From: Pascal Hambourg <pascal@plouf.fr.eu.org>
To: Tomek L <tl-netfilter@gazeta.pl>
Cc: netfilter@vger.kernel.org
Subject: Re: FTP connection tracking doesn't work with nftables
Date: Sun, 17 May 2015 15:32:20 +0200
Message-ID: <55589864.2010008@plouf.fr.eu.org>
In-Reply-To: <CANfWn6W0XdeHUwWFWbYsXQta7O4KBZ0CahATetLZ553fHHd-Bg@mail.gmail.com>
Tomek L wrote:
> Helper doesn't have to look into encrypted payload.
The helper needs to look into the control connection.
> It would be enough
> if helper assumes that in the next ~3 seconds, netfilter can expect
> incoming connection from client on high port, from source port +1
> higher than original source port used when initiating connection.
This assumption is wrong. AFAIK there is no requirement in the RFCs that
the source port for a data connection be +1 higher than the original
source port used for the control connection. I checked my FTP client
(tnftp), it uses random source ports for each data connection. Besides,
source ports may be mangled by any NAT device in the path.
The only requirement is for active mode: the server should use the
control port -1 (usually 21-1 = 20) as the source port for data connections.
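To illustrate why the helper must parse the control connection rather than guess from the original source port, here is an added example (not part of the thread, and not the kernel's nf_conntrack_ftp code) that derives the data-connection expectation from PORT/EPRT commands and 227/229 replies. Addresses, ports and the control-channel lines are constructed; the only fixed rule it applies is the one stated above, that active-mode data connections come from the server at control port -1.

```python
import re

# Control-channel messages an FTP conntrack helper has to understand.
# Constructed patterns for this example, not the kernel helper's parser.
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)$")
EPRT_RE = re.compile(r"^EPRT \|([12])\|([^|]+)\|(\d+)\|$")
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
EPSV_RE = re.compile(r"^229 .*?\(\|\|\|(\d+)\|\)")

def _host_port(groups):
    """Decode the h1,h2,h3,h4,p1,p2 form used by PORT and 227 replies."""
    return ".".join(groups[:4]), int(groups[4]) * 256 + int(groups[5])

def parse_expectation(line, client_ip, server_ip, ctrl_port=21):
    """Return the data connection to expect after one control-channel line, or None.

    Active mode: server connects out, source port ctrl_port - 1, to the
    address/port the client announced. Passive mode: client connects to the
    address/port the server announced; its source port is unknown (clients such
    as tnftp pick random ports), so the helper cannot pin it down.
    """
    line = line.rstrip("\r\n")
    m = PORT_RE.match(line)
    if m:
        ip, port = _host_port(m.groups())
        return {"mode": "active", "src": server_ip, "sport": ctrl_port - 1,
                "dst": ip, "dport": port}
    m = EPRT_RE.match(line)
    if m:
        return {"mode": "active", "src": server_ip, "sport": ctrl_port - 1,
                "dst": m.group(2), "dport": int(m.group(3))}
    m = PASV_RE.match(line)
    if m:
        ip, port = _host_port(m.groups())
        return {"mode": "passive", "src": client_ip, "sport": None,
                "dst": ip, "dport": port}
    m = EPSV_RE.match(line)
    if m:
        return {"mode": "passive", "src": client_ip, "sport": None,
                "dst": server_ip, "dport": int(m.group(1))}
    return None  # e.g. RETR, USER, 150 ...: no new data connection implied

def expectations(lines, client_ip, server_ip, ctrl_port=21):
    """Walk a control-channel transcript and collect every expectation it implies."""
    found = [parse_expectation(l, client_ip, server_ip, ctrl_port) for l in lines]
    return [e for e in found if e is not None]

# Constructed control-channel transcript (RFC 5737 documentation addresses).
SESSION = [
    "PORT 192,0,2,10,195,80\r\n",                             # client offers 192.0.2.10:50000
    "227 Entering Passive Mode (198,51,100,5,200,10).\r\n",   # server offers :51210
    "229 Entering Extended Passive Mode (|||60001|)\r\n",
    "RETR file.bin\r\n",
]
```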