From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Bill Fink <billfink@mindspring.com>
Cc: netfilter@vger.kernel.org, netfilter-devel@vger.kernel.org, fw@strlen.de
Subject: Re: conntrackd segfault on EPSV IPv6 ftp command when using ftp ExpectationSync
Date: Sat, 6 Jul 2013 15:23:33 +0200
Message-ID: <20130706132333.GA3279@localhost>
In-Reply-To: <20130705020312.25783ccd.billfink@mindspring.com>

Hi,

On Fri, Jul 05, 2013 at 02:03:12AM -0400, Bill Fink wrote:
> [not sure whether to send to netfilter or netfilter-devel,
> so sending to both, but trim replies as appropriate]
>
> I am trying to use the ftp ExpectationSync capability of conntrackd
> for both IPv4 and IPv6 for connections through a pair of bridged
> firewalls (primary / hot backup). I have the following config
> snippet in conntrackd.conf:
>
> Options {
>     ExpectationSync {
>         ftp
>         sip
>         ras     # for H.323
>         q.931   # for H.323
>         h.245   # for H.323
>     }
> }
>
> For IPv4, things work as expected. But when I try the basic
> analogous IPv6 test to the suggested IPv4 test from the
> documentation:
>
> x100ssd2% nc 2001:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx 21
> 220 FTP Server ready.
> USER anonymous
> 331 Anonymous login ok, send your complete email address as your password
> PASS bill@
> 230-
> *** Welcome to this anonymous ftp server! ***
>
> You are user 1 out of a maximum of 10 authorized anonymous logins.
> The current time here is Thu Jul 04 23:40:51 2013.
> If you experience any problems here, contact : root@localhost
>
>
> 230 Anonymous login ok, restrictions apply.
> EPSV
> 229 Entering Extended Passive Mode (|||1584|)
>
> As soon as I enter the EPSV command, I get the following
> conntrackd segfault:
>
> Jul 5 00:41:06 sen-fw1 kernel: [274422.060695] conntrackd[4821]: segfault at 0 ip 000000000040c660 sp 00007fffebb098a8 error 4 in conntrackd[400000+3d000]

I have pushed this patch to fix this issue.

http://git.netfilter.org/conntrack-tools/commit/?id=479a37a549abf197ce59a4ae1666d8cba80fe977

Thanks Florian for diagnosing this, and you for reporting.

> I am using a Fedora 17 3.7.3-101.fc17.x86_64 kernel with
> conntrack-tools-1.4.0-1.fc17.x86_64.
>
> I had to use the attached patch to get "conntrackd -R" to resync
> both IPv4 and IPv6 (enabled with a "Family IPv4-IPv6" entry in
> conntrackd.conf). It works well for me for the basic ct table,
> but I'm not sure about the expect table part since I can't really
> exercise it due to the segfault. Note the segfault also occurs
> with the original unpatched conntrackd, so it's not related to
> my patch.

For this, I have applied the following patch:

http://git.netfilter.org/conntrack-tools/commit/?id=e2c6576e775652c35d336afa0551676339c6a793

Let me know.