Linux Netfilter discussions
From: Adam Gundy <arg@cyberscience.com>
To: netfilter@vger.kernel.org
Subject: conntrackd not replicating NATted FTP connection properly?
Date: Mon, 12 Jul 2010 08:40:24 -0600
Message-ID: <4C3B2958.20708@cyberscience.com>

I've set up a pair of redundant routers using keepalived and conntrackd.
Part of their job is to handle routing to an FTP server in a NATted DMZ.

Both servers are running Ubuntu Lucid, but for other reasons I've switched
to a stock 2.6.33.5 kernel. I've also tried building the 0.9.14 version of
conntrack to see if it fixed the problem (Lucid ships with 0.9.13).

This works great, except that an existing FTP connection gets 'broken' when
the master flips to the other machine. The data connection is fine, but the
control connection seems to have broken sequence numbers: the leading four
(or eight) bytes in the next packet sent are ignored. (Example packet trace
available off list.)

Looking at the conntrack source code, it seems to suggest that the NAT
'sequence offset' should be replicated... but it clearly isn't being replicated?

Am I supposed to match a particular version of conntrackd to the kernel?

Is NATted FTP not supported by conntrackd?
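The symptom described above (a few leading bytes of the next control-channel packet being dropped after failover) is what you get when the backup router lacks the sequence offset the FTP NAT helper created when it rewrote a PORT command. The following is an added illustration, not code from the post or from conntrackd: it models the three values the kernel keeps per direction for a NATed TCP flow (the sequence number at which the payload length last changed, and the cumulative offsets that apply before and after that point), replays a failover with and without that state replicated, and shows what the FTP server receives. Addresses, ports and the sequence number 1000 are constructed; ACK and SACK adjustment, which the real kernel also performs, are not modelled.

```python
import re

SEQ_MASK = 0xFFFFFFFF
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r\n$")


def rewrite_port(line: str, public_ip: str) -> str:
    """Rewrite the address in an active-mode PORT command the way an FTP NAT
    helper does.  The two port bytes (p1,p2) are kept; only the four address
    octets change, so the payload length changes by the difference in length
    between the private and public addresses."""
    m = PORT_RE.match(line)
    if not m:
        raise ValueError("not a PORT command: %r" % line)
    p1, p2 = m.group(5), m.group(6)
    return "PORT %s,%s,%s\r\n" % (public_ip.replace(".", ","), p1, p2)


def seq_after(a: int, b: int) -> bool:
    """TCP 'after(a, b)' with 32-bit wraparound: True if a is strictly later."""
    return a != b and ((a - b) & SEQ_MASK) < 0x80000000


class SeqAdjust:
    """Per-direction sequence correction for one NATed flow (simplified model of
    the kernel's seqadj state).  This is exactly the state a failover peer must
    receive to keep translating the control connection correctly."""

    def __init__(self, correction_pos=None, offset_before=0, offset_after=0):
        self.correction_pos = correction_pos  # seq of the last mangled segment
        self.offset_before = offset_before    # offset for segments at/before it
        self.offset_after = offset_after      # offset for segments after it

    def mangle(self, seq: int, delta: int) -> None:
        """Record that the segment starting at `seq` grew/shrank by `delta` bytes."""
        self.offset_before = self.offset_after
        self.correction_pos = seq
        self.offset_after += delta

    def translate(self, seq: int) -> int:
        """Map the sender's sequence number to what the peer must see."""
        if self.correction_pos is None:
            return seq
        off = self.offset_after if seq_after(seq, self.correction_pos) else self.offset_before
        return (seq + off) & SEQ_MASK


class Receiver:
    """Minimal in-order TCP receiver: bytes below rcv_nxt are duplicates and are
    silently dropped; out-of-order data is not buffered in this model."""

    def __init__(self, rcv_nxt: int):
        self.rcv_nxt = rcv_nxt

    def deliver(self, seq: int, payload: str) -> str:
        if seq_after(seq, self.rcv_nxt):
            return ""  # gap ahead of us; would be queued by a real stack
        skip = (self.rcv_nxt - seq) & SEQ_MASK
        accepted = payload[skip:]
        self.rcv_nxt = (self.rcv_nxt + len(accepted)) & SEQ_MASK
        return accepted


def simulate(replicate_seqadj: bool) -> str:
    """Client behind NAT (10.0.0.5, constructed) sends PORT then RETR through the
    master router; the backup takes over in between.  Returns the RETR line as
    the server sees it."""
    client_seq = 1000
    master = SeqAdjust()
    server = Receiver(rcv_nxt=client_seq)

    # Packet 1: the PORT command, mangled by the master's FTP NAT helper.
    original = "PORT 10,0,0,5,4,1\r\n"
    rewritten = rewrite_port(original, "203.0.113.7")
    master.mangle(client_seq, len(rewritten) - len(original))
    server.deliver(master.translate(client_seq), rewritten)
    client_seq += len(original)  # the client only knows its own, unmangled length

    # Failover: the backup either inherits the seqadj state or starts blank.
    if replicate_seqadj:
        backup = SeqAdjust(master.correction_pos, master.offset_before, master.offset_after)
    else:
        backup = SeqAdjust()

    # Packet 2: next command, now translated by the backup router.
    return server.deliver(backup.translate(client_seq), "RETR file\r\n")


if __name__ == "__main__":
    print("with replicated offset:   %r" % simulate(True))
    print("without replicated offset: %r" % simulate(False))
```

With the offset replicated the server receives the full `RETR file` line; without it the backup forwards the segment with the client's original sequence number, which now sits a few bytes behind what the server has already acknowledged, so the server discards the first bytes as a retransmission and sees a truncated command. The number of bytes lost equals the length change introduced by the address rewrite, which is why the damage is small and constant for a given NAT mapping.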


Thread overview: 3+ messages
2010-07-12 14:40 Adam Gundy [this message]
2010-07-13 10:39 ` conntrackd not replicating NATted FTP connection properly? Pablo Neira Ayuso
2010-07-13 17:10   ` Adam Gundy
