Patchwork [1/2] ipvs: ip_vs_ftp depends on nf_conntrack_ftp helper

login
register
mail settings
Submitter Simon Horman
Date July 11, 2012, 12:25 a.m.
Message ID <1341966327-16606-2-git-send-email-horms@verge.net.au>
Download mbox | patch
Permalink /patch/170315/
State Superseded
Headers show

Comments

Simon Horman - July 11, 2012, 12:25 a.m.
From: Julian Anastasov <ja@ssi.bg>

	The FTP application indirectly depends on the
nf_conntrack_ftp helper for proper NAT support. If the
module is not loaded, IPVS can resize the packets for the
command connection, eg. PASV response but the SEQ adjustment
logic in ipv4_confirm is not called without helper.

Signed-off-by: Julian Anastasov <ja@ssi.bg>
Signed-off-by: Simon Horman <horms@verge.net.au>
---
 net/netfilter/ipvs/Kconfig | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
Pablo Neira - July 12, 2012, 3:39 p.m.
On Wed, Jul 11, 2012 at 09:25:26AM +0900, Simon Horman wrote:
> From: Julian Anastasov <ja@ssi.bg>
> 
> 	The FTP application indirectly depends on the
> nf_conntrack_ftp helper for proper NAT support. If the
> module is not loaded, IPVS can resize the packets for the
> command connection, eg. PASV response but the SEQ adjustment
> logic in ipv4_confirm is not called without helper.
> 
> Signed-off-by: Julian Anastasov <ja@ssi.bg>
> Signed-off-by: Simon Horman <horms@verge.net.au>
> ---
>  net/netfilter/ipvs/Kconfig | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
> 
> diff --git a/net/netfilter/ipvs/Kconfig b/net/netfilter/ipvs/Kconfig
> index f987138..8b2cffd 100644
> --- a/net/netfilter/ipvs/Kconfig
> +++ b/net/netfilter/ipvs/Kconfig
> @@ -250,7 +250,8 @@ comment 'IPVS application helper'
>  
>  config	IP_VS_FTP
>    	tristate "FTP protocol helper"
> -        depends on IP_VS_PROTO_TCP && NF_CONNTRACK && NF_NAT
> +	depends on IP_VS_PROTO_TCP && NF_CONNTRACK && NF_NAT && \
> +		NF_CONNTRACK_FTP

If you require FTP NAT support, then this depends on NF_NAT_FTP
instead of NF_CONNTRACK_FTP.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Julian Anastasov - July 12, 2012, 7:43 p.m.
Hello,

On Thu, 12 Jul 2012, Pablo Neira Ayuso wrote:

> On Wed, Jul 11, 2012 at 09:25:26AM +0900, Simon Horman wrote:
> > From: Julian Anastasov <ja@ssi.bg>
> > 
> > 	The FTP application indirectly depends on the
> > nf_conntrack_ftp helper for proper NAT support. If the
> > module is not loaded, IPVS can resize the packets for the
> > command connection, eg. PASV response but the SEQ adjustment
> > logic in ipv4_confirm is not called without helper.
> > 
> > Signed-off-by: Julian Anastasov <ja@ssi.bg>
> > Signed-off-by: Simon Horman <horms@verge.net.au>
> > ---
> >  net/netfilter/ipvs/Kconfig | 3 ++-
> >  1 file changed, 2 insertions(+), 1 deletion(-)
> > 
> > diff --git a/net/netfilter/ipvs/Kconfig b/net/netfilter/ipvs/Kconfig
> > index f987138..8b2cffd 100644
> > --- a/net/netfilter/ipvs/Kconfig
> > +++ b/net/netfilter/ipvs/Kconfig
> > @@ -250,7 +250,8 @@ comment 'IPVS application helper'
> >  
> >  config	IP_VS_FTP
> >    	tristate "FTP protocol helper"
> > -        depends on IP_VS_PROTO_TCP && NF_CONNTRACK && NF_NAT
> > +	depends on IP_VS_PROTO_TCP && NF_CONNTRACK && NF_NAT && \
> > +		NF_CONNTRACK_FTP
> 
> If you require FTP NAT support, then this depends on NF_NAT_FTP
> instead of NF_CONNTRACK_FTP.

	No, I just checked again, it works without nf_nat_ftp,
only nf_nat, nf_conntrack_ftp and iptable_nat are needed.
We use packet mangling part from nf_nat (nf_nat_mangle_tcp_packet).

Regards

--
Julian Anastasov <ja@ssi.bg>
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Simon Horman - July 23, 2012, 6:48 a.m.
On Thu, Jul 12, 2012 at 10:43:22PM +0300, Julian Anastasov wrote:
> 
> 	Hello,
> 
> On Thu, 12 Jul 2012, Pablo Neira Ayuso wrote:
> 
> > On Wed, Jul 11, 2012 at 09:25:26AM +0900, Simon Horman wrote:
> > > From: Julian Anastasov <ja@ssi.bg>
> > > 
> > > 	The FTP application indirectly depends on the
> > > nf_conntrack_ftp helper for proper NAT support. If the
> > > module is not loaded, IPVS can resize the packets for the
> > > command connection, eg. PASV response but the SEQ adjustment
> > > logic in ipv4_confirm is not called without helper.
> > > 
> > > Signed-off-by: Julian Anastasov <ja@ssi.bg>
> > > Signed-off-by: Simon Horman <horms@verge.net.au>
> > > ---
> > >  net/netfilter/ipvs/Kconfig | 3 ++-
> > >  1 file changed, 2 insertions(+), 1 deletion(-)
> > > 
> > > diff --git a/net/netfilter/ipvs/Kconfig b/net/netfilter/ipvs/Kconfig
> > > index f987138..8b2cffd 100644
> > > --- a/net/netfilter/ipvs/Kconfig
> > > +++ b/net/netfilter/ipvs/Kconfig
> > > @@ -250,7 +250,8 @@ comment 'IPVS application helper'
> > >  
> > >  config	IP_VS_FTP
> > >    	tristate "FTP protocol helper"
> > > -        depends on IP_VS_PROTO_TCP && NF_CONNTRACK && NF_NAT
> > > +	depends on IP_VS_PROTO_TCP && NF_CONNTRACK && NF_NAT && \
> > > +		NF_CONNTRACK_FTP
> > 
> > If you require FTP NAT support, then this depends on NF_NAT_FTP
> > instead of NF_CONNTRACK_FTP.
> 
> 	No, I just checked again, it works without nf_nat_ftp,
> only nf_nat, nf_conntrack_ftp and iptable_nat are needed.
> We use packet mangling part from nf_nat (nf_nat_mangle_tcp_packet).

Is there a consensus on this?
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Pablo Neira - July 23, 2012, 5:39 p.m.
On Mon, Jul 23, 2012 at 03:48:18PM +0900, Simon Horman wrote:
> On Thu, Jul 12, 2012 at 10:43:22PM +0300, Julian Anastasov wrote:
> > 
> > 	Hello,
> > 
> > On Thu, 12 Jul 2012, Pablo Neira Ayuso wrote:
> > 
> > > On Wed, Jul 11, 2012 at 09:25:26AM +0900, Simon Horman wrote:
> > > > From: Julian Anastasov <ja@ssi.bg>
> > > > 
> > > > 	The FTP application indirectly depends on the
> > > > nf_conntrack_ftp helper for proper NAT support. If the
> > > > module is not loaded, IPVS can resize the packets for the
> > > > command connection, eg. PASV response but the SEQ adjustment
> > > > logic in ipv4_confirm is not called without helper.
> > > > 
> > > > Signed-off-by: Julian Anastasov <ja@ssi.bg>
> > > > Signed-off-by: Simon Horman <horms@verge.net.au>
> > > > ---
> > > >  net/netfilter/ipvs/Kconfig | 3 ++-
> > > >  1 file changed, 2 insertions(+), 1 deletion(-)
> > > > 
> > > > diff --git a/net/netfilter/ipvs/Kconfig b/net/netfilter/ipvs/Kconfig
> > > > index f987138..8b2cffd 100644
> > > > --- a/net/netfilter/ipvs/Kconfig
> > > > +++ b/net/netfilter/ipvs/Kconfig
> > > > @@ -250,7 +250,8 @@ comment 'IPVS application helper'
> > > >  
> > > >  config	IP_VS_FTP
> > > >    	tristate "FTP protocol helper"
> > > > -        depends on IP_VS_PROTO_TCP && NF_CONNTRACK && NF_NAT
> > > > +	depends on IP_VS_PROTO_TCP && NF_CONNTRACK && NF_NAT && \
> > > > +		NF_CONNTRACK_FTP
> > > 
> > > If you require FTP NAT support, then this depends on NF_NAT_FTP
> > > instead of NF_CONNTRACK_FTP.
> > 
> > 	No, I just checked again, it works without nf_nat_ftp,
> > only nf_nat, nf_conntrack_ftp and iptable_nat are needed.
> > We use packet mangling part from nf_nat (nf_nat_mangle_tcp_packet).
> 
> Is there a consensus on this?

Fine with me, just wanted to make sure this what you wanted. Thanks
Simon.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Simon Horman - July 23, 2012, 11:11 p.m.
On Mon, Jul 23, 2012 at 07:39:06PM +0200, Pablo Neira Ayuso wrote:
> On Mon, Jul 23, 2012 at 03:48:18PM +0900, Simon Horman wrote:
> > On Thu, Jul 12, 2012 at 10:43:22PM +0300, Julian Anastasov wrote:
> > > 
> > > 	Hello,
> > > 
> > > On Thu, 12 Jul 2012, Pablo Neira Ayuso wrote:
> > > 
> > > > On Wed, Jul 11, 2012 at 09:25:26AM +0900, Simon Horman wrote:
> > > > > From: Julian Anastasov <ja@ssi.bg>
> > > > > 
> > > > > 	The FTP application indirectly depends on the
> > > > > nf_conntrack_ftp helper for proper NAT support. If the
> > > > > module is not loaded, IPVS can resize the packets for the
> > > > > command connection, eg. PASV response but the SEQ adjustment
> > > > > logic in ipv4_confirm is not called without helper.
> > > > > 
> > > > > Signed-off-by: Julian Anastasov <ja@ssi.bg>
> > > > > Signed-off-by: Simon Horman <horms@verge.net.au>
> > > > > ---
> > > > >  net/netfilter/ipvs/Kconfig | 3 ++-
> > > > >  1 file changed, 2 insertions(+), 1 deletion(-)
> > > > > 
> > > > > diff --git a/net/netfilter/ipvs/Kconfig b/net/netfilter/ipvs/Kconfig
> > > > > index f987138..8b2cffd 100644
> > > > > --- a/net/netfilter/ipvs/Kconfig
> > > > > +++ b/net/netfilter/ipvs/Kconfig
> > > > > @@ -250,7 +250,8 @@ comment 'IPVS application helper'
> > > > >  
> > > > >  config	IP_VS_FTP
> > > > >    	tristate "FTP protocol helper"
> > > > > -        depends on IP_VS_PROTO_TCP && NF_CONNTRACK && NF_NAT
> > > > > +	depends on IP_VS_PROTO_TCP && NF_CONNTRACK && NF_NAT && \
> > > > > +		NF_CONNTRACK_FTP
> > > > 
> > > > If you require FTP NAT support, then this depends on NF_NAT_FTP
> > > > instead of NF_CONNTRACK_FTP.
> > > 
> > > 	No, I just checked again, it works without nf_nat_ftp,
> > > only nf_nat, nf_conntrack_ftp and iptable_nat are needed.
> > > We use packet mangling part from nf_nat (nf_nat_mangle_tcp_packet).
> > 
> > Is there a consensus on this?
> 
> Fine with me, just wanted to make sure this what you wanted. Thanks
> Simon.

Thanks. I'll include this in a pull request after rebasing ipvs-next.
I plan to do that today.

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Patch

diff --git a/net/netfilter/ipvs/Kconfig b/net/netfilter/ipvs/Kconfig
index f987138..8b2cffd 100644
--- a/net/netfilter/ipvs/Kconfig
+++ b/net/netfilter/ipvs/Kconfig
@@ -250,7 +250,8 @@  comment 'IPVS application helper'
 
 config	IP_VS_FTP
   	tristate "FTP protocol helper"
-        depends on IP_VS_PROTO_TCP && NF_CONNTRACK && NF_NAT
+	depends on IP_VS_PROTO_TCP && NF_CONNTRACK && NF_NAT && \
+		NF_CONNTRACK_FTP
 	select IP_VS_NFCT
 	---help---
 	  FTP is a protocol that transfers IP address and/or port number in