From: Florian Westphal <fw@strlen.de>
To: Andrii Melnychenko <a.melnychenko@vyos.io>
Cc: pablo@netfilter.org, kadlec@netfilter.org, phil@nwl.cc,
	davem@davemloft.net, edumazet@google.com, kuba@kernel.org,
	pabeni@redhat.com, horms@kernel.org,
	netfilter-devel@vger.kernel.org, coreteam@netfilter.org,
	netdev@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH v2 1/1] nf_conntrack_ftp: Added nfct_seqadj_ext_add() for ftp's conntrack.
Date: Mon, 20 Oct 2025 16:20:36 +0200
Message-ID: <aPZFNBNXlyq0Q5dM@strlen.de>
In-Reply-To: <CANhDHd-k2Ros8nFo4fNi=-Mu1DxkK4A2MgLYjuDqPwpfJYYfdw@mail.gmail.com>

Andrii Melnychenko <a.melnychenko@vyos.io> wrote:
> I've researched the issue a bit. Despite the fact that in `nf_nat_ftp()`
> the helper for the expected connection is installed, it isn't executed in
> the following functions - `nf_nat_mangle_tcp_packet()`. Also, shouldn't the
> logic of `nf_nat_follow_master` affect the "upcoming" passive FTP
> connection?

Yes, but we need the seqadj extension on the control connection to
rewrite the announced address to connect to/from.

nf_nat_setup_info() takes care of this but only for template-based
helper assignment, not for the explicit assign done via
nft_ct_helper_obj_eval().

> I've also checked the setup of `nfct_seqadj_ext_add()` in the
> `ft_ct_helper_obj_eval()` routine - it works. However, now the seqadj would
> be added to all "NATed" conntrack helpers.

Yes.

> Maybe it's better to leave the
> seqadj setup in `nf_conntrack_ftp`, so it would apply explicitly to FTP
> traffic, but with an additional `(ct->status & IPS_NAT_MASK)` check?

As-is, almost all the helpers are broken when used with nat and assignment
via nft objref infra. We could add some annotation to those that don't
need seqadj, but afaics that's just the netbios helper.

> I can prepare a new patch with changes in either `nft_ct` or
> `nf_conntrack_ftp`.
> Any suggestions?

Thanks, please fix nft_ct infra.  Does the above make sense to you?
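As an added illustration (not code from the thread or from the patch under review), here is an nftables ruleset that assigns the ftp helper through the explicit objref path Florian refers to, together with NAT; the table name, interface names and chain priorities are assumptions.

```nft
# Constructed example: explicit helper assignment via "ct helper set"
# (evaluated by nft_ct_helper_obj_eval()) combined with source NAT.
table inet ftp_nat {
    # Helper object; assigning it from a rule is the objref path,
    # not the template-based assignment handled by nf_nat_setup_info().
    ct helper ftp-std {
        type "ftp" protocol tcp
    }

    chain prerouting {
        type filter hook prerouting priority filter - 1; policy accept;
        # Explicit objref assignment on the FTP control connection.
        tcp dport 21 ct helper set "ftp-std"
    }

    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        # Data connections expected by the helper show up as "related".
        ct state related ct helper "ftp" accept
        iifname "lan0" tcp dport 21 accept
    }

    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        # NAT on the control connection: the address announced in the
        # PORT/PASV payload has to be rewritten, which is what requires
        # the seqadj extension on that conntrack.
        oifname "wan0" masquerade
    }
}
```

On a kernel without the fix discussed above, this is the configuration Florian describes as broken: the control connection gets the helper but not the seqadj extension, so the announced address is not rewritten. Template-based helper assignment is not affected because nf_nat_setup_info() adds the extension there.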
