[BUG] active ftp doesn't work since 2.6.9-rc1

[BUG] active ftp doesn't work since 2.6.9-rc1

[Vitezslav Samel]

	Hi!

  After upgrade to 2.6.9-rc3 on the firewall (with NAT), active ftp stopped
working. The first kernel, which doesn't work is 2.6.9-rc1.
Sympotms: passive ftp works O.K., active FTP doesn't open data stream (and in
logs there entries about invalid packets - using
iptables ... -m state --state INVALID -j LOG)

  If you need any extra data point, mail me.

	Cheers,
		Vita Samel

Re: [BUG] active ftp doesn't work since 2.6.9-rc1

[Harald Welte]

[-- Attachment #1: Type: text/plain, Size: 993 bytes --]

On Fri, Oct 01, 2004 at 01:12:01PM +0200, Vitezslav Samel wrote:
> 	Hi!
> 
>   After upgrade to 2.6.9-rc3 on the firewall (with NAT), active ftp stopped
> working. The first kernel, which doesn't work is 2.6.9-rc1.
> Sympotms: passive ftp works O.K., active FTP doesn't open data stream (and in
> logs there entries about invalid packets - using
> iptables ... -m state --state INVALID -j LOG)

I just tried to reproduce the problem.  Can you confirm the problem
disappears after executing

echo 1 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_be_liberal

on your NAT box?

> 	Cheers,
> 		Vita Samel

-- 
- Harald Welte <laforge@netfilter.org>             http://www.netfilter.org/
============================================================================
  "Fragmentation is like classful addressing -- an interesting early
   architectural error that shows how much experimentation was going
   on while IP was being designed."                    -- Paul Vixie

[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 189 bytes --]

Re: [BUG] active ftp doesn't work since 2.6.9-rc1

[Harald Welte]

[-- Attachment #1: Type: text/plain, Size: 1965 bytes --]

On Fri, Oct 01, 2004 at 03:22:48PM +0200, Harald Welte wrote:
> On Fri, Oct 01, 2004 at 01:12:01PM +0200, Vitezslav Samel wrote:
> > 	Hi!
> > 
> >   After upgrade to 2.6.9-rc3 on the firewall (with NAT), active ftp stopped
> > working. The first kernel, which doesn't work is 2.6.9-rc1.
> > Sympotms: passive ftp works O.K., active FTP doesn't open data
> > stream (and in logs there entries about invalid packets - using
> > iptables ... -m state --state INVALID -j LOG)

Please use the following (attached) fix:

DaveM: Please apply and push to Linus:

Thanks!


Fix NAT helper code to update TCP window tracking information
if it resizes payload (and thus alrers sequence numbers).

This patchlet was somehow lost during 2.4.x->2.6.x port of TCP 
window tracking :(

Signed-off-by: Harald Welte <laforge@netfilter.org>

--- linux-2.6.9-rc3-plain/net/ipv4/netfilter/ip_nat_helper.c	2004-10-01 12:08:40.000000000 +0000
+++ linux-2.6.9-rc3-test/net/ipv4/netfilter/ip_nat_helper.c	2004-10-01 13:37:05.283639640 +0000
@@ -347,7 +347,7 @@
 	return 1;
 }
 
-/* TCP sequence number adjustment.  Returns true or false.  */
+/* TCP sequence number adjustment.  Returns 1 on success, 0 on failure */
 int
 ip_nat_seq_adjust(struct sk_buff **pskb, 
 		  struct ip_conntrack *ct, 
@@ -396,7 +396,12 @@
 	tcph->seq = newseq;
 	tcph->ack_seq = newack;
 
-	return ip_nat_sack_adjust(pskb, tcph, ct, ctinfo);
+	if (!ip_nat_sack_adjust(pskb, tcph, ct, ctinfo))
+		return 0;
+
+	ip_conntrack_tcp_update(*pskb, ct, dir);
+
+	return 1;
 }
 
 static inline int

-- 
- Harald Welte <laforge@netfilter.org>             http://www.netfilter.org/
============================================================================
  "Fragmentation is like classful addressing -- an interesting early
   architectural error that shows how much experimentation was going
   on while IP was being designed."                    -- Paul Vixie

[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 189 bytes --]

Re: [BUG] active ftp doesn't work since 2.6.9-rc1

[David S. Miller]

On Fri, 1 Oct 2004 16:10:50 +0200
Harald Welte <laforge@netfilter.org> wrote:

> On Fri, Oct 01, 2004 at 03:22:48PM +0200, Harald Welte wrote:
> > On Fri, Oct 01, 2004 at 01:12:01PM +0200, Vitezslav Samel wrote:
> > > 	Hi!
> > > 
> > >   After upgrade to 2.6.9-rc3 on the firewall (with NAT), active ftp stopped
> > > working. The first kernel, which doesn't work is 2.6.9-rc1.
> > > Sympotms: passive ftp works O.K., active FTP doesn't open data
> > > stream (and in logs there entries about invalid packets - using
> > > iptables ... -m state --state INVALID -j LOG)
> 
> Please use the following (attached) fix:
> 
> DaveM: Please apply and push to Linus:

Will do, thanks Harald.

Re: [BUG] active ftp doesn't work since 2.6.9-rc1

[Vitezslav Samel]

	Hi!

> >   After upgrade to 2.6.9-rc3 on the firewall (with NAT), active ftp stopped
> > working. The first kernel, which doesn't work is 2.6.9-rc1.
> > Sympotms: passive ftp works O.K., active FTP doesn't open data stream (and in
> > logs there entries about invalid packets - using
> > iptables ... -m state --state INVALID -j LOG)
> 
> I just tried to reproduce the problem.  Can you confirm the problem
> disappears after executing
> 
> echo 1 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_be_liberal
> 
> on your NAT box?

[...]

> Please use the following (attached) fix:
> 
> Fix NAT helper code to update TCP window tracking information
> if it resizes payload (and thus alrers sequence numbers).
> 
> This patchlet was somehow lost during 2.4.x->2.6.x port of TCP 
> window tracking :(
> 
> Signed-off-by: Harald Welte <laforge@netfilter.org>
> 
> --- linux-2.6.9-rc3-plain/net/ipv4/netfilter/ip_nat_helper.c	2004-10-01 12:08:40.000000000 +0000
> +++ linux-2.6.9-rc3-test/net/ipv4/netfilter/ip_nat_helper.c	2004-10-01 13:37:05.283639640 +0000
> @@ -347,7 +347,7 @@
>  	return 1;
>  }
>  
> -/* TCP sequence number adjustment.  Returns true or false.  */
> +/* TCP sequence number adjustment.  Returns 1 on success, 0 on failure */
>  int
>  ip_nat_seq_adjust(struct sk_buff **pskb, 
>  		  struct ip_conntrack *ct, 
> @@ -396,7 +396,12 @@
>  	tcph->seq = newseq;
>  	tcph->ack_seq = newack;
>  
> -	return ip_nat_sack_adjust(pskb, tcph, ct, ctinfo);
> +	if (!ip_nat_sack_adjust(pskb, tcph, ct, ctinfo))
> +		return 0;
> +
> +	ip_conntrack_tcp_update(*pskb, ct, dir);
> +
> +	return 1;
>  }
>  
>  static inline int

  Both solutions are working fine here.

	Thanks,
		Vita Samel