lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <aO5BKQwvvDHdPnDm@strlen.de>
Date: Tue, 14 Oct 2025 14:25:13 +0200
From: Florian Westphal <fw@...len.de>
To: Andrii Melnychenko <a.melnychenko@...s.io>
Cc: pablo@...filter.org, kadlec@...filter.org, phil@....cc,
	davem@...emloft.net, edumazet@...gle.com, kuba@...nel.org,
	pabeni@...hat.com, horms@...nel.org,
	netfilter-devel@...r.kernel.org, coreteam@...filter.org,
	netdev@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH 1/1] netfilter: Added nfct_seqadj_ext_add() for ftp's
 conntrack.

Andrii Melnychenko <a.melnychenko@...s.io> wrote:
> There was an issue with NAT'ed ftp and replaced messages
> for PASV/EPSV mode. "New" IP in the message may have a
> different length that would require sequence adjustment.

This needs a 'Fixes' tag.

And it needs an explanation why this bug is specific to ftp.

Lastly, why is this needed in the first place?

nf_nat_ftp() sets up the expectation callback to 'nf_nat_follow_master'.
That calls nf_nat_setup_info() which is supposed to add the seqadj extension
since connection has helper and is subject to nat.

And if nat isn't active, why do we need to seqadj extension?
No NAT, no command channel address rewrites.

It would be good to have a test case for this too, the nat helpers
have 0 coverage.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ