NetBSD-Bugs archive


Re: bin/39520: IPNAT fails to consistently handle FTP sessions



The following reply was made to PR bin/39520; it has been noted by GNATS.

From: Peter Eisch <peter%boku.net@localhost>
To: <gnats-bugs%NetBSD.org@localhost>
Cc: 
Subject: Re: bin/39520: IPNAT fails to consistently handle FTP sessions
Date: Tue, 16 Sep 2008 14:02:38 -0500

 Here is a trace of the offending packet.
 
 13:51:46.838452 IP (tos 0x0, ttl  63, id 36513, offset 0, flags [DF],
 length: 67) BB.BB.BBB.BBB.58359 > CCC.CCC.CC.C.21: P [tcp sum ok] 30:57(27)
 ack 120 win 5840
         0x0000:  4500 0043 8ea1 4000 3f06 9b94 205b f382  E..C..@.?....[..
         0x0010:  9d9a 6007 e3f7 0015 a702 697e 320e c650  ..`.......i~2..P
         0x0020:  5018 16d0 e2ce 0000 504f 5254 2032 3036  P.......PORT.AAA
         0x0030:  2c39 2c33 342c 3135 302c 3232 372c 3235  ,A,AA,AAA,227,25
         0x0040:  310d 0a                                  1..
 13:51:46.949262 IP (tos 0x0, ttl  57, id 7011, offset 0, flags [none],
 length: 66) CCC.CCC.CC.C.21 > BB.BB.BBB.BBB.58359: P [tcp sum ok]
 120:146(26) ack 57 win 11468
         0x0000:  4500 0042 1b63 0000 3906 54d4 9d9a 6007  E..B.c..9.T...`.
         0x0010:  205b f382 0015 e3f7 320e c650 a702 6999  .[......2..P..i.
         0x0020:  5018 2ccc 7a97 0000 3530 3020 496c 6c65  P.,.z...500.Ille
         0x0030:  6761 6c20 504f 5254 2043 6f6d 6d61 6e64  gal.PORT.Command
         0x0040:  0d0a                                     ..
 
 The NAT rules for this are:
 
 map vlan150 from AAA.A.AA.AAA/32 to CCC.CCC.CC.C/32 -> BB.BB.BBB.BBB/32 proxy port ftp ftp/tcp
 map vlan150 from AAA.A.AA.AAA/32 to CCC.CCC.CC.C/32 -> BB.BB.BBB.BBB/32 portmap tcp/udp 40000:60000
 map vlan150 from AAA.A.AA.AAA/32 to CCC.CCC.CC.C/32 -> BB.BB.BBB.BBB/32
 
 The topology for this is:
 
              (wm1)   (wm2)
 +--------+  vlan154-vlan150   +--------+
 | client |---->| nbrtr |----->| server |
 +--------+     +------NAT     +--------+
 
 Again, this problem only happens for one out of every 5-8 sessions.  The
 successful sessions correctly insert the BB.BB.BBB.BBB address in the PORT
 command.
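
A check for the failure described in the message above, as an added example that is not part of the original report or of IPFilter: it takes a raw IPv4/TCP packet like the ones in the trace and reports whether the address inside the FTP PORT command equals the packet's own post-NAT source address. The function names are hypothetical and the addresses are constructed documentation-range values; only the ports are taken from the trace.

```python
import ipaddress
import struct

def parse_port_command(payload):
    """Return (IPv4Address, port) from 'PORT h1,h2,h3,h4,p1,p2', else None."""
    line = payload.split(b"\r\n", 1)[0].decode("ascii", "replace")
    verb, _, arg = line.strip().partition(" ")
    fields = arg.strip().split(",")
    if verb.upper() != "PORT" or len(fields) != 6:
        return None
    if not all(f.isdigit() and int(f) < 256 for f in fields):
        return None
    n = [int(f) for f in fields]
    return ipaddress.IPv4Address(bytes(n[:4])), n[4] * 256 + n[5]

def check_packet(packet):
    """Compare the IP source of a raw IPv4/TCP packet with its PORT argument."""
    if len(packet) < 20 or packet[0] >> 4 != 4 or packet[9] != 6:
        return None                          # not IPv4 carrying TCP
    ihl = (packet[0] & 0x0F) * 4             # IP header length in bytes
    if len(packet) < ihl + 20:
        return None                          # truncated TCP header
    data_off = (packet[ihl + 12] >> 4) * 4   # TCP header length in bytes
    parsed = parse_port_command(packet[ihl + data_off:])
    if parsed is None:
        return None                          # no PORT command in this segment
    src = ipaddress.IPv4Address(packet[12:16])
    addr, port = parsed
    return {"src": str(src), "port_addr": str(addr), "port": port,
            "rewritten": addr == src}

def build_packet(src, dst, payload):
    """Constructed test input: minimal IPv4+TCP headers, checksums left zero."""
    tcp = struct.pack("!HHIIBBHHH", 58359, 21, 0, 0, 5 << 4, 0x18, 5840, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0x4000,
                     63, 6, 0, ipaddress.IPv4Address(src).packed,
                     ipaddress.IPv4Address(dst).packed)
    return ip + tcp + payload

# Constructed samples: 192.0.2.10 = inside client, 198.51.100.7 = NAT address.
FAILED = build_packet("198.51.100.7", "203.0.113.21",
                      b"PORT 192,0,2,10,227,251\r\n")    # proxy missed it
OK = build_packet("198.51.100.7", "203.0.113.21",
                  b"PORT 198,51,100,7,227,251\r\n")      # proxy rewrote it

if __name__ == "__main__":
    for name, pkt in (("failed", FAILED), ("ok", OK)):
        print(name, check_packet(pkt))
```

Run against packets captured on the server-facing interface, a result with `rewritten` false marks a session where the inside address left the router unchanged.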
 
 
 

