." -- Paul Vixie
On Fri, Oct 01, 2004 at 03:22:48PM +0200, Harald Welte wrote:
> On Fri, Oct 01, 2004 at 01:12:01PM +0200, Vitezslav Samel wrote:
> > Hi!
> >
> > After upgrading to 2.6.9-rc3 on the firewall (with NAT), active FTP stopped
> > working. The first kernel which doesn't work is 2.6.9-rc1.
> > Symptoms: passive FTP works O.K., active FTP doesn't open the data
> > stream (and in the logs there are entries about invalid packets - using
> > iptables ... -m state --state INVALID -j LOG)
Please use the following (attached) fix:
DaveM: Please apply and push to Linus:
Thanks!
Fix NAT helper code to update TCP window tracking information
if it resizes the payload (and thus alters sequence numbers).
This patchlet was somehow lost during the 2.4.x->2.6.x port of TCP
window tracking :(
Signed-off-by: Harald Welte <[email protected]>
--- linux-2.6.9-rc3-plain/net/ipv4/netfilter/ip_nat_helper.c 2004-10-01 12:08:40.000000000 +0000
+++ linux-2.6.9-rc3-test/net/ipv4/netfilter/ip_nat_helper.c 2004-10-01 13:37:05.283639640 +0000
@@ -347,7 +347,7 @@
return 1;
}
-/* TCP sequence number adjustment. Returns true or false. */
+/* TCP sequence number adjustment. Returns 1 on success, 0 on failure */
int
ip_nat_seq_adjust(struct sk_buff **pskb,
struct ip_conntrack *ct,
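Review bot: the reworded comment on ip_nat_seq_adjust() now states the 1/0 return convention, but it still does not mention that the function has a side effect beyond rewriting seq/ack, namely refreshing conntrack's TCP window tracking (the ip_conntrack_tcp_update() call added in the next hunk). Suggest something like "/* TCP sequence number adjustment; also updates conntrack TCP window tracking. Returns 1 on success, 0 on failure */" so callers know conntrack state is touched here.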
@@ -396,7 +396,12 @@
tcph->seq = newseq;
tcph->ack_seq = newack;
- return ip_nat_sack_adjust(pskb, tcph, ct, ctinfo);
+ if (!ip_nat_sack_adjust(pskb, tcph, ct, ctinfo))
+ return 0;
+
+ ip_conntrack_tcp_update(*pskb, ct, dir);
+
+ return 1;
}
static inline int
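Review bot: the new ip_conntrack_tcp_update(*pskb, ct, dir) call uses `dir`, which is not declared in the visible lines of this hunk; please confirm it is the connection direction already derived from ctinfo earlier in ip_nat_seq_adjust() and not an uninitialised local. The placement is correct: the update runs after tcph->seq and tcph->ack_seq have been rewritten, so window tracking sees the translated numbers, which is the step the changelog says was lost in the 2.4.x->2.6.x port. Returning 0 before the update when ip_nat_sack_adjust() fails is also fine, since the packet is then dropped and should not advance the tracked window. A one-line comment at the call site stating that it must stay after the seq/ack rewrite would keep a future reordering from reintroducing the bug.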
--
- Harald Welte <[email protected]> http://www.netfilter.org/
On Fri, 1 Oct 2004 16:10:50 +0200
Harald Welte <[email protected]> wrote:
> On Fri, Oct 01, 2004 at 03:22:48PM +0200, Harald Welte wrote:
> > On Fri, Oct 01, 2004 at 01:12:01PM +0200, Vitezslav Samel wrote:
> > > Hi!
> > >
> > > After upgrading to 2.6.9-rc3 on the firewall (with NAT), active FTP stopped
> > > working. The first kernel which doesn't work is 2.6.9-rc1.
> > > Symptoms: passive FTP works O.K., active FTP doesn't open the data
> > > stream (and in the logs there are entries about invalid packets - using
> > > iptables ... -m state --state INVALID -j LOG)
>
> Please use the following (attached) fix:
>
> DaveM: Please apply and push to Linus:
Will do, thanks Harald.
Hi!
> > After upgrading to 2.6.9-rc3 on the firewall (with NAT), active FTP stopped
> > working. The first kernel which doesn't work is 2.6.9-rc1.
> > Symptoms: passive FTP works O.K., active FTP doesn't open the data stream (and in
> > the logs there are entries about invalid packets - using
> > iptables ... -m state --state INVALID -j LOG)
>
> I just tried to reproduce the problem. Can you confirm the problem
> disappears after executing
>
> echo 1 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_be_liberal
>
> on your NAT box?
[...]
> Please use the following (attached) fix:
>
> Fix NAT helper code to update TCP window tracking information
> if it resizes the payload (and thus alters sequence numbers).
>
> This patchlet was somehow lost during the 2.4.x->2.6.x port of TCP
> window tracking :(
>
> Signed-off-by: Harald Welte <[email protected]>
>
> --- linux-2.6.9-rc3-plain/net/ipv4/netfilter/ip_nat_helper.c 2004-10-01 12:08:40.000000000 +0000
> +++ linux-2.6.9-rc3-test/net/ipv4/netfilter/ip_nat_helper.c 2004-10-01 13:37:05.283639640 +0000
> @@ -347,7 +347,7 @@
> return 1;
> }
>
> -/* TCP sequence number adjustment. Returns true or false. */
> +/* TCP sequence number adjustment. Returns 1 on success, 0 on failure */
> int
> ip_nat_seq_adjust(struct sk_buff **pskb,
> struct ip_conntrack *ct,
> @@ -396,7 +396,12 @@
> tcph->seq = newseq;
> tcph->ack_seq = newack;
>
> - return ip_nat_sack_adjust(pskb, tcph, ct, ctinfo);
> + if (!ip_nat_sack_adjust(pskb, tcph, ct, ctinfo))
> + return 0;
> +
> + ip_conntrack_tcp_update(*pskb, ct, dir);
> +
> + return 1;
> }
>
> static inline int
Both solutions are working fine here.
Thanks,
Vita Samel