From: Bill Fink <billfink@mindspring.com>
To: Pablo Neira Ayuso <pablo@netfilter.org>
Cc: netfilter@vger.kernel.org, netfilter-devel@vger.kernel.org, fw@strlen.de
Subject: Re: conntrackd segfault on EPSV IPv6 ftp command when using ftp ExpectationSync
Date: Thu, 11 Jul 2013 11:19:16 -0400
Message-ID: <20130711111916.8a9b9d73.billfink@mindspring.com>
In-Reply-To: <20130711004827.GA5500@localhost>

On Thu, 11 Jul 2013, Pablo Neira Ayuso wrote:
> On Thu, Jul 11, 2013 at 12:08:20AM +0200, Pablo Neira Ayuso wrote:
> > On Wed, Jul 10, 2013 at 05:58:15AM -0400, Bill Fink wrote:
> > > Almost there. With the above patch, I now successfully get
> > > IPv6 expectations on the backup firewall. Unfortunately they're
> > > not quite right. On the backup firewall, the expectation src-IP
> > > is the same as the dst-IP (either IPv4 or IPv6).
> > >
> > > Primary firewall:
> > >
> > > [root@sen-fw1 linux-3.7.3-101.fc17.x86_64]# conntrack -L expect
> > > 251 proto=6 src=192.168.218.199 dst=192.168.28.198 sport=0 dport=54705 mask-src=255.255.255.255 mask-dst=255.255.255.255 sport=0 dport=65535 master-src=192.168.218.199 master-dst=192.168.28.198 sport=56877 dport=21 class=0 helper=ftp
> > > conntrack v1.4.0 (conntrack-tools): 1 expectations have been shown.
> > >
> > > Backup firewall:
> > >
> > > [root@sen-fw2 linux-3.7.3-101.fc17.x86_64]# conntrack -L expect
> > > 245 proto=6 src=192.168.28.198 dst=192.168.28.198 sport=0 dport=54705 mask-src=255.255.255.255 mask-dst=255.255.255.255 sport=0 dport=65535 master-src=192.168.218.199 master-dst=192.168.28.198 sport=56877 dport=21 class=0 helper=ftp
> > > conntrack v1.4.0 (conntrack-tools): 1 expectations have been shown.
> > >
> > > This was an unfortunate side effect of the patch to fix the
> > > conntrackd segfault problem. If I use Florian's version
> > > of the fix segfault patch rather than Pablo's then all is
> > > good.
> >
> > Thanks for the information; however, we still need to get the
> > filtering support working again.
> >
> > Could you give a try to the following patch, please?
> >
> > It applies on top of conntrack-tools master branch, thanks.
>
> There are still some downsides in the previous solution, please, give
> a try to this patch instead.

The firewalls are now in production, so I don't have the same freedom
I did previously. I'll check the patch out sometime after hours.
Normally, this weekend would be a good time, but I'm going to be
away this weekend. So it might be a few days until I get a chance.

Thanks again for all your (and Florian's) great help!

-Bill