
#1 2017-10-24 16:30:36

Knur
Member
Registered: 2013-07-12
Posts: 3

Conntrack ctstate RELATED broken?

Hello,

It seems that the RELATED ctstate in iptables is broken on current archlinux.

With these iptables rules:

iptables -t raw -A OUTPUT -p tcp --dport 21 -j CT --helper ftp
iptables -A INPUT -m conntrack --ctstate RELATED -m helper --helper ftp -j ACCEPT

and the correct modules loaded, a passive FTP session does not get matched by the filter rule even though the correct helper is assigned.

[root@archlinux ~]# conntrack -E expect
    [NEW] 300 proto=6 src=10.0.2.15 dst=212.27.60.27 sport=0 dport=45647 mask-src=255.255.255.255 mask-dst=255.255.255.255 sport=0 dport=65535 master-src=10.0.2.15 master-dst=212.27.60.27 sport=54004 dport=21 class=0 helper=ftp
[DESTROY] 300 proto=6 src=10.0.2.15 dst=212.27.60.27 sport=0 dport=45647 mask-src=255.255.255.255 mask-dst=255.255.255.255 sport=0 dport=65535 master-src=10.0.2.15 master-dst=212.27.60.27 sport=54004 dport=21 class=0 helper=ftp
    [NEW] 300 proto=6 src=10.0.2.15 dst=212.27.60.27 sport=0 dport=27314 mask-src=255.255.255.255 mask-dst=255.255.255.255 sport=0 dport=65535 master-src=10.0.2.15 master-dst=212.27.60.27 sport=54004 dport=21 class=0 helper=ftp
[DESTROY] 300 proto=6 src=10.0.2.15 dst=212.27.60.27 sport=0 dport=27314 mask-src=255.255.255.255 mask-dst=255.255.255.255 sport=0 dport=65535 master-src=10.0.2.15 master-dst=212.27.60.27 sport=54004 dport=21 class=0 helper=ftp
[root@archlinux ~]# iptables -nvL -t raw
Chain PREROUTING (policy ACCEPT 175 packets, 16587 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 112 packets, 13182 bytes)
 pkts bytes target     prot opt in     out     source               destination
   19   853 CT         tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:21 CT helper ftp
[root@archlinux ~]# iptables -nvL
Chain INPUT (policy ACCEPT 227 packets, 20645 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED helper match "ftp"
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 140 packets, 17006 bytes)
 pkts bytes target     prot opt in     out     source               destination

The exact same rules and ftp session, on a fresh debian testing install, work as intended.
On both archlinux and debian, iptables is v1.6.1 and conntrack is v1.4.4.
I manage to reproduce this on 2 different installs of archlinux, with different versions of the kernel, both official and custom compiled.

Either I'm missing something BIG, or there is something very wrong (and I'm beginning to feel paranoid)...
Can anyone confirm this?

Last edited by Knur (2017-10-25 06:12:36)

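An added example, not code from the poster or from conntrack-tools: a small parser for the `conntrack -E expect` lines shown above, plus a check that each expectation has the shape a passive-FTP `ctstate RELATED` + `helper ftp` match needs (TCP, master on port 21, helper ftp, server data endpoint fully pinned, client source port wildcarded). The field order in the regex is assumed from the output in the post; the sample events are copied from it and re-joined onto single lines.

```python
import re

# Constructed sample: the `conntrack -E expect` events from the post, re-joined onto single lines.
SAMPLE_EVENTS = """\
[NEW] 300 proto=6 src=10.0.2.15 dst=212.27.60.27 sport=0 dport=45647 mask-src=255.255.255.255 mask-dst=255.255.255.255 sport=0 dport=65535 master-src=10.0.2.15 master-dst=212.27.60.27 sport=54004 dport=21 class=0 helper=ftp
[DESTROY] 300 proto=6 src=10.0.2.15 dst=212.27.60.27 sport=0 dport=45647 mask-src=255.255.255.255 mask-dst=255.255.255.255 sport=0 dport=65535 master-src=10.0.2.15 master-dst=212.27.60.27 sport=54004 dport=21 class=0 helper=ftp
[NEW] 300 proto=6 src=10.0.2.15 dst=212.27.60.27 sport=0 dport=27314 mask-src=255.255.255.255 mask-dst=255.255.255.255 sport=0 dport=65535 master-src=10.0.2.15 master-dst=212.27.60.27 sport=54004 dport=21 class=0 helper=ftp
"""
# Field order (assumed from the output in the post): expected tuple, its mask,
# the master (control) tuple, then class and helper.
EVENT_RE = re.compile(
    r"\[(?P<event>\w+)\]\s+(?P<timeout>\d+)\s+proto=(?P<proto>\d+)\s+"
    r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+sport=(?P<sport>\d+)\s+dport=(?P<dport>\d+)\s+"
    r"mask-src=(?P<mask_src>\S+)\s+mask-dst=(?P<mask_dst>\S+)\s+"
    r"sport=(?P<mask_sport>\d+)\s+dport=(?P<mask_dport>\d+)\s+"
    r"master-src=(?P<master_src>\S+)\s+master-dst=(?P<master_dst>\S+)\s+"
    r"sport=(?P<master_sport>\d+)\s+dport=(?P<master_dport>\d+)\s+"
    r"class=(?P<cls>\d+)\s+helper=(?P<helper>\w+)"
)
INT_FIELDS = {"timeout", "proto", "sport", "dport", "mask_sport", "mask_dport",
              "master_sport", "master_dport", "cls"}

def parse_expect_events(text):
    """Parse expect event lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.search(line)
        if m:
            events.append({k: (int(v) if k in INT_FIELDS else v)
                           for k, v in m.groupdict().items()})
    return events

def check_ftp_expectation(ev, ctrl_port=21):
    """Reasons this expectation would not give a 'ctstate RELATED' + helper ftp match (empty = fine)."""
    problems = []
    if ev["proto"] != 6:
        problems.append("expectation is not TCP")
    if ev["helper"] != "ftp":
        problems.append("helper is %r, not ftp" % ev["helper"])
    if ev["master_dport"] != ctrl_port:
        problems.append("master connection is not the FTP control session")
    if ev["mask_dst"] != "255.255.255.255" or ev["mask_dport"] != 65535:
        problems.append("expected server data endpoint is not fully pinned")
    if ev["sport"] != 0 or ev["mask_sport"] != 0:
        problems.append("client source port is pinned but cannot be known in advance")
    return problems

def expected_data_ports(events):
    """Destination ports conntrack was told to classify as RELATED (NEW events only)."""
    return sorted({ev["dport"] for ev in events if ev["event"] == "NEW"})
```

If every expectation passes the check, the helper side is doing its job and the mismatch has to be looked for at the rule-matching stage instead.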

#2 2017-10-24 22:37:22

cfr
Member
From: Cymru
Registered: 2011-11-27
Posts: 7,132

Re: Conntrack ctstate RELATED broken?

Please edit your post to use code tags.


CLI Paste | How To Ask Questions

Arch Linux | x86_64 | GPT | EFI boot | refind | stub loader | systemd | LVM2 on LUKS
Lenovo x270 | Intel(R) Core(TM) i5-7200U CPU @ 2.50GHz | Intel Wireless 8265/8275 | US keyboard w/ Euro | 512G NVMe INTEL SSDPEKKF512G7L


#3 2017-10-25 05:13:35

brebs
Member
Registered: 2007-04-03
Posts: 3,742

Re: Conntrack ctstate RELATED broken?

Some quick thoughts:

* Why not also match on ESTABLISHED?

* Show the output of "iptables-save", rather than the potentially-ambiguous -L switch.
