NICMx / Jool

SIIT and NAT64 for Linux
GNU General Public License v2.0

Issue with locally destined connections with high port number #425

Closed matejvrba closed 1 month ago

matejvrba commented 1 month ago

Hi, I'm trying to run an FTP server (pure-ftpd) on a machine that is also running jool. I'm running into an issue where, if I try to download a file in passive mode (not extended passive mode), then if one of the random ports for the data connection is greater than around 60_000, the connection times out.

I was able to reproduce this in a clean openSUSE Tumbleweed VM with only jool and pure-ftpd installed, using this script: https://pastebin.com/TQ1nGgKi. I've edited the pure-ftpd config to allow anonymous login and created an empty file named test.

Here is the kernel log from when the packet was received:

[  282.689268] Jool NAT64/c0dba0e8/nat64: Step 2: Filtering and Updating
[  282.696037] Jool: => pool4empty_contains
[  282.700162] Jool:   => ret 1
[  282.703177] Jool NAT64/c0dba0e8/nat64: Packet does not belong to pool4.
[  282.710140] Jool: Returning the packet to the kernel.
[  282.715460] find_pattern `PORT': dlen = 6
[  282.719699] find_pattern `EPRT': dlen = 6
[  282.733285] find_pattern `227 ': dlen = 49
[  282.737710] Pattern matches!
[  282.740727] Skipped up to 0x0 delimiter!
[  282.744854] Match succeeded!
[  282.747887] conntrack_ftp: processing `227 Entering Passive Mode (192,168,1,1,246,170)
[  282.747887] '
[  282.757950] conntrack_ftp: match `192,168,1,1,246,170' (19 bytes at 3511845337)
[  282.766513] Jool NAT64/c0dba0e8/nat64: ===============================================
[  282.774858] Jool NAT64/c0dba0e8/nat64: Packet: 192.168.1.2->192.168.1.1
[  282.781847] Jool NAT64/c0dba0e8/nat64: Step 1: Determining the Incoming Tuple
[  282.789356] Jool NAT64/c0dba0e8/nat64: Tuple: 192.168.1.2#36354 -> 192.168.1.1#63146 [TCP]
[  282.798070] Jool NAT64/c0dba0e8/nat64: Done step 1.
[  282.812617] Jool NAT64/c0dba0e8/nat64: Step 2: Filtering and Updating
[  282.980902] Jool NAT64/c0dba0e8/nat64: Potential Simultaneous Open; storing type 1 packet.
[  283.007577] Jool NAT64/c0dba0e8/nat64: Done: Step 2.
[  283.019488] Jool NAT64/c0dba0e8/nat64: ===============================================
[  283.027833] Jool NAT64/c0dba0e8/nat64: Packet: 192.168.1.2->192.168.1.1
[  283.034781] Jool NAT64/c0dba0e8/nat64: Step 1: Determining the Incoming Tuple
[  283.042289] Jool NAT64/c0dba0e8/nat64: Tuple: 192.168.1.2#52256 -> 192.168.1.1#21 [TCP]
[  283.050714] Jool NAT64/c0dba0e8/nat64: Done step 1.
[  283.065255] Jool NAT64/c0dba0e8/nat64: Step 2: Filtering and Updating
[  283.079178] Jool NAT64/c0dba0e8/nat64: Packet does not belong to pool4.
[  283.086136] Jool: Returning the packet to the kernel.
[  283.091474] ftp: dataoff(52) >= skblen(52)
[  283.789643] Jool NAT64/c0dba0e8/nat64: ===============================================
[  283.798045] Jool NAT64/c0dba0e8/nat64: Packet: 192.168.1.2->192.168.1.1
[  283.805009] Jool NAT64/c0dba0e8/nat64: Step 1: Determining the Incoming Tuple
[  283.812521] Jool NAT64/c0dba0e8/nat64: Tuple: 192.168.1.2#36354 -> 192.168.1.1#63146 [TCP]
[  283.821209] Jool NAT64/c0dba0e8/nat64: Done step 1.
[  283.835761] Jool NAT64/c0dba0e8/nat64: Step 2: Filtering and Updating
[  284.004058] Jool NAT64/c0dba0e8/nat64: Potential Simultaneous Open; storing type 1 packet.
[  284.020686] Jool NAT64/c0dba0e8/nat64: Simultaneous Open already exists.
[  284.037439] Jool NAT64/c0dba0e8/nat64: Done: Step 2.
[  284.042661] Jool: Dropping packet.

I should probably mention that it's all IPv4; no IPv6 addresses are used (neither regular nor v4-mapped v6).

ydahhrk commented 1 month ago

Sorry about the silence. I'll review it next weekend.

ydahhrk commented 1 month ago

It looks like your FTP server is bypassing Linux's ephemeral range configuration.

if one of the random ports for the data connection is greater than around 60_000, the connection times out.

I'm guessing it's actually 61_000.

NAT64 Jool uses ports 61k1+ by default. And Netfilter Jool is very greedy, so you can't use them for anything else.

It's sort of like if you started ~4.5 thousand HTTP servers, and bound each of them to a port above 61k. So one for 61001, one for 61002, another for 61003, up to the last server, which binds itself to 65535.

Your FTP server can try to listen on those ports, but the HTTP servers will eat up all the traffic, because they have more priority.

You need to tweak your NAT64 port range and/or your FTP port range so they don't collide with each other.
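To make the collision concrete, here is an added Python check (not Jool's or pure-ftpd's own code) that decodes the 227 reply seen in the kernel log above, tests whether the advertised data port falls inside Jool's default pool4 range, and tests a pure-ftpd PassivePortRange for overlap with that range. The 61001-65535 pool4 default and the 227 line come from this thread; the PassivePortRange values and the Linux ephemeral range are constructed sample inputs.

```python
import re

# Jool's default NAT64 pool4 port range, as stated in this thread (61001-65535).
JOOL_DEFAULT_POOL4 = (61001, 65535)
# Linux's usual net.ipv4.ip_local_port_range, included as a constructed comparison value.
LINUX_EPHEMERAL = (32768, 60999)

# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)": data port = p1 * 256 + p2
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def decode_pasv(reply):
    """Decode a PASV reply into (ip, port); these are the same six fields
    that conntrack_ftp matched in the kernel log above."""
    m = PASV_RE.search(reply.strip())
    if m is None:
        raise ValueError("not a 227 PASV reply: %r" % reply)
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError("field out of range in %r" % reply)
    ip = "%d.%d.%d.%d" % tuple(fields[:4])
    return ip, fields[4] * 256 + fields[5]


def overlap(a, b):
    """Overlapping sub-range of two inclusive (low, high) ranges, or None."""
    low, high = max(a[0], b[0]), min(a[1], b[1])
    return (low, high) if low <= high else None


def data_port_claimed_by_jool(reply, pool4=JOOL_DEFAULT_POOL4):
    """True when the advertised data port lies inside pool4, i.e. Netfilter
    Jool will take the incoming data connection before the FTP server sees it."""
    _, port = decode_pasv(reply)
    return pool4[0] <= port <= pool4[1]


def check_passive_range(ftp_range, pool4=JOOL_DEFAULT_POOL4):
    """Return None when a pure-ftpd PassivePortRange (low, high) cannot collide
    with pool4, otherwise the colliding sub-range that has to be moved."""
    if not (1 <= ftp_range[0] <= ftp_range[1] <= 65535):
        raise ValueError("invalid port range %r" % (ftp_range,))
    return overlap(ftp_range, pool4)


if __name__ == "__main__":
    # Constructed from the 227 line in the kernel log above.
    reply = "227 Entering Passive Mode (192,168,1,1,246,170)"
    print(decode_pasv(reply), data_port_claimed_by_jool(reply))  # ('192.168.1.1', 63146) True
    print(check_passive_range((30000, 50000)))  # None: this range does not touch pool4
```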

matejvrba commented 1 month ago

Thanks for the response. I didn't realize this was a known limitation.