[FS#2042] nat helpers do not work (e.g. ftp), CT rules do not match connections in chain zone_wan_helper

OpenWrt Bugs openwrt-bugs at lists.openwrt.org
Wed Nov 11 20:04:41 EST 2020


THIS IS AN AUTOMATED MESSAGE, DO NOT REPLY.

The following task has a new comment added:

FS#2042 - nat helpers do not work (e.g. ftp), CT rules do not match connections in chain zone_wan_helper
User who did this - Catalin Patulea (cpatulea)

----------
I have observed the same, for SIP connections originating from WAN.

> Do you mean connections originating from the router itself?

No, I believe OP means an external host originating the connection, which matches a configured port forward rule:


external host (source) ---> (wan) router (lan) --> internal host (destination)


In this case, it appears conntrack helpers are not triggered correctly (iptables -vnL shows zero matches to the helper rule) and the connection is not NAT'ed properly.

For SIP, this means the call cannot be established, due to media channel addresses not being rewritten.

I am able to fix the problem using a wide-open helper rule in firewall.user:

iptables -t raw -A zone_wan_helper -p udp -m udp --dport 5060 -j CT --helper sip


(..but now I am having problems making fw3 apply the rule consistently, because zone_wan_helper is a built-in chain which is reset by fw3 on each reload.. we would need a chain similar to prerouting_wan_rule (dedicated to user-defined rules), but in the raw table..)

----------

More information can be found at the following URL:
https://bugs.openwrt.org/index.php?do=details&task_id=2042#comment8990
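
The check mentioned in the comment above (zero matches on the helper rule in iptables -vnL), as an added example that is not part of the original comment or of fw3: a shell filter that reads the verbose listing of the raw-table chain and reports the packet counter of each CT helper rule. The function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example: report packet counters of CT helper rules in a raw-table chain.
# On the router: iptables -t raw -vnL zone_wan_helper | helper_rule_hits

# Reads `iptables -t raw -vnL <chain>` output on stdin and prints, per CT rule:
#   <helper> <proto> <dport> <pkts> <HIT|UNMATCHED>
helper_rule_hits() {
    awk '
        NR <= 2 { next }                 # skip "Chain ..." line and column header
        $3 == "CT" {                     # columns: pkts bytes target prot ...
            helper = ""; dport = "-"
            for (i = 5; i <= NF; i++) {
                if ($i == "helper" && i < NF) helper = $(i + 1)
                if ($i ~ /^dpt:/) dport = substr($i, 5)
            }
            if (helper == "") next       # CT rule without a helper (e.g. notrack)
            print helper, $4, dport, $1, ($1 == "0" ? "UNMATCHED" : "HIT")
        }'
}

# Prints helpers whose rule never matched; exit status 0 if there is at least one.
unmatched_helpers() {
    helper_rule_hits | awk '$5 == "UNMATCHED" { print $1; n++ } END { exit !n }'
}

# Constructed sample listing (not captured from a real router).
SAMPLE='Chain zone_wan_helper (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 CT         udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:5060 CT helper sip
   12   720 CT         tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:21 CT helper ftp'

printf '%s\n' "$SAMPLE" | helper_rule_hits
```

A helper rule that stays UNMATCHED while forwarded traffic for its port is flowing corresponds to the symptom reported here.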
