From owner-freebsd-net@freebsd.org Sat Aug 11 15:42:17 2018 Return-Path: Delivered-To: freebsd-net@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 402071070EBD for ; Sat, 11 Aug 2018 15:42:17 +0000 (UTC) (envelope-from longwitz@incore.de) Received: from dss.incore.de (dss.incore.de [195.145.1.138]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id CFE1484369 for ; Sat, 11 Aug 2018 15:42:16 +0000 (UTC) (envelope-from longwitz@incore.de) Received: from inetmail.dmz (inetmail.dmz [10.3.0.3]) by dss.incore.de (Postfix) with ESMTP id B924936CD for ; Sat, 11 Aug 2018 17:42:08 +0200 (CEST) X-Virus-Scanned: amavisd-new at incore.de Received: from dss.incore.de ([10.3.0.3]) by inetmail.dmz (inetmail.dmz [10.3.0.3]) (amavisd-new, port 10024) with LMTP id 9S1dvDQLYg0L for ; Sat, 11 Aug 2018 17:42:07 +0200 (CEST) Received: from mail.local.incore (fwintern.dmz [10.0.0.253]) by dss.incore.de (Postfix) with ESMTP id DBD9236CE for ; Sat, 11 Aug 2018 17:42:06 +0200 (CEST) Received: from bsdmhs.longwitz (unknown [192.168.99.6]) by mail.local.incore (Postfix) with ESMTP id C0D26189 for ; Sat, 11 Aug 2018 17:42:06 +0200 (CEST) Message-ID: <5B6F03CE.8090105@incore.de> Date: Sat, 11 Aug 2018 17:42:06 +0200 From: Andreas Longwitz User-Agent: Thunderbird 2.0.0.19 (X11/20090113) MIME-Version: 1.0 To: freebsd-net@freebsd.org Subject: Re: natd sends wrong sequence number when a retransmitted PASV packet comes in References: <5B6B2725.9030306@incore.de> In-Reply-To: <5B6B2725.9030306@incore.de> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.27 Precedence: list List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 11 Aug 2018 15:42:17 -0000 At first I have to correct a typo in my former post: "must have sequence number 465" (not 455). In the meantime I have build a complete test environment to debug this problem and I am rather sure, there is a bug in natd. For every ftp connection natd creates a little table (struct ack_data_record ack) of size N_LINK_TCP_DATA to save the information about altered length for TCP packets. This table is filled in function AddSeq() in a circular list each time when "227 Entering Passive Mode" is sent out to the ftp client. In TcpAliasOut there is a lookup in this table by calling GetDelteSeqOut() to get the correct delta value to create the value of seq for the outgoing packet. GetDeltaSeqOut searches the table in a sequential manner and looks for the biggest ack_old value not bigger than the actual seq and returns delta from the matching table line. As long as all ack_old in the table are different, there is no problem with this procedure. But if for what reason ever one of the "227 Entering" packets must be retransmitted, then we have two entries in the table with the same value of ack_old and maybe different delta because of port numbers with different decimal lenght. In this case if the delta information of the original "227 Entering" packet is placed in the table before the information of the replayed "227 Entering" packet the function GetDeltaSeqOut() returns for the next outgoing packet the wrong old delta value and the connection to the ftp client breaks. I think the function GetDeltaSeqOut() should also treat the table in a circular manner, so we can search the table from newer to older entries. Especially if there are identical ack_new values in the table, we can take the delta value of the last entry. The following patch solved the problem for me: --- alias_db.c.orig 2015-07-03 16:40:03.000000000 +0200 +++ alias_db.c 2018-08-10 23:31:09.242105000 +0200 @@ -2031,14 +2035,18 @@ packet size was altered is searched. */ - int i; + int i, j; int delta, seq_diff_min; delta = 0; seq_diff_min = -1; - for (i = 0; i < N_LINK_TCP_DATA; i++) { + i = lnk->data.tcp->state.index; + for (j = 0; j < N_LINK_TCP_DATA; j++) { struct ack_data_record x; + if (i == 0) + i = N_LINK_TCP_DATA; + i--; x = lnk->data.tcp->ack[i]; if (x.active == 1) { int seq_diff; Please can somebody review this patch. I am not sure if the same modification should also be done in the function GetDeltaAckIn(). -- Andreas Longwitz