
Conntrack FTP helper does not work properly
Status: Needs testing, Requires assessment | Public | BUG

Description

I'm using a local FTP server. My NAT and system config:

nat {
    destination {
        rule 26 {
            destination {
                port 21
            }
            inbound-interface eth1
            protocol tcp
            translation {
                address 192.168.13.44
            }
        }
    }
    source {
        rule 10 {
            outbound-interface eth1
            translation {
                address masquerade
            }
        }
    }
}

system {
    conntrack {
        modules {
            ftp
            h323
            nfs
            pptp
            sip
            sqlnet
            tftp
        }
    }
}

Conntrack FTP helper does not work properly:

  1. It doesn't forward related connections.
  2. It doesn't replace the local IP with the NAT-ed WAN address in the "Entering Passive Mode" command string.

This worked right in older builds (now I'm using the January build).

Details

Difficulty level: Unknown (require assessment)
Version: vyos-1.4-rolling-202307161346-amd64
Why the issue appeared?: Will be filled on close
Is it a breaking change?: Behavior change
Issue type: Bug (incorrect behavior)

Event Timeline

From @Zamp

Unless there is something wrong with the firewall ruleset in VyOS, any malfunctions in the FTP helper itself will mainly be fixed upstream at the Linux kernel or, in this particular case, by the netfilter team:

https://wiki.nftables.org/wiki-nftables/index.php/Conntrack_helpers

https://bugzilla.netfilter.org/

Hopefully, some VyOS maintainer will look at this shortly and can figure out if this is a config error in VyOS or if the error must be reported upstream to get fixed.

Please help assign a dev to work on this problem, thanks a lot!

@svd135 Can you provide a version string when you last had it working? Seeing the firewall config might also be helpful.

Now I'm using this build: VyOS 1.4-rolling-202301071830
It's working fine with both active and passive FTP.

Firewall can be turned off. It does not affect the result.

Sorry to bother you @sdev, the latest releases, 1.5-rolling-202309080021 and 1.4-rolling-202309070021, still have this problem.

Can we see the output of sudo nft list table ip raw on an affected router?

table ip raw {
	ct helper rpc_tcp {
		type "rpc" protocol tcp
		l3proto ip
	}

	ct helper rpc_udp {
		type "rpc" protocol udp
		l3proto ip
	}

	ct helper tns_tcp {
		type "tns" protocol tcp
		l3proto ip
	}

	chain VYOS_TCP_MSS {
		type filter hook forward priority raw; policy accept;
	}

	chain PREROUTING {
		type filter hook prerouting priority -200; policy accept;
		counter packets 12628080 bytes 2502739226 jump VYOS_CT_IGNORE
		counter packets 12628080 bytes 2502739226 jump VYOS_CT_HELPER
		counter packets 12628080 bytes 2502739226 jump VYOS_CT_TIMEOUT
		counter packets 12628080 bytes 2502739226 jump VYOS_CT_PREROUTING_HOOK
		counter packets 12628080 bytes 2502739226 jump NAT_CONNTRACK
		counter packets 0 bytes 0 jump FW_CONNTRACK
		notrack
	}

	chain OUTPUT {
		type filter hook output priority -200; policy accept;
		counter packets 1845387 bytes 130946386 jump VYOS_CT_IGNORE
		counter packets 1845387 bytes 130946386 jump VYOS_CT_HELPER
		counter packets 1845387 bytes 130946386 jump VYOS_CT_TIMEOUT
		counter packets 1845387 bytes 130946386 jump VYOS_CT_OUTPUT_HOOK
		counter packets 1845387 bytes 130946386 jump NAT_CONNTRACK
		counter packets 0 bytes 0 jump FW_CONNTRACK
		notrack
	}

	chain VYOS_CT_HELPER {
		ct helper set "tns_tcp" tcp dport { 1521, 1525, 1536 } return
		ct helper set "rpc_udp" udp dport 111 return
		ct helper set "rpc_tcp" tcp dport 111 return
		return
	}

	chain VYOS_CT_IGNORE {
		return
	}

	chain VYOS_CT_TIMEOUT {
		return
	}

	chain VYOS_CT_PREROUTING_HOOK {
		return
	}

	chain VYOS_CT_OUTPUT_HOOK {
		return
	}

	chain FW_CONNTRACK {
		accept
	}

	chain NAT_CONNTRACK {
		counter packets 14473467 bytes 2633685612 accept
	}
}
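The dumps in this task all show the same thing: the configuration lists seven conntrack modules, but `table ip raw` defines only the `rpc` and `tns` helper objects and `VYOS_CT_HELPER` assigns only those. The following is an added diagnostic written for this page (not VyOS code) that makes that comparison mechanically: it parses the `ct helper` objects and the `ct helper set` rules out of an `nft list table ip raw` dump and reports, per configured module, whether its helper is defined and assigned. The sample dump is a constructed excerpt in the shape of the output above; the module-to-helper-type mapping is this example's own assumption (the page only confirms that `rpc` and `tns` are present).

```python
"""Added diagnostic (not VyOS code): compare the modules configured under
'system conntrack modules' with the ct helper objects and assignments that
actually exist in 'nft list table ip raw'."""
import re

# Constructed excerpt in the shape of the raw-table dumps in this task:
# only rpc/tns helper objects, only those assigned in VYOS_CT_HELPER.
NFT_RAW = """table ip raw {
	ct helper rpc_tcp {
		type "rpc" protocol tcp
		l3proto ip
	}

	ct helper tns_tcp {
		type "tns" protocol tcp
		l3proto ip
	}

	chain VYOS_CT_HELPER {
		ct helper set "tns_tcp" tcp dport { 1521, 1525, 1536 } return
		ct helper set "rpc_tcp" tcp dport 111 return
		return
	}
}"""

# Modules from the reporter's 'system conntrack modules' block.
CONFIGURED_MODULES = ["ftp", "h323", "nfs", "pptp", "sip", "sqlnet", "tftp"]

# Assumed mapping from VyOS module name to kernel helper type name(s).
# The page shows "rpc" and "tns" present, which is what nfs and sqlnet use;
# the remaining entries are this example's assumption, not taken from VyOS.
MODULE_TO_HELPER_TYPES = {
    "ftp": {"ftp"},
    "h323": {"RAS", "Q.931"},
    "nfs": {"rpc"},
    "pptp": {"pptp"},
    "sip": {"sip"},
    "sqlnet": {"tns"},
    "tftp": {"tftp"},
}

# 'ct helper NAME {  type "TYPE" protocol tcp|udp'
HELPER_OBJ_RE = re.compile(r'ct helper (\S+) \{\s*type "([^"]+)" protocol (tcp|udp)')
# 'ct helper set "NAME" ...' inside a chain
HELPER_SET_RE = re.compile(r'ct helper set "([^"]+)"')


def parse_helper_objects(dump):
    """Map helper object name -> (type, l4 protocol) for each 'ct helper X {' block."""
    return {name: (htype, proto) for name, htype, proto in HELPER_OBJ_RE.findall(dump)}


def parse_helper_assignments(dump, chain="VYOS_CT_HELPER"):
    """Helper object names referenced by 'ct helper set' rules in the given chain."""
    pattern = r"chain " + re.escape(chain) + r" \{(.*?)\n\s*\}"
    m = re.search(pattern, dump, re.S)
    return set(HELPER_SET_RE.findall(m.group(1))) if m else set()


def audit_helpers(dump, modules):
    """Per configured module: 'ok', or why its helper cannot take effect."""
    objs = parse_helper_objects(dump)
    assigned = parse_helper_assignments(dump)
    defined_types = {htype for htype, _ in objs.values()}
    assigned_types = {objs[n][0] for n in assigned if n in objs}
    report = {}
    for mod in modules:
        wanted = MODULE_TO_HELPER_TYPES.get(mod, set())
        if not wanted & defined_types:
            report[mod] = "missing: no ct helper object in table ip raw"
        elif not wanted & assigned_types:
            report[mod] = "defined but never assigned in VYOS_CT_HELPER"
        else:
            report[mod] = "ok"
    return report


def missing_modules(dump, modules):
    """Configured modules whose helper is not both defined and assigned."""
    return [m for m, status in audit_helpers(dump, modules).items() if status != "ok"]


if __name__ == "__main__":
    for mod, status in audit_helpers(NFT_RAW, CONFIGURED_MODULES).items():
        print(f"{mod:7s} {status}")
```

On a router, feed it the real output (`sudo nft list table ip raw`) instead of the embedded excerpt; a module reported as missing or unassigned cannot create RELATED expectations, which matches the first symptom in the report.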

The same situation as @svd135. The passive FTP data connection is now stopped by the problem with the FTP ALG.

vyos@vyos# run show version
Version:          VyOS 1.5-rolling-202309080021
Release train:    current

Built by:         [email protected]
Built on:         Fri 08 Sep 2023 01:34 UTC
Build UUID:       d3dc8e6e-d7cd-4eeb-95fd-987625dc7b0c
Build commit ID:  343a33108b9b08

Architecture:     x86_64
Boot via:         installed image
System type:      VMware guest

Hardware vendor:  VMware, Inc.
Hardware model:   VMware20,1
Hardware S/N:     VMware-56 4d d0 a0 5b 44 ed 02-60 f5 0e 9b 72 4d 60 e9
Hardware UUID:    a0d04d56-445b-02ed-60f5-0e9b724d60e9

Copyright:        VyOS maintainers and contributors
vyos@vyos# sudo nft list table ip raw
table ip raw {
	ct helper rpc_tcp {
		type "rpc" protocol tcp
		l3proto ip
	}

	ct helper rpc_udp {
		type "rpc" protocol udp
		l3proto ip
	}

	ct helper tns_tcp {
		type "tns" protocol tcp
		l3proto ip
	}

	chain VYOS_TCP_MSS {
		type filter hook forward priority raw; policy accept;
	}

	chain vyos_global_rpfilter {
		return
	}

	chain vyos_rpfilter {
		type filter hook prerouting priority raw; policy accept;
		counter packets 3131 bytes 665944 jump vyos_global_rpfilter
	}

	chain PREROUTING {
		type filter hook prerouting priority raw; policy accept;
		counter packets 3131 bytes 665944 jump VYOS_CT_IGNORE
		counter packets 2641 bytes 626825 jump VYOS_CT_HELPER
		counter packets 3131 bytes 665944 jump VYOS_CT_TIMEOUT
		counter packets 3131 bytes 665944 jump VYOS_CT_PREROUTING_HOOK
		counter packets 2641 bytes 626825 jump NAT_CONNTRACK
		counter packets 490 bytes 39119 jump FW_CONNTRACK
		notrack
	}

	chain OUTPUT {
		type filter hook output priority raw; policy accept;
		counter packets 580 bytes 61379 jump VYOS_CT_IGNORE
		counter packets 218 bytes 21228 jump VYOS_CT_HELPER
		counter packets 580 bytes 61379 jump VYOS_CT_TIMEOUT
		counter packets 580 bytes 61379 jump VYOS_CT_OUTPUT_HOOK
		counter packets 218 bytes 21228 jump NAT_CONNTRACK
		counter packets 362 bytes 40151 jump FW_CONNTRACK
		notrack
	}

	chain VYOS_CT_HELPER {
		ct helper set "tns_tcp" tcp dport { 1521, 1525, 1536 } return
		ct helper set "rpc_udp" udp dport 111 return
		ct helper set "rpc_tcp" tcp dport 111 return
		return
	}

	chain VYOS_CT_IGNORE {
		return
	}

	chain VYOS_CT_TIMEOUT {
		return
	}

	chain VYOS_CT_PREROUTING_HOOK {
		return
	}

	chain VYOS_CT_OUTPUT_HOOK {
		return
	}

	chain FW_CONNTRACK {
		return
	}

	chain NAT_CONNTRACK {
		counter packets 2859 bytes 648053 accept
	}
}
[edit]
vyos@vyos#

Hello @sdev, sorry to bother you. The issue hasn't been fixed in the recent rolling release: VyOS 1.5-rolling-202309170024.

vyos@vyos:~$ sudo nft list table ip raw
table ip raw {
        ct helper rpc_tcp {
                type "rpc" protocol tcp
                l3proto ip
        }

        ct helper rpc_udp {
                type "rpc" protocol udp
                l3proto ip
        }

        ct helper tns_tcp {
                type "tns" protocol tcp
                l3proto ip
        }

        chain VYOS_TCP_MSS {
                type filter hook forward priority raw; policy accept;
        }

        chain vyos_global_rpfilter {
                return
        }

        chain vyos_rpfilter {
                type filter hook prerouting priority raw; policy accept;
                counter packets 5871 bytes 5703850 jump vyos_global_rpfilter
        }

        chain PREROUTING {
                type filter hook prerouting priority raw; policy accept;
                counter packets 5871 bytes 5703850 jump VYOS_CT_IGNORE
                counter packets 5871 bytes 5703850 jump VYOS_CT_HELPER
                counter packets 5871 bytes 5703850 jump VYOS_CT_TIMEOUT
                counter packets 5871 bytes 5703850 jump VYOS_CT_PREROUTING_HOOK
                counter packets 5871 bytes 5703850 jump NAT_CONNTRACK
                counter packets 0 bytes 0 jump FW_CONNTRACK
                notrack
        }

        chain OUTPUT {
                type filter hook output priority raw; policy accept;
                counter packets 94 bytes 11511 jump VYOS_CT_IGNORE
                counter packets 94 bytes 11511 jump VYOS_CT_HELPER
                counter packets 94 bytes 11511 jump VYOS_CT_TIMEOUT
                counter packets 94 bytes 11511 jump VYOS_CT_OUTPUT_HOOK
                counter packets 94 bytes 11511 jump NAT_CONNTRACK
                counter packets 0 bytes 0 jump FW_CONNTRACK
                notrack
        }

        chain VYOS_CT_HELPER {
                ct helper set "tns_tcp" tcp dport { 1521, 1525, 1536 } return
                ct helper set "rpc_udp" udp dport 111 return
                ct helper set "rpc_tcp" tcp dport 111 return
                return
        }

        chain VYOS_CT_IGNORE {
                return
        }

        chain VYOS_CT_TIMEOUT {
                return
        }

        chain VYOS_CT_PREROUTING_HOOK {
                return
        }

        chain VYOS_CT_OUTPUT_HOOK {
                return
        }

        chain FW_CONNTRACK {
                return
        }

        chain NAT_CONNTRACK {
                counter packets 5965 bytes 5715361 accept
        }
}
sdev changed the task status from Open to Confirmed. (Thu, Sep 21, 9:49 AM)
sdev claimed this task.
sdev changed the task status from Confirmed to Needs testing. (Sun, Sep 24, 11:44 AM)
sdev moved this task from Need Triage to In Progress on the VyOS 1.4 Sagitta board.