helpers register for a specific port, but work anyway

helpers register for a specific port, but work anyway

[Jan Engelhardt]

Hi,


in nf_conntrack_ftp.c for example we find

             ftp[i][j].tuple.src.u.tcp.port = htons(ports[i]);

assuming the user does not specify any ports on modprobe, the default 
port list defaults to {21}, so ftp[0][x].tuple.src will contain port 21. 
But even ftp connections to non-21 ports are inspected for PORT 
commands. So, where is the magic that actually ignores the port and 
makes it work, given that __nf_ct_helper_find/helper_hash hashes on the 
port?

Re: helpers register for a specific port, but work anyway

[Jozsef Kadlecsik]

Hi Jan,

On Wed, 27 Feb 2008, Jan Engelhardt wrote:

> in nf_conntrack_ftp.c for example we find
> 
>              ftp[i][j].tuple.src.u.tcp.port = htons(ports[i]);
> 
> assuming the user does not specify any ports on modprobe, the default 
> port list defaults to {21}, so ftp[0][x].tuple.src will contain port 21. 
> But even ftp connections to non-21 ports are inspected for PORT 
> commands. 

Why do you think so? Ports not specified as FTP command ports are not 
parsed.

Best regards,
Jozsef
-
E-mail  : kadlec@blackhole.kfki.hu, kadlec@sunserv.kfki.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
          H-1525 Budapest 114, POB. 49, Hungary

Re: helpers register for a specific port, but work anyway

[Jan Engelhardt]

On Feb 27 2008 15:36, Jozsef Kadlecsik wrote:
>
>On Wed, 27 Feb 2008, Jan Engelhardt wrote:
>
>> in nf_conntrack_ftp.c for example we find
>> 
>>              ftp[i][j].tuple.src.u.tcp.port = htons(ports[i]);
>> 
>> assuming the user does not specify any ports on modprobe, the default 
>> port list defaults to {21}, so ftp[0][x].tuple.src will contain port 21. 
>> But even ftp connections to non-21 ports are inspected for PORT 
>> commands. 
>
>Why do you think so? Ports not specified as FTP command ports are not 
>parsed.

Yes, I find it strange. On the router (192.168.222.1), I do:

# iptables -t nat -A PREROUTING -d 134.76.12.5 -p tcp --dport 2121
	-j DNAT --to 134.76.12.5:21

and on the client (192.168.222.24),:

# conntrack -E expect &
# ftp 134.76.12.5 2121
Connected to ftp5.gwdg.de.
220 "Welcome to FTP5.GWDG.DE."
Name (ftp5.gwdg.de:jengelh): ftp
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> dir
300 proto=6 src=192.168.222.24 dst=134.76.12.5 sport=0 dport=32238
229 Entering Extended Passive Mode (|||32238|)
150 Here comes the directory listing.
drwx------    2 ftp      ftp         16384 Apr 20  2006 lost+found
drwxr-xr-x   33 ftp      ftp          4096 Feb 27 00:58 pub
226 Directory send OK.
ftp>

The 300 proto=6 line comes from conntrack -E --- but if nf_conntrack_ftp
does not parse streams to port 2121 by default, how could it have
set up the expectation?

Case 2. On the router:
# iptables -t nat -A PREROUTING -p tcp --dport 2121 -j REDIRECT --to-ports 21
# rcvsftpd start

On the client:
# ftp 192.168.222.1 2121
Connected to 192.168.222.1.
220 (vsFTPd 2.0.5)
Name (192.168.222.1:jengelh): ftp
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> dir
229 Entering Extended Passive Mode (|||7366|)
150 Here comes the directory listing.
226 Directory send OK.

and this does not analyze ftp, just as I would have guessed from the C code.
But what's with case 1?

Re: helpers register for a specific port, but work anyway

[Patrick McHardy]

Jan Engelhardt wrote:
> On Feb 27 2008 15:36, Jozsef Kadlecsik wrote:
>> On Wed, 27 Feb 2008, Jan Engelhardt wrote:
>>
>>> in nf_conntrack_ftp.c for example we find
>>>
>>>              ftp[i][j].tuple.src.u.tcp.port = htons(ports[i]);
>>>
>>> assuming the user does not specify any ports on modprobe, the default 
>>> port list defaults to {21}, so ftp[0][x].tuple.src will contain port 21. 
>>> But even ftp connections to non-21 ports are inspected for PORT 
>>> commands. 
>> Why do you think so? Ports not specified as FTP command ports are not 
>> parsed.
> 
> Yes, I find it strange. On the router (192.168.222.1), I do:
> 
> # iptables -t nat -A PREROUTING -d 134.76.12.5 -p tcp --dport 2121
> 	-j DNAT --to 134.76.12.5:21
> 
> and on the client (192.168.222.24),:
> 
> # conntrack -E expect &
> # ftp 134.76.12.5 2121
> Connected to ftp5.gwdg.de.
> 220 "Welcome to FTP5.GWDG.DE."
> Name (ftp5.gwdg.de:jengelh): ftp
> 331 Please specify the password.
> Password:
> 230 Login successful.
> Remote system type is UNIX.
> Using binary mode to transfer files.
> ftp> dir
> 300 proto=6 src=192.168.222.24 dst=134.76.12.5 sport=0 dport=32238
> 229 Entering Extended Passive Mode (|||32238|)
> 150 Here comes the directory listing.
> drwx------    2 ftp      ftp         16384 Apr 20  2006 lost+found
> drwxr-xr-x   33 ftp      ftp          4096 Feb 27 00:58 pub
> 226 Directory send OK.
> ftp>
> 
> The 300 proto=6 line comes from conntrack -E --- but if nf_conntrack_ftp
> does not parse streams to port 2121 by default, how could it have
> set up the expectation?


When NATing packets the helper lookup is repeated based
on the final tuple.

> Case 2. On the router:
> # iptables -t nat -A PREROUTING -p tcp --dport 2121 -j REDIRECT --to-ports 21
> # rcvsftpd start
> 
> On the client:
> # ftp 192.168.222.1 2121
> Connected to 192.168.222.1.
> 220 (vsFTPd 2.0.5)
> Name (192.168.222.1:jengelh): ftp
> 331 Please specify the password.
> Password:
> 230 Login successful.
> Remote system type is UNIX.
> Using binary mode to transfer files.
> ftp> dir
> 229 Entering Extended Passive Mode (|||7366|)
> 150 Here comes the directory listing.
> 226 Directory send OK.
> 
> and this does not analyze ftp, just as I would have guessed from the C code.

It should. Are you sure you had the proper modules loaded?

Re: helpers register for a specific port, but work anyway

[Jan Engelhardt]

On Feb 27 2008 18:12, Patrick McHardy wrote:
>> > Why do you think so? Ports not specified as FTP command ports are not
>> > parsed.
>> 
>> Yes, I find it strange. On the router (192.168.222.1), I do:
>> 
>> # iptables -t nat -A PREROUTING -d 134.76.12.5 -p tcp --dport 2121
>>  -j DNAT --to 134.76.12.5:21
>> 
>> and on the client (192.168.222.24),:
>> 
>> # conntrack -E expect &
>> # ftp 134.76.12.5 2121
>> Connected to ftp5.gwdg.de.
>> 220 "Welcome to FTP5.GWDG.DE."
>> Name (ftp5.gwdg.de:jengelh): ftp
>> 331 Please specify the password.
>> Password:
>> 230 Login successful.
>> Remote system type is UNIX.
>> Using binary mode to transfer files.
>> ftp> dir
>> 300 proto=6 src=192.168.222.24 dst=134.76.12.5 sport=0 dport=32238
>> 229 Entering Extended Passive Mode (|||32238|)
>> 150 Here comes the directory listing.
>> drwx------    2 ftp      ftp         16384 Apr 20  2006 lost+found
>> drwxr-xr-x   33 ftp      ftp          4096 Feb 27 00:58 pub
>> 226 Directory send OK.
>> ftp>
>> 
>> The 300 proto=6 line comes from conntrack -E --- but if nf_conntrack_ftp
>> does not parse streams to port 2121 by default, how could it have
>> set up the expectation?
>
> When NATing packets the helper lookup is repeated based
> on the final tuple.

But the machine I am running conntrack -E and ftp from do not
see the NATting taking place higher up in the routing chain, do they?

Re: helpers register for a specific port, but work anyway

[Jozsef Kadlecsik]

On Wed, 27 Feb 2008, Jan Engelhardt wrote:

> >> # iptables -t nat -A PREROUTING -d 134.76.12.5 -p tcp --dport 2121
> >>  -j DNAT --to 134.76.12.5:21
> >> 
> >> and on the client (192.168.222.24),:
> >> 
> >> # conntrack -E expect &
> >> # ftp 134.76.12.5 2121
> >> Connected to ftp5.gwdg.de.
> >> 220 "Welcome to FTP5.GWDG.DE."
> >> Name (ftp5.gwdg.de:jengelh): ftp
> >> 331 Please specify the password.
> >> Password:
> >> 230 Login successful.
> >> Remote system type is UNIX.
> >> Using binary mode to transfer files.
> >> ftp> dir
> >> 300 proto=6 src=192.168.222.24 dst=134.76.12.5 sport=0 dport=32238
> >> 229 Entering Extended Passive Mode (|||32238|)
> >> 150 Here comes the directory listing.
> >> drwx------    2 ftp      ftp         16384 Apr 20  2006 lost+found
> >> drwxr-xr-x   33 ftp      ftp          4096 Feb 27 00:58 pub
> >> 226 Directory send OK.
> >> ftp>
> >> 
> >> The 300 proto=6 line comes from conntrack -E --- but if nf_conntrack_ftp
> >> does not parse streams to port 2121 by default, how could it have
> >> set up the expectation?
> >
> > When NATing packets the helper lookup is repeated based
> > on the final tuple.
> 
> But the machine I am running conntrack -E and ftp from do not
> see the NATting taking place higher up in the routing chain, do they?

You had to load the nf_conntrack_ftp module on the client machine too.
By which module parameters was it loaded?

Best regards,
Jozsef
-
E-mail  : kadlec@blackhole.kfki.hu, kadlec@sunserv.kfki.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
          H-1525 Budapest 114, POB. 49, Hungary

Re: helpers register for a specific port, but work anyway

[Jan Engelhardt]

On Feb 28 2008 08:18, Jozsef Kadlecsik wrote:

>> >> on a router between 192.168.222.24 and 134.76.12.5:
>> >> # iptables -t nat -A PREROUTING -d 134.76.12.5 -p tcp --dport 2121
>> >>  -j DNAT --to 134.76.12.5:21
>> >> 
>> >> and on the client (192.168.222.24),:
>> >> 
>> >> # conntrack -E expect &
>> >> # ftp 134.76.12.5 2121
>> >> Connected to ftp5.gwdg.de.
>> >> 220 "Welcome to FTP5.GWDG.DE."
>> >> Name (ftp5.gwdg.de:jengelh): ftp
>> >> 331 Please specify the password.
>> >> Password:
>> >> 230 Login successful.
>> >> Remote system type is UNIX.
>> >> Using binary mode to transfer files.
>> >> ftp> dir
>> >> 300 proto=6 src=192.168.222.24 dst=134.76.12.5 sport=0 dport=32238
>> >> 229 Entering Extended Passive Mode (|||32238|)
>> >> 150 Here comes the directory listing.
>> >> drwx------    2 ftp      ftp         16384 Apr 20  2006 lost+found
>> >> drwxr-xr-x   33 ftp      ftp          4096 Feb 27 00:58 pub
>> >> 226 Directory send OK.
>> >> ftp>
>> >> 
>> >> The 300 proto=6 line comes from conntrack -E --- but if nf_conntrack_ftp
>> >> does not parse streams to port 2121 by default, how could it have
>> >> set up the expectation?
>> >
>> > When NATing packets the helper lookup is repeated based
>> > on the final tuple.
>> 
>> But the machine I am running conntrack -E and ftp from do not
>> see the NATting taking place higher up in the routing chain, do they?
>
>You had to load the nf_conntrack_ftp module on the client machine too.
>By which module parameters was it loaded?

The module was certainly loaded, otherwise `conntrack -E` would
not have printed anything.
No parameters were specified, just `modprobe nf_conntrack_ftp`,
like I said. There is no way it should have analyzed port 2121 ftp.

Re: helpers register for a specific port, but work anyway

[Jozsef Kadlecsik]

On Thu, 28 Feb 2008, Jan Engelhardt wrote:

> >> >> The 300 proto=6 line comes from conntrack -E --- but if nf_conntrack_ftp
> >> >> does not parse streams to port 2121 by default, how could it have
> >> >> set up the expectation?
> >> >
> >> > When NATing packets the helper lookup is repeated based
> >> > on the final tuple.
> >> 
> >> But the machine I am running conntrack -E and ftp from do not
> >> see the NATting taking place higher up in the routing chain, do they?
> >
> >You had to load the nf_conntrack_ftp module on the client machine too.
> >By which module parameters was it loaded?
> 
> The module was certainly loaded, otherwise `conntrack -E` would
> not have printed anything.
> No parameters were specified, just `modprobe nf_conntrack_ftp`,
> like I said. There is no way it should have analyzed port 2121 ftp.

Any long forgotten nf_conntrack_ftp related option setting under 
/etc/modprobe.d/ or in /etc/modprobe.conf?

Best regards,
Jozsef
-
E-mail  : kadlec@blackhole.kfki.hu, kadlec@sunserv.kfki.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
          H-1525 Budapest 114, POB. 49, Hungary

Re: helpers register for a specific port, but work anyway

[Jan Engelhardt]

On Feb 28 2008 10:42, Jozsef Kadlecsik wrote:
>> 
>> The module was certainly loaded, otherwise `conntrack -E` would
>> not have printed anything.
>> No parameters were specified, just `modprobe nf_conntrack_ftp`,
>> like I said. There is no way it should have analyzed port 2121 ftp.
>
>Any long forgotten nf_conntrack_ftp related option setting under 
>/etc/modprobe.d/ or in /etc/modprobe.conf?

I looked into /sys/module/nf_conntrack_ftp/parameters/ports
which only contains "21". I'm gonna stacktrace it now...

Re: helpers register for a specific port, but work anyway

[Jan Engelhardt]

On Feb 28 2008 11:36, Jan Engelhardt wrote:
>>> The module was certainly loaded, otherwise `conntrack -E` would
>>> not have printed anything.
>>> No parameters were specified, just `modprobe nf_conntrack_ftp`,
>>> like I said. There is no way it should have analyzed port 2121 ftp.
>>
>>Any long forgotten nf_conntrack_ftp related option setting under 
>>/etc/modprobe.d/ or in /etc/modprobe.conf?
>
>I looked into /sys/module/nf_conntrack_ftp/parameters/ports
>which only contains "21". I'm gonna stacktrace it now...
>
Ok issue solved ... a stray DNAT in the *OUTPUT* chain
of the client. Man that one was hidden :) wonder when I added that.
Thanks.