https://bugzilla.novell.com/show_bug.cgi?id=747660

https://bugzilla.novell.com/show_bug.cgi?id=747660#c0

Summary: FTP passive mode fails
Classification: openSUSE
Product: openSUSE 11.4
Version: Final
Platform: i686
OS/Version: openSUSE 11.4
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Kernel
AssignedTo: kernel-maintainers@forge.provo.novell.com
ReportedBy: dbtopas@dbtopas.lt
QAContact: qa@suse.de
Found By: ---
Blocker: ---

User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:5.0) Gecko/20100101 Firefox/5.0

After upgrading from openSUSE 11.3 to 11.4, I cannot connect from the internal network (the openSUSE machine works as a router with NAT) to an FTP server using passive mode. I suspect it is an nf_conntrack_ftp problem.

The FTP client gets an invalid response to the PASV command, e.g.:

227 Entering Passive Mode 84,32,116,230,137,115116,230,137,115).

The 227 response syntax is invalid: '(' is missing and '116,230,137,115' is duplicated. It looks like some string buffer overflow etc.

The invalid response is not a problem of the remote FTP server. If I connect to the remote server from the openSUSE NAT machine itself, I get a correct response, e.g.:

227 Entering Passive Mode (84,32,116,230,137,115).

So I suspect the packet is changed (and made invalid) by nf_conntrack_ftp. This is also indicated by the tcpdump log. Here is the log for the same connection on my eth2 (WAN interface) and eth0 (LAN interface):

# tcpdump -X -n -i eth2 host 84.32.116.230
..
16:18:12.933435 IP 84.32.116.230.21 > 217.147.33.203.63474: Flags [P.], seq 96:148, ack 34, win 5840, length 52
    0x0000: 4500 005c 2f3c 4000 3806 4efb 5420 74e6 E..\/<@.8.N.T.t.
    0x0010: d993 21cb 0015 f7f2 fc9f 05df ae83 39bd ..!...........9.
    0x0020: 5018 16d0 4dd9 0000 3232 3720 456e 7465 P...M...227.Ente
    0x0030: 7269 6e67 2050 6173 7369 7665 204d 6f64 ring.Passive.Mod
    0x0040: 6520 2838 342c 3332 2c31 3136 2c32 3330 e.(84,32,116,230
    0x0050: 2c31 3337 2c31 3135 292e 0d0a ,137,115)...

# tcpdump -X -n -i eth0 host 84.32.116.230
..
16:18:12.933465 IP 84.32.116.230.21 > 192.168.1.4.63474: Flags [P.], seq 96:148, ack 34, win 5840, length 52
    0x0000: 4500 005c 2f3c 4000 3706 89ad 5420 74e6 E..\/<@.7...T.t.
    0x0010: c0a8 0104 0015 f7f2 fc9f 05df ae83 39bd ..............9.
    0x0020: 5018 16d0 8b01 0000 3232 3720 456e 7465 P.......227.Ente
    0x0030: 7269 6e67 2038 342c 3332 2c31 3136 2c32 ring.84,32,116,2
    0x0040: 3330 2c31 3337 2c31 3135 3136 2c32 3330 30,137,11516,230
    0x0050: 2c31 3337 2c31 3135 292e 0d0a ,137,115)...

The same problem is described at http://lists.opensuse.org/opensuse/2011-07/msg00268.html

Reproducible: Always

Steps to Reproduce:
1. Configure openSUSE as a NAT machine (iptables -t nat, -A POSTROUTING -o eth2 -j MASQUERADE, etc.)
2. From the internal network, connect to any FTP server on the internet:

ftp 84.32.116.230
Connected to 84.32.116.230.
220 ProFTPD 1.3.3c Server ready.
User (84.32.116.230:(none)): ******
331 Password required for ******
Password: ******
230 User ****** logged in
ftp> quote pasv
227 Entering 84,32,116,230,138,44116,230,138,44).

Actual Results:
227 Entering 84,32,116,230,138,44116,230,138,44).
Expected Results:
227 Entering (84,32,116,230,138,44).

The openSUSE 11.4 updates do not solve the problem. Some version info:

# uname -a
Linux linux 2.6.37.6-0.11-pae #1 SMP 2011-12-19 23:39:38 +0100 i686 i686 i386 GNU/Linux

# modinfo nf_conntrack_ftp
filename: /lib/modules/2.6.37.6-0.11-pae/kernel/net/netfilter/nf_conntrack_ftp.ko
alias: nfct-helper-ftp
alias: ip_conntrack_ftp
description: ftp connection tracking helper
author: Rusty Russell
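
The malformed reply shown in this report can be checked mechanically. The Python sketch below is an added example, not part of the original report or of any kernel code; the function names are hypothetical, and the two payloads are transcribed from the tcpdump captures above. It scans a 227 reply the lenient way RFC 1123 section 4.1.2.6 asks of clients, which shows that the LAN-side copy is unusable even for a client that does not require the parenthesis.

```python
import re

# Six comma-separated decimal fields: h1,h2,h3,h4,p1,p2 (RFC 959 PASV reply).
# Scanned leniently, without requiring "(", as RFC 1123 4.1.2.6 recommends.
_FIELDS = re.compile(rb"(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")


def parse_pasv(reply: bytes):
    """Return (ip, port) from a 227 reply, or raise ValueError if unusable."""
    if not reply.startswith(b"227"):
        raise ValueError("not a 227 reply")
    m = _FIELDS.search(reply, 3)
    if m is None:
        raise ValueError("no h1,h2,h3,h4,p1,p2 tuple found")
    nums = [int(g) for g in m.groups()]
    bad = [n for n in nums if n > 255]
    if bad:
        raise ValueError(f"field out of range 0..255: {bad}")
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]


def check_nat_rewrite(wan: bytes, lan: bytes):
    """Compare one reply as captured before (WAN) and after (LAN) the NAT box."""
    result = {"wan": parse_pasv(wan),
              "rewritten": wan != lan,            # payload was modified in transit
              "same_length": len(wan) == len(lan)}
    try:
        result["lan"] = parse_pasv(lan)
    except ValueError as exc:
        result["lan_error"] = str(exc)            # client cannot open a data channel
    return result


# TCP payloads transcribed from the two tcpdump captures in the report.
WAN = b"227 Entering Passive Mode (84,32,116,230,137,115).\r\n"  # eth2
LAN = b"227 Entering 84,32,116,230,137,11516,230,137,115).\r\n"  # eth0

if __name__ == "__main__":
    print(check_nat_rewrite(WAN, LAN))
```

Both payloads are 52 bytes long, so the rewrite kept the segment length while corrupting the text; the check fails because the sixth field parses as 11516.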