CVE-2025-68206

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
16/12/2025
Last modified:
16/12/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

netfilter: nft_ct: add seqadj extension for natted connections

Sequence adjustment may be required for FTP traffic with PASV/EPSV modes,
due to need to re-write packet payload (IP, port) on the ftp control
connection. This can require changes to the TCP length and expected
seq / ack_seq.

The easiest way to reproduce this issue is with PASV mode.
Example ruleset:

    table inet ftp_nat {
        ct helper ftp_helper {
            type "ftp" protocol tcp
            l3proto inet
        }

        chain prerouting {
            type filter hook prerouting priority 0; policy accept;
            tcp dport 21 ct state new ct helper set "ftp_helper"
        }
    }
    table ip nat {
        chain prerouting {
            type nat hook prerouting priority -100; policy accept;
            tcp dport 21 dnat ip prefix to ip daddr map {
                192.168.100.1 : 192.168.13.2/32 }
        }

        chain postrouting {
            type nat hook postrouting priority 100 ; policy accept;
            tcp sport 21 snat ip prefix to ip saddr map {
                192.168.13.2 : 192.168.100.1/32 }
        }
    }

Note that the ftp helper gets assigned *after* the dnat setup.

The inverse (nat after helper assign) is handled by an existing
check in nf_nat_setup_info() and will not show the problem.

Topology:

    +-------------------+        +----------------------------------+
    | FTP: 192.168.13.2 |        | NAT: 192.168.13.3, 192.168.100.1 |
    +-------------------+        +----------------------------------+
                                                 |
                                     +-----------------------+
                                     | Client: 192.168.100.2 |
                                     +-----------------------+

ftp nat changes do not work as expected in this case:

    Connected to 192.168.100.1.
    [..]
    ftp> epsv
    EPSV/EPRT on IPv4 off.
    ftp> ls
    227 Entering passive mode (192,168,100,1,209,129).
    421 Service not available, remote server has closed connection.

Kernel logs:

    Missing nfct_seqadj_ext_add() setup call
    WARNING: CPU: 1 PID: 0 at net/netfilter/nf_conntrack_seqadj.c:41
    [..]
    __nf_nat_mangle_tcp_packet+0x100/0x160 [nf_nat]
    nf_nat_ftp+0x142/0x280 [nf_nat_ftp]
    help+0x4d1/0x880 [nf_conntrack_ftp]
    nf_confirm+0x122/0x2e0 [nf_conntrack]
    nf_hook_slow+0x3c/0xb0
    ..

Fix this by adding the required extension when a conntrack helper is assigned
to a connection that has a nat binding.
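The commit message above states that the warning only appears when the helper is assigned after the NAT binding, and that the other ordering is already handled by nf_nat_setup_info(). The ruleset below is an added example, not part of the CVE entry or of the kernel commit: it is the same FTP helper setup as the reproducer, rewritten so that the helper-assignment chain runs before the nat prerouting chain. The chain name helper_assign, the priority -150, and the assumption that this ordering avoids the issue on an unpatched kernel are the editor's, derived from the commit text; the addresses are the ones used in the reproducer.

```nft
# Added example (not from the CVE entry or the kernel commit): FTP helper
# assigned BEFORE the nat hook runs, the ordering the commit message says
# nf_nat_setup_info() already handles. Chain name, the priority -150 and the
# expectation that this avoids the warning on unpatched kernels are assumptions.
table inet ftp_nat {
    ct helper ftp_helper {
        type "ftp" protocol tcp
        l3proto inet
    }

    chain helper_assign {
        # Still a filter-type chain, but with a priority numerically below the
        # nat prerouting chain's -100 so it is evaluated first. Conntrack runs
        # at -200, so -150 keeps "ct helper set" after the conntrack lookup.
        type filter hook prerouting priority -150; policy accept;
        tcp dport 21 ct state new ct helper set "ftp_helper"
    }
}

table ip nat {
    chain prerouting {
        # Unchanged from the reproducer; now runs after the helper is attached.
        type nat hook prerouting priority -100; policy accept;
        tcp dport 21 dnat ip prefix to ip daddr map {
            192.168.100.1 : 192.168.13.2/32 }
    }

    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        tcp sport 21 snat ip prefix to ip saddr map {
            192.168.13.2 : 192.168.100.1/32 }
    }
}
```

Load it with `nft -f <file>` on the NAT host, repeat the PASV `ls` from the client, and watch the kernel log: the reproducer's "Missing nfct_seqadj_ext_add() setup call" WARNING should not appear with this ordering. This is only a ruleset-side workaround inferred from the commit message; the actual fix is the kernel change that adds the seqadj extension when a helper is assigned to a connection that already has a NAT binding, and a kernel carrying that change needs no reordering.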

Impact