Passive FTP is not handled properly by the ip_vs_ftp module

This change was made by a bot.

I notice that the ip_vs_ftp module is used by nf_nat. Does this mean that FTP mangling cannot happen without the firewall?

I really don't want to enable to the Linux firewall ... all of this is behind a Cisco firewall with restrictive ACLs, even though I'm using public IPs on this machine.

root@lb1:~# lsmod | grep ftp
ip_vs_ftp 13079 0
ip_vs 136629 2 ip_vs_ftp
nf_nat 21841 1 ip_vs_ftp

If I have to enable the firewall, then I will need help configuring it. In addition to being a load balancer, this machine also serves as a router -- the only way to access the back-end servers, even directly by private IP, is by routing through it.

I grabbed a packet capture on the FTP client of the attempted FTP through LVS. When the client sends the PASV command, it never gets a response.

Repeating the packet capture on the machine doing LVS (and capturing both interfaces), I got more info. The FTP server sends the reponse to the PASV command, which the ip_vs_ftp module should mangle (changing to the public IP) and forward to the client ... but it never does. Instead thousands of duplicate ACKs begin traversing the network. I will attach a screenshot of the capture in wireshark. The IP addresses are different than my ldirectord config above ... I had to set up a temporary FTP server and run a different virtual address, because the other FTP servers are using the old machine as their default gateway.

I cloned the latest resource-agents repository from github, built a new ldirectord, and started up that copy. No change.

Will it be possible to solve this problem without turning on the firewall?

Would it be possible for you to test the latest upstream kernel? Refer to https://wiki.ubuntu.com/KernelMainlineBuilds . Please test the latest v4.1 kernel[0].

If this bug is fixed in the mainline kernel, please add the following tag 'kernel-fixed-upstream'.

If the mainline kernel does not fix this bug, please add the tag: 'kernel-bug-exists-upstream'.

If you are unable to test the mainline kernel, for example it will not boot, please add the tag: 'kernel-unable-to-test-upstream'.
Once testing of the upstream kernel is complete, please mark this bug as "Confirmed".

Thanks in advance.

[0] http://kernel.ubuntu.com/~kernel-ppa/mainline/v4.1-rc3-vivid/

That rc3-vivid kernel doesn't seem to exist.

I set up a lab machine, tried it out, and saw the same behavior that I've reported here.

Then I installed the 4.1 rc2-vivid kernel package for amd64 and rebooted. It complained about missing firmware for my realtek nics, but networking appears to work just fine. The newer kernel did not help.

Linux lb5 4.1.0-040100rc2-generic #201505032335 SMP Mon May 4 03:36:35 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux

I also tried enabling UFW on my test machine, putting a config /etc/ufw/applications.d for port 21/tcp (FTP) and allowing that application. That didn't help either.

Additional data point -- I've built temporary production FTP load balancers with CentOS 6, and they work properly. The firewall is disabled here too. Here's the "uname -a" output of the online machine:

Linux lb5 2.6.32-504.16.2.el6.centos.plus.x86_64 #1 SMP Wed Apr 22 00:59:31 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux

Side issue: The username on my Ubuntu account (cz-ubuntu) was not chosen by me, and I'd like to change it. I can't get into the Ubuntu forums with this account. Who do I need to contact for that?

I have been trying out other solutions in the lab, such as having haproxy (which is also running on these machines) handle the FTP. So far I have not been able to find the right config to make that work.

The reason that I filed this as a bug is because I have a config that works perfectly on 2.6 kernels that I cannot get working on 3.13 or 4.1 kernels.

I figure there are two possible reasons:

1) The feature has become broken and needs to be fixed.
2) Something changed in how the feature works and now it requires a different config.

I think it's probably number 1. If it is number 2, then I will need to know the new way of configuring it, and I would expect to file a bug against ldirectord.

I'm not sure how to go about it, but if there's a way to load a system with a 2.6.32 kernel, prove that it works right, and then step through each kernel release after that, we could figure out which specific release broke it.

[Expired for linux (Ubuntu) because there has been no activity for 60 days.]