Date: Wed, 28 Jul 2021 11:06:35 +0200
From: Florian Westphal
To: Cole Dishington
Cc: pablo@netfilter.org, kadlec@netfilter.org, fw@strlen.de, davem@davemloft.net, kuba@kernel.org, shuah@kernel.org, linux-kernel@vger.kernel.org, netfilter-devel@vger.kernel.org, coreteam@netfilter.org, netdev@vger.kernel.org, linux-kselftest@vger.kernel.org, Anthony Lineham, Scott Parlane, Blair Steven
Subject: Re: [PATCH] net: netfilter: Fix port selection of FTP for NF_NAT_RANGE_PROTO_SPECIFIED
Message-ID: <20210728090635.GB15121@breakpoint.cc>
References: <20210728032134.21983-1-Cole.Dishington@alliedtelesis.co.nz>
In-Reply-To: <20210728032134.21983-1-Cole.Dishington@alliedtelesis.co.nz>
User-Agent: Mutt/1.10.1 (2018-07-13)

Cole Dishington wrote:
> FTP port selection ignores specified port ranges (with iptables
> masquerade --to-ports) when creating an expectation, based on
> FTP commands PORT or PASV, for the data connection.
>
> Co-developed-by: Anthony Lineham
> Signed-off-by: Anthony Lineham
> Co-developed-by: Scott Parlane
> Signed-off-by: Scott Parlane
> Co-developed-by: Blair Steven
> Signed-off-by: Blair Steven
> Signed-off-by: Cole Dishington
> ---
>
> Notes:
>     Currently with iptables -t nat -j MASQUERADE -p tcp --to-ports 10000-10005,
>     creating a passive ftp connection from a client will result in the control
>     connection being within the specified port range but the data connection being
>     outside of the range. This patch fixes this behaviour to have both connections
>     be in the specified range.
>
>  include/net/netfilter/nf_conntrack.h |  3 +++
>  net/netfilter/nf_nat_core.c          | 10 ++++++----
>  net/netfilter/nf_nat_ftp.c           | 26 ++++++++++++--------------
>  net/netfilter/nf_nat_helper.c        | 12 ++++++++----
>  4 files changed, 29 insertions(+), 22 deletions(-)
> > diff --git a/include/net/netfilter/nf_conntrack.h b/include/net/netfilter/nf_conntrack.h > index cc663c68ddc4..b98d5d04c7ab 100644 > --- a/include/net/netfilter/nf_conntrack.h > +++ b/include/net/netfilter/nf_conntrack.h > @@ -24,6 +24,8 @@ > > #include > > +#include > + > struct nf_ct_udp { > unsigned long stream_ts; > }; > @@ -99,6 +101,7 @@ struct nf_conn { > > #if IS_ENABLED(CONFIG_NF_NAT) > struct hlist_node nat_bysource; > + struct nf_nat_range2 range; > #endif

That's almost a 20% size increase of this structure. Could you try to rework it based on this?

diff --git a/include/net/netfilter/nf_nat.h b/include/net/netfilter/nf_nat.h --- a/include/net/netfilter/nf_nat.h +++ b/include/net/netfilter/nf_nat.h @@ -27,12 +27,18 @@ union nf_conntrack_nat_help { #endif }; +struct nf_conn_nat_range_info { + union nf_conntrack_man_proto min_proto; + union nf_conntrack_man_proto max_proto; +}; + /* The structure embedded in the conntrack structure. */ struct nf_conn_nat { union nf_conntrack_nat_help help; #if IS_ENABLED(CONFIG_NF_NAT_MASQUERADE) int masq_index; #endif + struct nf_conn_nat_range_info range_info; }; /* Set up the info structure to map into this range. */

... and then store the range min/max proto iff nf_nat_setup_info had NF_NAT_RANGE_PROTO_SPECIFIED flag set. I don't think there is a need to keep the information in nf_conn.
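Review bot: in the first nf_conntrack.h hunk (@@ -24,6 +24,8 @@) the added `#include` (its target is not legible in this copy) is unconditional, while the only thing the patch needs it for, `struct nf_nat_range2 range;`, sits under `#if IS_ENABLED(CONFIG_NF_NAT)`; either guard the include the same way, or drop it together with the embedded member as the reply suggests, so that nf_conntrack.h does not gain a dependency on the NAT headers for every configuration.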
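Review bot: in the second nf_conntrack.h hunk (@@ -99,6 +101,7 @@ struct nf_conn) the new `struct nf_nat_range2 range` member is written once at setup time but costs memory in every conntrack entry, including the ones that never go through NAT; since the FTP helper only needs the proto min/max, and only when NF_NAT_RANGE_PROTO_SPECIFIED was passed to nf_nat_setup_info, keep just those two values in the NAT extension (the `nf_conn_nat_range_info` sketched in the reply) and leave nf_conn unchanged.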
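Review bot: the suggested nf_nat.h hunk (@@ -27,12 +27,18 @@) gives `struct nf_conn_nat_range_info` no way to say "no range was specified": a reader of `range_info` can only infer it from `min_proto`/`max_proto` being zero, which relies on every path that attaches the extension zero-filling it and on port 0 never being a configured bound. Either add a flag (or the relevant NF_NAT_RANGE_* bits) next to the two values, or state in a comment that all-zero means unspecified and have the consumers in nf_nat_helper.c and nf_nat_ftp.c check for that before restricting the expectation's port choice.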
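To confirm on a running box the behaviour the patch notes describe (control and data connection both inside --to-ports), the check a tester would want is over the conntrack table rather than the FTP control stream, because in passive mode the 227 reply carries the server's port while the translated source port only shows up in the reply-direction tuple. The script below is an added example, not part of this thread or of the kernel tree: it parses `conntrack -L` style text, keeps the masqueraded TCP flows towards the FTP server and flags any whose translated source port falls outside the range. The exact line format is assumed from conntrack-tools output; the addresses, the two table snapshots, the server address and the 10000-10005 range (taken from the notes) are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Port range from the rule in the patch notes (assumed configuration):
#   iptables -t nat -A POSTROUTING -p tcp -j MASQUERADE --to-ports 10000-10005
TO_PORTS = (10000, 10005)
FTP_SERVER = "198.51.100.2"  # constructed address of the public FTP server

# One "src= dst= sport= dport=" tuple; a conntrack -L line carries two of them
# (original direction first, reply direction second). Format assumed from
# conntrack-tools text output.
TUPLE_RE = re.compile(r"src=(\S+) dst=(\S+) sport=(\d+) dport=(\d+)")

Tuple4 = Tuple[str, str, int, int]


@dataclass
class Flow:
    proto: str
    orig: Tuple4   # (src, dst, sport, dport) as sent by the LAN client
    reply: Tuple4  # (src, dst, sport, dport) as seen by the WAN peer

    @property
    def translated_sport(self) -> int:
        # After MASQUERADE the WAN peer answers to the translated source port,
        # which is the destination port of the reply-direction tuple.
        return self.reply[3]

    @property
    def is_snat(self) -> bool:
        # Source address or source port changed on the way out.
        return self.orig[0] != self.reply[1] or self.orig[2] != self.reply[3]


def parse_conntrack_line(line: str) -> Optional[Flow]:
    """Parse one conntrack -L line; None for anything that is not a two-tuple entry."""
    parts = line.split()
    tuples = TUPLE_RE.findall(line)
    if len(parts) < 4 or len(tuples) != 2:
        return None

    def to_tuple(t) -> Tuple4:
        return (t[0], t[1], int(t[2]), int(t[3]))

    return Flow(parts[0], to_tuple(tuples[0]), to_tuple(tuples[1]))


def audit(table: str, ftp_server: str = FTP_SERVER,
          to_ports: Tuple[int, int] = TO_PORTS) -> List[Tuple[Flow, bool]]:
    """Every masqueraded TCP flow towards ftp_server, paired with whether its
    translated source port lies inside to_ports. Control and data connections
    are both included, which is what the patch is meant to guarantee."""
    lo, hi = to_ports
    results = []
    for line in table.splitlines():
        flow = parse_conntrack_line(line)
        if flow is None or flow.proto != "tcp" or flow.orig[1] != ftp_server or not flow.is_snat:
            continue
        results.append((flow, lo <= flow.translated_sport <= hi))
    return results


def violations(table: str, ftp_server: str = FTP_SERVER,
               to_ports: Tuple[int, int] = TO_PORTS) -> List[Flow]:
    """Flows to ftp_server whose translated source port escaped the range."""
    return [flow for flow, ok in audit(table, ftp_server, to_ports) if not ok]


# Constructed snapshots. 192.168.1.10 is the LAN client, 203.0.113.1 the masquerade
# address. The first table shows the pre-patch symptom: the control connection got
# port 10000 but the passive-mode data connection kept its original source port.
BEFORE_FIX = """\
tcp      6 431999 ESTABLISHED src=192.168.1.10 dst=198.51.100.2 sport=54321 dport=21 src=198.51.100.2 dst=203.0.113.1 sport=21 dport=10000 [ASSURED] mark=0 helper=ftp use=1
tcp      6 299 ESTABLISHED src=192.168.1.10 dst=198.51.100.2 sport=54322 dport=45821 src=198.51.100.2 dst=203.0.113.1 sport=45821 dport=54322 [ASSURED] mark=0 use=1
udp     17 29 src=192.168.1.10 dst=192.168.1.1 sport=5353 dport=53 src=192.168.1.1 dst=192.168.1.10 sport=53 dport=5353 mark=0 use=1
"""

# Same session after the fix: the data connection's source port is also in range.
AFTER_FIX = BEFORE_FIX.replace("sport=45821 dport=54322", "sport=45821 dport=10001")

if __name__ == "__main__":
    for name, table in (("before", BEFORE_FIX), ("after", AFTER_FIX)):
        bad = violations(table)
        print(f"{name}: {len(bad)} flow(s) outside {TO_PORTS}",
              [(f.orig[2], f.translated_sport) for f in bad])
```

The operational symptom this catches is the one behind the patch: an upstream firewall that only permits source ports 10000-10005 from the masquerade address will pass the control connection and silently drop the data connection. Feeding real `conntrack -L` output into `violations()` before and after applying the fix gives a direct pass/fail for the kselftest that the CC list suggests this change should come with.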