From: Patrick McHardy <kaber@trash.net>
To: Ron Lai <ronlai@cs.stanford.edu>
Cc: netfilter@vger.kernel.org,
Netfilter Development Mailinglist
<netfilter-devel@vger.kernel.org>
Subject: Re: Problems with nf_nat_ftp.ko and nf_conntrack_ftp.ko in 2.6.22.6
Date: Tue, 23 Oct 2007 15:17:11 +0200
Message-ID: <471DF457.3010404@trash.net>
In-Reply-To: <001f01c8142e$e6a67960$ea50f53c@FireEye.com>
Please send bug reports to netfilter-devel.
Ron Lai wrote:
> Hi all,
> My 2.6.22.6 Linux box is acting as a NAT device. I found that a NATted
> FTP client is having a problem using active mode to connect to an outside
> FTP server. (Passive mode works fine.)
>
> From the trace I could see that the PORT command from the FTP client is
> correctly modified by the Linux box to use the converted NAT address.
> However, the confirmation from the server never makes it to the client
> and the client just keeps retransmitting the PORT command packet.
Do you mean it never makes it to the FTP client or to the machine
where the client is running?
> The interesting part is that active mode can work if the length of the
> actual IP address of the client is the same as the length of the
> converted NAT address. It looks like if there is no TCP sequence number
> modification by the Linux box, the FTP connection can work properly in
> active mode. I am suspecting that there may be a problem in the TCP
> sequence number tracking in the kernel modules.
>
> The same settings work fine when I try with Linux 2.6.15 loading
> ip_nat_ftp.ko and ip_conntrack_ftp.ko. Did I miss anything in
> configuring the Linux 2.6.22.6 box?
Works fine here. Please post the dump, ideally from a box in the
middle.
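
The report above turns on what a NAT box has to track once a rewritten PORT command changes the payload length. The following is an added example, a simplified model written for this page and not the nf_nat/nf_conntrack code; the names `seq_adj`, `rewrite_port`, `adjust_seq_out` and `adjust_ack_in` are hypothetical, and the addresses and sequence numbers are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified model of FTP NAT bookkeeping; not the kernel's code. */
struct seq_adj {
    uint32_t correction_pos; /* client seq where the rewritten segment starts */
    int32_t  delta;          /* rewritten length minus original length */
};

/* Rewrite "PORT h1,h2,h3,h4,p1,p2\r\n" to advertise the NAT address and port.
 * Returns the new payload length, or -1 on a parse error or short buffer. */
int rewrite_port(const char *in, const unsigned ip[4], unsigned port,
                 char *out, size_t outlen)
{
    unsigned f[6];
    if (sscanf(in, "PORT %u,%u,%u,%u,%u,%u",
               &f[0], &f[1], &f[2], &f[3], &f[4], &f[5]) != 6)
        return -1;
    int n = snprintf(out, outlen, "PORT %u,%u,%u,%u,%u,%u\r\n",
                     ip[0], ip[1], ip[2], ip[3], port >> 8, port & 0xff);
    return (n < 0 || (size_t)n >= outlen) ? -1 : n;
}

/* Client -> server: segments after the rewritten one shift by delta. */
uint32_t adjust_seq_out(const struct seq_adj *s, uint32_t seq)
{
    return (int32_t)(seq - s->correction_pos) > 0 ? seq + (uint32_t)s->delta : seq;
}

/* Server -> client: ACKs past the rewrite point shift back by delta. */
uint32_t adjust_ack_in(const struct seq_adj *s, uint32_t ack)
{
    return (int32_t)(ack - s->correction_pos) > 0 ? ack - (uint32_t)s->delta : ack;
}

int main(void)
{
    /* Constructed sample: private client address, documentation-range NAT address. */
    const char *orig = "PORT 192,168,1,10,195,80\r\n";
    const unsigned nat_ip[4] = {203, 0, 113, 5};
    char out[64];
    int newlen = rewrite_port(orig, nat_ip, 50000, out, sizeof out);
    struct seq_adj s = { 1000, newlen - (int)strlen(orig) };
    /* The server ACKs 1000 + newlen; the client must see 1000 + strlen(orig). */
    printf("delta=%d ack to client=%u next seq to server=%u\n", (int)s.delta,
           (unsigned)adjust_ack_in(&s, 1000 + (uint32_t)newlen),
           (unsigned)adjust_seq_out(&s, 1000 + (uint32_t)strlen(orig)));
    return 0;
}
```

When checking a dump taken on the NAT box, the same arithmetic says what the ACK for the PORT segment should look like on each side: the two values differ by exactly the length delta of the rewrite, and by zero when the two addresses print to the same length.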