Your message dated Wed, 02 Aug 2017 20:09:38 +0100 with message-id <1501700978.2701.43.camel@decadent.org.uk> and subject line Re: Bug#870484: linux-image-4.9.0-3-amd64: nf_conntrack_ftp does not detect passive data connection as related has caused the Debian Bug report #870484, regarding linux-image-4.9.0-3-amd64: nf_conntrack_ftp does not detect passive data connection as related to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner@bugs.debian.org immediately.)

-- 
870484: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=870484
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: linux-image-4.9.0-3-amd64: nf_conntrack_ftp does not detect passive data connection as related
- From: David Guyot <david.guyot@europecamions-interactive.com>
- Date: Wed, 02 Aug 2017 15:50:57 +0200
- Message-id: <1501681857.2169.8.camel@europecamions-interactive.com>
Package: src:linux
Version: 4.9.30-2+deb9u2
Severity: normal

Hello, there.

I just encountered a situation which seems to indicate that nf_conntrack_ftp does not work as it should. The affected server has the following iptables rules regarding FTP:

Chain INPUT (policy DROP 4 packets, 208 bytes)
 pkts bytes target     prot opt in     out     source               destination
   87 13850 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0            /* loopback@localhost */
    1    44 ACCEPT     tcp  --  ens3   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:21 flags:0x17/0x02 limit: avg 5/min burst 50 recent: SET name: FTP side: source mask: 255.255.255.255
    0     0 LOGDROP    tcp  --  ens3   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:21 flags:0x17/0x02 recent: UPDATE seconds: 60 hit_count: 6 TTL-Match name: FTP side: source mask: 255.255.255.255
   17   769 ACCEPT     tcp  --  ens3   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:21
    0     0 ACCEPT     tcp  --  ens3   *       0.0.0.0/0            0.0.0.0/0            tcp dpts:50000:50500 ctstate RELATED,ESTABLISHED
[…]

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  466 75053 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0            /* loopback@localhost */
   14  1184 ACCEPT     tcp  --  *      ens3    0.0.0.0/0            0.0.0.0/0            tcp spt:21
    0     0 ACCEPT     tcp  --  *      ens3    0.0.0.0/0            0.0.0.0/0            tcp spts:50000:50500 ctstate RELATED,ESTABLISHED
[…]

As you can see, iptables is configured to let passive FTP connections pass, on the same port range as the one configured on the FTP service:

root@pern /h/david {⌗0/⬓2}[0]꩜# cat /etc/pure-ftpd/conf/PassivePortRange
50000 50500

Still, the passive FTP connection can't be established, as it freezes when the client tries to open the passive data connection:

13:55:36.066536 IP client.59494 > server.ftp: Flags [S], seq 2083620944, win 32120, options [mss 1460], length 0
13:55:36.066589 IP server.ftp > client.59494: Flags [S.], seq 2534440145, ack 2083620945, win 29200, options [mss 1460], length 0
13:55:36.101446 IP client.59494 > server.ftp: Flags [.], ack 1, win 32120, length 0
13:55:41.111237 IP server.ftp > client.59494: Flags [P.], seq 1:320, ack 1, win 29200, length 319: FTP: 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
13:55:41.144917 IP client.59494 > server.ftp: Flags [.], ack 320, win 31801, length 0
13:55:41.983515 IP client.59494 > server.ftp: Flags [P.], seq 1:11, ack 320, win 32120, length 10: FTP: AUTH TLS
13:55:41.983551 IP server.ftp > client.59494: Flags [.], ack 11, win 29200, length 0
13:55:41.983654 IP server.ftp > client.59494: Flags [P.], seq 320:365, ack 11, win 29200, length 45: FTP: 500 This security scheme is not implemented
13:55:42.017240 IP client.59494 > server.ftp: Flags [.], ack 365, win 32075, length 0
13:55:42.743558 IP client.59494 > server.ftp: Flags [P.], seq 11:21, ack 365, win 32120, length 10: FTP: AUTH SSL
13:55:42.743750 IP server.ftp > client.59494: Flags [P.], seq 365:410, ack 21, win 29200, length 45: FTP: 500 This security scheme is not implemented
13:55:42.777386 IP client.59494 > server.ftp: Flags [.], ack 410, win 32075, length 0
13:55:43.503046 IP client.59494 > server.ftp: Flags [P.], seq 21:36, ack 410, win 32120, length 15: FTP: USER **removed for security**
13:55:43.503210 IP server.ftp > client.59494: Flags [P.], seq 410:451, ack 36, win 29200, length 41: FTP: 331 User **removed for security** OK. Password required
13:55:43.536807 IP client.59494 > server.ftp: Flags [.], ack 451, win 32079, length 0
13:55:44.303051 IP client.59494 > server.ftp: Flags [P.], seq 36:63, ack 451, win 32120, length 27: FTP: PASS **removed for security**
13:55:44.328143 IP server.ftp > client.59494: Flags [P.], seq 451:483, ack 63, win 29200, length 32: FTP: 230 OK. Current directory is /
13:55:44.361804 IP client.59494 > server.ftp: Flags [.], ack 483, win 32088, length 0
13:55:45.103442 IP client.59494 > server.ftp: Flags [P.], seq 63:69, ack 483, win 32120, length 6: FTP: SYST
13:55:45.103606 IP server.ftp > client.59494: Flags [P.], seq 483:502, ack 69, win 29200, length 19: FTP: 215 UNIX Type: L8
13:55:45.137252 IP client.59494 > server.ftp: Flags [.], ack 502, win 32101, length 0
13:55:45.983146 IP client.59494 > server.ftp: Flags [P.], seq 69:75, ack 502, win 32120, length 6: FTP: FEAT
13:55:45.983254 IP server.ftp > client.59494: Flags [P.], seq 502:742, ack 75, win 29200, length 240: FTP: 211-Extensions supported:
13:55:46.016878 IP client.59494 > server.ftp: Flags [.], ack 742, win 31880, length 0
13:55:46.783712 IP client.59494 > server.ftp: Flags [P.], seq 75:89, ack 742, win 32120, length 14: FTP: OPTS UTF8 ON
13:55:46.783902 IP server.ftp > client.59494: Flags [P.], seq 742:765, ack 89, win 29200, length 23: FTP: 200 OK, UTF-8 enabled
13:55:46.817570 IP client.59494 > server.ftp: Flags [.], ack 765, win 32097, length 0
13:55:47.544469 IP client.59494 > server.ftp: Flags [P.], seq 89:94, ack 765, win 32120, length 5: FTP: PWD
13:55:47.544640 IP server.ftp > client.59494: Flags [P.], seq 765:799, ack 94, win 29200, length 34: FTP: 257 "/" is your current location
13:55:47.578287 IP client.59494 > server.ftp: Flags [.], ack 799, win 32086, length 0
13:55:48.342997 IP client.59494 > server.ftp: Flags [P.], seq 94:102, ack 799, win 32120, length 8: FTP: TYPE I
13:55:48.343143 IP server.ftp > client.59494: Flags [P.], seq 799:829, ack 102, win 29200, length 30: FTP: 200 TYPE is now 8-bit binary
13:55:48.376858 IP client.59494 > server.ftp: Flags [.], ack 829, win 32090, length 0
13:55:49.143326 IP client.59494 > server.ftp: Flags [P.], seq 102:108, ack 829, win 32120, length 6: FTP: PASV
13:55:49.143517 IP server.ftp > client.59494: Flags [P.], seq 829:879, ack 108, win 29200, length 50: FTP: 227 Entering Passive Mode (**removed for security**,196,84)
13:55:49.177260 IP client.59494 > server.ftp: Flags [.], ack 879, win 32070, length 0
13:55:49.943101 IP client.59494 > server.ftp: Flags [P.], seq 108:114, ack 879, win 32120, length 6: FTP: MLSD
13:55:49.943277 IP client.55391 > server.50260: Flags [S], seq 1498334446, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
13:55:49.984867 IP server.ftp > client.59494: Flags [.], ack 114, win 29200, length 0
13:55:52.940748 IP client.55391 > server.50260: Flags [S], seq 1498334446, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
13:55:57.065945 IP client.55391 > server.50260: Flags [S], seq 1814879207, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
13:56:00.063063 IP client.55391 > server.50260: Flags [S], seq 1814879207, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
13:56:05.423245 IP client.55391 > server.50260: Flags [S], seq 4001186743, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
13:56:08.425764 IP client.55391 > server.50260: Flags [S], seq 4001186743, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0

During the time the client tries to open the passive data connection, the conntrack table only contains the control connection:

root@pern /h/david {⌗0/⬓2}[0]꩜# conntrack -L -s 88.202.77.84
tcp      6 431989 ESTABLISHED src=client dst=server sport=59494 dport=21 src=server dst=client sport=21 dport=59494 [ASSURED] mark=0 use=1
conntrack v1.4.4 (conntrack-tools): 1 flow entries have been shown.

The FTP counters above were retrieved after the FTP connection attempt; as you can see, iptables does not let them pass. Because the conntrack does not contain the passive data connection, it is manifestly because the nf_conntrack_ftp does not identify the passive data connection attempts as being related to the already established control connection.
Should nf_conntrack_ftp do its job, there would be an entry in the conntrack, even if iptables were misconfigured and did not let these packets pass.

I also strongly suspect a nf_conntrack_ftp failure as:
* the client tries to connect to the passive port the server gave, so it's not a client error; anyway, I tried 2 clients (packages filezilla and ftp), so I'm pretty sure the client is not the problem;
* the problem remains if I use -m state --state ESTABLISHED,RELATED for the passive data connection; I might add that it was what I did under Jessie and Wheezy and there was no problem.

If you need more data to process this report, I will provide them in this report, as long as I can anonymise them enough; if I can't, I'll send them as a private message to the Debian maintainer requesting them.

Regards.

-- Package-specific info:
** Version:
Linux version 4.9.0-3-amd64 (debian-kernel@lists.debian.org) (gcc version 6.3.0 20170516 (Debian 6.3.0-18) ) #1 SMP Debian 4.9.30-2+deb9u2 (2017-06-26)

** Command line:
BOOT_IMAGE=/boot/vmlinuz-4.9.0-3-amd64 root=UUID=9abb590f-8a5e-496f-ad2a-2c877415bdc5 ro console=ttyS0

** Not tainted

** Kernel log:
Unable to read kernel log; any relevant messages should be attached

** Model information
sys_vendor: OpenStack Foundation
product_name: OpenStack Nova
product_version: 2014.2.4
chassis_vendor: QEMU
chassis_version: pc-i440fx-vivid
bios_vendor: SeaBIOS
bios_version: 2:1.10.2-6e899082

** Loaded modules:
nfnetlink_queue nfnetlink_log nfnetlink bluetooth rfkill ip6table_mangle iptable_mangle binfmt_misc xt_connlimit ts_bm xt_string nf_conntrack_ipv6 nf_defrag_ipv6 nf_conntrack_ipv4 nf_defrag_ipv4 xt_conntrack xt_hashlimit xt_tcpudp xt_recent xt_comment nf_log_ipv6 ip6table_filter ip6_tables nf_log_ipv4 nf_log_common xt_LOG xt_limit iptable_filter kvm_intel kvm ppdev parport_pc parport sg irqbypass hid_generic crct10dif_pclmul crc32_pclmul ghash_clmulni_intel usbhid hid cirrus ttm drm_kms_helper virtio_balloon joydev evdev drm serio_raw acpi_cpufreq button pcspkr nf_conntrack_ftp nf_conntrack ip_tables x_tables autofs4 ext4 crc16 jbd2 crc32c_generic fscrypto ecb mbcache sd_mod ata_generic virtio_scsi virtio_net crc32c_intel uhci_hcd ata_piix ehci_hcd libata aesni_intel aes_x86_64 glue_helper lrw gf128mul ablk_helper usbcore cryptd usb_common psmouse virtio_pci virtio_ring virtio scsi_mod i2c_piix4 floppy

** Network interface configuration:
source /etc/network/interfaces.d/*

auto lo
iface lo inet loopback

allow-hotplug ens4
iface ens4 inet dhcp

iface ens3 inet6 static
    address **removed for security**
    netmask 128
    post-up /sbin/ip -6 route add 2001:41d0:302:1100::1 dev ens3
    post-up /sbin/ip -6 route add default via 2001:41d0:302:1100::1 dev ens3
    pre-down /sbin/ip -6 route del default via 2001:41d0:302:1100::1 dev ens3
    pre-down /sbin/ip -6 route del 2001:41d0:302:1100::1 dev ens3

** USB devices:
not available

-- System Information:
Debian Release: 9.1
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages linux-image-4.9.0-3-amd64 depends on:
ii  initramfs-tools [linux-initramfs-tool]  0.130
ii  kmod                                    23-2
ii  linux-base                              4.5

Versions of packages linux-image-4.9.0-3-amd64 recommends:
pn  firmware-linux-free  <none>
pn  irqbalance           <none>

Versions of packages linux-image-4.9.0-3-amd64 suggests:
pn  debian-kernel-handbook  <none>
ii  grub-pc                 2.02~beta3-5
pn  linux-doc-4.9           <none>

Versions of packages linux-image-4.9.0-3-amd64 is related to:
pn  firmware-amd-graphics      <none>
pn  firmware-atheros           <none>
pn  firmware-bnx2              <none>
pn  firmware-bnx2x             <none>
pn  firmware-brcm80211         <none>
pn  firmware-cavium            <none>
pn  firmware-intel-sound       <none>
pn  firmware-intelwimax        <none>
pn  firmware-ipw2x00           <none>
pn  firmware-ivtv              <none>
pn  firmware-iwlwifi           <none>
pn  firmware-libertas          <none>
pn  firmware-linux-nonfree     <none>
pn  firmware-misc-nonfree      <none>
pn  firmware-myricom           <none>
pn  firmware-netxen            <none>
pn  firmware-qlogic            <none>
pn  firmware-realtek           <none>
pn  firmware-samsung           <none>
pn  firmware-siano             <none>
pn  firmware-ti-connectivity   <none>
pn  xen-hypervisor             <none>

-- no debconf information

-- 
David Guyot
Administrateur système / Sysadmin
Europe Camions Interactive / Stockway
Moulin Collot
F-88500 Ambacourt
Tél : +33 (0)3 29 30 47 85

Attachment: signature.asc
Description: This is a digitally signed message part
--- End Message ---
--- Begin Message ---
- To: 870484-done@bugs.debian.org
- Subject: Re: Bug#870484: linux-image-4.9.0-3-amd64: nf_conntrack_ftp does not detect passive data connection as related
- From: Ben Hutchings <ben@decadent.org.uk>
- Date: Wed, 02 Aug 2017 20:09:38 +0100
- Message-id: <1501700978.2701.43.camel@decadent.org.uk>
- In-reply-to: <1501681857.2169.8.camel@europecamions-interactive.com>
- References: <1501681857.2169.8.camel@europecamions-interactive.com>
This is an intentional change that was mentioned in NEWS for the linux-image-amd64 package. You need to explicitly specify the helper to be used in the related-connection rule.

See https://home.regit.org/netfilter-en/secure-use-of-helpers/

Ben.

-- 
Ben Hutchings
This sentence contradicts itself - no actually it doesn't.

Attachment: signature.asc
Description: This is a digitally signed message part
--- End Message ---
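
The explicit helper assignment that the closing reply calls for, as an added example that is not part of either message or of the Debian packages: a CT rule in the raw table attaches the ftp helper to the control connection, and the passive-range rule accepts RELATED packets only when they come from that helper. The function names and the iptables-save style listing rebuilt from the report's INPUT chain are assumptions of this example; the second function audits a ruleset for the pattern the report used.

```shell
#!/bin/sh
# Added example, not from the bug report. Interface name and passive port
# range are the reporter's; all function names are hypothetical.

# Emit iptables-save style rules for a passive-mode FTP server
# (the report's rate limiting on port 21 is left out for brevity).
# $1 = interface, $2 = first passive port, $3 = last passive port
ftp_helper_rules() {
    cat <<EOF
*raw
-A PREROUTING -i $1 -p tcp --dport 21 -j CT --helper ftp
COMMIT
*filter
-A INPUT -i $1 -p tcp --dport 21 -j ACCEPT
-A INPUT -i $1 -p tcp --dport $2:$3 -m conntrack --ctstate RELATED -m helper --helper ftp -j ACCEPT
-A INPUT -i $1 -p tcp --dport $2:$3 -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A OUTPUT -o $1 -p tcp --sport 21 -j ACCEPT
-A OUTPUT -o $1 -p tcp --sport $2:$3 -m conntrack --ctstate ESTABLISHED -j ACCEPT
COMMIT
EOF
}

# Constructed sample: the report's FTP rules rewritten in iptables-save form.
legacy_rules() {
    cat <<'EOF'
*filter
-A INPUT -i ens3 -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -i ens3 -p tcp -m tcp --dport 50000:50500 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o ens3 -p tcp -m tcp --sport 21 -j ACCEPT
-A OUTPUT -o ens3 -p tcp -m tcp --sport 50000:50500 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT
EOF
}

# Read iptables-save output on stdin. Print every ACCEPT rule that matches
# RELATED without naming a helper, and a marker line when no rule assigns a
# helper through the CT target (nothing can become RELATED via FTP then).
audit_related() {
    awk '
        /-j CT / && /--helper / { assigned = 1 }
        /^-A / && /--(ct)?state [A-Z,]*RELATED/ && /-j ACCEPT/ && !/-m helper / {
            print "UNPINNED: " $0
        }
        END { if (!assigned) print "NO-HELPER-ASSIGNMENT" }
    '
}

echo "== rules as in the report =="
legacy_rules | audit_related
echo "== rules with explicit helper =="
ftp_helper_rules ens3 50000 50500 | audit_related
```

On a live system the audit function can be fed the output of `iptables-save` directly; it only reads text and changes nothing.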