diff options
| author | Pfeil Daniel <pda@keba.com> | 2024-04-25 12:13:11 +0000 |
|---|---|---|
| committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2024-06-19 15:07:40 +0200 |
| commit | 5b61acb75b74725d7914b24568023f670ddeff62 (patch) | |
| tree | a37d4fa55bfa3c9639af34f4455d37dc99acc7d1 /examples/cli/favicon.ico | |
| parent | 7372179b9879d8893dcc2a3a8b0555655caade37 (diff) | |
After an RPC call to portmap using the portmap program number (100000),
subsequent RPC calls are not handled correctly by connection tracking.
This results in client connections to ports specified in RPC replies
failing to operate.
This issue arises because after an RPC call to portmap using the
program number 100000, conntrackd adds an expectation table entry
for the portmap port (typically 111). Due to this expectation table
entry, subsequent RPC call connections are treated as sibling
connections. Due to kernel restrictions, the connection helper for
sibling connections cannot be changed. This is enforced in the kernel's
handling in "net/netfilter/nf_conntrack_netlink.c", within the
"ctnetlink_change_helper" function, after the comment:
/* don't change helper of sibling connections */.
Due to this kernel restriction, the private RPC data (struct rpc_info)
sent from conntrackd to kernel-space is discarded by the kernel.
To resolve this, the proposed change is to eliminate the creation of
an expectation table entry for the portmap port. The portmap port has
to be opened via an iptables/nftables rule anyway, so adding an
expectation table entry for the portmap port is unnecessary.
Why do our existing clients make RPC calls using the portmap program
number? They use these calls for cyclic keepalive messages to verify
that the link between the client and server is operational.
Signed-Off-By: Daniel Pfeil <pda@keba.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'examples/cli/favicon.ico')
0 files changed, 0 insertions, 0 deletions