Indeed, both passive and active modes need to preload the nf_nat_ftp module. The patched script passed on my side too. Thanks for fixing mistakes in the script! On Tue, Jun 10, 2025 at 5:35 AM Florian Westphal <fw@xxxxxxxxx> wrote: > > Yi Chen <yiche@xxxxxxxxxx> wrote: > > This test verifies functionality of the FTP helper, > > for both passive, active FTP modes, > > and the functionality of the nf_nat_ftp module. > > Thanks, I had to apply this delta to make this work for me, can > you check that it still passes on your end? > > I guess the nf_nat_ftp module is already loaded on > your system, it's needed for all tests as the FTP server > is on a different address than what the client connects to. > > The important changes are: > - load nf_nat_ftp early > - use ${PCAP} for last tcpdump too, local dir isn't writeable > in my virtme-ng setup. > > Rest is debugging aid/cosmetic. The curl feature check gets extended > to skip in case curl exists but was built with no ftp support. > > I removed the -s flag from curl: it also removes the error messages, > if any, which makes it harder to debug. It's fine to have more > information available in case something goes wrong. > > I now get: > I: [OK] 1/1 tests/shell/testcases/packetpath/nat_ftp > > No need to resend unless you want to make further enhancements. > > diff --git a/tests/shell/features/curl.sh b/tests/shell/features/curl.sh > --- a/tests/shell/features/curl.sh > +++ b/tests/shell/features/curl.sh > @@ -1,4 +1,4 @@ > #!/bin/sh > > -# check whether curl is installed > -curl -h >/dev/null 2>&1 > +# check whether curl is installed and supports ftp > +curl --version | grep "^Protocols: "| grep -q " ftp" > diff --git a/tests/shell/testcases/packetpath/nat_ftp b/tests/shell/testcases/packetpath/nat_ftp > --- a/tests/shell/testcases/packetpath/nat_ftp > +++ b/tests/shell/testcases/packetpath/nat_ftp
> @@ -22,7 +22,10 @@ assert_pass() > echo "FAIL: ${@}" > ip netns exec $R nft list ruleset > tcpdump -nnr ${PCAP} > - ip netns exec $R cat /proc/net/nf_conntrack > + test -r /proc/net/nf_conntrack && ip netns exec $R cat /proc/net/nf_conntrack > + ip netns exec $R conntrack -S > + ip netns exec $R conntrack -L > + ip netns exec $S ss -nitepal > exit 1 > else > echo "PASS: ${@}" > @@ -43,6 +46,9 @@ PCAP="$WORKDIR/tcpdump.pcap" > mkdir -p $WORKDIR > assert_pass "mkdir $WORKDIR" > > +modprobe nf_nat_ftp > +assert_pass "modprobe nf_nat_ftp. Needed for DNAT of data connection and active mode PORT change with SNAT" > + > ip_sr=2001:db8:ffff:22::1 > ip_cr=2001:db8:ffff:21::2 > ip_rs=2001:db8:ffff:22::fffe > @@ -86,7 +92,7 @@ reload_ruleset() > chain PRE-dnat { > type nat hook prerouting priority dstnat; policy accept; > # Dnat the control connection, data connection will be automaticly NATed. > - ip6 daddr ${ip_rc} ip6 nexthdr tcp tcp dport 2121 counter dnat ip6 to [${ip_sr}]:21 > + ip6 daddr ${ip_rc} counter ip6 nexthdr tcp tcp dport 2121 counter dnat ip6 to [${ip_sr}]:21 > } > > chain PRE-aftnat { > @@ -103,7 +109,7 @@ reload_ruleset() > > chain forward { > type filter hook forward priority filter; policy drop; > - ip6 daddr ${ip_sr} tcp dport 21 ct state new counter accept > + ip6 daddr ${ip_sr} counter tcp dport 21 ct state new counter accept > ip6 nexthdr tcp ct state established counter accept > ip6 nexthdr tcp ct state related counter log accept > } > @@ -142,7 +148,7 @@ reload_ruleset > ip netns exec $S tcpdump -q --immediate-mode -Ui s_r -w ${PCAP} 2> /dev/null & > pid=$! > sleep 1 > -ip netns exec $C curl -s --connect-timeout 5 ftp://[${ip_rc}]:2121/$(basename $INFILE) -o $OUTFILE > +ip netns exec $C curl --no-progress-meter --connect-timeout 5 ftp://[${ip_rc}]:2121/$(basename $INFILE) -o $OUTFILE > assert_pass "curl ftp passive mode " > > cmp "$INFILE" "$OUTFILE" 
> @@ -155,19 +161,17 @@ assert_pass "assert FTP traffic NATed" > > # test active mode > reload_ruleset > -modprobe nf_nat_ftp > -assert_pass "modprobe nf_nat_ftp. Active mode need it to modify the client ip in PORT command under SNAT" > > -ip netns exec $S tcpdump -q --immediate-mode -Ui s_r -w ${0##*/}.pcap 2> /dev/null & > +ip netns exec $S tcpdump -q --immediate-mode -Ui s_r -w ${PCAP} 2> /dev/null & > pid=$! > -ip netns exec $C curl -s -P - --connect-timeout 5 ftp://[${ip_rc}]:2121/$(basename $INFILE) -o $OUTFILE > +ip netns exec $C curl --no-progress-meter -P - --connect-timeout 5 ftp://[${ip_rc}]:2121/$(basename $INFILE) -o $OUTFILE > assert_pass "curl ftp active mode " > > cmp "$INFILE" "$OUTFILE" > assert_pass "FTP Active mode: in and output files remain the same when FTP traffic passes through NAT." > > kill $pid; sync > -tcpdump -nnr ${0##*/}.pcap src ${ip_rs} and dst ${ip_sr} 2>&1 |grep -q FTP > +tcpdump -nnr ${PCAP} src ${ip_rs} and dst ${ip_sr} 2>&1 |grep -q FTP > assert_pass "assert FTP traffic NATed" > > # trap calls cleanup >
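Review bot: in the tests/shell/features/curl.sh hunk, the new check `curl --version | grep "^Protocols: "| grep -q " ftp"` drops the stderr redirect the old `curl -h >/dev/null 2>&1` line had, so a host without curl now prints a "command not found" message during feature detection instead of skipping silently; add `2>/dev/null` to the `curl --version` invocation. The substring `" ftp"` also matches `" ftps"` in the Protocols line, so `grep -qw ftp` would pin the exact token the test needs.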
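Review bot: in the `@@ -22,7 +22,10 @@ assert_pass()` hunk, the added `conntrack -S` and `conntrack -L` diagnostics have no guard for the conntrack binary, so on a host without it the failure output picks up two "command not found" lines; harmless because the function exits 1 right after, but a `command -v conntrack >/dev/null &&` prefix in the same style as the `test -r /proc/net/nf_conntrack &&` guard on the preceding line keeps the debug output clean.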
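Review bot: in the `@@ -43,6 +46,9 @@` hunk, the early `modprobe nf_nat_ftp` also loads nf_conntrack_ftp through the module dependency, which is the helper both the passive and the active run depend on for creating the data-connection expectation; the assert_pass message only mentions the NAT side, so stating that the conntrack helper comes in via the same modprobe would save the next reader from looking for a second modprobe line.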
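Review bot: in the `@@ -86,7 +92,7 @@ reload_ruleset()` hunk, the `counter` inserted before `ip6 nexthdr tcp tcp dport 2121` counts every packet to ${ip_rc} while the trailing `counter` only sees the DNATed control packets; that is useful on failure but not obvious from the rule, so a one-line comment saying the first counter is a debugging aid would help. Nit: the context comment line "automaticly" should read "automatically", and `ip6 nexthdr tcp` is redundant with the l4 protocol check that `tcp dport` already implies.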
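Review bot: in the `@@ -103,7 +109,7 @@` forward chain hunk, the same mid-rule `counter` pattern is applied; since the chain policy is drop and the data connection is only admitted by the later `ct state related counter log accept` rule, the extra counter on the port-21 rule mainly confirms the control connection arrived, which is worth saying in the assert message or a comment so the two counters are not mistaken for a duplicated rule.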
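Review bot: in the `@@ -142,7 +148,7 @@` hunk, `curl --no-progress-meter` requires curl 7.67.0 or newer; on an older curl the option is rejected and the passive-mode step fails with an option error rather than the feature check skipping the test. `curl -sS` (silent, but still show errors) gives the same effect on every curl release and keeps the error messages this change wants to preserve; the same applies to the active-mode curl line in the next hunk.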
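Review bot: in the `@@ -155,19 +161,17 @@` hunk, the active-mode tcpdump now writes to the same ${PCAP} as the passive-mode run, so the passive capture is overwritten and the `tcpdump -nnr ${PCAP}` dump in assert_pass() can only ever show active-mode traffic when a later assertion fails. Using ${PCAP} instead of ${0##*/}.pcap is the right fix for the unwritable working directory, but if the passive capture matters for debugging, a second file such as `${WORKDIR}/active.pcap` for this run would keep both.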