From: Florian Westphal <fw@strlen.de>
To: Andrii Melnychenko <a.melnychenko@vyos.io>
Cc: pablo@netfilter.org, kadlec@netfilter.org, phil@nwl.cc,
	davem@davemloft.net, edumazet@google.com, kuba@kernel.org,
	pabeni@redhat.com, horms@kernel.org,
	netfilter-devel@vger.kernel.org, coreteam@netfilter.org,
	netdev@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH v3 0/1] nf_conntrack_ftp: Added nfct_seqadj_ext_add().
Date: Tue, 21 Oct 2025 16:35:47 +0200	[thread overview]
Message-ID: <aPeaQ3BnCRLQ1wNm@strlen.de> (raw)
In-Reply-To: <20251021133918.500380-1-a.melnychenko@vyos.io>

Andrii Melnychenko <a.melnychenko@vyos.io> wrote:
> There is an issue with FTP SNAT/DNAT. When the PASV/EPSV message is altered,
> the sequence adjustment is required, and there is an issue that seqadj is
> not set up at that moment.
> 
> During the patch v2 discussion, it was decided to implement the fix
> in the nft_ct. Apparently, missed seqadj is the issue of nft nat helpers.
> The current fix would set up the seqadj extension for all NAT'ed conntrack
> helpers.
> 
> The easiest way to reproduce this issue is with PASV mode.
> Topology:
> ```
>  +-------------------+     +----------------------------------+
>  | FTP: 192.168.13.2 | <-> | NAT: 192.168.13.3, 192.168.100.1 |
>  +-------------------+     +----------------------------------+
>                                      |
>                          +-----------------------+
>                          | Client: 192.168.100.2 |
>                          +-----------------------+
> ```
> 
> nft ruleset:
> ```
> nft flush ruleset
> sudo nft add table inet ftp_nat
> sudo nft add ct helper inet ftp_nat ftp_helper { type \"ftp\" protocol tcp\; }
> sudo nft add chain inet ftp_nat prerouting { type filter hook prerouting priority 0 \; policy accept \; }
> sudo nft add rule inet ftp_nat prerouting tcp dport 21 ct state new ct helper set "ftp_helper"
> nft add table ip nat
> nft add chain ip nat prerouting { type nat hook prerouting priority dstnat \; policy accept \; }
> nft add chain ip nat postrouting { type nat hook postrouting priority srcnat \; policy accept \; }
> nft add rule ip nat prerouting tcp dport 21 dnat ip prefix to ip daddr map { 192.168.100.1 : 192.168.13.2/32 }
> nft add rule ip nat postrouting tcp sport 21 snat ip prefix to ip saddr map { 192.168.13.2 : 192.168.100.1/32 }
> 
> # nft -s list ruleset
> table inet ftp_nat {
>         ct helper ftp_helper {
>                 type "ftp" protocol tcp
>                 l3proto inet
>         }
> 
>         chain prerouting {
>                 type filter hook prerouting priority filter; policy accept;
>                 tcp dport 21 ct state new ct helper set "ftp_helper"
>         }
> }
> table ip nat {
>         chain prerouting {
>                 type nat hook prerouting priority dstnat; policy accept;
>                 tcp dport 21 dnat ip prefix to ip daddr map { 192.168.100.1 : 192.168.13.2/32 }
>         }
> 
>         chain postrouting {
>                 type nat hook postrouting priority srcnat; policy accept;
>                 tcp sport 21 snat ip prefix to ip saddr map { 192.168.13.2 : 192.168.100.1/32 }
>         }
> }
> 

Any chance you'd be willing to turn this into a selftest for
tools/testing/selftests/net/netfilter ?

I think it would add value.
Not a hard requirement of course.
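
The cover letter quoted above describes the failure only at the ruleset level. The added example below (my own illustration, not kernel code and not part of the patch) shows in userspace why a rewritten PASV reply needs TCP sequence adjustment at all: the NAT'd address "192,168,100,1" is one byte longer than the server's "192,168,13,2", so every later server segment and every client ACK must be shifted by that delta. The seqadj state and the "after" comparison follow the idea of net/netfilter/nf_conntrack_seqadj.c in simplified form; the addresses come from the cover-letter topology, while the PASV reply line and the starting sequence number 1000 are constructed for the example.

```c
/*
 * Added example, not kernel code: models why an FTP PASV reply rewritten by
 * NAT needs TCP sequence adjustment. Simplified after the approach of
 * net/netfilter/nf_conntrack_seqadj.c. Addresses are from the cover letter
 * topology; the PASV reply line and seq 1000 are constructed samples.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* One direction of a simplified seqadj state. */
struct seqadj {
	uint32_t correction_pos;	/* original seq of the last rewritten segment */
	int32_t offset_before;		/* delta that applied before that segment */
	int32_t offset_after;		/* cumulative delta after it */
};

/* TCP sequence comparison with wraparound (the kernel's after()). */
static int seq_after(uint32_t a, uint32_t b)
{
	return (int32_t)(a - b) > 0;
}

/*
 * Rewrite the host part of "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"
 * with nat_ip (dotted quad). Returns the new length, or -1 if the line is
 * not a PASV reply or the result does not fit in out.
 */
int pasv_rewrite(const char *in, const char *nat_ip, char *out, size_t outlen)
{
	const char *open = strchr(in, '(');
	const char *p;
	int commas = 0;
	size_t prefix, hostlen, rest, i;
	char host[16];

	if (strncmp(in, "227 ", 4) != 0 || !open)
		return -1;
	/* the 4th comma after '(' terminates the host part */
	for (p = open + 1; *p && commas < 4; p++)
		if (*p == ',')
			commas++;
	if (commas != 4)
		return -1;
	prefix = (size_t)(open + 1 - in);
	rest = strlen(p - 1);		/* ",p1,p2)\r\n" from the 4th comma on */

	/* FTP encodes the address with commas instead of dots */
	hostlen = strlen(nat_ip);
	if (hostlen >= sizeof(host))
		return -1;
	for (i = 0; i < hostlen; i++)
		host[i] = nat_ip[i] == '.' ? ',' : nat_ip[i];
	host[hostlen] = '\0';

	if (prefix + hostlen + rest + 1 > outlen)
		return -1;
	memcpy(out, in, prefix);
	memcpy(out + prefix, host, hostlen);
	memcpy(out + prefix + hostlen, p - 1, rest + 1);	/* includes NUL */
	return (int)(prefix + hostlen + rest);
}

/* Record that the segment starting at original seq `seq` changed size by `delta`. */
void seqadj_set(struct seqadj *s, uint32_t seq, int32_t delta)
{
	s->correction_pos = seq;
	s->offset_before = s->offset_after;
	s->offset_after += delta;
}

/* Sequence number to forward for a segment sent in the rewritten direction. */
uint32_t seqadj_seq(const struct seqadj *s, uint32_t seq)
{
	int32_t off = seq_after(seq, s->correction_pos) ? s->offset_after : s->offset_before;
	return seq + (uint32_t)off;
}

/* ACK number to forward for a segment sent in the opposite direction. */
uint32_t seqadj_ack(const struct seqadj *s, uint32_t ack)
{
	int32_t off = seq_after(ack - (uint32_t)s->offset_before, s->correction_pos)
		      ? s->offset_after : s->offset_before;
	return ack - (uint32_t)off;
}

/* Worked run on the cover-letter topology: size delta of the rewritten PASV reply. */
int demo_pasv_delta(void)
{
	/* constructed sample: server 192.168.13.2 answering PASV, data port 19*256+136 */
	const char reply[] = "227 Entering Passive Mode (192,168,13,2,19,136)\r\n";
	char out[128];
	int newlen = pasv_rewrite(reply, "192.168.100.1", out, sizeof(out));

	return newlen < 0 ? newlen : newlen - (int)strlen(reply);
}

/* Returns 1 if later segments and ACKs are shifted as both ends expect. */
int demo_seqadj(void)
{
	struct seqadj s = { 0, 0, 0 };
	uint32_t seq = 1000;		/* constructed: server seq of the PASV reply */
	int delta = demo_pasv_delta();

	if (delta < 0)
		return 0;
	seqadj_set(&s, seq, delta);
	/* the next server segment (original seq 1049) must go out as 1050 */
	if (seqadj_seq(&s, seq + 49) != seq + 50)
		return 0;
	/* the client acks what it saw (1050); the server must see 1049 */
	if (seqadj_ack(&s, seq + 50) != seq + 49)
		return 0;
	/* a retransmit of the PASV reply itself keeps the old offset: it is re-mangled */
	if (seqadj_seq(&s, seq) != seq)
		return 0;
	return 1;
}

int main(void)
{
	printf("PASV delta: %d, seqadj consistent: %s\n",
	       demo_pasv_delta(), demo_seqadj() ? "yes" : "no");
	return 0;
}
```

Without the seqadj extension the +1 shift is never applied, so the client sees a one-byte gap after the rewritten reply and the server sees ACKs one byte ahead of what it sent; that is the symptom the ruleset in the cover letter reproduces.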

Thread overview: 13+ messages
2025-10-21 13:39 [PATCH v3 0/1] nf_conntrack_ftp: Added nfct_seqadj_ext_add() Andrii Melnychenko
2025-10-21 13:39 ` [PATCH v3 1/1] nft_ct: Added nfct_seqadj_ext_add() for NAT'ed conntrack Andrii Melnychenko
2025-10-21 14:34   ` Florian Westphal
2025-10-21 16:24     ` Andrii Melnychenko
2025-10-21 16:34       ` Florian Westphal
2025-10-22  0:11     ` Pablo Neira Ayuso
2025-10-22 11:14       ` Florian Westphal
2025-10-22 13:01         ` Andrii Melnychenko
2025-10-23 12:28           ` Andrii Melnychenko
2025-10-23 12:42             ` Florian Westphal
2025-10-24 12:26               ` Andrii Melnychenko
2025-10-24 12:58                 ` Florian Westphal
2025-10-21 14:35 ` Florian Westphal [this message]
