IPfilter
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: ipf 4.1.13 + NAT + FTP proxy = window scaling problem

from [Darren Reed] [Permanent Link][Original]
To: Victor Duchovni <Victor.Duchovni@MorganStanley.com>
Subject: Re: ipf 4.1.13 + NAT + FTP proxy = window scaling problem
From: Darren Reed <darrenr@reed.wattle.id.au>
Date: Wed, 20 Dec 2006 23:11:57 +1100
Cc: Pekka Savola <pekkas@netcore.fi>, ipfilter@coombs.anu.edu.au
Delivered-to: sp-com-lists@consult.net
Delivered-to: ipfilter-list@securepoint.com
In-reply-to: <20061219235136.GC8372@piias899.ms.com>
References: <Pine.LNX.4.64.0612192052410.3711@netcore.fi> <458873B8.5060302@reed.wattle.id.au> <20061219235136.GC8372@piias899.ms.com>
Reply-to: darrenr@reed.wattle.id.au
Sender: owner-ipfilter@coombs.anu.edu.au
User-agent: Thunderbird 1.5.0.5 (Windows/20060719) 
Victor Duchovni wrote:
> On Wed, Dec 20, 2006 at 10:20:24AM +1100, Darren Reed wrote:
>
>   
>> Pekka Savola wrote:
>>     
>>> Hello,
>>>
>>> On FreeBSD 6.2-PRERELEASE (apparently ipfilter ~4.1.13), I'm having a
>>> problem with NATted, FTP-proxied sessions which use Window Scaling.
>>> Session that don't use the FTP proxy (or if the FTP proxy rule is
>>> disabled) or if WS is disabled work OK.
>>>
>>> Maybe FTP proxy doesn't work with Window Scaling, or is there
>>> something I'm missing ?
>>>
>>> IPmon lists the errors like:
>>>
>>> 19/12/2006 20:56:04.982985 15x fxp0 @0:32 b 193.166.3.2,33416 ->
>>> 192.168.1.1,33828 PR tcp len 20 1500 -A IN OOW NAT
>>> 19/12/2006 20:56:08.235987 fxp0 @0:32 b 193.166.3.2,33416 ->
>>> 192.168.1.1,33828 PR tcp len 20 1500 -A IN OOW NAT
>>> 19/12/2006 20:56:09.155467 fxp0 @0:32 b 193.166.3.2,33416 ->
>>> 192.168.1.1,33828 PR tcp len 20 1500 -A IN OOW NAT
>>> 19/12/2006 20:56:10.996694 fxp0 @0:32 b 193.166.3.2,33416 ->
>>> 192.168.1.1,33828 PR tcp len 20 1500 -A IN OOW NAT
>>>       
>> To see if it has properly picked up window scaling, list out the state table
>> entry with "ipfstat -sl".  To me it is looking like the FTP data connection
>> is the one having trouble, yes?
>>     
>
> Historically (not sure which release may have fixed this), the scaling
> code has been wrong, it applies the client's TCP scaling to packets from
> the server and vice versa. If the scale factors differ, you get a problem.
>
> The previously posted fix for the 3.x code train is:
>
> --- ip_state.c        2003/09/30 23:02:47     1.2
> +++ ip_state.c        2003/10/01 00:04:23     1.3
> @@ -956,8 +956,8 @@
>           (SEQ_GE(seq, fdata->td_end - maxwin)) &&
>  /* XXX what about big packets */
>  #define MAXACKWINDOW 66000
> -         (-ackskew <= (MAXACKWINDOW << tdata->td_wscale)) &&
> -         ( ackskew <= (MAXACKWINDOW << tdata->td_wscale))) {
> +         (-ackskew <= (MAXACKWINDOW)) &&
> +         ( ackskew <= (MAXACKWINDOW << fdata->td_wscale))) {
>  
>               /* if ackskew < 0 then this should be due to fragmented
>                * packets. There is no way to know the length of the
>
> The same issue may still be present in 4.13... Note, this only scales
> inside the window (positive ackskew), I don't believe that it is necessary
> to scale negative ackskew.

The same code in 4.1.13 - 4.1.16 is:
        inseq = 0;
        if ((SEQ_GE(fdata->td_maxend, end)) &&
            (SEQ_GE(seq, fdata->td_end - maxwin)) &&
/* XXX what about big packets */
#define MAXACKWINDOW 66000
            (-ackskew <= (MAXACKWINDOW << fdata->td_winscale)) &&
            ( ackskew <= (MAXACKWINDOW << fdata->td_winscale))) {
                inseq = 1;

Darren
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: IPFilter 4.1.16, Darren Reed
Next by Date:  Re: ipf 4.1.13 + NAT + FTP proxy = window scaling problem, Darren Reed
Previous by Thread:  Re: ipf 4.1.13 + NAT + FTP proxy = window scaling problem, Victor Duchovni
Next by Thread:  Re: ipf 4.1.13 + NAT + FTP proxy = window scaling problem, Pekka Savola
Indexes:  [Date] [Thread] [Top] [All Lists]