* 2.6.11 corrupting FTP session
From: Michel Pereira @ 2005-03-18 20:11 UTC
To: netfilter-devel
Hi, after an upgrade to 2.6.11 I'm experiencing a corruption on the commands
sent from the user and to the user like this:
"500 'R'" Command understood.
Thank you
--
Michel Pereira
michel.pereira@eurorscg.com
+55 11 5105 0570
+55 11 5105 0569
www.eurorscg4d.com.br
Euro RSCG 4D
Unix Sex: unzip;strip;touch;finger;mount;fsck;more;yes;umount;sleep
[-- Attachment #2: FtpWithOutNat.bz2 --]
[-- Type: application/octet-stream, Size: 459805 bytes --]
[-- Attachment #3: FtpWithOutNat.bz2.md5 --]
[-- Type: application/octet-stream, Size: 52 bytes --]
9b1235586ea3c03dae53101bae724ac6 FtpWithOutNat.bz2
* Re: 2.6.11 corrupting FTP session
From: Patrick McHardy @ 2005-03-20 16:16 UTC
To: Michel Pereira; +Cc: netfilter-devel
Michel Pereira wrote:
> Hi, after an upgrade to 2.6.11 I'm experiencing a corruption on the commands
> sent from the user and to the user like this:
> "500 'R'" Command understood.
What is your setup (NAT rules, network topology between client and
server)?
Regards
Patrick
* Re: 2.6.11 corrupting FTP session
From: Michel Pereira @ 2005-03-20 17:58 UTC
To: Patrick McHardy; +Cc: netfilter-devel
Quoting Patrick McHardy <kaber@trash.net>:
> What is your setup (NAT rules, network topology between client and
> server)?
Firewall (a) -> Server on DMZ. (NAT of internal network connections)
Firewall (b) -> Internal Network (without NAT of connections)
b - iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
b - iptables -A FORWARD -s myip -d 0/0 -m state --state NEW -j ACCEPT
a - iptables -t nat -A PREROUTING -p TCP -s 0/0 -d 200.162.38.71 --dport 21 -j DNAT --to IPonDMZ
Thank you
--
Michel Pereira
* Re: 2.6.11 corrupting FTP session
From: Harald Welte @ 2005-04-01 6:02 UTC
To: Michel Pereira; +Cc: netfilter-devel, Patrick McHardy
On Sun, Mar 20, 2005 at 02:58:23PM -0300, Michel Pereira wrote:
> Quoting Patrick McHardy <kaber@trash.net>:
> > What is your setup (NAT rules, network topology between client and
> > server)?
>
> Firewall (a) -> Server on DMZ. (NAT of internal network connections)
> Firewall (b) -> Internal Network (without NAT of connections)
>
> b - iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
> b - iptables -A FORWARD -s myip -d 0/0 -m state --state NEW -j ACCEPT
>
> a - iptables -t nat -A PREROUTING -p TCP -s 0/0 -d 200.162.38.71 --dport 21 -j DNAT --to IPonDMZ
This sounds pretty straightforward, still I can't reproduce the problem
at all. Which ftp server and client are you using?
I suppose both firewalls have loaded ip_conntrack_ftp, and 'b' has
ip_nat_ftp ?
--
- Harald Welte <laforge@netfilter.org> http://netfilter.org/
============================================================================
"Fragmentation is like classful addressing -- an interesting early
architectural error that shows how much experimentation was going
on while IP was being designed." -- Paul Vixie
* Re: 2.6.11 corrupting FTP session
From: Milos Wimmer @ 2005-04-02 19:31 UTC
To: netfilter-devel
On Fri, 1 Apr 2005, Harald Welte wrote:
> This sounds pretty straightforward, still I can't reproduce the problem
> at all. Which ftp server and client are you using?
I have the same problem (see Bug #308).
I'm using the command line ftp client on Linux machines and the command line ftp
client on Windows XP.
And any of the ftp servers which I tried (e.g.
ftp://ftp.zcu.cz/pub/doc/rfc/,
ftp://ftp.netfilter.org/pub/patch-o-matic-ng/snapshot/,
ftp.cesnet.cz, ...)
I'm using Linux firewalls with the shorewall package on many sites and I
found this problem on any of them.
For simplification - I built a test configuration with 1 firewall box and 1
client box in my office now. The firewall has 2 interfaces - one to the Internet,
the second to the local network - client. The client box is connected to the firewall with
a crosswired twisted pair cable.
The client uses no iptables and when it is connected to the Internet, it transfers
all files via active ftp session without problems.
On the firewall I use a vanilla Shorewall (2.x.x) configuration with
"loc net ACCEPT" global policy, no other specialities.
When I'm running kernel 2.4.x and 2.6.0-2.6.10 kernel on the firewall,
active ftp session on the client works fine. When I'm running 2.6.11,
2.6.11.x and 2.6.12-rc1 kernel on the firewall box, active ftp session
with "mget *" command fails after 6 transferred files.
Passive ftp session works fine on any kernel.
I used vanilla kernel without patches (I could send you my kernel config
file).
Milos Wimmer
* Re: 2.6.11 corrupting FTP session
From: Phil Oester @ 2005-04-02 19:57 UTC
To: Milos Wimmer; +Cc: netfilter-devel
On Sat, Apr 02, 2005 at 09:31:13PM +0200, Milos Wimmer wrote:
> I have the same problem (see Bug #308).
>
> When I'm running kernel 2.4.x and 2.6.0-2.6.10 kernel on the firewall,
> active ftp session on the client works fine. When I'm running 2.6.11,
> 2.6.11.x and 2.6.12-rc1 kernel on the firewall box, active ftp session
> with "mget *" command fails after 6 transferred files.
> Passive ftp session works fine on any kernel.
I'll post a patch for this shortly -- I've tracked it down to a TCP
sequence adjustment problem.
Phil
* Re: 2.6.11 corrupting FTP session
From: Patrick McHardy @ 2005-04-03 15:58 UTC
To: Harald Welte; +Cc: Michel Pereira, netfilter-devel
Harald Welte wrote:
> This sounds pretty straightforward, still I can't reproduce the problem
> at all. Which ftp server and client are you using?
Me neither. I could trigger it totally unreliably, but couldn't figure
out what the problem is. My guess so far is that it is somehow related
to retransmissions.
Regards
Patrick
* Re: 2.6.11 corrupting FTP session
From: Phil Oester @ 2005-04-03 16:12 UTC
To: Patrick McHardy; +Cc: Harald Welte, Michel Pereira, netfilter-devel
On Sun, Apr 03, 2005 at 05:58:17PM +0200, Patrick McHardy wrote:
> Harald Welte wrote:
> > This sounds pretty straightforward, still I can't reproduce the problem
> > at all. Which ftp server and client are you using?
>
> Me neither. I could trigger it totally unreliably, but couldn't figure
> out what the problem is. My guess so far is that it is somehow related
> to retransmissions.
It is caused by TCP sequence adjustment problems -- see my email with subject
'[PATCH] Fix NAT TCP sequence adjustment'
Phil
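
What TCP sequence adjustment has to do on a NATed FTP control channel, as an added illustration: this is not part of the thread, not netfilter code, and not the patch referred to above, and it does not reproduce the 2.6.11 defect. The addresses, sequence numbers, segments and function names are constructed, and the receiver is a simplified model (no wraparound, no ACK direction).

```python
# Added illustration; not netfilter code. Sequence wraparound and ACK handling omitted.
ISN = 1000  # constructed initial sequence number
SEGMENTS = [  # constructed client -> server control-channel segments: (seq, payload)
    (1000, b"PORT 10,0,0,5,4,1\r\n"),
    (1019, b"RETR a.txt\r\n"),
    (1000, b"PORT 10,0,0,5,4,1\r\n"),   # retransmission of the first segment
    (1031, b"PORT 10,0,0,5,4,2\r\n"),
    (1050, b"RETR b.txt\r\n"),
]

def rewrite_port(payload, new_ip):
    """Swap the address in 'PORT h1,h2,h3,h4,p1,p2' for new_ip; other payloads pass through."""
    if not payload.startswith(b"PORT "):
        return payload
    fields = payload[5:].strip().split(b",")
    if len(fields) != 6:
        return payload
    return b"PORT " + new_ip.replace(".", ",").encode() + b"," + b",".join(fields[4:]) + b"\r\n"

def nat_forward(segments, new_ip, adjust=True):
    """Rewrite PORT commands and, if adjust is set, shift later sequence numbers."""
    out, pos, before, after = [], None, 0, 0
    for seq, payload in segments:
        shift = 0
        if adjust and pos is not None:
            # Data sent after the last rewritten segment carries the newer offset.
            shift = after if seq > pos else before
        mangled = rewrite_port(payload, new_ip)
        delta = len(mangled) - len(payload)
        if delta and (pos is None or seq > pos):  # a retransmission must not count twice
            pos, before, after = seq, after, after + delta
        out.append((seq + shift, mangled))
    return out

def reassemble(segments, isn=ISN):
    """Simplified receiver: bytes already received are dropped, holes are marked '?'."""
    buf = bytearray()
    for seq, payload in segments:
        off = seq - isn
        if off < len(buf):
            payload, off = payload[len(buf) - off:], len(buf)
        buf.extend(b"?" * (off - len(buf)) + payload)
    return bytes(buf)

if __name__ == "__main__":
    print(reassemble(nat_forward(SEGMENTS, "192.0.2.71")))
    print(reassemble(nat_forward(SEGMENTS, "192.0.2.71", adjust=False)))
```

With `adjust=False` each rewritten PORT grows by two bytes, so the server treats the start of the following command as already received and sees a truncated verb, which it would reject as an unknown command.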