* [helper PATCH] Preserve conntrack helper bound through CT rule
@ 2014-03-26 12:34 Alin Năstac
2014-03-26 13:04 ` Florian Westphal
0 siblings, 1 reply; 5+ messages in thread
From: Alin Năstac @ 2014-03-26 12:34 UTC (permalink / raw)
To: netfilter-devel
Hi,
I've discovered that MASQUERADE target overwrites the CT --helper settings.
The setup I used is the following:
iptables -t raw -A PREROUTING -i lan -p tcp --dport 2121 -j CT --helper ftp
iptables -t nat -A POSTROUTING -o wan -s 192.168.1.0/24 -j MASQUERADE
I found out the problem, the helper set in the conntrack template is
overwritten by MASQUERADE target.
This patch fixes the issue:
diff --git a/net/netfilter/nf_conntrack_core.c
b/net/netfilter/nf_conntrack_core.c
index bba14a7..ab7cd3e 100644
--- a/net/netfilter/nf_conntrack_core.c
+++ b/net/netfilter/nf_conntrack_core.c
@@ -1445,7 +1445,7 @@ void nf_conntrack_alter_reply(struct nf_conn *ct,
nf_ct_dump_tuple(newreply);
ct->tuplehash[IP_CT_DIR_REPLY].tuple = *newreply;
- if (ct->master || (help && !hlist_empty(&help->expectations)))
+ if (ct->master || help)
return;
rcu_read_lock();
I didn't used the latest kernel, but seems the problem is still present.
Best regs,
Alin
^ permalink raw reply related [flat|nested] 5+ messages in thread* Re: [helper PATCH] Preserve conntrack helper bound through CT rule
2014-03-26 12:34 [helper PATCH] Preserve conntrack helper bound through CT rule Alin Năstac
@ 2014-03-26 13:04 ` Florian Westphal
2014-03-26 13:18 ` Alin Năstac
0 siblings, 1 reply; 5+ messages in thread
From: Florian Westphal @ 2014-03-26 13:04 UTC (permalink / raw)
To: Alin Năstac; +Cc: netfilter-devel
Alin Năstac <alin.nastac@gmail.com> wrote:
> Hi,
>
> I've discovered that MASQUERADE target overwrites the CT --helper settings.
> The setup I used is the following:
> iptables -t raw -A PREROUTING -i lan -p tcp --dport 2121 -j CT --helper ftp
> iptables -t nat -A POSTROUTING -o wan -s 192.168.1.0/24 -j MASQUERADE
>
> I found out the problem, the helper set in the conntrack template is
> overwritten by MASQUERADE target.
> This patch fixes the issue:
>
> diff --git a/net/netfilter/nf_conntrack_core.c
> b/net/netfilter/nf_conntrack_core.c
> index bba14a7..ab7cd3e 100644
> --- a/net/netfilter/nf_conntrack_core.c
> +++ b/net/netfilter/nf_conntrack_core.c
> @@ -1445,7 +1445,7 @@ void nf_conntrack_alter_reply(struct nf_conn *ct,
> nf_ct_dump_tuple(newreply);
>
> ct->tuplehash[IP_CT_DIR_REPLY].tuple = *newreply;
> - if (ct->master || (help && !hlist_empty(&help->expectations)))
> + if (ct->master || help)
This is confusing. This forces re-ookup of helper even if
expectations have been setup (i.e., helper is being used).
IOW, this increases __nf_ct_try_assign_helper() call count...
Would you mind letting us know what kernel version is having problems,
and wheter helper autoassignments are enabled?
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [helper PATCH] Preserve conntrack helper bound through CT rule
2014-03-26 13:04 ` Florian Westphal
@ 2014-03-26 13:18 ` Alin Năstac
2014-03-26 16:57 ` Florian Westphal
0 siblings, 1 reply; 5+ messages in thread
From: Alin Năstac @ 2014-03-26 13:18 UTC (permalink / raw)
To: Florian Westphal; +Cc: netfilter-devel
Hi Florian,
Quite the contrary, the new code would be
if (ct->master || help)
return;
This will relax the if statement condition, which will decrease the
__nf_ct_try_assing_helper() call count.
Anyway, I use a Broadcom patched 3.4.11, but I checked the origin of
the call, it does not originate from their patches, in comes from
nf_nat_setup_info(ct, &newrange, NF_NAT_MANIP_SRC) call found in
masquerade_tg().
Helper auto assignments are enabled (in that version is not possible
to inhibit them outside loading nf_conntrack_ftp with ports=0).
^ permalink raw reply [flat|nested] 5+ messages in thread* Re: [helper PATCH] Preserve conntrack helper bound through CT rule
2014-03-26 13:18 ` Alin Năstac
@ 2014-03-26 16:57 ` Florian Westphal
2014-03-26 20:59 ` Alin Năstac
0 siblings, 1 reply; 5+ messages in thread
From: Florian Westphal @ 2014-03-26 16:57 UTC (permalink / raw)
To: Alin Năstac; +Cc: Florian Westphal, netfilter-devel
Alin Năstac <alin.nastac@gmail.com> wrote:
> Hi Florian,
>
> Quite the contrary, the new code would be
> if (ct->master || help)
> return;
> This will relax the if statement condition, which will decrease the
> __nf_ct_try_assing_helper() call count.
Right.
> Anyway, I use a Broadcom patched 3.4.11, but I checked the origin of
> the call, it does not originate from their patches, in comes from
> nf_nat_setup_info(ct, &newrange, NF_NAT_MANIP_SRC) call found in
> masquerade_tg().
I guess this was fixed by
commit 6714cf5465d2803a21c6a46c1ea747795a8889fa
'netfilter: nf_conntrack: fix explicit helper attachment and NAT').
in 3.5 kernel.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2014-03-26 20:59 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2014-03-26 12:34 [helper PATCH] Preserve conntrack helper bound through CT rule Alin Năstac
2014-03-26 13:04 ` Florian Westphal
2014-03-26 13:18 ` Alin Năstac
2014-03-26 16:57 ` Florian Westphal
2014-03-26 20:59 ` Alin Năstac
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.