Page MenuHomeVyOS Platform
Create Task
Maniphest T5376

Conntrack FTP helper does not work properly
Closed, ResolvedPublicBUG
Actions

Description

I'm using local FTP server. My NAT and System config:

nat {

destination {
    rule 26 {
        destination {
            port 21
        }
        inbound-interface eth1
        protocol tcp
        translation {
            address 192.168.13.44
        }
    }
}
source {
    rule 10 {
        outbound-interface eth1
        translation {
            address masquerade
        }
    }
}

}

system {

conntrack {
    modules {
        ftp
        h323
        nfs
        pptp
        sip
        sqlnet
        tftp
    }
}

}

Conntrack FTP helper does not work properly:

  1. It doesn't forward related connections
  2. It doesn't replace local IP to NAT-ed WAN address in the "Entering Passive Mode" command string.

This worked right in older builds (now I'm using the January build).

Details

Version
vyos-1.4-rolling-202307161346-amd64
Is it a breaking change?
Behavior change
Issue type
Bug (incorrect behavior)

Related Objects

Event Timeline

svd135 created this task.Jul 19 2023, 7:37 PM
pasik subscribed.Jul 19 2023, 7:44 PM
swanduron subscribed.Sep 4 2023, 1:36 PM

From @Zamp

Unless there is something wrong with the firewall ruleset in VyOS any malfunctions in the FTP helper itself will mainly be fixed upstream at the Linux kernel or in this particular case the netfilter team:

https://wiki.nftables.org/wiki-nftables/index.php/Conntrack_helpers 1

https://bugzilla.netfilter.org/

Hopefully, some VyOS maintainer will look at this shortly and can figure out if this is a config error in VyOS or if the error must be reported upstream to get fixed.

swanduron added a comment.Sep 5 2023, 2:55 PM

Please help to assign a dev to work with this problem, thanks a lot!

sarthurdev subscribed.Sep 5 2023, 7:31 PM

@svd135 Can you provide a version string when you last had it working? Seeing the firewall config might also be helpful.

svd135 added a comment.Sep 5 2023, 8:01 PM

Now I'm using this build: VyOS 1.4-rolling-202301071830
It's working fine as with active as with passive FTP.

svd135 added a comment.Sep 5 2023, 9:48 PM

Firewall can be turned off. It does not affect the result.

swanduron added a comment.Sep 10 2023, 3:19 PM

Sorry to bother you @sdev , the latest releases of 1.5-rolling-202309080021 and 1.4-rolling-202309070021 still have this problem.

sarthurdev added a comment.Sep 10 2023, 6:06 PM

Can we see the output of sudo nft list table ip raw on an affected router?

svd135 added a comment.Sep 10 2023, 7:31 PM

table ip raw {

ct helper rpc_tcp {
        type "rpc" protocol tcp
        l3proto ip
}

ct helper rpc_udp {
        type "rpc" protocol udp
        l3proto ip
}

ct helper tns_tcp {
        type "tns" protocol tcp
        l3proto ip
}

chain VYOS_TCP_MSS {
        type filter hook forward priority raw; policy accept;
}

chain PREROUTING {
        type filter hook prerouting priority -200; policy accept;
        counter packets 12628080 bytes 2502739226 jump VYOS_CT_IGNORE
        counter packets 12628080 bytes 2502739226 jump VYOS_CT_HELPER
        counter packets 12628080 bytes 2502739226 jump VYOS_CT_TIMEOUT
        counter packets 12628080 bytes 2502739226 jump VYOS_CT_PREROUTING_HOOK
        counter packets 12628080 bytes 2502739226 jump NAT_CONNTRACK
        counter packets 0 bytes 0 jump FW_CONNTRACK
        notrack
}

chain OUTPUT {
        type filter hook output priority -200; policy accept;
        counter packets 1845387 bytes 130946386 jump VYOS_CT_IGNORE
        counter packets 1845387 bytes 130946386 jump VYOS_CT_HELPER
        counter packets 1845387 bytes 130946386 jump VYOS_CT_TIMEOUT
        counter packets 1845387 bytes 130946386 jump VYOS_CT_OUTPUT_HOOK
        counter packets 1845387 bytes 130946386 jump NAT_CONNTRACK
        counter packets 0 bytes 0 jump FW_CONNTRACK
        notrack
}

chain VYOS_CT_HELPER {
        ct helper set "tns_tcp" tcp dport { 1521, 1525, 1536 } return
        ct helper set "rpc_udp" udp dport 111 return
        ct helper set "rpc_tcp" tcp dport 111 return
        return
}

chain VYOS_CT_IGNORE {
        return
}

chain VYOS_CT_TIMEOUT {
        return
}

chain VYOS_CT_PREROUTING_HOOK {
        return
}

chain VYOS_CT_OUTPUT_HOOK {
        return
}

chain FW_CONNTRACK {
        accept
}

chain NAT_CONNTRACK {
        counter packets 14473467 bytes 2633685612 accept
}

}

swanduron added a comment.EditedSep 11 2023, 1:15 PM

The same situation as @svd135 . The passive FTP data connection now is stopped by the problem with FTP ALG.

vyos@vyos# run show version
Version:          VyOS 1.5-rolling-202309080021
Release train:    current

Built by:         autobuild@vyos.net
Built on:         Fri 08 Sep 2023 01:34 UTC
Build UUID:       d3dc8e6e-d7cd-4eeb-95fd-987625dc7b0c
Build commit ID:  343a33108b9b08

Architecture:     x86_64
Boot via:         installed image
System type:      VMware guest

Hardware vendor:  VMware, Inc.
Hardware model:   VMware20,1
Hardware S/N:     VMware-56 4d d0 a0 5b 44 ed 02-60 f5 0e 9b 72 4d 60 e9
Hardware UUID:    a0d04d56-445b-02ed-60f5-0e9b724d60e9

Copyright:        VyOS maintainers and contributors
vyos@vyos# sudo nft list table ip raw
table ip raw {
	ct helper rpc_tcp {
		type "rpc" protocol tcp
		l3proto ip
	}

	ct helper rpc_udp {
		type "rpc" protocol udp
		l3proto ip
	}

	ct helper tns_tcp {
		type "tns" protocol tcp
		l3proto ip
	}

	chain VYOS_TCP_MSS {
		type filter hook forward priority raw; policy accept;
	}

	chain vyos_global_rpfilter {
		return
	}

	chain vyos_rpfilter {
		type filter hook prerouting priority raw; policy accept;
		counter packets 3131 bytes 665944 jump vyos_global_rpfilter
	}

	chain PREROUTING {
		type filter hook prerouting priority raw; policy accept;
		counter packets 3131 bytes 665944 jump VYOS_CT_IGNORE
		counter packets 2641 bytes 626825 jump VYOS_CT_HELPER
		counter packets 3131 bytes 665944 jump VYOS_CT_TIMEOUT
		counter packets 3131 bytes 665944 jump VYOS_CT_PREROUTING_HOOK
		counter packets 2641 bytes 626825 jump NAT_CONNTRACK
		counter packets 490 bytes 39119 jump FW_CONNTRACK
		notrack
	}

	chain OUTPUT {
		type filter hook output priority raw; policy accept;
		counter packets 580 bytes 61379 jump VYOS_CT_IGNORE
		counter packets 218 bytes 21228 jump VYOS_CT_HELPER
		counter packets 580 bytes 61379 jump VYOS_CT_TIMEOUT
		counter packets 580 bytes 61379 jump VYOS_CT_OUTPUT_HOOK
		counter packets 218 bytes 21228 jump NAT_CONNTRACK
		counter packets 362 bytes 40151 jump FW_CONNTRACK
		notrack
	}

	chain VYOS_CT_HELPER {
		ct helper set "tns_tcp" tcp dport { 1521, 1525, 1536 } return
		ct helper set "rpc_udp" udp dport 111 return
		ct helper set "rpc_tcp" tcp dport 111 return
		return
	}

	chain VYOS_CT_IGNORE {
		return
	}

	chain VYOS_CT_TIMEOUT {
		return
	}

	chain VYOS_CT_PREROUTING_HOOK {
		return
	}

	chain VYOS_CT_OUTPUT_HOOK {
		return
	}

	chain FW_CONNTRACK {
		return
	}

	chain NAT_CONNTRACK {
		counter packets 2859 bytes 648053 accept
	}
}
[edit]
vyos@vyos#
swanduron added a comment.EditedSep 19 2023, 1:33 AM

Hello @sdev Sorry to bother you. The issue hasn't been fixed in the recent rolling release: VyOS 1.5-rolling-202309170024

vyos@vyos:~$ sudo nft list table ip raw
table ip raw {
        ct helper rpc_tcp {
                type "rpc" protocol tcp
                l3proto ip
        }

        ct helper rpc_udp {
                type "rpc" protocol udp
                l3proto ip
        }

        ct helper tns_tcp {
                type "tns" protocol tcp
                l3proto ip
        }

        chain VYOS_TCP_MSS {
                type filter hook forward priority raw; policy accept;
        }

        chain vyos_global_rpfilter {
                return
        }

        chain vyos_rpfilter {
                type filter hook prerouting priority raw; policy accept;
                counter packets 5871 bytes 5703850 jump vyos_global_rpfilter
        }

        chain PREROUTING {
                type filter hook prerouting priority raw; policy accept;
                counter packets 5871 bytes 5703850 jump VYOS_CT_IGNORE
                counter packets 5871 bytes 5703850 jump VYOS_CT_HELPER
                counter packets 5871 bytes 5703850 jump VYOS_CT_TIMEOUT
                counter packets 5871 bytes 5703850 jump VYOS_CT_PREROUTING_HOOK
                counter packets 5871 bytes 5703850 jump NAT_CONNTRACK
                counter packets 0 bytes 0 jump FW_CONNTRACK
                notrack
        }

        chain OUTPUT {
                type filter hook output priority raw; policy accept;
                counter packets 94 bytes 11511 jump VYOS_CT_IGNORE
                counter packets 94 bytes 11511 jump VYOS_CT_HELPER
                counter packets 94 bytes 11511 jump VYOS_CT_TIMEOUT
                counter packets 94 bytes 11511 jump VYOS_CT_OUTPUT_HOOK
                counter packets 94 bytes 11511 jump NAT_CONNTRACK
                counter packets 0 bytes 0 jump FW_CONNTRACK
                notrack
        }

        chain VYOS_CT_HELPER {
                ct helper set "tns_tcp" tcp dport { 1521, 1525, 1536 } return
                ct helper set "rpc_udp" udp dport 111 return
                ct helper set "rpc_tcp" tcp dport 111 return
                return
        }

        chain VYOS_CT_IGNORE {
                return
        }

        chain VYOS_CT_TIMEOUT {
                return
        }

        chain VYOS_CT_PREROUTING_HOOK {
                return
        }

        chain VYOS_CT_OUTPUT_HOOK {
                return
        }

        chain FW_CONNTRACK {
                return
        }

        chain NAT_CONNTRACK {
                counter packets 5965 bytes 5715361 accept
        }
}
sarthurdev changed the task status from Open to Confirmed.Sep 21 2023, 9:49 AM
sarthurdev claimed this task.
sarthurdev mentioned this in T5598: unknown parameter 'nf_conntrack_helper' ignored.
sarthurdev changed the task status from Confirmed to Needs testing.Sep 24 2023, 11:44 AM
sarthurdev moved this task from Open to In Progress on the VyOS 1.4 Sagitta board.

PR: https://github.com/vyos/vyos-1x/pull/2304

Restricted Repository Identity mentioned this in rVYOSONEX5bcd00a2ee5e: Merge pull request #2304 from sarthurdev/conntrack_helpers.Sep 28 2023, 2:54 PM
sarthurdev mentioned this in rVYOSONEX5acf5acedbf7: conntrack: T5376: Use vyos.configdep to call conntrack-sync.Sep 28 2023, 2:54 PM
sarthurdev mentioned this in rVYOSONEXfd0bcaf120bc: conntrack: T5376: T5598: Fix for kernel conntrack helpers.
Restricted Repository Identity mentioned this in rVYOSONEXb37b0fceb491: Merge pull request #2324 from sarthurdev/fw_configdep.Sep 29 2023, 1:39 PM
sarthurdev mentioned this in rVYOSONEX42ff4d8a7ba7: conntrack: T5376: Fixes for conntrack-sync configdep.Sep 29 2023, 1:39 PM
swanduron added a comment.Oct 6 2023, 4:24 AM

Hello @sdev , could you please help to check if the fix can resolve the problem with FTP ALG? I tested the newest rolling release but the PASV command still causes the data connection gets failed. My testing FTP server and client are both Filezilla product, please correct me if any mistakes I made during the test.

vyos@vyos# run show version 
Version:          VyOS 1.5-rolling-202310060022
Release train:    current

Built by:         autobuild@vyos.net
Built on:         Fri 06 Oct 2023 01:44 UTC
Build UUID:       12aff08b-756f-45c0-a485-afa0b7bd7c24
Build commit ID:  3639462b57b96f

Architecture:     x86_64
Boot via:         installed image
System type:      VMware guest

Hardware vendor:  VMware, Inc.
Hardware model:   VMware20,1
Hardware S/N:     VMware-56 4d d0 a0 5b 44 ed 02-60 f5 0e 9b 72 4d 60 e9
Hardware UUID:    a0d04d56-445b-02ed-60f5-0e9b724d60e9

Copyright:        VyOS maintainers and contributors

vyos@vyos# show nat
 destination {
     rule 100 {
         destination {
             port 21
         }
         inbound-interface eth1
         protocol tcp
         translation {
             address 192.168.100.220
         }
     }
 }
 source {
     rule 100 {
         outbound-interface eth1
         translation {
             address masquerade
         }
     }
 }

vyos@vyos:~$ sudo nft list table ip raw
table ip raw {
        chain VYOS_TCP_MSS {
                type filter hook forward priority raw; policy accept;
        }

        chain vyos_global_rpfilter {
                return
        }

        chain vyos_rpfilter {
                type filter hook prerouting priority raw; policy accept;
                counter packets 721495 bytes 798003939 jump vyos_global_rpfilter
        }

        chain VYOS_PREROUTING_HOOK {
                type filter hook prerouting priority raw; policy accept;
        }
}
dmbaturin triaged this task as High priority.Jan 9 2024, 6:04 PM
c-po mentioned this in rVYOSONEX840f82a3dbe6: conntrack: T5376: T5779: backport from current.Jan 18 2024, 9:07 PM
c-po mentioned this in rVYOSONEX80068c8ce453: conntrack: T5376: T5779: backport from current.
Viacheslav subscribed.Feb 13 2024, 3:47 PM

@svd135 Can you recheck?

Viacheslav changed the task status from Needs testing to Needs reporter action.Feb 13 2024, 3:47 PM
svd135 added a comment.Feb 14 2024, 10:13 AM
In T5376#176691, @Viacheslav wrote:

@svd135 Can you recheck?

I have now checked the build vyos-1.5-rolling-202402140022.
Unfortunately, everything is the same.

Viacheslav added a comment.Feb 14 2024, 1:26 PM

As I understand changes as in this example
https://wiki.nftables.org/wiki-nftables/index.php/Conntrack_helpers

svd135 added a comment.Feb 14 2024, 1:57 PM

The data channels are not established.
As I understand it, the problem is that the required related ports are not forwarded dynamically to translated address

swanduron added a comment.Feb 17 2024, 9:32 AM
In T5376#176807, @svd135 wrote:

The data channels are not established.
As I understand it, the problem is that the required related ports are not forwarded dynamically to translated address

I agree with you. By the commercial implementation, the FTP ALG can dynamically create the NAT pinhole for the data connection. I can't discuss the code, but I have used many vendors of commercial firewalls, the FTP ALG is a common function listed in the support feature list. To compare the FTP conntrack with the VYOS 1.3 should be a good idea to find out the root cause.

sarthurdev changed the task status from Needs reporter action to Needs testing.Feb 21 2024, 3:05 PM
sarthurdev added a project: VyOS 1.5 Circinus.

PR: https://github.com/vyos/vyos-1x/pull/3037

sarthurdev moved this task from Open to In Progress on the VyOS 1.5 Circinus board.Feb 21 2024, 3:05 PM
Restricted Repository Identity mentioned this in rVYOSONEX9e65bc9dfcc2: conntrack: T5376: Fix priority for CT helpers.Feb 22 2024, 11:02 AM
Restricted Repository Identity mentioned this in rVYOSONEX72e597d5c258: Merge pull request #3037 from sarthurdev/T5376.Feb 22 2024, 11:02 AM
sarthurdev mentioned this in rVYOSONEX538aeeccc46d: conntrack: T5376: Fix priority for CT helpers.Feb 22 2024, 11:02 AM
Restricted Repository Identity mentioned this in rVYOSONEX29a15608caf3: Merge pull request #3038 from vyos/mergify/bp/sagitta/pr-3037.Feb 22 2024, 12:31 PM
sarthurdev added a comment.Feb 23 2024, 9:02 AM

@svd135 can you try on latest rolling?

svd135 added a comment.Feb 23 2024, 11:53 AM
In T5376#177587, @sarthurdev wrote:

@svd135 can you try on latest rolling?

The build 1.5-rolling-202402230022 works well in passive mode.
For me this long-standing problem is solved.
Active mode does not work, but no one uses it anymore.

swanduron added a comment.Feb 23 2024, 11:58 AM

It's a good news for me. I will shift from SRX320 to Vyos system. In FTP active mode, the FTP server will push the data channel to the client, the Vyos deems it as a new connection and there is no need with FTP ALG.

I will try it again. Thanks @svd135 and @sarthurdev

syncer edited projects, added VyOS 1.4 Sagitta (1.4.0-epa1); removed VyOS 1.4 Sagitta.Feb 23 2024, 12:19 PM
syncer moved this task from Need Triage to In Progress on the VyOS 1.4 Sagitta (1.4.0-epa1) board.
sarthurdev closed this task as Resolved.Feb 23 2024, 12:22 PM
sarthurdev moved this task from In Progress to Finished on the VyOS 1.4 Sagitta (1.4.0-epa1) board.

Glad to hear it @svd135 @swanduron

sarthurdev moved this task from In Progress to Finished on the VyOS 1.5 Circinus board.Feb 23 2024, 12:23 PM
terinjokes mentioned this in T6788: FTP PASV breaks control connection.Oct 18 2024, 7:24 PM