ftp alg expect function
Hi all,
I have a question about the ftp ALG expect function nf_nat_follow_master in
Linux kernel 2.6.35.12.
If the ftp ALG is used, then in the function init_conntrack,
nf_nat_follow_master is triggered. My question is about the code logic
in that function.
Assume the network topology is A ---- R ---- B.
A is on R's LAN side; B is on R's WAN side,
and R does NAT, so A has a private IP.
The ftp server is B.
The ftp client is A.
When the data connection from B to R enters R's conntrack system,
the new conntrack has ORIGINAL tuple B->R and REPLY tuple R->B,
but this is not the right tuple yet, so
the expect function (nf_nat_follow_master) tries to alter the
conntrack. The resulting
conntrack should be ORIGINAL B->R and REPLY A->B after
nf_nat_follow_master is executed.
The following is the code of nf_nat_follow_master:
void nf_nat_follow_master(struct nf_conn *ct,
                          struct nf_conntrack_expect *exp)
{
    struct nf_nat_range range;

    /* This must be a fresh one. */
    BUG_ON(ct->status & IPS_NAT_DONE_MASK);

    /* Change src to where master sends to: the dst of the master's tuple
     * in the direction opposite to the one the connection is expected in
     * (!exp->dir). */
    range.flags = IP_NAT_RANGE_MAP_IPS;
    range.min_ip = range.max_ip
        = ct->master->tuplehash[!exp->dir].tuple.dst.u3.ip;
    nf_nat_setup_info(ct, &range, IP_NAT_MANIP_SRC);

    /* For DST manip, map port here to where it's expected: the src of that
     * same master tuple, with the port the helper saved in exp->saved_proto. */
    range.flags = (IP_NAT_RANGE_MAP_IPS | IP_NAT_RANGE_PROTO_SPECIFIED);
    range.min = range.max = exp->saved_proto;
    range.min_ip = range.max_ip
        = ct->master->tuplehash[!exp->dir].tuple.src.u3.ip;
    nf_nat_setup_info(ct, &range, IP_NAT_MANIP_DST);
}
In this function, I am not sure why SNAT should be performed. Although
SNAT is done, it does not change the resulting conntrack.
I have thought of another case that may explain why SNAT is there:
when the ftp server is on the LAN side and the ftp client is on the WAN side,
and there is a port forwarding rule on R that allows connecting to the ftp
server on the LAN side.
In that case, SNAT is performed and changes the conntrack, and DNAT is
performed but does not change the conntrack.
I am not certain of my assumption. If you have any idea, please
share it with me. Thanks.
Allen
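To make the tuple arithmetic in the post concrete, here is a user-space model of the two nf_nat_setup_info() calls that nf_nat_follow_master() makes. It is an added example written for this page, not code from the post or from the kernel tree: the tuple, conn and expect structs, the addresses (documentation ranges: A = 10.0.0.2, S = 10.0.0.5, R = 198.51.100.1, B = 203.0.113.5, C = 203.0.113.9), the ports and the helper names are all constructed, and nf_nat_setup_info() is reduced to its effect on the REPLY tuple under the assumption that no port clash forces a different port. It runs the post's two cases (active mode with the client on the LAN, active mode with the server on the LAN behind a port forward) and, going beyond the post, the two passive-mode cases for the same topologies, using exactly the tuplehash[!exp->dir] index expressions of the kernel function.

```c
#include <stdint.h>

/* Added example, not kernel code: a user-space model of nf_nat_follow_master().
 * Addresses are host-order IPv4, ports TCP.  nf_nat_setup_info() is reduced to
 * its effect on the REPLY tuple and assumes no port clash, so a port changes
 * only when the range carries IP_NAT_RANGE_PROTO_SPECIFIED. */
enum { IP_CT_DIR_ORIGINAL = 0, IP_CT_DIR_REPLY = 1 };
enum { IP_NAT_MANIP_SRC = 0, IP_NAT_MANIP_DST = 1 };

struct tuple  { uint32_t src_ip, dst_ip; uint16_t src_port, dst_port; };
struct conn   { struct tuple tuplehash[2]; };   /* [ORIGINAL], [REPLY] */
struct expect { const struct conn *master; int dir; uint16_t saved_port; };

/* Constructed addresses (documentation ranges): A = LAN ftp client, S = LAN
 * ftp server, R = router WAN address, B = WAN ftp server, C = WAN ftp client. */
#define IP4(a, b, c, d) (((uint32_t)(a) << 24) | ((b) << 16) | ((c) << 8) | (d))
#define IP_A IP4(10, 0, 0, 2)
#define IP_S IP4(10, 0, 0, 5)
#define IP_R IP4(198, 51, 100, 1)
#define IP_B IP4(203, 0, 113, 5)
#define IP_C IP4(203, 0, 113, 9)

static struct tuple invert(struct tuple t)
{
    struct tuple r = { t.dst_ip, t.src_ip, t.dst_port, t.src_port };
    return r;
}

/* A fresh conntrack: ORIGINAL is the first packet as seen, REPLY its inverse. */
static struct conn new_conn(uint32_t sip, uint16_t sp, uint32_t dip, uint16_t dp)
{
    struct conn c;
    struct tuple t = { sip, dip, sp, dp };
    c.tuplehash[IP_CT_DIR_ORIGINAL] = t;
    c.tuplehash[IP_CT_DIR_REPLY] = invert(t);
    return c;
}

/* Model of nf_nat_setup_info(): conntrack records a NAT mapping by rewriting
 * the REPLY tuple; the ORIGINAL tuple stays as the first packet arrived. */
static void nat_setup_info(struct conn *ct, uint32_t ip, uint16_t port, int manip)
{
    struct tuple cur = invert(ct->tuplehash[IP_CT_DIR_REPLY]);
    if (manip == IP_NAT_MANIP_SRC)
        cur.src_ip = ip;                 /* IP_NAT_RANGE_MAP_IPS only */
    else {
        cur.dst_ip = ip;                 /* MAP_IPS | PROTO_SPECIFIED */
        cur.dst_port = port;
    }
    ct->tuplehash[IP_CT_DIR_REPLY] = invert(cur);
}

/* The two steps of nf_nat_follow_master(), with its index expressions. */
static void follow_master(struct conn *ct, const struct expect *exp)
{
    const struct tuple *m = &exp->master->tuplehash[!exp->dir];
    nat_setup_info(ct, m->dst_ip, 0, IP_NAT_MANIP_SRC);               /* src := where master sends to */
    nat_setup_info(ct, m->src_ip, exp->saved_port, IP_NAT_MANIP_DST); /* dst := where master comes from */
}

/* Run one expected data connection through follow_master().  The control
 * connection is A -> B SNATed to R (client on the LAN) or C -> R:21 port-
 * forwarded to S (server on the LAN).  exp_dir is the direction the data
 * connection is expected in (opposite to the PORT/227 command), saved is the
 * port the command really named, sip:sp -> dip:dp the data SYN as R sees it. */
static struct conn run_case(int server_on_lan, int exp_dir, uint16_t saved,
                            uint32_t sip, uint16_t sp, uint32_t dip, uint16_t dp)
{
    struct conn master = server_on_lan ? new_conn(IP_C, 50000, IP_R, 21)
                                       : new_conn(IP_A, 40000, IP_B, 21);
    struct expect exp = { &master, exp_dir, saved };
    struct conn ct = new_conn(sip, sp, dip, dp);
    if (server_on_lan)
        master.tuplehash[IP_CT_DIR_REPLY].src_ip = IP_S;   /* DNAT R:21 -> S:21 */
    else
        master.tuplehash[IP_CT_DIR_REPLY].dst_ip = IP_R;   /* SNAT A -> R */
    follow_master(&ct, &exp);
    return ct;
}

/* The post's first case, active mode: the NAT helper rewrote A's PORT to R:40001
 * and saved 40001; B:20 connects to R:40001.  DNAT does the work, SNAT is a no-op:
 * ORIGINAL B:20 -> R:40001, REPLY A:40001 -> B:20. */
struct conn case_active_client_on_lan(void)
{ return run_case(0, IP_CT_DIR_REPLY, 40001, IP_B, 20, IP_R, 40001); }

/* The post's second case, active mode behind a port forward: C's PORT named
 * C:50001; S:20 connects out to it.  SNAT does the work, DNAT is a no-op:
 * ORIGINAL S:20 -> C:50001, REPLY C:50001 -> R:20. */
struct conn case_active_server_on_lan(void)
{ return run_case(1, IP_CT_DIR_REPLY, 50001, IP_S, 20, IP_C, 50001); }

/* Beyond the post, passive mode with the client on the LAN: B's 227 named
 * B:30000; A connects out.  SNAT does the work: REPLY B:30000 -> R:40002. */
struct conn case_passive_client_on_lan(void)
{ return run_case(0, IP_CT_DIR_ORIGINAL, 30000, IP_A, 40002, IP_B, 30000); }

/* Beyond the post, passive mode with the server on the LAN: the helper rewrote
 * S's 227 to R:30000; C connects to it.  DNAT does the work: REPLY S:30000 -> C:50002. */
struct conn case_passive_server_on_lan(void)
{ return run_case(1, IP_CT_DIR_ORIGINAL, 30000, IP_C, 50002, IP_R, 30000); }
```

Compile with `cc -std=c99 -Wall -c follow_master_model.c` (or add a main that prints the four results). What the four cases show is that the function always applies both manips from the same master tuple, and which of the two is a no-op depends only on which side originates the data connection: when the NATed host is the one accepting it (active mode with the client on the LAN, passive mode with the server on the LAN) the DST manip rewrites the REPLY tuple and the SRC manip changes nothing, and when the NATed host is the one opening it (active mode with the server on the LAN, passive mode with the client on the LAN) it is the SRC manip that does the rewriting. In every case the REPLY tuple ends up carrying the same translation as the control connection, which is what the "NAT it the same as the master" intent of the function requires; a real nf_nat_setup_info() may additionally pick a different port on a clash, which the model leaves out.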