Migrating from hardened-sources-4.4.8 to 4.7.6 or 4.7.10 breaks FTP CONNTRACK to FTP servers. I'm using a working config and CONNTRACK is built into the kernel. Here is the specific CONNTRACK portion of the broken kernel version (4.7.10):

CONFIG_NF_CONNTRACK=y
CONFIG_NF_CONNTRACK_MARK=y
CONFIG_NF_CONNTRACK_PROCFS=y
CONFIG_NF_CONNTRACK_EVENTS=y
CONFIG_NF_CONNTRACK_TIMEOUT=y
CONFIG_NF_CONNTRACK_TIMESTAMP=y
CONFIG_NF_CONNTRACK_LABELS=y
# CONFIG_NF_CONNTRACK_AMANDA is not set
CONFIG_NF_CONNTRACK_FTP=y
# CONFIG_NF_CONNTRACK_H323 is not set
CONFIG_NF_CONNTRACK_IRC=y
# CONFIG_NF_CONNTRACK_NETBIOS_NS is not set
# CONFIG_NF_CONNTRACK_SNMP is not set
# CONFIG_NF_CONNTRACK_PPTP is not set
# CONFIG_NF_CONNTRACK_SANE is not set
# CONFIG_NF_CONNTRACK_SIP is not set
CONFIG_NF_CONNTRACK_TFTP=y
CONFIG_NETFILTER_XT_MATCH_CONNTRACK=y
CONFIG_NF_CONNTRACK_IPV4=y
CONFIG_NF_CONNTRACK_PROC_COMPAT=y

Here is the complete Net Filter section. I tried adding multiple CONNTRACK features, but am still unable to connect to passive FTP servers. Again, rolling back to 4.4.8, everything works again.
CONFIG_NF_CONNTRACK=y
CONFIG_NF_LOG_COMMON=y
CONFIG_NF_CONNTRACK_MARK=y
CONFIG_NF_CONNTRACK_PROCFS=y
CONFIG_NF_CONNTRACK_EVENTS=y
CONFIG_NF_CONNTRACK_TIMEOUT=y
CONFIG_NF_CONNTRACK_TIMESTAMP=y
CONFIG_NF_CONNTRACK_LABELS=y
CONFIG_NF_CT_PROTO_DCCP=y
CONFIG_NF_CT_PROTO_SCTP=y
CONFIG_NF_CT_PROTO_UDPLITE=y
# CONFIG_NF_CONNTRACK_AMANDA is not set
CONFIG_NF_CONNTRACK_FTP=y
# CONFIG_NF_CONNTRACK_H323 is not set
CONFIG_NF_CONNTRACK_IRC=y
# CONFIG_NF_CONNTRACK_NETBIOS_NS is not set
# CONFIG_NF_CONNTRACK_SNMP is not set
# CONFIG_NF_CONNTRACK_PPTP is not set
# CONFIG_NF_CONNTRACK_SANE is not set
# CONFIG_NF_CONNTRACK_SIP is not set
CONFIG_NF_CONNTRACK_TFTP=y
CONFIG_NF_CT_NETLINK=y
# CONFIG_NF_CT_NETLINK_TIMEOUT is not set
CONFIG_NF_NAT=y
CONFIG_NF_NAT_NEEDED=y
CONFIG_NF_NAT_PROTO_DCCP=y
CONFIG_NF_NAT_PROTO_UDPLITE=y
CONFIG_NF_NAT_PROTO_SCTP=y
# CONFIG_NF_NAT_AMANDA is not set
CONFIG_NF_NAT_FTP=y
CONFIG_NF_NAT_IRC=y
# CONFIG_NF_NAT_SIP is not set
CONFIG_NF_NAT_TFTP=y
CONFIG_NF_NAT_REDIRECT=y
# CONFIG_NF_TABLES is not set
CONFIG_NF_DEFRAG_IPV4=y
CONFIG_NF_CONNTRACK_IPV4=y
CONFIG_NF_CONNTRACK_PROC_COMPAT=y
# CONFIG_NF_DUP_IPV4 is not set
# CONFIG_NF_LOG_ARP is not set
CONFIG_NF_LOG_IPV4=y
CONFIG_NF_REJECT_IPV4=y
CONFIG_NF_NAT_IPV4=y
# CONFIG_NF_NAT_MASQUERADE_IPV4 is not set
# CONFIG_NF_NAT_PPTP is not set
# CONFIG_NF_NAT_H323 is not set
CONFIG_IP_NF_IPTABLES=y
# CONFIG_IP_NF_MATCH_AH is not set
CONFIG_IP_NF_MATCH_ECN=y
# CONFIG_IP_NF_MATCH_RPFILTER is not set
CONFIG_IP_NF_MATCH_TTL=y
CONFIG_IP_NF_FILTER=y
CONFIG_IP_NF_TARGET_REJECT=y
# CONFIG_IP_NF_TARGET_SYNPROXY is not set
CONFIG_IP_NF_NAT=y
# CONFIG_IP_NF_TARGET_MASQUERADE is not set
# CONFIG_IP_NF_TARGET_NETMAP is not set
# CONFIG_IP_NF_TARGET_REDIRECT is not set
CONFIG_IP_NF_MANGLE=y
# CONFIG_IP_NF_TARGET_CLUSTERIP is not set
CONFIG_IP_NF_TARGET_ECN=y
CONFIG_IP_NF_TARGET_TTL=y
CONFIG_IP_NF_RAW=y
# CONFIG_IP_NF_SECURITY is not set
CONFIG_IP_NF_ARPTABLES=y
CONFIG_IP_NF_ARPFILTER=y
CONFIG_IP_NF_ARP_MANGLE=y
# CONFIG_BRIDGE_NF_EBTABLES is not set
can you test hardened-sources-4.8.10
Hello Anthony, I just tried with 4.8.10. Same problem.

ERROR:> [11/30/2016 7:27:51 AM] PASV failed, trying PORT.
STATUS:> [11/30/2016 7:27:52 AM] This site can resume broken downloads.
COMMAND:> [11/30/2016 7:27:52 AM] REST 0
[11/30/2016 7:27:52 AM] 350 Restarting at 0
COMMAND:> [11/30/2016 7:27:52 AM] PORT 10,0,0,xxx,18,83
[11/30/2016 7:27:52 AM] 500 I won't open a connection to 10.0.0.xx (only to 69.xxx.xxx.xxx)
ERROR:> [11/30/2016 7:27:52 AM] Syntax error: command unrecognized.
ERROR:> [11/30/2016 7:27:52 AM] Failed to establish data socket.

10.0.0.xx is the internal IP; 69.xxx.xxx.xxx is the public NAT IP. It appears to lose my NAT when FTPing. I can hit the internet fine, etc. Notice the ERROR: PASV failed. Again, this is not a problem with 4.4.8 and older and started in 4.7. Also, in the logs, I'm seeing FORWARD drops:

Nov 30 07:25:30 comp kernel: FW_FORWARD: IN=eth0 OUT=eth1 MAC=00:13:20:0a:46:8c:00:13:20:67:ad:5e:08:00 SRC=10.0.0.xx DST=72.xxx.xxx.xxx LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=35766 DF PROTO=TCP SPT=4683 DPT=62970 WINDOW=65535 RES=0x00 SYN URGP=0
Nov 30 07:25:33 comp kernel: FW_FORWARD: IN=eth0 OUT=eth1 MAC=00:13:20:0a:46:8c:00:13:20:67:ad:5e:08:00 SRC=10.0.0.xx DST=72.xxx.xxx.xxx LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=35783 DF PROTO=TCP SPT=4683 DPT=62970 WINDOW=65535 RES=0x00 SYN URGP=0
Nov 30 07:25:39 comp kernel: FW_FORWARD: IN=eth0 OUT=eth1 MAC=00:13:20:0a:46:8c:00:13:20:67:ad:5e:08:00 SRC=10.0.0.xx DST=72.xxx.xxx.xxx LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=35808 DF PROTO=TCP SPT=4683 DPT=62970 WINDOW=65535 RES=0x00 SYN URGP=0

I'm guessing that the PASV connection
Also, during the build phase I do see this warning. Not sure if this is related...

In file included from ./include/linux/list.h:8:0,
                 from ./include/linux/module.h:9,
                 from net/ipv4/inet_hashtables.c:16:
net/ipv4/inet_hashtables.c: In function 'inet_ehash_locks_alloc':
./include/linux/kernel.h:748:17: warning: comparison of distinct pointer types lacks a cast
  (void) (&_max1 == &_max2); \
                 ^
net/ipv4/inet_hashtables.c:688:13: note: in expansion of macro 'max'
   nblocks = max(2U * L1_CACHE_BYTES / locksz, 1U);
             ^
I also disabled PAX and GRSEC.. same problem.
This is a feature in the kernel, see https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/net/netfilter/nf_conntrack_helper.c?h=v4.7&id=3bb398d925ec73e42b778cf823c8f4aecae359ea

Or for more info: http://www.firewalld.org/2016/10/automatic-helper-assignment and http://www.spinics.net/lists/netfilter/msg56874.html

For now you can use:

# echo 1 > /proc/sys/net/netfilter/nf_conntrack_helper

But that may eventually be dropped out of the kernel too.

@blueness you probably want to close this one as WONTFIX unless you feel like reverting that commit.
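The sysctl above re-enables the old behaviour globally, but the commit linked in that comment means conntrack helpers are no longer attached to flows automatically; the supported replacement is to assign the FTP helper explicitly with the CT target in the raw table, so the helper can parse PASV/PORT and register the data channel as RELATED. The script below is an added example, not code from the bug report or from hardened-sources. It assumes a NAT router with LAN on eth0 and WAN on eth1 (the interface names come from the reporter's FW_FORWARD lines; the roles are assumed), an iptables build with the CT target (kernel option CONFIG_NETFILTER_XT_TARGET_CT, which the posted config does not show) and the conntrack match. The rule strings are emitted rather than applied unless the script is run with `apply`, so the rule set can be reviewed first. The last function is a small awk triage helper that runs over constructed log lines modelled on the reporter's and flags flows whose SYN is dropped repeatedly towards a high remote port, the signature of a data channel conntrack did not classify as RELATED.

```shell
#!/bin/sh
# Added example: explicit FTP conntrack helper assignment for a NAT router.
# Assumed LAN/WAN interfaces (names taken from the reporter's log lines).
LAN_IF="${LAN_IF:-eth0}"
WAN_IF="${WAN_IF:-eth1}"
FTP_PORT="${FTP_PORT:-21}"

# Emit the rules as text, one per line. Assumes the CT target is available
# (CONFIG_NETFILTER_XT_TARGET_CT) and NAT_FTP is built in, as in the posted config.
ftp_helper_rules() {
    cat <<EOF
iptables -t raw -A PREROUTING -i $LAN_IF -p tcp --dport $FTP_PORT -j CT --helper ftp
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -p tcp --dport $FTP_PORT -m conntrack --ctstate NEW -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
EOF
}

# Run the emitted rules through iptables (needs root). Stops at the first failure.
apply_rules() {
    ftp_helper_rules | while IFS= read -r rule; do
        eval "$rule" || exit 1
    done
}

# Exit status 0 when the legacy automatic-helper sysctl exists and is set to 1.
helper_sysctl_enabled() {
    f=/proc/sys/net/netfilter/nf_conntrack_helper
    [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

# Triage: read FW_FORWARD drop lines on stdin and print, one per line,
# "SRC DST SPT DPT count" for flows whose SYN to a port above 1023 was
# dropped at least twice. Retransmitted SYNs to an ephemeral remote port are
# what a blocked passive-mode data channel looks like in the forward log.
blocked_data_flows() {
    awk '
    /FW_FORWARD:/ && / SYN / {
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "SRC") src = kv[2]
            else if (kv[1] == "DST") dst = kv[2]
            else if (kv[1] == "SPT") spt = kv[2]
            else if (kv[1] == "DPT") dpt = kv[2]
        }
        if (dpt + 0 > 1023) n[src " " dst " " spt " " dpt]++
    }
    END { for (k in n) if (n[k] >= 2) print k, n[k] }'
}

# Constructed sample log, modelled on the reporter's lines (addresses are made up):
# three retransmitted SYNs of one data channel plus one unrelated HTTPS SYN.
SAMPLE_LOG='Nov 30 07:25:30 comp kernel: FW_FORWARD: IN=eth0 OUT=eth1 SRC=10.0.0.5 DST=72.0.0.1 LEN=48 PROTO=TCP SPT=4683 DPT=62970 WINDOW=65535 RES=0x00 SYN URGP=0
Nov 30 07:25:33 comp kernel: FW_FORWARD: IN=eth0 OUT=eth1 SRC=10.0.0.5 DST=72.0.0.1 LEN=48 PROTO=TCP SPT=4683 DPT=62970 WINDOW=65535 RES=0x00 SYN URGP=0
Nov 30 07:25:35 comp kernel: FW_FORWARD: IN=eth0 OUT=eth1 SRC=10.0.0.5 DST=93.0.0.2 LEN=48 PROTO=TCP SPT=4700 DPT=443 WINDOW=65535 RES=0x00 SYN URGP=0
Nov 30 07:25:39 comp kernel: FW_FORWARD: IN=eth0 OUT=eth1 SRC=10.0.0.5 DST=72.0.0.1 LEN=48 PROTO=TCP SPT=4683 DPT=62970 WINDOW=65535 RES=0x00 SYN URGP=0'

case "${1:-}" in
    apply)  apply_rules ;;
    triage) blocked_data_flows ;;            # e.g. dmesg | ./ftp-helper.sh triage
    *)      ftp_helper_rules ;;              # default: just show the rules
esac
```

The first rule is the one that replaces the automatic assignment: it tags the control connection with the ftp helper before conntrack sees it, which is why it must live in the raw table's PREROUTING chain. Without it, the RELATED accept in FORWARD never matches the data connection, which is exactly the SYN-drop pattern the triage function looks for.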
> @blueness you probably want to close this one as WONTFIX unless you feel
> like reverting that commit.

we're moving towards 4.8 next, where I presume this isn't a problem. please reopen the bug if the same issue arises in hardened-sources-4.8.11 or above.
(In reply to Anthony Basile from comment #6)
> > @blueness you probably want to close this one as WONTFIX unless you feel
> > like reverting that commit.
>
> we're moving towards 4.8 next, where I presume this isn't a problem. please
> reopen the bug if the same issue arises in hardened-sources-4.8.11 or above.

ah never mind, this is a permanent change in the kernel, so i guess we're going to have to live with it. i'm not going to carry forward a patch and also i think we should stick with upstream's decision and bug them if you just can't live with their choice.