To: lvs-users@xxxxxxxxxxxxxxxxxxxxxx
Subject: [lvs-users] IPVSadm and passive FTP bug on CentOS 7/Debian 8, works fine on CentOS 5
From: Mischa Verheul <mischa.verheul@xxxxxxxxxx>
Date: Fri, 2 Dec 2016 13:28:32 +0100
Hello,

I'm trying to set up an IPVS NAT loadbalance solution with failover through
keepalived and sync through "ipvsadm --start-daemon" on CentOS 7.
Protocols such as HTTP work as expected, but FTP in passive mode isn't
working for the FTP-data connection. It stops after issuing a list or get
command.

After I couldn't find out what was possibly wrong with my configuration
after following documentation, I set up two basic IPVS setups for
trial&error:
Client        ->        IPVSmachine        ->        FTPserver
192.168.2.6        2.100/157.254            192.168.157.10/GW 192.168.157.254

CentOS 5: uname -r 2.6.18-398.el5
CentOS 7: uname -r 3.10.0-327.36.3.el7.x86_64

Configuration on both IPVS machines is identical:
ipvsadm -A -t 192.168.2.100:21 -s rr
ipvsadm -a -t 192.168.2.100:21 -r 192.168.157.10:21 -m
net.ipv4.ip_forward=1
modprobe ip_vs_ftp
no iptables rules

[root@cent5 ~]# lsmod | grep -i ftp
Module                  Size  Used by
ip_vs_ftp              39109  1
ip_vs                 122241  5 ip_vs_ftp,ip_vs_rr


[root@cent7 ~]# lsmod | grep -i ftp
Module                  Size  Used by
ip_vs_ftp              13079  0
nf_nat                 26146  1 ip_vs_ftp
ip_vs                 140944  5 ip_vs_rr,ip_vs_ftp

CentOS 5, with ip_vs_ftp loaded, FTP in passive mode works as expected. The
module correctly translates the IP from the real server to that of the IPVS
machine in the "227 Entering Passive Mode (x,x,x,x,.,.)" line.
For some reason I can't figure out, this doesn't happen on the latest
CentOS 7 version (same results on the latest Debian 8).

The IPVS machine on CentOS 7 never translates the IP in the "227 Entering
Passive Mode" line and never sends it back to the client.

Does anyone know what is causing this bug to occur and/or how to solve it?
Perhaps it isn't a bug and something between versions changed and I haven't
been able to find out?

Below are the capture dumps for the client->IPVS machine->FTP server. The
first dumps are for version 5, where it works; the second dumps are for
version 7.

CENTOS5 SETUP:
------------------------------------------------------------------------------------
CLIENT
No.     Time           Source                Destination           Protocol Length Info
     71 7.283164       192.168.2.6           192.168.2.100         FTP      74     Request: PASV
     73 7.284789       192.168.2.100         192.168.2.6           FTP      119    Response: 227 Entering Passive Mode (192,168,2,100,185,100).
     80 7.286195       192.168.2.6           192.168.2.100         FTP      74     Request: LIST
     81 7.287193       192.168.2.100         192.168.2.6           FTP      107    Response: 150 Here comes the directory listing.
     82 7.287456       192.168.2.100         192.168.2.6           FTP-DATA 339    FTP Data: 271 bytes
     89 7.288480       192.168.2.100         192.168.2.6           FTP      92     Response: 226 Directory send OK.
    107 9.630096       192.168.2.6           192.168.2.100         FTP      74     Request: QUIT
    109 9.634286       192.168.2.100         192.168.2.6           FTP      82     Response: 221 Goodbye.


IPVS CENTOS5
No.     Time           Source                Destination           Protocol Length Info
     39 8.234350       192.168.2.6           192.168.2.100         FTP      74     Request: PASV
     40 8.234390       192.168.2.6           192.168.157.10        FTP      74     Request: PASV
     41 8.235294       192.168.157.10        192.168.2.6           FTP      121    Response: 227 Entering Passive Mode (192,168,157,10,185,100).
     42 8.235336       192.168.2.100         192.168.2.6           FTP      119    Response: 227 Entering Passive Mode (192,168,2,100,185,100).
     51 8.236985       192.168.2.6           192.168.2.100         FTP      74     Request: LIST
     52 8.237031       192.168.2.6           192.168.157.10        FTP      74     Request: LIST
     53 8.237753       192.168.157.10        192.168.2.6           FTP      107    Response: 150 Here comes the directory listing.
     54 8.237770       192.168.2.100         192.168.2.6           FTP      107    Response: 150 Here comes the directory listing.
     55 8.237995       192.168.157.10        192.168.2.6           FTP-DATA 339    FTP Data: 271 bytes
     56 8.238022       192.168.2.100         192.168.2.6           FTP-DATA 339    FTP Data: 271 bytes
     65 8.238914       192.168.157.10        192.168.2.6           FTP      92     Response: 226 Directory send OK.
     66 8.238937       192.168.2.100         192.168.2.6           FTP      92     Response: 226 Directory send OK.
     69 10.581285      192.168.2.6           192.168.2.100         FTP      74     Request: QUIT
     70 10.581332      192.168.2.6           192.168.157.10        FTP      74     Request: QUIT
     71 10.583614      192.168.157.10        192.168.2.6           FTP      82     Response: 221 Goodbye.
     72 10.583730      192.168.2.100         192.168.2.6           FTP      82     Response: 221 Goodbye.

FTPSERVER
No.     Time           Source                Destination           Protocol Length Info
     19 6.190654       192.168.2.6           192.168.157.10        FTP      74     Request: PASV
     20 6.191207       192.168.157.10        192.168.2.6           FTP      121    Response: 227 Entering Passive Mode (192,168,157,10,185,100).
     25 6.193210       192.168.2.6           192.168.157.10        FTP      74     Request: LIST
     26 6.193646       192.168.157.10        192.168.2.6           FTP      107    Response: 150 Here comes the directory listing.
     27 6.193958       192.168.157.10        192.168.2.6           FTP-DATA 339    FTP Data: 271 bytes
     32 6.194930       192.168.157.10        192.168.2.6           FTP      92     Response: 226 Directory send OK.
     34 8.537715       192.168.2.6           192.168.157.10        FTP      74     Request: QUIT
     35 8.537959       192.168.157.10        192.168.2.6           FTP      82     Response: 221 Goodbye.

CENTOS7 SETUP:
------------------------------------------------------------------------------------
CLIENT
No.     Time           Source                Destination           Protocol Length Info
    156 12.323031      192.168.2.100         192.168.2.6           FTP      99     Response: 200 Switching to Binary mode.
    158 12.323454      192.168.2.6           192.168.2.100         FTP      74     Request: PASV

IPVS CENTOS7
No.     Time           Source                Destination           Protocol Length Info
     58 13.679705      192.168.2.6           192.168.2.100         FTP      74     Request: PASV
     59 13.679760      192.168.2.6           192.168.157.10        FTP      74     Request: PASV
     60 13.680715      192.168.157.10        192.168.2.6           FTP      119    Response: 227 Entering Passive Mode (192,168,157,10,44,65).
     62 13.883872      192.168.2.6           192.168.157.10        FTP      74     [TCP Spurious Retransmission] Request: PASV

FTPSERVER
No.     Time           Source                Destination           Protocol Length Info
     27 9.044371       192.168.2.6           192.168.157.10        FTP      74     Request: PASV
     28 9.044819       192.168.157.10        192.168.2.6           FTP      119    Response: 227 Entering Passive Mode (192,168,157,10,44,65).
     29 9.248510       192.168.2.6           192.168.157.10        FTP      74     [TCP Spurious Retransmission] Request: PASV
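
Added example, not part of the original post: a small Python check that decodes the (h1,h2,h3,h4,p1,p2) tuple of each "227 Entering Passive Mode" reply in a capture and reports whether the advertised address is the virtual IP (rewritten by the director) or the real server's internal address (untranslated), and whether a PASV request was left unanswered. The function names and status labels are made up for this illustration; the sample lines are the Info-column text from the captures above.

```python
import re

# RFC 959 reply to PASV: "227 ... (h1,h2,h3,h4,p1,p2)"
PASV_227 = re.compile(r"\b227 [^(]*\(" + r",".join([r"(\d{1,3})"] * 6) + r"\)")

def parse_227(line):
    """Return (ip, port) advertised in a 227 reply, or None if absent/invalid."""
    m = PASV_227.search(line)
    if not m:
        return None
    n = [int(g) for g in m.groups()]
    if max(n) > 255:
        return None
    # Data port is carried as two bytes: high byte first.
    return ".".join(map(str, n[:4])), n[4] * 256 + n[5]

def classify(lines, vip, real_servers):
    """Label each 227 reply in a capture; flag a PASV that never got one."""
    findings, pending = [], False
    for line in lines:
        if "Request: PASV" in line:
            pending = True
            continue
        ep = parse_227(line)
        if ep is None:
            continue
        ip, port = ep
        kind = ("rewritten" if ip == vip else
                "untranslated" if ip in real_servers else "unexpected")
        findings.append((kind, ip, port))
        pending = False
    if pending:
        findings.append(("no-reply", None, None))
    return findings

VIP, RS = "192.168.2.100", {"192.168.157.10"}

# Info-column text copied from the captures in the post.
CENT5_CLIENT = ["Request: PASV",
                "Response: 227 Entering Passive Mode (192,168,2,100,185,100).",
                "Request: LIST"]
CENT7_CLIENT = ["Response: 200 Switching to Binary mode.", "Request: PASV"]
CENT7_DIRECTOR = ["Request: PASV", "Request: PASV",
                  "Response: 227 Entering Passive Mode (192,168,157,10,44,65).",
                  "[TCP Spurious Retransmission] Request: PASV"]

if __name__ == "__main__":
    for name, cap in [("cent5 client", CENT5_CLIENT), ("cent7 client", CENT7_CLIENT),
                      ("cent7 director", CENT7_DIRECTOR)]:
        print(name, classify(cap, VIP, RS))
```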