Description:
As I see, in RFC there is no accurate definition of the server answer after 227
message during passive mode connection establishing. The kernel module ip_conntrack_ftp search string,
which is used by most of ftp-servers:
227 Entering Passive Mode (xx,xx,xxx,x,yyy,yyy)
where is xx,xx,xxx,x is ip-adress, yyy -- port number, i.e. socket, which server uses to accept connection from client.
The last ")" is required, as I see from ip_conntrack_ftp module source code.
The ftpd program from publicfile-0.52 package send string:
227 =xx,xx,xxx,x,193,62
In general, this isn't a contradiction to RFC, because messages after numbers are intended for operator.
Because of that misunderstanding, module can't determine delivering to client socket and logging kernel facility error to syslog:
kernel: conntrack_ftp: partial 227 4144999967+24
i.e. module supposes that packet is incomplete or corrupted. This trouble can be resolved by changing ftpd.c code.
Original:
void pasv(void)
{
unsigned char x[6];
startlistening(x);
out_puts("227 =");
out_put(strnum,fmt_ulong(strnum,(unsigned long) x[0]));
out_puts(",");
out_put(strnum,fmt_ulong(strnum,(unsigned long) x[1]));
out_puts(",");
out_put(strnum,fmt_ulong(strnum,(unsigned long) x[2]));
out_puts(",");
out_put(strnum,fmt_ulong(strnum,(unsigned long) x[3]));
out_puts(",");
out_put(strnum,fmt_ulong(strnum,(unsigned long) x[4]));
out_puts(",");
out_put(strnum,fmt_ulong(strnum,(unsigned long) x[5]));
out_puts("\r\n");
}
After changing:
void pasv(void)
{
unsigned char x[6];
startlistening(x);
out_puts("227 Entering Passive Mode (");
out_put(strnum,fmt_ulong(strnum,(unsigned long) x[0]));
out_puts(",");
out_put(strnum,fmt_ulong(strnum,(unsigned long) x[1]));
out_puts(",");
out_put(strnum,fmt_ulong(strnum,(unsigned long) x[2]));
out_puts(",");
out_put(strnum,fmt_ulong(strnum,(unsigned long) x[3]));
out_puts(",");
out_put(strnum,fmt_ulong(strnum,(unsigned long) x[4]));
out_puts(",");
out_put(strnum,fmt_ulong(strnum,(unsigned long) x[5]));
out_puts(")\r\n");
}
Download:
The patch: publicfile-0.52.conntrack-ftp.patch (27.01.03). Was tested only on RH9, but as I see, in the last kernel (2.6.1) nothing was changed. If you have corrections -- write me to article <at> lithium.opennet.ruLinks:
- Publicfile home page.
- Publicfile page on DJB's site.
- Best manual about iptables and connection tracking that I met was.
articles <at> lithium.opennet.ru