* [PATCH] ip_nat_tftp: Fix expectation NAT.
@ 2005-12-08 10:49 Marcus Sundberg
  2005-12-09  4:55 ` Harald Welte
  2005-12-12  7:11 ` Patrick McHardy
  0 siblings, 2 replies; 5+ messages in thread
From: Marcus Sundberg @ 2005-12-08 10:49 UTC (permalink / raw)
  To: netfilter-devel; +Cc: laforge, kaber

Hi,

this patch fixes the case where the port in an initial TFTP packet
is SNATed. Previously the port was never DNATed back for the expected
connection.

//Marcus
-- 
---------------------------------------+--------------------------
  Marcus Sundberg <marcus@ingate.com>  | Firewalls with SIP & NAT
 Software Developer, Ingate Systems AB |  http://www.ingate.com/

[NETFILTER] ip_nat_tftp: Fix expectation NAT.

When a TFTP client is SNATed so that the port is also changed, the
port is never changed back for the expected connection.

Signed-off-by: Marcus Sundberg <marcus@ingate.com>

--- linux.current/net/ipv4/netfilter/ip_nat_tftp.c	2005/12/05 18:58:22	1.1
+++ linux.current/net/ipv4/netfilter/ip_nat_tftp.c	2005/12/05 19:01:05
@@ -42,7 +42,10 @@ static unsigned int help(struct sk_buff 
 			 enum ip_conntrack_info ctinfo,
 			 struct ip_conntrack_expect *exp)
 {
-	exp->saved_proto.udp.port = exp->tuple.dst.u.tcp.port;
+	struct ip_conntrack *ct = exp->master;
+
+	exp->saved_proto.udp.port
+		= ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.u.udp.port;
 	exp->dir = IP_CT_DIR_REPLY;
 	exp->expectfn = ip_nat_follow_master;
 	if (ip_conntrack_expect_related(exp) != 0)
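Review bot: the removed line saved `exp->tuple.dst.u.tcp.port`, and since the expectation is registered in the reply direction (`exp->dir = IP_CT_DIR_REPLY`) that destination port is the already-SNATed one, so "restoring" it later is a no-op, which is exactly the symptom the commit message describes; the replacement takes the client's original source port from `ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.u.udp.port`, the value the expected connection has to be mapped back to. Two small points worth addressing before this goes in: the old line read the `tcp` member of a UDP tuple (harmless only because of the union layout, but misleading), and the new assignment deserves a one-line comment on why the master's original tuple is used instead of `exp->tuple`, since the thread itself shows a maintainer needing time to work out why other helpers do not need this.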

* Re: [PATCH] ip_nat_tftp: Fix expectation NAT.
From: Harald Welte @ 2005-12-09  4:55 UTC (permalink / raw)
  To: Marcus Sundberg; +Cc: netfilter-devel, kaber

On Thu, Dec 08, 2005 at 11:49:14AM +0100, Marcus Sundberg wrote:
> Hi,
> 
> this patch fixes the case where the port in an initial TFTP packet
> is SNATed. Previously the port was never DNATed back for the expected
> connection.

Thanks!

This is one of the cases where I'd really appreciate having a nfsim
test for the testsuite to 
1) help understanding the problem
2) prevent further regressions

Would you be willing to provide us with a testcase for nfsim-testsuite?
Unfortunately we cannot offer anything but bonus points ;)

Patrick: I'm still not back from Bangalore, so I'm still relying on you
picking up all the patches ;)

-- 
- Harald Welte <laforge@netfilter.org>                 http://netfilter.org/
============================================================================
  "Fragmentation is like classful addressing -- an interesting early
   architectural error that shows how much experimentation was going
   on while IP was being designed."                    -- Paul Vixie

* Re: [PATCH] ip_nat_tftp: Fix expectation NAT.
From: Marcus Sundberg @ 2005-12-09 12:57 UTC (permalink / raw)
  To: netfilter-devel

Harald Welte wrote:
> On Thu, Dec 08, 2005 at 11:49:14AM +0100, Marcus Sundberg wrote:
> 
>>this patch fixes the case where the port in an initial TFTP packet
>>is SNATed. Previously the port was never DNATed back for the expected
>>connection.
> 
> This is one of the cases where I'd really appreciate having a nfsim
> test for the testsuite to 
> 1) help understanding the problem
> 2) prevent further regressions
> 
> Would you be willing to provide us with a testcase for nfsim-testsuite?
> Unfortunately we cannot offer anything but bonus points ;)

Well, I'm currently looking at the RTSP patch for 2.6.15, so getting
familiar with nfsim might be useful in any case. I'll have a look.

//Marcus
-- 
---------------------------------------+--------------------------
  Marcus Sundberg <marcus@ingate.com>  | Firewalls with SIP & NAT
 Software Developer, Ingate Systems AB |  http://www.ingate.com/

* Re: [PATCH] ip_nat_tftp: Fix expectation NAT.
From: Marcus Sundberg @ 2005-12-09 16:23 UTC (permalink / raw)
  To: Harald Welte; +Cc: netfilter-devel, kaber

Harald Welte wrote:
> This is one of the cases where I'd really appreciate having a nfsim
> test for the testsuite to 
> 1) help understanding the problem
> 2) prevent further regressions
> 
> Would you be willing to provide us with a testcase for nfsim-testsuite?
> Unfortunately we cannot offer anything but bonus points ;)

Hi,

How about the following simple test?

//Marcus

--- /dev/null	2004-02-23 22:02:56.000000000 +0100
+++ nfsim-testsuite/03NAT/67tftp.sim	2005-12-09 17:21:25.817527981 +0100
@@ -0,0 +1,46 @@
+# Setup SNAT with port NAT.
+iptables -t nat -A POSTROUTING -p udp -s 192.168.0.0/24 -d 192.168.1.0/24 -j SNAT --to-source 192.168.1.1:30000-40000
+
+# Issue TFTP read request.
+expect gen_ip send:eth1 {IPv4 192.168.1.1 192.168.1.2 21 17 30000 69 DATA \0\x01/nicefile\0netascii\0}
+gen_ip IF=eth0 192.168.0.2 192.168.1.2 21 17 1051 69 DATA \0\x01/nicefile\0netascii\0
+
+# Show expectation.
+proc cat /proc/net/ip_conntrack_expect
+
+# First data packet.
+expect gen_ip send:eth0 {IPv4 192.168.1.2 192.168.0.2 524 17 4711 1051}
+gen_ip IF=eth1 192.168.1.2 192.168.1.1 524 17 4711 30000
+# First ACK.
+expect gen_ip send:eth1 {IPv4 192.168.1.1 192.168.1.2 12 17 30000 4711}
+gen_ip IF=eth0 192.168.0.2 192.168.1.2 12 17 1051 4711
+# Second data packet.
+expect gen_ip send:eth0 {IPv4 192.168.1.2 192.168.0.2 87 17 4711 1051}
+gen_ip IF=eth1 192.168.1.2 192.168.1.1 87 17 4711 30000
+# Second ACK.
+expect gen_ip send:eth1 {IPv4 192.168.1.1 192.168.1.2 12 17 30000 4711}
+gen_ip IF=eth0 192.168.0.2 192.168.1.2 12 17 1051 4711
+
+# Issue TFTP read request again from a new port.
+expect gen_ip send:eth1 {IPv4 192.168.1.1 192.168.1.2 28 17 30001 69 DATA \0\x01/anothernicefile\0netascii\0}
+gen_ip IF=eth0 192.168.0.2 192.168.1.2 28 17 1052 69 DATA \0\x01/anothernicefile\0netascii\0
+
+# Show expectation.
+proc cat /proc/net/ip_conntrack_expect
+
+# First data packet.
+expect gen_ip send:eth0 {IPv4 192.168.1.2 192.168.0.2 524 17 4711 1052}
+gen_ip IF=eth1 192.168.1.2 192.168.1.1 524 17 4711 30001
+# First ACK.
+expect gen_ip send:eth1 {IPv4 192.168.1.1 192.168.1.2 12 17 30001 4711}
+gen_ip IF=eth0 192.168.0.2 192.168.1.2 12 17 1052 4711
+# Second data packet.
+expect gen_ip send:eth0 {IPv4 192.168.1.2 192.168.0.2 233 17 4711 1052}
+gen_ip IF=eth1 192.168.1.2 192.168.1.1 233 17 4711 30001
+# Second ACK.
+expect gen_ip send:eth1 {IPv4 192.168.1.1 192.168.1.2 12 17 30001 4711}
+gen_ip IF=eth0 192.168.0.2 192.168.1.2 12 17 1052 4711
+
+# Show conntracks and expectations.
+proc cat /proc/net/ip_conntrack
+proc cat /proc/net/ip_conntrack_expect
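Review bot: the translated source ports 30000 and 30001 asserted in the `expect gen_ip send:eth1` lines depend on the SNAT port allocator handing out `--to-source 192.168.1.1:30000-40000` in ascending order from the first port; that is an assumption about the NAT core rather than the TFTP helper, so a comment next to the iptables rule would stop a future allocator change from being read as a helper regression. The two `proc cat /proc/net/ip_conntrack_expect` lines only print the expectation and check nothing; the line that actually exercises the fix is `expect gen_ip send:eth0 {IPv4 192.168.1.2 192.168.0.2 524 17 4711 1051}`, which without the patch would keep destination port 30000 instead of being mapped back to 1051, and the "First data packet" comment should say so, since that is the regression the test is meant to catch.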

-- 
---------------------------------------+--------------------------
  Marcus Sundberg <marcus@ingate.com>  | Firewalls with SIP & NAT
 Software Developer, Ingate Systems AB |  http://www.ingate.com/

* Re: [PATCH] ip_nat_tftp: Fix expectation NAT.
From: Patrick McHardy @ 2005-12-12  7:11 UTC (permalink / raw)
  To: Marcus Sundberg; +Cc: laforge, netfilter-devel

Marcus Sundberg wrote:
> this patch fixes the case where the port in an initial TFTP packet
> is SNATed. Previously the port was never DNATed back for the expected
> connection.

Took me some time to understand why this works for other helpers and
not this one, but finally applied :) Thanks.
