Patchwork conntrackd segfault on EPSV IPv6 ftp command when using ftp ExpectationSync

Submitter Bill Fink
Date July 5, 2013, 6:03 a.m.
Message ID <20130705020312.25783ccd.billfink@mindspring.com>
Permalink /patch/257044/
State Superseded

Comments

Bill Fink - July 5, 2013, 6:03 a.m.
[not sure whether to send to netfilter or netfilter-devel,
so sending to both, but trim replies as appropriate]

I am trying to use the ftp ExpectationSync capability of conntrackd
for both IPv4 and IPv6 for connections through a pair of bridged
firewalls (primary / hot backup).  I have the following config
snippet in conntrackd.conf:

	Options {
		ExpectationSync {
			ftp
			sip
			ras	# for H.323
			q.931	# for H.323
			h.245	# for H.323
		}
	}

For IPv4, things work as expected.  But when I try the basic
analogous IPv6 test to the suggested IPv4 test from the
documentation:

x100ssd2% nc 2001:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx 21
220 FTP Server ready.
USER anonymous
331 Anonymous login ok, send your complete email address as your password
PASS bill@
230-
                *** Welcome to this anonymous ftp server! ***
 
     You are user 1 out of a maximum of 10 authorized anonymous logins.
     The current time here is Thu Jul 04 23:40:51 2013.
     If you experience any problems here, contact : root@localhost
 
 
230 Anonymous login ok, restrictions apply.
EPSV
229 Entering Extended Passive Mode (|||1584|)

As soon as I enter the EPSV command, I get the following
conntrackd segfault:

Jul  5 00:41:06 sen-fw1 kernel: [274422.060695] conntrackd[4821]: segfault at 0 ip 000000000040c660 sp 00007fffebb098a8 error 4 in conntrackd[400000+3d000]

I am using a Fedora 17 3.7.3-101.fc17.x86_64 kernel with
conntrack-tools-1.4.0-1.fc17.x86_64.

I had to use the attached patch to get "conntrackd -R" to resync
both IPv4 and IPv6 (enabled with a "Family IPv4-IPv6" entry in
conntrackd.conf).  It works well for me for the basic ct table,
but I'm not sure about the expect table part since I can't really
exercise it due to the segfault.  Note the segfault also occurs
with the original unpatched conntrackd, so it's not related to
my patch.

Any help would be greatly appreciated.

					-Thanks

					-Bill

P.S.  I am not subscribed to either netfilter or netfilter-devel.



Patch to add IPv6 to "conntrackd -R":
------------------------------------------------------------------------

Florian Westphal - July 5, 2013, 8:19 a.m.
Bill Fink <billfink@mindspring.com> wrote:
> 230 Anonymous login ok, restrictions apply.
> EPSV
> 229 Entering Extended Passive Mode (|||1584|)
> 
> As soon as I enter the EPSV command, I get the following
> conntrackd segfault:
> 
> Jul  5 00:41:06 sen-fw1 kernel: [274422.060695] conntrackd[4821]: segfault at 0 ip 000000000040c660 sp 00007fffebb098a8 error 4 in conntrackd[400000+3d000]

#0  0x000000000040f217 in jhash2 (k=0x0, length=4, initval=0) at
../include/jhash.h:99
99                      a += k[0];
(gdb) bt f
#0  0x000000000040f217 in jhash2 (k=0x0, length=4, initval=0) at ../include/jhash.h:99
        a = 2654435769 b = 2654435769 c = 0 len = 4
#1  0x000000000040f564 in ct_filter_hash6 (data=0x0, table=0x16ef630) at filter.c:57
#2  0x000000000040ad34 in hashtable_hash (table=0x16ef630, data=0x0) at hash.c:63
#3  0x000000000040fd19 in __ct_filter_test_ipv6 (f=0x16eeba0, ct=0x1703760) at filter.c:265
id_src = 51 id_dst = 24051376 src = 0x1703760 dst = 0x0

NULL deref in __ct_filter_test_ipv6.  Doesn't happen for ipv4 because
nfct_get_attr_u32() returns 0, but nfct_get_attr() returns NULL instead.

@@ -261,8 +264,8 @@ __ct_filter_test_ipv6(struct ct_filter *f, const
		struct nf_conntrack *ct)
        src = nfct_get_attr(ct, ATTR_ORIG_IPV6_SRC);
        dst = nfct_get_attr(ct, ATTR_REPL_IPV6_SRC);

-       id_src = hashtable_hash(f->h6, src);
-       id_dst = hashtable_hash(f->h6, dst);
+       id_src = src ? hashtable_hash(f->h6, src) : 0;
+       id_dst = dst ? hashtable_hash(f->h6, dst) : 0;
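Review bot: Mapping a missing address to bucket 0 only keeps hashtable_hash() from dereferencing NULL; src and dst are presumably still handed to the bucket lookup that follows in __ct_filter_test_ipv6 (outside the quoted hunk), so a NULL attribute would reach that code carrying a bucket id that can also belong to a real address hashing to 0. An early return when either attribute is absent, `if (src == NULL || dst == NULL) return <the value meaning 'no match' here>;`, keeps the NULL out of the rest of the function instead of threading it through. The function body continues past the end of the hunk, so the exact return value to use is not visible here.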


Not sure if this is enough, there are other callers
of nfct_get_attr() that don't check for NULL.
Bill Fink - July 5, 2013, 7:45 p.m.
[Please Cc: me on replies as I am not subscribed]

Florian,

First, many thanks for the quick fix!

On Fri, 5 Jul 2013, Florian Westphal wrote:

> Bill Fink <billfink@xxxxxxxxxxxxxx> wrote:
> > 230 Anonymous login ok, restrictions apply.
> > EPSV
> > 229 Entering Extended Passive Mode (|||1584|)
> > 
> > As soon as I enter the EPSV command, I get the following
> > conntrackd segfault:
> > 
> > Jul  5 00:41:06 sen-fw1 kernel: [274422.060695] conntrackd[4821]: segfault at 0 ip 000000000040c660 sp 00007fffebb098a8 error 4 in conntrackd[400000+3d000]
> 
> #0  0x000000000040f217 in jhash2 (k=0x0, length=4, initval=0) at
> ../include/jhash.h:99
> 99                      a += k[0];
> (gdb) bt f
> #0  0x000000000040f217 in jhash2 (k=0x0, length=4, initval=0) at ../include/jhash.h:99
>         a = 2654435769 b = 2654435769 c = 0 len = 4
> #1  0x000000000040f564 in ct_filter_hash6 (data=0x0, table=0x16ef630) at filter.c:57
> #2  0x000000000040ad34 in hashtable_hash (table=0x16ef630, data=0x0) at hash.c:63
> #3  0x000000000040fd19 in __ct_filter_test_ipv6 (f=0x16eeba0, ct=0x1703760) at filter.c:265
> id_src = 51 id_dst = 24051376 src = 0x1703760 dst = 0x0
> 
> NULL deref in __ct_filter_test_ipv6.  Doesn't happen for ipv4 because
> nfct_get_attr_u32() return 0, but nfct_get_attr() returns NULL instead.
> 
> @@ -261,8 +264,8 @@ __ct_filter_test_ipv6(struct ct_filter *f, const
> 		struct nf_conntrack *ct)
>         src = nfct_get_attr(ct, ATTR_ORIG_IPV6_SRC);
>         dst = nfct_get_attr(ct, ATTR_REPL_IPV6_SRC);
> 
> -       id_src = hashtable_hash(f->h6, src);
> -       id_dst = hashtable_hash(f->h6, dst);
> +       id_src = src ? hashtable_hash(f->h6, src) : 0;
> +       id_dst = dst ? hashtable_hash(f->h6, dst) : 0;
> 
> 
> Not sure if this is enough, there are other callers
> of nfct_get_attr() that don't check for NULL.

This cured my immediate problem.  conntrackd no longer segfaults
and I now get IPv6 expectations.

[root@sen-fw1 ~]# conntrackd -i expect
proto=6 src=2001:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx dst=2001:yyyy:yyyy:yyyy:yyyy:yyyy:yyyy:yyyy sport=0 dport=23046 mask-src=ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff mask-dst=ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff sport=0 dport=65535 master-src=2001:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx master-dst=2001:yyyy:yyyy:yyyy:yyyy:yyyy:yyyy:yyyy sport=38142 dport=21 class=0 helper=ftp [active since 44s]

I will now continue further testing.

I did need my patch to successfully resync the IPv6 expectations
from the kernel via "conntrackd -R" after flushing the conntrackd
cache via "conntrackd -f".

I guess I should submit my patch as an RFC patch to get
comments on it.

					-Thanks

					-Bill
Bill Fink - July 5, 2013, 11:52 p.m.
On Fri, 5 Jul 2013, Bill Fink wrote:

> [Please Cc: me on replies as I am not subscribed]
> 
> On Fri, 5 Jul 2013, Florian Westphal wrote:
> 
> > Bill Fink <billfink@xxxxxxxxxxxxxx> wrote:
> > > 230 Anonymous login ok, restrictions apply.
> > > EPSV
> > > 229 Entering Extended Passive Mode (|||1584|)
> > > 
> > > As soon as I enter the EPSV command, I get the following
> > > conntrackd segfault:
> > > 
> > > Jul  5 00:41:06 sen-fw1 kernel: [274422.060695] conntrackd[4821]: segfault at 0 ip 000000000040c660 sp 00007fffebb098a8 error 4 in conntrackd[400000+3d000]
> > 
> > #0  0x000000000040f217 in jhash2 (k=0x0, length=4, initval=0) at
> > ../include/jhash.h:99
> > 99                      a += k[0];
> > (gdb) bt f
> > #0  0x000000000040f217 in jhash2 (k=0x0, length=4, initval=0) at ../include/jhash.h:99
> >         a = 2654435769 b = 2654435769 c = 0 len = 4
> > #1  0x000000000040f564 in ct_filter_hash6 (data=0x0, table=0x16ef630) at filter.c:57
> > #2  0x000000000040ad34 in hashtable_hash (table=0x16ef630, data=0x0) at hash.c:63
> > #3  0x000000000040fd19 in __ct_filter_test_ipv6 (f=0x16eeba0, ct=0x1703760) at filter.c:265
> > id_src = 51 id_dst = 24051376 src = 0x1703760 dst = 0x0
> > 
> > NULL deref in __ct_filter_test_ipv6.  Doesn't happen for ipv4 because
> > nfct_get_attr_u32() return 0, but nfct_get_attr() returns NULL instead.
> > 
> > @@ -261,8 +264,8 @@ __ct_filter_test_ipv6(struct ct_filter *f, const
> > 		struct nf_conntrack *ct)
> >         src = nfct_get_attr(ct, ATTR_ORIG_IPV6_SRC);
> >         dst = nfct_get_attr(ct, ATTR_REPL_IPV6_SRC);
> > 
> > -       id_src = hashtable_hash(f->h6, src);
> > -       id_dst = hashtable_hash(f->h6, dst);
> > +       id_src = src ? hashtable_hash(f->h6, src) : 0;
> > +       id_dst = dst ? hashtable_hash(f->h6, dst) : 0;
> > 
> > 
> > Not sure if this is enough, there are other callers
> > of nfct_get_attr() that don't check for NULL.
> 
> This cured my immediate problem.  conntrackd no longer segfaults
> and I now get IPv6 expectations.
> 
> [root@sen-fw1 ~]# conntrackd -i expect
> proto=6 src=2001:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx dst=2001:yyyy:yyyy:yyyy:yyyy:yyyy:yyyy:yyyy sport=0 dport=23046 mask-src=ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff mask-dst=ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff sport=0 dport=65535 master-src=2001:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx master-dst=2001:yyyy:yyyy:yyyy:yyyy:yyyy:yyyy:yyyy sport=38142 dport=21 class=0 helper=ftp [active since 44s]
> 
> I will now continue further testing.

While definitely making progress, the next problem is that while
the active firewall sees the IPv6 ftp expectation, it is not
successfully synced to the backup firewall, and the following
error appears in the conntrackd.log on the backup firewall:

[Fri Jul  5 16:28:50 2013] (pid=5128) [ERROR] inject-add2: Invalid argument
Fri Jul  5 16:28:50 2013	300 proto=6 src=2001:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx dst=2001:yyyy:yyyy:yyyy:yyyy:yyyy:yyyy:yyyy sport=0 dport=11645 mask-src=ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff mask-dst=ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff sport=0 dport=65535 master-src=2001:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx master-dst=2001:yyyy:yyyy:yyyy:yyyy:yyyy:yyyy:yyyy sport=46231 dport=21 class=0 helper=ftp

I don't see anything wrong with the above, which matches exactly
the IPv6 ftp expectation seen on the primary firewall:

[root@sen-fw1 ~]# conntrackd -i expect
proto=6 src=2001:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx dst=2001:yyyy:yyyy:yyyy:yyyy:yyyy:yyyy:yyyy sport=0 dport=11645 mask-src=ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff mask-dst=ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff sport=0 dport=65535 master-src=2001:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx master-dst=2001:yyyy:yyyy:yyyy:yyyy:yyyy:yyyy:yyyy sport=46231 dport=21 class=0 helper=ftp [active since 185s]

I started looking at external_inject_exp_new() in external_inject.c,
where the inject-add2 error presumably comes from, but I haven't
gotten too far yet since I'm not that familiar with the code.
Anyone have any ideas about what might be wrong?

						-Thanks

						-Bill
Pablo Neira - July 6, 2013, 1:23 p.m.
Hi,

On Fri, Jul 05, 2013 at 02:03:12AM -0400, Bill Fink wrote:
> [not sure whether to send to netfilter or netfilter-devel,
> so sending to both, but trim replies as appropriate]
> 
> I am trying to use the ftp ExpectationSync capability of conntrackd
> for both IPv4 and IPv6 for connections through a pair of bridged
> firewalls (primary / hot backup).  I have the following config
> snippet in conntrackd.conf:
> 
> 	Options {
> 		ExpectationSync {
> 			ftp
> 			sip
> 			ras	# for H.323
> 			q.931	# for H.323
> 			h.245	# for H.323
> 		}
> 	}
> 
> For IPv4, things work as expected.  But when I try the basic
> analogous IPv6 test to the suggested IPv4 test from the
> documentation:
> 
> x100ssd2% nc 2001:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx 21
> 220 FTP Server ready.
> USER anonymous
> 331 Anonymous login ok, send your complete email address as your password
> PASS bill@
> 230-
>                 *** Welcome to this anonymous ftp server! ***
>  
>      You are user 1 out of a maximum of 10 authorized anonymous logins.
>      The current time here is Thu Jul 04 23:40:51 2013.
>      If you experience any problems here, contact : root@localhost
>  
>  
> 230 Anonymous login ok, restrictions apply.
> EPSV
> 229 Entering Extended Passive Mode (|||1584|)
> 
> As soon as I enter the EPSV command, I get the following
> conntrackd segfault:
> 
> Jul  5 00:41:06 sen-fw1 kernel: [274422.060695] conntrackd[4821]: segfault at 0 ip 000000000040c660 sp 00007fffebb098a8 error 4 in conntrackd[400000+3d000]

I have pushed this patch to fix this issue.

http://git.netfilter.org/conntrack-tools/commit/?id=479a37a549abf197ce59a4ae1666d8cba80fe977

Thanks Florian for diagnosing this, and you for reporting.

> I am using a Fedora 17 3.7.3-101.fc17.x86_64 kernel with
> conntrack-tools-1.4.0-1.fc17.x86_64.
> 
> I had to use the attached patch to get "conntrackd -R" to resync
> both IPv4 and IPv6 (enabled with a "Family IPv4-IPv6" entry in
> conntrackd.conf).  It works well for me for the basic ct table,
> but I'm not sure about the expect table part since I can't really
> exercise it due to the segfault.  Note the segfault also occurs
> with the original unpatched conntrackd, so it's not related to
> my patch.

For this, I have applied the following patch:

http://git.netfilter.org/conntrack-tools/commit/?id=e2c6576e775652c35d336afa0551676339c6a793

Let me know.
Bill Fink - July 7, 2013, 7:04 a.m.
On Sat, 6 Jul 2013, Pablo Neira Ayuso wrote:

> On Fri, Jul 05, 2013 at 02:03:12AM -0400, Bill Fink wrote:
> > [not sure whether to send to netfilter or netfilter-devel,
> > so sending to both, but trim replies as appropriate]
> > 
> > I am trying to use the ftp ExpectationSync capability of conntrackd
> > for both IPv4 and IPv6 for connections through a pair of bridged
> > firewalls (primary / hot backup).  I have the following config
> > snippet in conntrackd.conf:
> > 
> > 	Options {
> > 		ExpectationSync {
> > 			ftp
> > 			sip
> > 			ras	# for H.323
> > 			q.931	# for H.323
> > 			h.245	# for H.323
> > 		}
> > 	}
> > 
> > For IPv4, things work as expected.  But when I try the basic
> > analogous IPv6 test to the suggested IPv4 test from the
> > documentation:
> > 
> > x100ssd2% nc 2001:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx 21
> > 220 FTP Server ready.
> > USER anonymous
> > 331 Anonymous login ok, send your complete email address as your password
> > PASS bill@
> > 230-
> >                 *** Welcome to this anonymous ftp server! ***
> >  
> >      You are user 1 out of a maximum of 10 authorized anonymous logins.
> >      The current time here is Thu Jul 04 23:40:51 2013.
> >      If you experience any problems here, contact : root@localhost
> >  
> >  
> > 230 Anonymous login ok, restrictions apply.
> > EPSV
> > 229 Entering Extended Passive Mode (|||1584|)
> > 
> > As soon as I enter the EPSV command, I get the following
> > conntrackd segfault:
> > 
> > Jul  5 00:41:06 sen-fw1 kernel: [274422.060695] conntrackd[4821]: segfault at 0 ip 000000000040c660 sp 00007fffebb098a8 error 4 in conntrackd[400000+3d000]
> 
> I have pushed this patch to fix this issue.
> 
> http://git.netfilter.org/conntrack-tools/commit/?id=479a37a549abf197ce59a4ae1666d8cba80fe977
> 
> Thanks Florian for diagnosing this, and you for reporting.

Thanks!  I have tested this and it does fix the segfault.

> > I am using a Fedora 17 3.7.3-101.fc17.x86_64 kernel with
> > conntrack-tools-1.4.0-1.fc17.x86_64.
> > 
> > I had to use the attached patch to get "conntrackd -R" to resync
> > both IPv4 and IPv6 (enabled with a "Family IPv4-IPv6" entry in
> > conntrackd.conf).  It works well for me for the basic ct table,
> > but I'm not sure about the expect table part since I can't really
> > exercise it due to the segfault.  Note the segfault also occurs
> > with the original unpatched conntrackd, so it's not related to
> > my patch.
> 
> For this, I have applied the following patch:
> 
> http://git.netfilter.org/conntrack-tools/commit/?id=e2c6576e775652c35d336afa0551676339c6a793

I also tested this and it fixes the IPv6 kernel resync issue.

> Let me know.

I still have the remaining problem that the IPv6 expectation
is not successfully synced from the primary firewall to the
backup firewall.  I see the following error in conntrackd.log
on the backup firewall:

[Sun Jul  7 01:56:38 2013] (pid=24763) [ERROR] inject-add2: Invalid argument
Sun Jul  7 01:56:38 2013	300 proto=6 src=2001:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx dst=2001:yyyy:yyyy:yyyy:yyyy:yyyy:yyyy:yyyy sport=0 dport=39767 mask-src=ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff mask-dst=ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff sport=0 dport=65535 master-src=2001:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx master-dst=2001:yyyy:yyyy:yyyy:yyyy:yyyy:yyyy:yyyy sport=37484 dport=21 class=0 helper=ftp

This exactly matches the IPv6 expectation on the primary firewall:

[root@sen-fw1 ~]# conntrackd -i expect
proto=6 src=2001:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx dst=2001:yyyy:yyyy:yyyy:yyyy:yyyy:yyyy:yyyy sport=0 dport=39767 mask-src=ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff mask-dst=ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff sport=0 dport=65535 master-src=2001:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx master-dst=2001:yyyy:yyyy:yyyy:yyyy:yyyy:yyyy:yyyy sport=37484 dport=21 class=0 helper=ftp [active since 9s]

IPv4 expectations are working fine.

I tried to track down the error, and followed the error path:

	external_inject_exp_new() ->
	  nl_create_expect()->
	    nfexp_query() ->
	      nfnl_query() ->
		nfnl_catch() ->
		  nfnl_process() ->
		    nfnl_step() ->
		      nfnl_is_error() because
			nlh->nlmsg_type == NLMSG_ERROR

but I wasn't sure how to proceed further.

					-Thanks

					-Bill
Bill Fink - July 9, 2013, 5:30 a.m.
On Sun, 7 Jul 2013, Bill Fink wrote:

> I still have the remaining problem that the IPv6 expectation
> is not successfully synced from the primary firewall to the
> backup firewall.  I see the following error in conntrackd.log
> on the backup firewall:
> 
> [Sun Jul  7 01:56:38 2013] (pid=24763) [ERROR] inject-add2: Invalid argument
> Sun Jul  7 01:56:38 2013	300 proto=6 src=2001:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx dst=2001:yyyy:yyyy:yyyy:yyyy:yyyy:yyyy:yyyy sport=0 dport=39767 mask-src=ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff mask-dst=ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff sport=0 dport=65535 master-src=2001:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx master-dst=2001:yyyy:yyyy:yyyy:yyyy:yyyy:yyyy:yyyy sport=37484 dport=21 class=0 helper=ftp
> 
> This exactly matches the IPv6 expectation on the primary firewall:
> 
> [root@sen-fw1 ~]# conntrackd -i expect
> proto=6 src=2001:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx dst=2001:yyyy:yyyy:yyyy:yyyy:yyyy:yyyy:yyyy sport=0 dport=39767 mask-src=ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff mask-dst=ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff sport=0 dport=65535 master-src=2001:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx master-dst=2001:yyyy:yyyy:yyyy:yyyy:yyyy:yyyy:yyyy sport=37484 dport=21 class=0 helper=ftp [active since 9s]
> 
> IPv4 expectations are working fine.
> 
> I tried to track down the error, and followed the error path:
> 
> 	external_inject_exp_new() ->
> 	  nl_create_expect()->
> 	    nfexp_query() ->
> 	      nfnl_query() ->
> 		nfnl_catch() ->
> 		  nfnl_process() ->
> 		    nfnl_step() ->
> 		      nfnl_is_error() because
> 			nlh->nlmsg_type == NLMSG_ERROR
> 
> but I wasn't sure how to proceed further.

I made some more progress, but still haven't found the root
cause.  I put some printks in the nf_conntrack_netlink and
nf_conntrack_ipv6 modules and tracked the error path there:

	ctnetlink_new_expect() ->
	  ctnetlink_create_expect() ->
	    ctnetlink_parse_expect_nat() ->
	      ctnetlink_parse_tuple() ->
		ctnetlink_parse_tuple_ip() ->
		  l3proto->nlattr_to_tuple() ->
		    ipv6_nlattr_to_tuple() which fails

because tb[CTA_IP_V6_SRC] and tb[CTA_IP_V6_DST] are null.

But I'm currently stuck there.  Where are tb[CTA_IP_V6_SRC]
and tb[CTA_IP_V6_DST] supposed to be set?  Is it in conntrackd
during the build of the netlink message, or somewhere in one
of the conntrack kernel modules during processing of the
netlink message?  Is there a map somewhere of the control
flow between conntrackd and the conntrack kernel modules?

I was also a little confused by the call to ctnetlink_parse_expect_nat()
since I'm not using NAT.

					-Thanks

					-Bill

Patch

diff -Nurp conntrack-tools-1.4.0.orig/src/netlink.c conntrack-tools-1.4.0/src/netlink.c
--- conntrack-tools-1.4.0.orig/src/netlink.c	2012-09-21 10:06:07.000000000 -0400
+++ conntrack-tools-1.4.0/src/netlink.c	2013-07-04 23:32:36.302310719 -0400
@@ -148,7 +148,16 @@  void nl_resize_socket_buffer(struct nfct
 
 int nl_dump_conntrack_table(struct nfct_handle *h)
 {
-	return nfct_query(h, NFCT_Q_DUMP, &CONFIG(family));
+	int fam, ret;
+
+	if (!CONFIG(both_ipv4_ipv6))
+		return nfct_query(h, NFCT_Q_DUMP, &CONFIG(family));
+	fam = AF_INET;
+	ret = nfct_query(h, NFCT_Q_DUMP, &fam);
+	if (ret < 0)
+		return ret;
+	fam = AF_INET6;
+	return nfct_query(h, NFCT_Q_DUMP, &fam);
 }
 
 static int
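Review bot: `CONFIG(both_ipv4_ipv6)` is read in this hunk (and in the nl_dump_expect_table hunk below, and assigned as `conf.both_ipv4_ipv6` in the read_config_yy.y hunks), but no hunk in the patch adds that member to the configuration struct, so the patch only builds if the struct header already declares it; the field declaration belongs in the same patch. Worth a comment above the function as well, since the early return hides a behavioural detail: with both families configured, a failing AF_INET dump returns before the AF_INET6 dump is attempted, while a failing AF_INET6 dump leaves the IPv4 table already resynced, and the caller cannot tell which family failed from the single return value. Something like `/* With Family IPv4-IPv6 both tables are dumped in turn; the first failing query aborts the sequence. */` would make that explicit.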
@@ -380,7 +389,16 @@  int nl_get_expect(struct nfct_handle *h,
 
 int nl_dump_expect_table(struct nfct_handle *h)
 {
-	return nfexp_query(h, NFCT_Q_DUMP, &CONFIG(family));
+	int fam, ret;
+
+	if (!CONFIG(both_ipv4_ipv6))
+		return nfexp_query(h, NFCT_Q_DUMP, &CONFIG(family));
+	fam = AF_INET;
+	ret = nfexp_query(h, NFCT_Q_DUMP, &fam);
+	if (ret < 0)
+		return ret;
+	fam = AF_INET6;
+	return nfexp_query(h, NFCT_Q_DUMP, &fam);
 }
 
 int nl_flush_expect_table(struct nfct_handle *h)
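Review bot: The new body of nl_dump_expect_table is a line-for-line copy of the new nl_dump_conntrack_table above with nfct_query swapped for nfexp_query, so the family-iteration logic now lives in two places and any later fix (a third family, different error handling) has to be applied twice. If the two query functions share a prototype, as their use here suggests, a small static helper taking the query function as a parameter removes the duplication and gives the dual-family behaviour one documented home.
```c
/* Dump one table for CONFIG(family), or for AF_INET then AF_INET6 when
 * Family IPv4-IPv6 is configured; the first failing query ends the sequence. */
static int nl_dump_families(struct nfct_handle *h,
			    int (*query)(struct nfct_handle *,
					 const enum nf_conntrack_query,
					 const void *))
{
	int fam, ret;

	if (!CONFIG(both_ipv4_ipv6))
		return query(h, NFCT_Q_DUMP, &CONFIG(family));
	fam = AF_INET;
	ret = query(h, NFCT_Q_DUMP, &fam);
	if (ret < 0)
		return ret;
	fam = AF_INET6;
	return query(h, NFCT_Q_DUMP, &fam);
}

int nl_dump_expect_table(struct nfct_handle *h)
{
	return nl_dump_families(h, nfexp_query);
}
```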
diff -Nurp conntrack-tools-1.4.0.orig/src/read_config_yy.y conntrack-tools-1.4.0/src/read_config_yy.y
--- conntrack-tools-1.4.0.orig/src/read_config_yy.y	2012-09-21 10:06:07.000000000 -0400
+++ conntrack-tools-1.4.0/src/read_config_yy.y	2013-03-20 18:47:36.391160857 -0400
@@ -1193,10 +1193,27 @@  scheduler_line : T_PRIO T_NUMBER
 
 family : T_FAMILY T_STRING
 {
-	if (strncmp($2, "IPv6", strlen("IPv6")) == 0)
+	if (strncmp($2, "IPv6-IPv4", strlen("IPv6-IPv4")) == 0) {
 		conf.family = AF_INET6;
-	else
+		conf.both_ipv4_ipv6 = 1;
+	}
+	else if (strncmp($2, "IPv6", strlen("IPv6")) == 0) {
+		conf.family = AF_INET6;
+		conf.both_ipv4_ipv6 = 0;
+	}
+	else if (strncmp($2, "IPv4-IPv6", strlen("IPv4-IPv6")) == 0) {
+		conf.family = AF_INET;
+		conf.both_ipv4_ipv6 = 1;
+	}
+	else if (strncmp($2, "IPv4", strlen("IPv4")) == 0) {
 		conf.family = AF_INET;
+		conf.both_ipv4_ipv6 = 0;
+	}
+	else {
+		print_err(CTD_CFG_WARN, "%s is not a valid Family, "
+					"ignoring", $2);
+		break;
+	}
 };
 
 event_iterations_limit : T_EVENT_ITER_LIMIT T_NUMBER
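Review bot: Each branch matches with `strncmp($2, "...", strlen("..."))`, which is a prefix test rather than an equality test, so a value such as `IPv4-IPv6-typo` or `IPv6x` is silently accepted as the prefixed family and never reaches the new warning branch; the ordering of the branches (the dual-family strings before the single-family ones) is also only correct because of that prefix behaviour. Since the token is a complete string, `strcmp($2, "IPv6-IPv4") == 0` (and likewise for the other three) is the intended comparison and makes the branch order irrelevant. The behaviour on an unrecognised value, leaving conf.family at 0 so init_config falls back to IPv4 with a warning, is fine and deserves a one-line comment on the `else` branch saying so.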
@@ -1864,8 +1881,10 @@  init_config(char *filename)
 	fclose(fp);
 
 	/* default to IPv4 */
-	if (CONFIG(family) == 0)
+	if (CONFIG(family) == 0) {
 		CONFIG(family) = AF_INET;
+		CONFIG(both_ipv4_ipv6) = 0;
+	}
 
 	/* set to default is not specified */
 	if (strcmp(CONFIG(lockfile), "") == 0)