netfilter-devel.vger.kernel.org archive mirror
* [PATCH] netfilter: nf_conntrack_ftp: Fix debug output
@ 2019-08-21 14:14 Thomas Jarosch
  2019-08-23 12:34 ` Pablo Neira Ayuso
  2019-08-27 11:00 ` Pablo Neira Ayuso
  0 siblings, 2 replies; 5+ messages in thread
From: Thomas Jarosch @ 2019-08-21 14:14 UTC (permalink / raw)
  To: netfilter-devel

The find_pattern() debug output was printing the 'skip' character.
This can be a NULL-byte and messes up further pr_debug() output.

Output without the fix:
kernel: nf_conntrack_ftp: Pattern matches!
kernel: nf_conntrack_ftp: Skipped up to `<7>nf_conntrack_ftp: find_pattern `PORT': dlen = 8
kernel: nf_conntrack_ftp: find_pattern `EPRT': dlen = 8

Output with the fix:
kernel: nf_conntrack_ftp: Pattern matches!
kernel: nf_conntrack_ftp: Skipped up to 0x0 delimiter!
kernel: nf_conntrack_ftp: Match succeeded!
kernel: nf_conntrack_ftp: conntrack_ftp: match `172,17,0,100,200,207' (20 bytes at 4150681645)
kernel: nf_conntrack_ftp: find_pattern `PORT': dlen = 8

Signed-off-by: Thomas Jarosch <thomas.jarosch@intra2net.com>
---
 net/netfilter/nf_conntrack_ftp.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/netfilter/nf_conntrack_ftp.c b/net/netfilter/nf_conntrack_ftp.c
index 0ecb3e289ef2..8d96738b7dfd 100644
--- a/net/netfilter/nf_conntrack_ftp.c
+++ b/net/netfilter/nf_conntrack_ftp.c
@@ -322,7 +322,7 @@ static int find_pattern(const char *data, size_t dlen,
 		i++;
 	}
 
-	pr_debug("Skipped up to `%c'!\n", skip);
+	pr_debug("Skipped up to 0x%hhx delimiter!\n", skip);
 
 	*numoff = i;
 	*numlen = getnum(data + i, dlen - i, cmd, term, numoff);
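Review bot: the new format is the right fix, but the commit message could state the mechanism: printing skip with `%c` embeds a 0x00 byte in the record text, so anything that reads that text as a NUL-terminated string stops at the byte, drops the trailing `'!\n`, and never sees the end of the line, which is why the next record's `<7>` level marker appears glued onto it in the "Output without the fix" sample. Minor: `0x%hhx` prints the delimiter as `0x0`; `0x%02hhx` would give a fixed-width `0x00` that lines up with other byte values.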
-- 
2.17.2

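To show the failure the commit message describes, here is an added user-space model (not kernel code and not part of this thread): it formats the record with the old `%c` and the new `0x%hhx` format strings and feeds the records through a consumer that handles record text with C-string calls, which is an assumption about the consumer rather than a description of any particular syslog daemon; `g_out`, `demo()`, `embedded_nul()` and `format_skip_record()` are names made up for the example.

```c
#include <stdio.h>
#include <string.h>
/* Added example, not kernel code: a user-space model of why the old %c pr_debug()
 * corrupts the log when skip == '\0' and why the patch's 0x%hhx form does not. */
static char g_out[512];   /* lines as the consumer model below emits them */
/* Format the record as the old (use_hex == 0) and new (use_hex == 1) pr_debug()
 * do, with the <7> level marker a KERN_DEBUG record carries. Returns the byte
 * count snprintf() produced; with %c and skip == '\0' it includes an embedded NUL. */
static int format_skip_record(char *buf, size_t n, unsigned char skip, int use_hex)
{
    if (use_hex)
        return snprintf(buf, n, "<7>nf_conntrack_ftp: Skipped up to 0x%hhx delimiter!\n", skip);
    return snprintf(buf, n, "<7>nf_conntrack_ftp: Skipped up to `%c'!\n", skip);
}
/* 1 if the record is cut short when read as a C string, i.e. strlen() sees
 * fewer bytes than snprintf() wrote; 0 otherwise. */
static int embedded_nul(int use_hex)
{
    char rec[128];
    int len = format_skip_record(rec, sizeof rec, 0, use_hex);
    return (int)strlen(rec) != len;
}
/* Consumer model (an assumption, not any particular syslog daemon): strips "<N>"
 * only at the start of a line, appends record text with strncat(), which stops
 * at the first NUL, and ends a line only once it has seen '\n'. Assembled lines
 * go to g_out; the return value is how many lines were produced. */
static int demo(int use_hex)
{
    char recs[3][128], line[256] = "";
    int n = 0;
    /* Constructed record sequence matching the commit message's sample output. */
    strcpy(recs[0], "<7>nf_conntrack_ftp: Pattern matches!\n");
    format_skip_record(recs[1], sizeof recs[1], 0, use_hex);
    strcpy(recs[2], "<7>nf_conntrack_ftp: find_pattern `PORT': dlen = 8\n");
    g_out[0] = '\0';
    for (int r = 0; r < 3; r++) {
        const char *text = recs[r];
        if (line[0] == '\0' && text[0] == '<' && text[2] == '>')
            text += 3;                                 /* drop the level marker */
        strncat(line, text, sizeof line - strlen(line) - 1);
        size_t l = strlen(line);
        if (l && line[l - 1] == '\n') {                /* never true for the NUL case */
            strncat(g_out, line, sizeof g_out - strlen(g_out) - 1);
            n++;
            line[0] = '\0';
        }
    }
    return n;
}
```

With `demo(0)` the second assembled line reads "nf_conntrack_ftp: Skipped up to `<7>nf_conntrack_ftp: find_pattern `PORT': dlen = 8", the same fused line as in the commit message, while `demo(1)` yields three intact lines.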
* Re: [PATCH] netfilter: nf_conntrack_ftp: Fix debug output
  2019-08-21 14:14 [PATCH] netfilter: nf_conntrack_ftp: Fix debug output Thomas Jarosch
@ 2019-08-23 12:34 ` Pablo Neira Ayuso
  2019-08-23 12:50   ` Thomas Jarosch
  2019-08-27 11:00 ` Pablo Neira Ayuso
  1 sibling, 1 reply; 5+ messages in thread
From: Pablo Neira Ayuso @ 2019-08-23 12:34 UTC (permalink / raw)
  To: Thomas Jarosch; +Cc: netfilter-devel

Hi Thomas,

On Wed, Aug 21, 2019 at 04:14:28PM +0200, Thomas Jarosch wrote:
> The find_pattern() debug output was printing the 'skip' character.
> This can be a NULL-byte and messes up further pr_debug() output.
> 
> Output without the fix:
> kernel: nf_conntrack_ftp: Pattern matches!
> kernel: nf_conntrack_ftp: Skipped up to `<7>nf_conntrack_ftp: find_pattern `PORT': dlen = 8
> kernel: nf_conntrack_ftp: find_pattern `EPRT': dlen = 8
> 
> Output with the fix:
> kernel: nf_conntrack_ftp: Pattern matches!
> kernel: nf_conntrack_ftp: Skipped up to 0x0 delimiter!
> kernel: nf_conntrack_ftp: Match succeeded!
> kernel: nf_conntrack_ftp: conntrack_ftp: match `172,17,0,100,200,207' (20 bytes at 4150681645)
> kernel: nf_conntrack_ftp: find_pattern `PORT': dlen = 8

Do you use this debugging? I haven't used it for years.

Asking because an alternative patch would be to remove this.

* Re: [PATCH] netfilter: nf_conntrack_ftp: Fix debug output
  2019-08-23 12:34 ` Pablo Neira Ayuso
@ 2019-08-23 12:50   ` Thomas Jarosch
  2019-08-28 12:13     ` Thomas Jarosch
  0 siblings, 1 reply; 5+ messages in thread
From: Thomas Jarosch @ 2019-08-23 12:50 UTC (permalink / raw)
  To: Pablo Neira Ayuso; +Cc: netfilter-devel

Hi Pablo,

You wrote on Fri, Aug 23, 2019 at 02:34:42PM +0200:
> On Wed, Aug 21, 2019 at 04:14:28PM +0200, Thomas Jarosch wrote:
> > The find_pattern() debug output was printing the 'skip' character.
> > This can be a NULL-byte and messes up further pr_debug() output.
> > 
> > Output without the fix:
> > kernel: nf_conntrack_ftp: Pattern matches!
> > kernel: nf_conntrack_ftp: Skipped up to `<7>nf_conntrack_ftp: find_pattern `PORT': dlen = 8
> > kernel: nf_conntrack_ftp: find_pattern `EPRT': dlen = 8
> > 
> > Output with the fix:
> > kernel: nf_conntrack_ftp: Pattern matches!
> > kernel: nf_conntrack_ftp: Skipped up to 0x0 delimiter!
> > kernel: nf_conntrack_ftp: Match succeeded!
> > kernel: nf_conntrack_ftp: conntrack_ftp: match `172,17,0,100,200,207' (20 bytes at 4150681645)
> > kernel: nf_conntrack_ftp: find_pattern `PORT': dlen = 8
> 
> Do you use this debugging? I haven't used it for years.

unfortunately, yes :)

One customer site is having FTP NAT problems after migrating from 3.14 to 4.19.
The tcpdump traces look normal to me. Still, IP addresses for passive FTP
don't get rewritten with 4.19; it instantly works with 3.14.
It works fine with 4.19 for me using test VMs.

It sounds a bit like this:
https://bugzilla.netfilter.org/show_bug.cgi?id=1164

Florian's slides about the NAT helper were helpful in general:
https://strlen.de/talks/nfdebug.pdf

-> NAT helpers are best effort, but like I said, it should
work given the packet dumps I have seen so far.

I hope to install a kernel with this debug output at the customer site soon.
As it's the central gateway of a township, I can't reboot the machine
easily and they have quite strict working hours. I'll keep nagging them ;)

Cheers,
Thomas

* Re: [PATCH] netfilter: nf_conntrack_ftp: Fix debug output
  2019-08-21 14:14 [PATCH] netfilter: nf_conntrack_ftp: Fix debug output Thomas Jarosch
  2019-08-23 12:34 ` Pablo Neira Ayuso
@ 2019-08-27 11:00 ` Pablo Neira Ayuso
  1 sibling, 0 replies; 5+ messages in thread
From: Pablo Neira Ayuso @ 2019-08-27 11:00 UTC (permalink / raw)
  To: Thomas Jarosch; +Cc: netfilter-devel

On Wed, Aug 21, 2019 at 04:14:28PM +0200, Thomas Jarosch wrote:
> The find_pattern() debug output was printing the 'skip' character.
> This can be a NULL-byte and messes up further pr_debug() output.

Applied, thanks.

* Re: [PATCH] netfilter: nf_conntrack_ftp: Fix debug output
  2019-08-23 12:50   ` Thomas Jarosch
@ 2019-08-28 12:13     ` Thomas Jarosch
  0 siblings, 0 replies; 5+ messages in thread
From: Thomas Jarosch @ 2019-08-28 12:13 UTC (permalink / raw)
  To: Pablo Neira Ayuso; +Cc: netfilter-devel

Hi Pablo,

> One customer site is having FTP NAT problems after migrating from 3.14 to 4.19.
> The tcpdump traces look normal to me. Still IP addresses for passive FTP
> don't get rewritten with 4.19, it instantly works with 3.14.
> It works fine with 4.19 for me using test VMs.

Quick follow-up: everything is working out of the box in the kernel. I finally
had access to the machine and the FTP conntrack helper was not set up correctly.

Still it's good to have working debug code now.

Cheers,
Thomas
