* [PATCH 2.6] ip_nat_ftp - manip at the right place
@ 2004-09-11 7:53 Julian Anastasov
2004-09-11 21:57 ` Harald Welte
` (2 more replies)
0 siblings, 3 replies; 8+ messages in thread
From: Julian Anastasov @ 2004-09-11 7:53 UTC (permalink / raw)
To: Harald Welte; +Cc: netdev, Rusty Russell
Hello,
This is a resend/resync for v2.6.9-rc1-bk17: change the
way the ip_nat_ftp helper manipulates the packets:
- no manips => no fixup
- check the direction, do manip once and at the same time when the
headers are changed
This is needed mostly for IPVS setups and I hope we do not
create troubles for other setups or FTP software.
Signed-off-by: Julian Anastasov <ja@ssi.bg>
diff -ur v2.6.9-rc1-bk17/linux/net/ipv4/netfilter/ip_nat_ftp.c linux/net/ipv4/netfilter/ip_nat_ftp.c
--- v2.6.9-rc1-bk17/linux/net/ipv4/netfilter/ip_nat_ftp.c 2004-09-11 09:35:33.000000000 +0300
+++ linux/net/ipv4/netfilter/ip_nat_ftp.c 2004-09-11 10:29:38.343165344 +0300
@@ -237,17 +237,23 @@
unsigned int datalen;
int dir;
struct ip_ct_ftp_expect *exp_ftp_info;
+ int i, do_manip = 0;
if (!exp)
DEBUGP("ip_nat_ftp: no exp!!");
exp_ftp_info = &exp->help.exp_ftp_info;
- /* Only mangle things once: original direction in POST_ROUTING
- and reply direction on PRE_ROUTING. */
+ /* Only mangle things once: for the first manip in this direction. */
dir = CTINFO2DIR(ctinfo);
- if (!((hooknum == NF_IP_POST_ROUTING && dir == IP_CT_DIR_ORIGINAL)
- || (hooknum == NF_IP_PRE_ROUTING && dir == IP_CT_DIR_REPLY))) {
+ for (i = 0; i < info->num_manips; i++) {
+ if (info->manips[i].direction == dir) {
+ if (info->manips[i].hooknum == hooknum)
+ do_manip = 1;
+ break;
+ }
+ }
+ if (!do_manip) {
DEBUGP("nat_ftp: Not touching dir %s at hook %s\n",
dir == IP_CT_DIR_ORIGINAL ? "ORIG" : "REPLY",
hooknum == NF_IP_POST_ROUTING ? "POSTROUTING"
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [PATCH 2.6] ip_nat_ftp - manip at the right place
2004-09-11 7:53 [PATCH 2.6] ip_nat_ftp - manip at the right place Julian Anastasov
@ 2004-09-11 21:57 ` Harald Welte
2004-10-24 12:27 ` Julian Anastasov
2004-09-13 0:03 ` David S. Miller
2004-09-13 23:30 ` David S. Miller
2 siblings, 1 reply; 8+ messages in thread
From: Harald Welte @ 2004-09-11 21:57 UTC (permalink / raw)
To: Julian Anastasov; +Cc: Netfilter Development Mailinglist, netdev, Rusty Russell
[-- Attachment #1: Type: text/plain, Size: 1001 bytes --]
On Sat, Sep 11, 2004 at 10:53:53AM +0300, Julian Anastasov wrote:
> Hello,
>
> This is a resend/resync for v2.6.9-rc1-bk17: change the
> way the ip_nat_ftp helper manipulates the packets:
>
> - no manips => no fixup
>
> - check the direction, do manip once and at the same time when the
> headers are changed
I agree with this change, but shouldn't we make it consistently over all
NAT helpers? In case you didn't check yet, and assuming that this is
applicable to other helpers as well: Please include patches for other
protocol helpers as well.
Thanks!
> Signed-off-by: Julian Anastasov <ja@ssi.bg>
--
- Harald Welte <laforge@netfilter.org> http://www.netfilter.org/
============================================================================
"Fragmentation is like classful addressing -- an interesting early
architectural error that shows how much experimentation was going
on while IP was being designed." -- Paul Vixie
[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 189 bytes --]
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [PATCH 2.6] ip_nat_ftp - manip at the right place
2004-09-11 7:53 [PATCH 2.6] ip_nat_ftp - manip at the right place Julian Anastasov
2004-09-11 21:57 ` Harald Welte
@ 2004-09-13 0:03 ` David S. Miller
2004-09-14 7:12 ` Harald Welte
2004-09-13 23:30 ` David S. Miller
2 siblings, 1 reply; 8+ messages in thread
From: David S. Miller @ 2004-09-13 0:03 UTC (permalink / raw)
To: Julian Anastasov; +Cc: laforge, netdev, rusty
On Sat, 11 Sep 2004 10:53:53 +0300 (EEST)
Julian Anastasov <ja@ssi.bg> wrote:
> This is a resend/resync for v2.6.9-rc1-bk17: change the
> way the ip_nat_ftp helper manipulates the packets:
>
> - no manips => no fixup
>
> - check the direction, do manip once and at the same time when the
> headers are changed
>
> This is needed mostly for IPVS setups and I hope we do not
> create troubles for other setups or FTP software.
>
> Signed-off-by: Julian Anastasov <ja@ssi.bg>
Harald and/or Rusty, please ACK/NACK this for me.
Thanks.
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [PATCH 2.6] ip_nat_ftp - manip at the right place
2004-09-11 7:53 [PATCH 2.6] ip_nat_ftp - manip at the right place Julian Anastasov
2004-09-11 21:57 ` Harald Welte
2004-09-13 0:03 ` David S. Miller
@ 2004-09-13 23:30 ` David S. Miller
2004-09-15 22:13 ` Rusty Russell
2 siblings, 1 reply; 8+ messages in thread
From: David S. Miller @ 2004-09-13 23:30 UTC (permalink / raw)
To: Julian Anastasov; +Cc: laforge, netdev, rusty
On Sat, 11 Sep 2004 10:53:53 +0300 (EEST)
Julian Anastasov <ja@ssi.bg> wrote:
> This is a resend/resync for v2.6.9-rc1-bk17: change the
> way the ip_nat_ftp helper manipulates the packets:
>
> - no manips => no fixup
>
> - check the direction, do manip once and at the same time when the
> headers are changed
>
> This is needed mostly for IPVS setups and I hope we do not
> create troubles for other setups or FTP software.
I'm still waiting for ACK/NACK of this. I know Rusty is travelling
and Harald is probably busy too, so I know the delay in response is not
because these guys are slackers :-)
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [PATCH 2.6] ip_nat_ftp - manip at the right place
2004-09-13 0:03 ` David S. Miller
@ 2004-09-14 7:12 ` Harald Welte
2004-09-20 7:46 ` Julian Anastasov
0 siblings, 1 reply; 8+ messages in thread
From: Harald Welte @ 2004-09-14 7:12 UTC (permalink / raw)
To: David S. Miller; +Cc: Julian Anastasov, netdev, rusty
[-- Attachment #1: Type: text/plain, Size: 1289 bytes --]
On Sun, Sep 12, 2004 at 05:03:23PM -0700, David S. Miller wrote:
> On Sat, 11 Sep 2004 10:53:53 +0300 (EEST)
> Julian Anastasov <ja@ssi.bg> wrote:
>
> > This is a resend/resync for v2.6.9-rc1-bk17: change the
> > way the ip_nat_ftp helper manipulates the packets:
> >
> > - no manips => no fixup
> >
> > - check the direction, do manip once and at the same time when the
> > headers are changed
> >
> > This is needed mostly for IPVS setups and I hope we do not
> > create troubles for other setups or FTP software.
> >
> > Signed-off-by: Julian Anastasov <ja@ssi.bg>
>
> Harald and/or Rusty, please ACK/NACK this for me.
I agree with the change (although I didn't test it here on my systems so
far). However, as indicated in private mail to Julian, the change
should be made consistent over all helpers.
So please hold back the patch until I get back to you, thanks.
> Thanks.
--
- Harald Welte <laforge@netfilter.org> http://www.netfilter.org/
============================================================================
"Fragmentation is like classful addressing -- an interesting early
architectural error that shows how much experimentation was going
on while IP was being designed." -- Paul Vixie
[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 189 bytes --]
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [PATCH 2.6] ip_nat_ftp - manip at the right place
2004-09-13 23:30 ` David S. Miller
@ 2004-09-15 22:13 ` Rusty Russell
0 siblings, 0 replies; 8+ messages in thread
From: Rusty Russell @ 2004-09-15 22:13 UTC (permalink / raw)
To: David S. Miller; +Cc: Julian Anastasov, Harald Welte, netdev
On Tue, 2004-09-14 at 09:30, David S. Miller wrote:
> On Sat, 11 Sep 2004 10:53:53 +0300 (EEST)
> Julian Anastasov <ja@ssi.bg> wrote:
>
> > This is a resend/resync for v2.6.9-rc1-bk17: change the
> > way the ip_nat_ftp helper manipulates the packets:
> >
> > - no manips => no fixup
> >
> > - check the direction, do manip once and at the same time when the
> > headers are changed
> >
> > This is needed mostly for IPVS setups and I hope we do not
> > create troubles for other setups or FTP software.
>
> I'm still waiting for ACK/NACK of this. I know Rusty is travelling
> and Harald is probably busy too, so I know the delay in response is not
> because these guys are slackers :-)
Mine is because I'm porting the existing FTP testsuite to nfsim, so I
can test the patch doesn't break anything. As far as I can tell, this
change isn't vital, so I'm not losing sleep to do it...
Thanks,
Rusty.
--
Anyone who quotes me in their signature is an idiot -- Rusty Russell
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [PATCH 2.6] ip_nat_ftp - manip at the right place
2004-09-14 7:12 ` Harald Welte
@ 2004-09-20 7:46 ` Julian Anastasov
0 siblings, 0 replies; 8+ messages in thread
From: Julian Anastasov @ 2004-09-20 7:46 UTC (permalink / raw)
To: Harald Welte; +Cc: David S. Miller, netdev, rusty
Hello,
On Tue, 14 Sep 2004, Harald Welte wrote:
> I agree with the change (although I didn't test it here on my systems so
> far). However, as indicated in private mail to Julian, the change
> should be made consistent over all helpers.
No private mail received yet. But I agree, it should work
for other helpers, eg. similar change can go in do_bindings instead.
Regards
--
Julian Anastasov <ja@ssi.bg>
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [PATCH 2.6] ip_nat_ftp - manip at the right place
2004-09-11 21:57 ` Harald Welte
@ 2004-10-24 12:27 ` Julian Anastasov
0 siblings, 0 replies; 8+ messages in thread
From: Julian Anastasov @ 2004-10-24 12:27 UTC (permalink / raw)
To: Harald Welte; +Cc: netdev, Rusty Russell, Netfilter Development Mailinglist
Hello,
On Sat, 11 Sep 2004, Harald Welte wrote:
> I agree with this change, but shouldn't we make it consistently over all
> NAT helpers? In case you didn't check yet, and assuming that this is
> applicable to other helpers as well: Please include patches for other
> protocol helpers as well.
I can live with the appended patch, I hope it is correct.
Signed-off-by: Julian Anastasov <ja@ssi.bg>
diff -ur v2.6.9/linux/net/ipv4/netfilter/ip_nat_core.c linux/net/ipv4/netfilter/ip_nat_core.c
--- v2.6.9/linux/net/ipv4/netfilter/ip_nat_core.c 2004-10-19 10:00:36.000000000 +0300
+++ linux/net/ipv4/netfilter/ip_nat_core.c 2004-10-24 14:52:39.334958976 +0300
@@ -728,7 +728,7 @@
struct sk_buff **pskb)
{
unsigned int i;
- struct ip_nat_helper *helper;
+ struct ip_nat_helper *helper = NULL;
enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo);
int proto = (*pskb)->nh.iph->protocol;
@@ -751,9 +751,9 @@
READ_UNLOCK(&ip_nat_lock);
return NF_DROP;
}
+ helper = info->helper;
}
}
- helper = info->helper;
READ_UNLOCK(&ip_nat_lock);
if (helper) {
diff -ur v2.6.9/linux/net/ipv4/netfilter/ip_nat_ftp.c linux/net/ipv4/netfilter/ip_nat_ftp.c
--- v2.6.9/linux/net/ipv4/netfilter/ip_nat_ftp.c 2004-10-19 10:00:36.000000000 +0300
+++ linux/net/ipv4/netfilter/ip_nat_ftp.c 2004-10-24 14:52:39.335958824 +0300
@@ -54,6 +54,8 @@
IP_NF_ASSERT(master);
IP_NF_ASSERT(!(info->initialized & (1<<HOOK2MANIP(hooknum))));
+ if (!(info->initialized & (1<<HOOK2MANIP(hooknum))))
+ return NF_ACCEPT;
DEBUGP("nat_expected: We have a connection!\n");
exp_ftp_info = &ct->master->help.exp_ftp_info;
^ permalink raw reply [flat|nested] 8+ messages in thread
end of thread, other threads:[~2004-10-24 12:27 UTC | newest]
Thread overview: 8+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2004-09-11 7:53 [PATCH 2.6] ip_nat_ftp - manip at the right place Julian Anastasov
2004-09-11 21:57 ` Harald Welte
2004-10-24 12:27 ` Julian Anastasov
2004-09-13 0:03 ` David S. Miller
2004-09-14 7:12 ` Harald Welte
2004-09-20 7:46 ` Julian Anastasov
2004-09-13 23:30 ` David S. Miller
2004-09-15 22:13 ` Rusty Russell
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).