Bug 179890 - ip_conntrack_ftp fails over IPSec tunnel
Summary: ip_conntrack_ftp fails over IPSec tunnel
Alias: None
Product: Fedora
Classification: Fedora
Component: kernel
Version: 5
Hardware: i686 Linux
Target Milestone: ---
Assignee: Dave Jones
QA Contact: Brian Brock
Keywords: Security
Reported: 2006-02-03 17:12 UTC by Chris Hapgood
Modified: 2015-01-04 22:24 UTC

Doc Type: Bug Fix
Story Points: ---
Last Closed: 2006-11-24 23:09:07 UTC
Type: ---
Regression: ---


Description Chris Hapgood 2006-02-03 17:12:02 UTC
When using passive ftp, I can successfully transfer files using passive mode 
ftp from an FC4 server to an FC4 client (also 2.6.14-1.1656_FC4smp with 
ip_conntrack_ftp loaded).  If, however, the same client connects to the same 
server over an IPSec tunnel, the ftp session fails transferring the same file 
and produces the following error message:

   ftp: connect: No route to host.

Both the client and the server are running kernel 2.6.14-1.1656_FC4smp, and 
both have ip_conntrack_ftp loaded.

**Steps to Reproduce
1. Install vsftp on FC4 server.  Install iptables firewalls on both client and 
server.  Load ip_conntrack_ftp on server.  Poke holes in firewalls for ftp.  
Confirm proper operation of ftp passive mode.
2. Build IPSec tunnel between FC4 server and FC4 client (NAT, Kame/racoon, pre-
shared keys, ESP).  Add iptables rule ACCEPTing all forwarded traffic between 
server and client.  Confirm proper operation of tunnel with many, many other 
protocols and months of observation.
3. Transfer file from client to server using standard ftp command line utility.
4. Attempt to transfer same file from client to server in same fashion, but 
specify the server's IP address such that a direct connection is used instead 
of the IPSec tunnel.

**Observed Behavior
The ftp client reports:
   ftp: connect: No route to host.
and the file is not transferred.

**Expected Behavior
The file should have been transferred.

**Additional Information
If I immediately unload iptables on the ftp server and again attempt the 
transfer, everything works beautifully.

This problem is VERY similar to Bugzilla 172845.  Both are examples of 
iptables helper modules failing to work over an IPSec tunnel but working 
perfectly across a standard link.

Unfortunately, the only workaround (in both cases) is to transmit in the clear 
or disable the firewall.
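As an added illustration (not code from the report or from the Fedora kernel), the following reconstructs the firewall side of steps 1 and 2 and adds a check on the conntrack table. The addresses, the passive data port and the exact rule layout are assumptions; what the report fixes is only that ip_conntrack_ftp is loaded, FTP is allowed in, and forwarded traffic between the two hosts is accepted. The point worth seeing is that the helper is useless unless RELATED state is accepted: it turns the port announced in the PASV reply into a RELATED expectation, and a passive data connection that never shows up in the conntrack table is what produces the reporter's failure.

```shell
#!/bin/sh
# Constructed addresses; substitute the real server and IPsec peer.
SERVER_IP="${SERVER_IP:-192.0.2.10}"
CLIENT_IP="${CLIENT_IP:-198.51.100.20}"

# Emit the rules instead of running them so they can be reviewed first
# (apply with: ftp_rules | sh). The ESTABLISHED,RELATED rule is what lets
# the helper's expectation for the passive data port through; without it
# the control channel works but every data connection is refused.
ftp_rules() {
    cat <<EOF
modprobe ip_conntrack_ftp
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp -s $CLIENT_IP -d $SERVER_IP --dport 21 -m state --state NEW -j ACCEPT
iptables -A FORWARD -s $CLIENT_IP -d $SERVER_IP -j ACCEPT
iptables -A FORWARD -s $SERVER_IP -d $CLIENT_IP -j ACCEPT
EOF
}

# Count tracked TCP flows from client to server other than the control
# connection (dport 21). Reads a /proc/net/ip_conntrack snapshot on stdin,
# e.g.  ftp_data_flows < /proc/net/ip_conntrack  during a transfer.
# A working helper shows one entry per passive transfer; a count of 0
# while the transfer fails means the data connection was never let in.
ftp_data_flows() {
    grep '^tcp' | grep -F "src=$CLIENT_IP dst=$SERVER_IP" | grep -vc 'dport=21 '
}

# Constructed snapshot in the 2.6-era /proc/net/ip_conntrack layout: the
# control connection, one passive data connection on port 30001, and the
# IKE exchange of the tunnel, which must not be counted.
sample_conntrack() {
    cat <<EOF
tcp      6 431999 ESTABLISHED src=$CLIENT_IP dst=$SERVER_IP sport=40123 dport=21 packets=12 bytes=800 src=$SERVER_IP dst=$CLIENT_IP sport=21 dport=40123 packets=10 bytes=900 [ASSURED] use=1
tcp      6 299 ESTABLISHED src=$CLIENT_IP dst=$SERVER_IP sport=40124 dport=30001 packets=3 bytes=200 src=$SERVER_IP dst=$CLIENT_IP sport=30001 dport=40124 packets=2 bytes=100 [ASSURED] use=1
udp      17 29 src=$CLIENT_IP dst=$SERVER_IP sport=500 dport=500 packets=5 bytes=1000 src=$SERVER_IP dst=$CLIENT_IP sport=500 dport=500 packets=5 bytes=1000 use=1
EOF
}

# Demo on the constructed snapshot: prints 1 (the single data flow).
sample_conntrack | ftp_data_flows
```

On a live box, replace the demo with `ftp_data_flows < /proc/net/ip_conntrack` while a passive transfer is in progress.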

Comment 1 Thomas Woerner 2006-02-06 17:07:08 UTC
Assigning to kernel - iptables is the userland configuration tool.

Comment 2 Dave Jones 2006-09-17 03:23:14 UTC
[This comment added as part of a mass-update to all open FC4 kernel bugs]

FC4 has now transitioned to the Fedora legacy project, which will continue to
release security related updates for the kernel.  As this bug is not security
related, it is unlikely to be fixed in an update for FC4, and has been migrated
to FC5.

Please retest with Fedora Core 5.

Thank you.

Comment 3 Dave Jones 2006-10-17 00:45:25 UTC
A new kernel update has been released (Version: 2.6.18-1.2200.fc5)
based upon a new upstream kernel release.

Please retest against this new kernel, as a large number of patches
go into each upstream release, possibly including changes that
may address this problem.

This bug has been placed in NEEDINFO state.
Due to the large volume of inactive bugs in bugzilla, if this bug is
still in this state in two weeks time, it will be closed.

Should this bug still be relevant after this period, the reporter
can reopen the bug at any time. Any other users on the Cc: list
of this bug can request that the bug be reopened by adding a
comment to the bug.

In the last few updates, some users upgrading from FC4->FC5
have reported that installing a kernel update has left their
systems unbootable. If you have been affected by this problem
please check you only have one version of device-mapper & lvm2
installed.  See bug 207474 for further details.

If this bug is a problem preventing you from installing the
release this version is filed against, please see bug 169613.

If this bug has been fixed, but you are now experiencing a different
problem, please file a separate bug for the new problem.

Thank you.

Comment 4 Dave Jones 2006-11-24 23:09:07 UTC
This bug has been mass-closed along with all other bugs that
have been in NEEDINFO state for several months.

Due to the large volume of inactive bugs in bugzilla, this
is the only method we have of cleaning out stale bug reports
where the reporter has disappeared.

If you can reproduce this bug after installing all the
current updates, please reopen this bug.

If you are not the reporter, you can add a comment requesting
it be reopened, and someone will get to it asap.

Thank you.
