Re: conntrackd segfault on EPSV IPv6 ftp command when using ftp ExpectationSync

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Bill Fink <billfink@mindspring.com>
To: Pablo Neira Ayuso <pablo@netfilter.org>
Cc: netfilter@vger.kernel.org, netfilter-devel@vger.kernel.org, fw@strlen.de
Subject: Re: conntrackd segfault on EPSV IPv6 ftp command when using ftp ExpectationSync
Date: Thu, 11 Jul 2013 11:19:16 -0400	[thread overview]
Message-ID: <20130711111916.8a9b9d73.billfink@mindspring.com> (raw)
In-Reply-To: <20130711004827.GA5500@localhost>

On Thu, 11 Jul 2013, Pablo Neira Ayuso wrote:

> On Thu, Jul 11, 2013 at 12:08:20AM +0200, Pablo Neira Ayuso wrote:
> > On Wed, Jul 10, 2013 at 05:58:15AM -0400, Bill Fink wrote:
> > > Almost there.  With the above patch, I now successfully get
> > > IPv6 expectations on the backup firewall.  Unfortunately they're
> > > not quite right.  On the backup firewall, the expectation src-IP
> > > is the same as the dst-IP (either IPv4 or IPv6).
> > > 
> > > Primary firewall:
> > > 
> > > [root@sen-fw1 linux-3.7.3-101.fc17.x86_64]# conntrack -L expect
> > > 251 proto=6 src=192.168.218.199 dst=192.168.28.198 sport=0 dport=54705 mask-src=255.255.255.255 mask-dst=255.255.255.255 sport=0 dport=65535 master-src=192.168.218.199 master-dst=192.168.28.198 sport=56877 dport=21 class=0 helper=ftp
> > > conntrack v1.4.0 (conntrack-tools): 1 expectations have been shown.
> > > 
> > > Backup firewall:
> > > 
> > > [root@sen-fw2 linux-3.7.3-101.fc17.x86_64]# conntrack -L expect
> > > 245 proto=6 src=192.168.28.198 dst=192.168.28.198 sport=0 dport=54705 mask-src=255.255.255.255 mask-dst=255.255.255.255 sport=0 dport=65535 master-src=192.168.218.199 master-dst=192.168.28.198 sport=56877 dport=21 class=0 helper=ftp
> > > conntrack v1.4.0 (conntrack-tools): 1 expectations have been shown.
> > > 
> > > This was an unfortunate side affect of the patch to fix the
> > > conntrackd segfault problem.  If I use Florian's version
> > > of the fix segfault patch rather than Pablo's then all is
> > > good.
> > 
> > Thanks for the information, however, we still need to get working back
> > the filtering support.
> > 
> > Could you give a try to the following patch, please?
> > 
> > It applies on top of conntrack-tools master branch, thanks.
> 
> There are still some downsides in the previous solution, please, give
> a try to this patch instead.

The firewalls are now in production, so I don't have the same freedom
I did previously.  I'll check the patch out sometime after hours.
Normally, this weekend would be a good time, but I'm going to be
away this weekend.  So it might be a few days until I get a chance.

Thanks again for all your (and Florian's) great help!

						-Bill

next prev parent reply	other threads:[~2013-07-11 15:19 UTC|newest]

Thread overview: 22+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2013-07-05  6:03 conntrackd segfault on EPSV IPv6 ftp command when using ftp ExpectationSync Bill Fink
2013-07-05  8:19 ` Florian Westphal
2013-07-05 19:45 ` Bill Fink
2013-07-05 23:52   ` Bill Fink
2013-07-06 13:23 ` Pablo Neira Ayuso
2013-07-07  7:04   ` Bill Fink
2013-07-09  5:30     ` Bill Fink
2013-07-09 18:22       ` Pablo Neira Ayuso
2013-07-09 18:22         ` Pablo Neira Ayuso
2013-07-10  9:58         ` Bill Fink
2013-07-10  9:58           ` Bill Fink
2013-07-10 22:08           ` Pablo Neira Ayuso
2013-07-10 22:08             ` Pablo Neira Ayuso
2013-07-11  0:48             ` Pablo Neira Ayuso
2013-07-11  0:48               ` Pablo Neira Ayuso
2013-07-11 15:19               ` Bill Fink [this message]
2013-07-12  7:01               ` Bill Fink
2013-07-15 12:49                 ` Pablo Neira Ayuso
2013-07-16  5:55                   ` Bill Fink
2013-07-16 21:33                     ` Pablo Neira Ayuso
2013-07-16 21:37                       ` Pablo Neira Ayuso
2013-07-22  7:00                       ` Bill Fink

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20130711111916.8a9b9d73.billfink@mindspring.com \
    --to=billfink@mindspring.com \
    --cc=fw@strlen.de \
    --cc=netfilter-devel@vger.kernel.org \
    --cc=netfilter@vger.kernel.org \
    --cc=pablo@netfilter.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.