2 * Copyright (c) 2001 Charles Mott <cm@linktel.net>
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
8 * 1. Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
10 * 2. Redistributions in binary form must reproduce the above copyright
11 * notice, this list of conditions and the following disclaimer in the
12 * documentation and/or other materials provided with the distribution.
14 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
15 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
16 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
17 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
18 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
19 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
20 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
21 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
22 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
23 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
27 #include <sys/cdefs.h>
28 __FBSDID("$FreeBSD$");
31 Alias_ftp.c performs special processing for FTP sessions under
32 TCP. Specifically, when a PORT/EPRT command from the client
33 side or 227/229 reply from the server is sent, it is intercepted
34 and modified. The address is changed to the gateway machine
35 and an aliasing port is used.
37 For this routine to work, the message must fit entirely into a
38 single TCP packet. This is typically the case, but exceptions
39 can easily be envisioned under the actual specifications.
41 Probably the most troubling aspect of the approach taken here is
42 that the new message will typically be a different length, and
43 this causes a certain amount of bookkeeping to keep track of the
44 changes of sequence and acknowledgment numbers, since the client
45 machine is totally unaware of the modification to the TCP stream.
48 References: RFC 959, RFC 2428.
50 Initial version: August, 1996 (cjm)
53 Brian Somers and Martin Renters identified an IP checksum
54 error for modified IP packets.
56 Version 1.7: January 9, 1996 (cjm)
57 Differential checksum computation for change
60 Version 2.1: May, 1997 (cjm)
61 Very minor changes to conform with
62 local/global/function naming conventions
63 within the packet aliasing module.
65 Version 3.1: May, 2000 (eds)
66 Add support for passive mode, alias the 227 replies.
68 See HISTORY file for record of revisions.
75 #include <sys/types.h>
76 #include <netinet/in_systm.h>
77 #include <netinet/in.h>
78 #include <netinet/ip.h>
79 #include <netinet/tcp.h>
81 #include "alias_local.h"
83 #define FTP_CONTROL_PORT_NUMBER 21
84 #define MAX_MESSAGE_SIZE 128
86 /* FTP protocol flags. */
87 #define WAIT_CRLF 0x01
89 enum ftp_message_type {
97 static int ParseFtpPortCommand(char *, int);
98 static int ParseFtpEprtCommand(char *, int);
99 static int ParseFtp227Reply(char *, int);
100 static int ParseFtp229Reply(char *, int);
101 static void NewFtpMessage(struct ip *, struct alias_link *, int, int);
103 static struct in_addr true_addr; /* in network byte order. */
104 static u_short true_port; /* in host byte order. */
108 struct ip *pip, /* IP packet to examine/patch */
109 struct alias_link *link, /* The link to go through (aliased port) */
110 int maxpacketsize /* The maximum size this packet can grow to (including headers) */)
112 int hlen, tlen, dlen, pflags;
115 int ftp_message_type;
117 /* Calculate data length of TCP packet */
118 tc = (struct tcphdr *) ((char *) pip + (pip->ip_hl << 2));
119 hlen = (pip->ip_hl + tc->th_off) << 2;
120 tlen = ntohs(pip->ip_len);
123 /* Place string pointer and beginning of data */
128 * Check that data length is not too long and previous message was
129 * properly terminated with CRLF.
131 pflags = GetProtocolFlags(link);
132 if (dlen <= MAX_MESSAGE_SIZE && !(pflags & WAIT_CRLF)) {
133 ftp_message_type = FTP_UNKNOWN_MESSAGE;
135 if (ntohs(tc->th_dport) == FTP_CONTROL_PORT_NUMBER) {
137 * When aliasing a client, check for the PORT/EPRT command.
139 if (ParseFtpPortCommand(sptr, dlen))
140 ftp_message_type = FTP_PORT_COMMAND;
141 else if (ParseFtpEprtCommand(sptr, dlen))
142 ftp_message_type = FTP_EPRT_COMMAND;
145 * When aliasing a server, check for the 227/229 reply.
147 if (ParseFtp227Reply(sptr, dlen))
148 ftp_message_type = FTP_227_REPLY;
149 else if (ParseFtp229Reply(sptr, dlen)) {
150 ftp_message_type = FTP_229_REPLY;
151 true_addr.s_addr = pip->ip_src.s_addr;
155 if (ftp_message_type != FTP_UNKNOWN_MESSAGE)
156 NewFtpMessage(pip, link, maxpacketsize, ftp_message_type);
159 /* Track the msgs which are CRLF term'd for PORT/PASV FW breach */
161 if (dlen) { /* only if there's data */
162 sptr = (char *) pip; /* start over at beginning */
163 tlen = ntohs(pip->ip_len); /* recalc tlen, pkt may have grown */
164 if (sptr[tlen-2] == '\r' && sptr[tlen-1] == '\n')
165 pflags &= ~WAIT_CRLF;
168 SetProtocolFlags(link, pflags);
173 ParseFtpPortCommand(char *sptr, int dlen)
181 /* Format: "PORT A,D,D,R,PO,RT". */
183 /* Return if data length is too short. */
187 addr = port = octet = 0;
189 for (i = 0; i < dlen; i++) {
192 case -4: if (ch == 'P') state++; else return 0; break;
193 case -3: if (ch == 'O') state++; else return 0; break;
194 case -2: if (ch == 'R') state++; else return 0; break;
195 case -1: if (ch == 'T') state++; else return 0; break;
202 case 1: case 3: case 5: case 7: case 9: case 11:
209 case 2: case 4: case 6: case 8:
211 octet = 10 * octet + ch - '0';
212 else if (ch == ',') {
213 addr = (addr << 8) + octet;
220 octet = 10 * octet + ch - '0';
221 else if (ch == ',' || state == 12) {
222 port = (port << 8) + octet;
231 true_addr.s_addr = htonl(addr);
239 ParseFtpEprtCommand(char *sptr, int dlen)
247 /* Format: "EPRT |1|A.D.D.R|PORT|". */
249 /* Return if data length is too short. */
253 addr = port = octet = 0;
254 delim = '|'; /* XXX gcc -Wuninitialized */
256 for (i = 0; i < dlen; i++) {
260 case -4: if (ch == 'E') state++; else return 0; break;
261 case -3: if (ch == 'P') state++; else return 0; break;
262 case -2: if (ch == 'R') state++; else return 0; break;
263 case -1: if (ch == 'T') state++; else return 0; break;
272 if (ch == '1') /* IPv4 address */
283 case 3: case 5: case 7: case 9:
290 case 4: case 6: case 8: case 10:
292 octet = 10 * octet + ch - '0';
293 else if (ch == '.' || state == 10) {
294 addr = (addr << 8) + octet;
308 port = 10 * port + ch - '0';
309 else if (ch == delim)
318 true_addr.s_addr = htonl(addr);
326 ParseFtp227Reply(char *sptr, int dlen)
334 /* Format: "227 Entering Passive Mode (A,D,D,R,PO,RT)" */
336 /* Return if data length is too short. */
340 addr = port = octet = 0;
343 for (i = 0; i < dlen; i++) {
347 case -3: if (ch == '2') state++; else return 0; break;
348 case -2: if (ch == '2') state++; else return 0; break;
349 case -1: if (ch == '7') state++; else return 0; break;
355 case 1: case 3: case 5: case 7: case 9: case 11:
362 case 2: case 4: case 6: case 8:
364 octet = 10 * octet + ch - '0';
365 else if (ch == ',') {
366 addr = (addr << 8) + octet;
373 octet = 10 * octet + ch - '0';
374 else if (ch == ',' || (state == 12 && ch == ')')) {
375 port = (port << 8) + octet;
385 true_addr.s_addr = htonl(addr);
392 ParseFtp229Reply(char *sptr, int dlen)
398 /* Format: "229 Entering Extended Passive Mode (|||PORT|)" */
400 /* Return if data length is too short. */
405 delim = '|'; /* XXX gcc -Wuninitialized */
408 for (i = 0; i < dlen; i++) {
412 case -3: if (ch == '2') state++; else return 0; break;
413 case -2: if (ch == '2') state++; else return 0; break;
414 case -1: if (ch == '9') state++; else return 0; break;
439 port = 10 * port + ch - '0';
440 else if (ch == delim)
462 NewFtpMessage(struct ip *pip,
463 struct alias_link *link,
465 int ftp_message_type)
467 struct alias_link *ftp_link;
469 /* Security checks. */
470 if (pip->ip_src.s_addr != true_addr.s_addr)
473 if (true_port < IPPORT_RESERVED)
476 /* Establish link to address and port found in FTP control message. */
477 ftp_link = FindUdpTcpOut(true_addr, GetDestAddress(link),
478 htons(true_port), 0, IPPROTO_TCP, 1);
480 if (ftp_link != NULL)
482 int slen, hlen, tlen, dlen;
486 /* Punch hole in firewall */
487 PunchFWHole(ftp_link);
490 /* Calculate data length of TCP packet */
491 tc = (struct tcphdr *) ((char *) pip + (pip->ip_hl << 2));
492 hlen = (pip->ip_hl + tc->th_off) << 2;
493 tlen = ntohs(pip->ip_len);
496 /* Create new FTP message. */
498 char stemp[MAX_MESSAGE_SIZE + 1];
502 int a1, a2, a3, a4, p1, p2;
503 struct in_addr alias_address;
505 /* Decompose alias address into quad format */
506 alias_address = GetAliasAddress(link);
507 ptr = (u_char *) &alias_address.s_addr;
508 a1 = *ptr++; a2=*ptr++; a3=*ptr++; a4=*ptr;
510 alias_port = GetAliasPort(ftp_link);
512 switch (ftp_message_type)
514 case FTP_PORT_COMMAND:
516 /* Decompose alias port into pair format. */
517 ptr = (char *) &alias_port;
518 p1 = *ptr++; p2=*ptr;
520 if (ftp_message_type == FTP_PORT_COMMAND) {
521 /* Generate PORT command string. */
522 sprintf(stemp, "PORT %d,%d,%d,%d,%d,%d\r\n",
525 /* Generate 227 reply string. */
527 "227 Entering Passive Mode (%d,%d,%d,%d,%d,%d)\r\n",
531 case FTP_EPRT_COMMAND:
532 /* Generate EPRT command string. */
533 sprintf(stemp, "EPRT |1|%d.%d.%d.%d|%d|\r\n",
534 a1,a2,a3,a4,ntohs(alias_port));
537 /* Generate 229 reply string. */
538 sprintf(stemp, "229 Entering Extended Passive Mode (|||%d|)\r\n",
543 /* Save string length for IP header modification */
544 slen = strlen(stemp);
546 /* Copy modified buffer into IP packet. */
547 sptr = (char *) pip; sptr += hlen;
548 strncpy(sptr, stemp, maxpacketsize-hlen);
551 /* Save information regarding modified seq and ack numbers */
555 SetAckModified(link);
556 delta = GetDeltaSeqOut(pip, link);
557 AddSeq(pip, link, delta+slen-dlen);
560 /* Revise IP header */
564 new_len = htons(hlen + slen);
565 DifferentialChecksum(&pip->ip_sum,
569 pip->ip_len = new_len;
572 /* Compute TCP checksum for revised packet */
574 tc->th_sum = TcpChecksum(pip);
580 "PacketAlias/HandleFtpOut: Cannot allocate FTP data port\n");