[Bug 59] sparc64 conntrack issue with expecting related connections, FTP
bugzilla-daemon@netfilter.org
Tue, 01 Apr 2003 10:15:07 +0200
https://bugzilla.netfilter.org/cgi-bin/bugzilla/show_bug.cgi?id=59
laforge@netfilter.org changed:
What        |Removed     |Added
----------------------------------------------------------------------------
Status      |RESOLVED    |REOPENED
Resolution  |INVALID     |
------- Additional Comments From laforge@netfilter.org 2003-04-01 10:15 -------
From Chris:
I believe this problem only shows up when the PPTP NAT patch is
applied. That particular patch changed some of the fields to 32 bits
or 64 bits in ip_conntrack_manip_proto and ip_conntrack_tuple in
ip_conntrack_tuple.h. When setting the mask for the expectation
of related connections for FTP, the code in ip_conntrack_ftp.c didn't
specify the individual fields when building the mask structure. I
believe I have sent a patch to the mailing list in early February
regarding this, but I don't know if the later patches from others that
changed the structure initializations to use C99 style would have
covered this off.
To test it, I would put these very simple rule sets
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 21 -j ACCEPT
iptables -P INPUT DROP
iptables -P OUTPUT DROP
and test out FTP. I personally have added some logging rules and
have modified the code to dump the tuples when trying to match up
the incoming packet with the expected connection hash.
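As an added illustration (not code from the bug report or from netfilter), a constructed model of the failure mode Chris describes: a positional struct initializer keeps compiling after a union member is widened, but the mask value no longer lands in the field it was meant for, while a C99 designated initializer names the field and survives the layout change. The struct layout, the field names (`all`, `tcp.port`, `protonum`) and the byte-order dependence shown here are assumptions for the demonstration, not the actual ip_conntrack_tuple.h layout or the exact change made by the PPTP patch.

```c
#include <stdint.h>
#include <stdbool.h>
#include <string.h>
/* Constructed model, not the real ip_conntrack_tuple.h: assume a patch put a
 * 32-bit member (`all`) in front of the 16-bit tcp port inside the union. */
union manip_proto {
    uint32_t all;                  /* assumed wider member, now first */
    struct { uint16_t port; } tcp; /* the port an FTP mask must cover */
};
struct manip { uint32_t ip; union manip_proto u; };
struct tuple {
    struct manip src;
    struct { uint32_t ip; union manip_proto u; uint16_t protonum; } dst;
};
/* Positional mask, old ip_conntrack_ftp.c style: the inner braces initialise
 * the FIRST union member, whatever width it has after the struct change. */
static const struct tuple mask_positional =
    { { 0xFFFFFFFF, { 0 } }, { 0xFFFFFFFF, { 0xFFFF }, 0xFFFF } };
/* C99 designated mask: the port field is named, so its bits land there
 * regardless of union layout or host byte order. */
static const struct tuple mask_designated = { .src = { .ip = 0xFFFFFFFF },
    .dst = { .ip = 0xFFFFFFFF, .u = { .tcp = { .port = 0xFFFF } }, .protonum = 0xFFFF } };
bool host_is_little_endian(void)
{
    const uint16_t probe = 1;
    uint8_t first;
    memcpy(&first, &probe, 1);
    return first == 1;
}
/* 0xFFFF written into `all` overlaps the port only on a little-endian host;
 * on a big-endian host such as sparc64 the port half of the mask reads as 0. */
uint16_t positional_dst_port_mask(void) { return mask_positional.dst.u.tcp.port; }
uint16_t designated_dst_port_mask(void) { return mask_designated.dst.u.tcp.port; }
/* Expectation for a data connection to port 50000 (constructed sample) and a
 * conntrack-style masked compare of an incoming packet against it. */
static const struct tuple expected = { .src = { .ip = 0x0A000001 },
    .dst = { .ip = 0x0A000002, .u = { .tcp = { .port = 50000 } }, .protonum = 6 } };
bool matches_expectation(uint16_t dst_port, const struct tuple *m)
{
    struct tuple pkt = expected;
    pkt.src.u.tcp.port = 40000; /* src port unknown in advance, so masked out */
    pkt.dst.u.tcp.port = dst_port;
    return !((pkt.src.ip ^ expected.src.ip) & m->src.ip)
        && !((pkt.src.u.tcp.port ^ expected.src.u.tcp.port) & m->src.u.tcp.port)
        && !((pkt.dst.ip ^ expected.dst.ip) & m->dst.ip)
        && !((pkt.dst.u.tcp.port ^ expected.dst.u.tcp.port) & m->dst.u.tcp.port)
        && !((pkt.dst.protonum ^ expected.dst.protonum) & m->dst.protonum);
}
```

With the positional mask, a big-endian build compares the data connection with a zero port mask, so the dst port is no longer checked at all; the designated form gives the same 0xFFFF port mask on every host.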