Conntrack FTP helper does not work properly
Closed, ResolvedPublicBUG
Actions

Assigned To

Authored By

	svd135
	Jul 19 2023, 7:37 PM

Description

I'm using local FTP server. My NAT and System config:

nat {

destination {
    rule 26 {
        destination {
            port 21
        }
        inbound-interface eth1
        protocol tcp
        translation {
            address 192.168.13.44
        }
    }
}
source {
    rule 10 {
        outbound-interface eth1
        translation {
            address masquerade
        }
    }
}

}

system {

conntrack {
    modules {
        ftp
        h323
        nfs
        pptp
        sip
        sqlnet
        tftp
    }
}

}

Conntrack FTP helper does not work properly:

It doesn't forward related connections
It doesn't replace local IP to NAT-ed WAN address in the "Entering Passive Mode" command string.

This worked right in older builds (now I'm using the January build).

Details

Difficulty level: Unknown (require assessment)
Version: vyos-1.4-rolling-202307161346-amd64
Why the issue appeared?: Will be filled on close
Is it a breaking change?: Behavior change
Issue type: Bug (incorrect behavior)

Related Objects

Mentioned In: T5598: unknown parameter 'nf_conntrack_helper' ignored

Event Timeline

svd135 created this task.Jul 19 2023, 7:37 PM

pasik added a subscriber: pasik.Jul 19 2023, 7:44 PM

From @Zamp

Unless there is something wrong with the firewall ruleset in VyOS any malfunctions in the FTP helper itself will mainly be fixed upstream at the Linux kernel or in this particular case the netfilter team:

https://wiki.nftables.org/wiki-nftables/index.php/Conntrack_helpers 1

https://bugzilla.netfilter.org/

Hopefully, some VyOS maintainer will look at this shortly and can figure out if this is a config error in VyOS or if the error must be reported upstream to get fixed.

Please help to assign a dev to work with this problem, thanks a lot!

@svd135 Can you provide a version string when you last had it working? Seeing the firewall config might also be helpful.

Now I'm using this build: VyOS 1.4-rolling-202301071830
It's working fine as with active as with passive FTP.

Firewall can be turned off. It does not affect the result.

Sorry to bother you @sdev , the latest releases of 1.5-rolling-202309080021 and 1.4-rolling-202309070021 still have this problem.

Can we see the output of sudo nft list table ip raw on an affected router?

table ip raw {

ct helper rpc_tcp {
        type "rpc" protocol tcp
        l3proto ip
}

ct helper rpc_udp {
        type "rpc" protocol udp
        l3proto ip
}

ct helper tns_tcp {
        type "tns" protocol tcp
        l3proto ip
}

chain VYOS_TCP_MSS {
        type filter hook forward priority raw; policy accept;
}

chain PREROUTING {
        type filter hook prerouting priority -200; policy accept;
        counter packets 12628080 bytes 2502739226 jump VYOS_CT_IGNORE
        counter packets 12628080 bytes 2502739226 jump VYOS_CT_HELPER
        counter packets 12628080 bytes 2502739226 jump VYOS_CT_TIMEOUT
        counter packets 12628080 bytes 2502739226 jump VYOS_CT_PREROUTING_HOOK
        counter packets 12628080 bytes 2502739226 jump NAT_CONNTRACK
        counter packets 0 bytes 0 jump FW_CONNTRACK
        notrack
}

chain OUTPUT {
        type filter hook output priority -200; policy accept;
        counter packets 1845387 bytes 130946386 jump VYOS_CT_IGNORE
        counter packets 1845387 bytes 130946386 jump VYOS_CT_HELPER
        counter packets 1845387 bytes 130946386 jump VYOS_CT_TIMEOUT
        counter packets 1845387 bytes 130946386 jump VYOS_CT_OUTPUT_HOOK
        counter packets 1845387 bytes 130946386 jump NAT_CONNTRACK
        counter packets 0 bytes 0 jump FW_CONNTRACK
        notrack
}

chain VYOS_CT_HELPER {
        ct helper set "tns_tcp" tcp dport { 1521, 1525, 1536 } return
        ct helper set "rpc_udp" udp dport 111 return
        ct helper set "rpc_tcp" tcp dport 111 return
        return
}

chain VYOS_CT_IGNORE {
        return
}

chain VYOS_CT_TIMEOUT {
        return
}

chain VYOS_CT_PREROUTING_HOOK {
        return
}

chain VYOS_CT_OUTPUT_HOOK {
        return
}

chain FW_CONNTRACK {
        accept
}

chain NAT_CONNTRACK {
        counter packets 14473467 bytes 2633685612 accept
}

}

The same situation as @svd135 . The passive FTP data connection now is stopped by the problem with FTP ALG.

vyos@vyos# run show version
Version:          VyOS 1.5-rolling-202309080021
Release train:    current

Built by:         [email protected]
Built on:         Fri 08 Sep 2023 01:34 UTC
Build UUID:       d3dc8e6e-d7cd-4eeb-95fd-987625dc7b0c
Build commit ID:  343a33108b9b08

Architecture:     x86_64
Boot via:         installed image
System type:      VMware guest

Hardware vendor:  VMware, Inc.
Hardware model:   VMware20,1
Hardware S/N:     VMware-56 4d d0 a0 5b 44 ed 02-60 f5 0e 9b 72 4d 60 e9
Hardware UUID:    a0d04d56-445b-02ed-60f5-0e9b724d60e9

Copyright:        VyOS maintainers and contributors

vyos@vyos# sudo nft list table ip raw
table ip raw {
	ct helper rpc_tcp {
		type "rpc" protocol tcp
		l3proto ip
	}

	ct helper rpc_udp {
		type "rpc" protocol udp
		l3proto ip
	}

	ct helper tns_tcp {
		type "tns" protocol tcp
		l3proto ip
	}

	chain VYOS_TCP_MSS {
		type filter hook forward priority raw; policy accept;
	}

	chain vyos_global_rpfilter {
		return
	}

	chain vyos_rpfilter {
		type filter hook prerouting priority raw; policy accept;
		counter packets 3131 bytes 665944 jump vyos_global_rpfilter
	}

	chain PREROUTING {
		type filter hook prerouting priority raw; policy accept;
		counter packets 3131 bytes 665944 jump VYOS_CT_IGNORE
		counter packets 2641 bytes 626825 jump VYOS_CT_HELPER
		counter packets 3131 bytes 665944 jump VYOS_CT_TIMEOUT
		counter packets 3131 bytes 665944 jump VYOS_CT_PREROUTING_HOOK
		counter packets 2641 bytes 626825 jump NAT_CONNTRACK
		counter packets 490 bytes 39119 jump FW_CONNTRACK
		notrack
	}

	chain OUTPUT {
		type filter hook output priority raw; policy accept;
		counter packets 580 bytes 61379 jump VYOS_CT_IGNORE
		counter packets 218 bytes 21228 jump VYOS_CT_HELPER
		counter packets 580 bytes 61379 jump VYOS_CT_TIMEOUT
		counter packets 580 bytes 61379 jump VYOS_CT_OUTPUT_HOOK
		counter packets 218 bytes 21228 jump NAT_CONNTRACK
		counter packets 362 bytes 40151 jump FW_CONNTRACK
		notrack
	}

	chain VYOS_CT_HELPER {
		ct helper set "tns_tcp" tcp dport { 1521, 1525, 1536 } return
		ct helper set "rpc_udp" udp dport 111 return
		ct helper set "rpc_tcp" tcp dport 111 return
		return
	}

	chain VYOS_CT_IGNORE {
		return
	}

	chain VYOS_CT_TIMEOUT {
		return
	}

	chain VYOS_CT_PREROUTING_HOOK {
		return
	}

	chain VYOS_CT_OUTPUT_HOOK {
		return
	}

	chain FW_CONNTRACK {
		return
	}

	chain NAT_CONNTRACK {
		counter packets 2859 bytes 648053 accept
	}
}
[edit]
vyos@vyos#

Hello @sdev Sorry to bother you. The issue hasn't been fixed in the recent rolling release: VyOS 1.5-rolling-202309170024

vyos@vyos:~$ sudo nft list table ip raw
table ip raw {
        ct helper rpc_tcp {
                type "rpc" protocol tcp
                l3proto ip
        }

        ct helper rpc_udp {
                type "rpc" protocol udp
                l3proto ip
        }

        ct helper tns_tcp {
                type "tns" protocol tcp
                l3proto ip
        }

        chain VYOS_TCP_MSS {
                type filter hook forward priority raw; policy accept;
        }

        chain vyos_global_rpfilter {
                return
        }

        chain vyos_rpfilter {
                type filter hook prerouting priority raw; policy accept;
                counter packets 5871 bytes 5703850 jump vyos_global_rpfilter
        }

        chain PREROUTING {
                type filter hook prerouting priority raw; policy accept;
                counter packets 5871 bytes 5703850 jump VYOS_CT_IGNORE
                counter packets 5871 bytes 5703850 jump VYOS_CT_HELPER
                counter packets 5871 bytes 5703850 jump VYOS_CT_TIMEOUT
                counter packets 5871 bytes 5703850 jump VYOS_CT_PREROUTING_HOOK
                counter packets 5871 bytes 5703850 jump NAT_CONNTRACK
                counter packets 0 bytes 0 jump FW_CONNTRACK
                notrack
        }

        chain OUTPUT {
                type filter hook output priority raw; policy accept;
                counter packets 94 bytes 11511 jump VYOS_CT_IGNORE
                counter packets 94 bytes 11511 jump VYOS_CT_HELPER
                counter packets 94 bytes 11511 jump VYOS_CT_TIMEOUT
                counter packets 94 bytes 11511 jump VYOS_CT_OUTPUT_HOOK
                counter packets 94 bytes 11511 jump NAT_CONNTRACK
                counter packets 0 bytes 0 jump FW_CONNTRACK
                notrack
        }

        chain VYOS_CT_HELPER {
                ct helper set "tns_tcp" tcp dport { 1521, 1525, 1536 } return
                ct helper set "rpc_udp" udp dport 111 return
                ct helper set "rpc_tcp" tcp dport 111 return
                return
        }

        chain VYOS_CT_IGNORE {
                return
        }

        chain VYOS_CT_TIMEOUT {
                return
        }

        chain VYOS_CT_PREROUTING_HOOK {
                return
        }

        chain VYOS_CT_OUTPUT_HOOK {
                return
        }

        chain FW_CONNTRACK {
                return
        }

        chain NAT_CONNTRACK {
                counter packets 5965 bytes 5715361 accept
        }
}

sarthurdev changed the task status from Open to Confirmed.Sep 21 2023, 9:49 AM

sarthurdev claimed this task.

sarthurdev mentioned this in T5598: unknown parameter 'nf_conntrack_helper' ignored.

PR: https://github.com/vyos/vyos-1x/pull/2304

Hello @sdev , could you please help to check if the fix can resolve the problem with FTP ALG? I tested the newest rolling release but the PASV command still causes the data connection gets failed. My testing FTP server and client are both Filezilla product, please correct me if any mistakes I made during the test.

vyos@vyos# run show version 
Version:          VyOS 1.5-rolling-202310060022
Release train:    current

Built by:         [email protected]
Built on:         Fri 06 Oct 2023 01:44 UTC
Build UUID:       12aff08b-756f-45c0-a485-afa0b7bd7c24
Build commit ID:  3639462b57b96f

Architecture:     x86_64
Boot via:         installed image
System type:      VMware guest

Hardware vendor:  VMware, Inc.
Hardware model:   VMware20,1
Hardware S/N:     VMware-56 4d d0 a0 5b 44 ed 02-60 f5 0e 9b 72 4d 60 e9
Hardware UUID:    a0d04d56-445b-02ed-60f5-0e9b724d60e9

Copyright:        VyOS maintainers and contributors

vyos@vyos# show nat
 destination {
     rule 100 {
         destination {
             port 21
         }
         inbound-interface eth1
         protocol tcp
         translation {
             address 192.168.100.220
         }
     }
 }
 source {
     rule 100 {
         outbound-interface eth1
         translation {
             address masquerade
         }
     }
 }

vyos@vyos:~$ sudo nft list table ip raw
table ip raw {
        chain VYOS_TCP_MSS {
                type filter hook forward priority raw; policy accept;
        }

        chain vyos_global_rpfilter {
                return
        }

        chain vyos_rpfilter {
                type filter hook prerouting priority raw; policy accept;
                counter packets 721495 bytes 798003939 jump vyos_global_rpfilter
        }

        chain VYOS_PREROUTING_HOOK {
                type filter hook prerouting priority raw; policy accept;
        }
}

dmbaturin triaged this task as High priority.Jan 9 2024, 6:04 PM

@svd135 Can you recheck?

Viacheslav changed the task status from Needs testing to Needs reporter action.Feb 13 2024, 3:47 PM

In T5376#176691, @Viacheslav wrote:

@svd135 Can you recheck?

I have now checked the build vyos-1.5-rolling-202402140022.
Unfortunately, everything is the same.

As I understand changes as in this example
https://wiki.nftables.org/wiki-nftables/index.php/Conntrack_helpers

The data channels are not established.
As I understand it, the problem is that the required related ports are not forwarded dynamically to translated address

In T5376#176807, @svd135 wrote:

The data channels are not established.
As I understand it, the problem is that the required related ports are not forwarded dynamically to translated address

I agree with you. By the commercial implementation, the FTP ALG can dynamically create the NAT pinhole for the data connection. I can't discuss the code, but I have used many vendors of commercial firewalls, the FTP ALG is a common function listed in the support feature list. To compare the FTP conntrack with the VYOS 1.3 should be a good idea to find out the root cause.

PR: https://github.com/vyos/vyos-1x/pull/3037

sarthurdev moved this task from Need Triage to In Progress on the VyOS 1.5 Circinus board.Feb 21 2024, 3:05 PM

@svd135 can you try on latest rolling?

In T5376#177587, @sarthurdev wrote:

@svd135 can you try on latest rolling?

The build 1.5-rolling-202402230022 works well in passive mode.
For me this long-standing problem is solved.
Active mode does not work, but no one uses it anymore.

It's a good news for me. I will shift from SRX320 to Vyos system. In FTP active mode, the FTP server will push the data channel to the client, the Vyos deems it as a new connection and there is no need with FTP ALG.

I will try it again. Thanks @svd135 and @sarthurdev

syncer edited projects, added VyOS 1.4 Sagitta (1.4.0-epa1); removed VyOS 1.4 Sagitta.Feb 23 2024, 12:19 PM

syncer moved this task from Need Triage to In Progress on the VyOS 1.4 Sagitta (1.4.0-epa1) board.

Glad to hear it @svd135 @swanduron

sarthurdev moved this task from In Progress to Finished on the VyOS 1.5 Circinus board.Feb 23 2024, 12:23 PM

Conntrack FTP helper does not work properlyClosed, ResolvedPublicBUGActions

Description

Details

Related Objects

Event Timeline

Conntrack FTP helper does not work properly
Closed, ResolvedPublicBUG
Actions