2 * SPDX-License-Identifier: BSD-2-Clause
4 * Copyright (c) 2001 Charles Mott <cm@linktel.net>
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that the following conditions
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in the
14 * documentation and/or other materials provided with the distribution.
16 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
17 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
18 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
19 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
20 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
21 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
22 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
23 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
24 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
25 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
29 #include <sys/cdefs.h>
30 __FBSDID("$FreeBSD$");
33 Alias_ftp.c performs special processing for FTP sessions under
34 TCP. Specifically, when a PORT/EPRT command from the client
35 side or 227/229 reply from the server is sent, it is intercepted
36 and modified. The address is changed to the gateway machine
37 and an aliasing port is used.
39 For this routine to work, the message must fit entirely into a
40 single TCP packet. This is typically the case, but exceptions
41 can easily be envisioned under the actual specifications.
43 Probably the most troubling aspect of the approach taken here is
44 that the new message will typically be a different length, and
45 this causes a certain amount of bookkeeping to keep track of the
46 changes of sequence and acknowledgment numbers, since the client
47 machine is totally unaware of the modification to the TCP stream.
49 References: RFC 959, RFC 2428.
51 Initial version: August, 1996 (cjm)
54 Brian Somers and Martin Renters identified an IP checksum
55 error for modified IP packets.
57 Version 1.7: January 9, 1996 (cjm)
58 Differential checksum computation for change
61 Version 2.1: May, 1997 (cjm)
62 Very minor changes to conform with
63 local/global/function naming conventions
64 within the packet aliasing module.
66 Version 3.1: May, 2000 (eds)
67 Add support for passive mode, alias the 227 replies.
69 See HISTORY file for record of revisions.
74 #include <sys/param.h>
75 #include <sys/ctype.h>
76 #include <sys/systm.h>
77 #include <sys/kernel.h>
78 #include <sys/module.h>
82 #include <sys/types.h>
87 #include <netinet/in_systm.h>
88 #include <netinet/in.h>
89 #include <netinet/ip.h>
90 #include <netinet/tcp.h>
93 #include <netinet/libalias/alias.h>
94 #include <netinet/libalias/alias_local.h>
95 #include <netinet/libalias/alias_mod.h>
97 #include "alias_local.h"
98 #include "alias_mod.h"
101 #define FTP_CONTROL_PORT_NUMBER 21
104 AliasHandleFtpOut(struct libalias *, struct ip *, struct alias_link *,
107 AliasHandleFtpIn(struct libalias *, struct ip *, struct alias_link *);
110 fingerprint_out(struct libalias *la, struct alias_data *ah)
112 if (ah->dport == NULL || ah->sport == NULL || ah->lnk == NULL ||
115 if (ntohs(*ah->dport) == FTP_CONTROL_PORT_NUMBER ||
116 ntohs(*ah->sport) == FTP_CONTROL_PORT_NUMBER)
122 fingerprint_in(struct libalias *la, struct alias_data *ah)
124 if (ah->dport == NULL || ah->sport == NULL || ah->lnk == NULL)
126 if (ntohs(*ah->dport) == FTP_CONTROL_PORT_NUMBER ||
127 ntohs(*ah->sport) == FTP_CONTROL_PORT_NUMBER)
133 protohandler_out(struct libalias *la, struct ip *pip, struct alias_data *ah)
135 AliasHandleFtpOut(la, pip, ah->lnk, ah->maxpktsize);
140 protohandler_in(struct libalias *la, struct ip *pip, struct alias_data *ah)
142 AliasHandleFtpIn(la, pip, ah->lnk);
146 struct proto_handler handlers[] = {
151 .fingerprint = &fingerprint_out,
152 .protohandler = &protohandler_out
158 .fingerprint = &fingerprint_in,
159 .protohandler = &protohandler_in
165 mod_handler(module_t mod, int type, void *data)
172 LibAliasAttachHandlers(handlers);
176 LibAliasDetachHandlers(handlers);
187 moduledata_t alias_mod = {
188 "alias_ftp", mod_handler, NULL
192 DECLARE_MODULE(alias_ftp, alias_mod, SI_SUB_DRIVERS, SI_ORDER_SECOND);
193 MODULE_VERSION(alias_ftp, 1);
194 MODULE_DEPEND(alias_ftp, libalias, 1, 1, 1);
197 #define FTP_CONTROL_PORT_NUMBER 21
198 #define MAX_MESSAGE_SIZE 128
200 /* FTP protocol flags. */
201 #define WAIT_CRLF 0x01
203 enum ftp_message_type {
211 static int ParseFtpPortCommand(struct libalias *la, char *, int);
212 static int ParseFtpEprtCommand(struct libalias *la, char *, int);
213 static int ParseFtp227Reply(struct libalias *la, char *, int);
214 static int ParseFtp229Reply(struct libalias *la, char *, int);
215 static void NewFtpMessage(struct libalias *la, struct ip *, struct alias_link *, int, int);
220 struct ip *pip, /* IP packet to examine/patch */
221 struct alias_link *lnk, /* The link to go through (aliased port) */
222 int maxpacketsize /* The maximum size this packet can grow to
223 (including headers) */ )
225 int hlen, tlen, dlen, pflags;
228 int ftp_message_type;
230 /* Calculate data length of TCP packet */
231 tc = (struct tcphdr *)ip_next(pip);
232 hlen = (pip->ip_hl + tc->th_off) << 2;
233 tlen = ntohs(pip->ip_len);
236 /* Place string pointer and beginning of data */
241 * Check that data length is not too long and previous message was
242 * properly terminated with CRLF.
244 pflags = GetProtocolFlags(lnk);
245 if (dlen <= MAX_MESSAGE_SIZE && !(pflags & WAIT_CRLF)) {
246 ftp_message_type = FTP_UNKNOWN_MESSAGE;
248 if (ntohs(tc->th_dport) == FTP_CONTROL_PORT_NUMBER) {
249 /* When aliasing a client, check for the PORT/EPRT command. */
250 if (ParseFtpPortCommand(la, sptr, dlen))
251 ftp_message_type = FTP_PORT_COMMAND;
252 else if (ParseFtpEprtCommand(la, sptr, dlen))
253 ftp_message_type = FTP_EPRT_COMMAND;
255 /* When aliasing a server, check for the 227/229 reply. */
256 if (ParseFtp227Reply(la, sptr, dlen))
257 ftp_message_type = FTP_227_REPLY;
258 else if (ParseFtp229Reply(la, sptr, dlen)) {
259 ftp_message_type = FTP_229_REPLY;
260 la->true_addr.s_addr = pip->ip_src.s_addr;
264 if (ftp_message_type != FTP_UNKNOWN_MESSAGE)
265 NewFtpMessage(la, pip, lnk, maxpacketsize, ftp_message_type);
268 /* Track the msgs which are CRLF term'd for PORT/PASV FW breach */
269 if (dlen) { /* only if there's data */
270 sptr = (char *)pip; /* start over at beginning */
271 tlen = ntohs(pip->ip_len); /* recalc tlen, pkt may have grown */
272 if (sptr[tlen - 2] == '\r' && sptr[tlen - 1] == '\n')
273 pflags &= ~WAIT_CRLF;
276 SetProtocolFlags(lnk, pflags);
281 AliasHandleFtpIn(struct libalias *la,
282 struct ip *pip, /* IP packet to examine/patch */
283 struct alias_link *lnk) /* The link to go through (aliased port) */
285 int hlen, tlen, dlen, pflags;
289 /* Calculate data length of TCP packet */
290 tc = (struct tcphdr *)ip_next(pip);
291 hlen = (pip->ip_hl + tc->th_off) << 2;
292 tlen = ntohs(pip->ip_len);
295 /* Place string pointer and beginning of data */
300 * Check that data length is not too long and previous message was
301 * properly terminated with CRLF.
303 pflags = GetProtocolFlags(lnk);
304 if (dlen <= MAX_MESSAGE_SIZE && (pflags & WAIT_CRLF) == 0 &&
305 ntohs(tc->th_dport) == FTP_CONTROL_PORT_NUMBER &&
306 (ParseFtpPortCommand(la, sptr, dlen) != 0 ||
307 ParseFtpEprtCommand(la, sptr, dlen) != 0)) {
309 * Alias active mode client requesting data from server
310 * behind NAT. We need to alias server->client connection
311 * to external address client is connecting to.
313 AddLink(la, GetOriginalAddress(lnk), la->true_addr,
314 GetAliasAddress(lnk), htons(FTP_CONTROL_PORT_NUMBER - 1),
315 htons(la->true_port), GET_ALIAS_PORT, IPPROTO_TCP);
317 /* Track the msgs which are CRLF term'd for PORT/PASV FW breach */
319 sptr = (char *)pip; /* start over at beginning */
320 tlen = ntohs(pip->ip_len); /* recalc tlen, pkt may
322 if (sptr[tlen - 2] == '\r' && sptr[tlen - 1] == '\n')
323 pflags &= ~WAIT_CRLF;
326 SetProtocolFlags(lnk, pflags);
331 ParseFtpPortCommand(struct libalias *la, char *sptr, int dlen)
339 /* Format: "PORT A,D,D,R,PO,RT". */
341 /* Return if data length is too short. */
345 if (strncasecmp("PORT ", sptr, 5))
348 addr = port = octet = 0;
350 for (i = 5; i < dlen; i++) {
375 octet = 10 * octet + ch - '0';
376 else if (ch == ',') {
377 addr = (addr << 8) + octet;
385 octet = 10 * octet + ch - '0';
386 else if (ch == ',' || state == 12) {
387 port = (port << 8) + octet;
396 la->true_addr.s_addr = htonl(addr);
397 la->true_port = port;
404 ParseFtpEprtCommand(struct libalias *la, char *sptr, int dlen)
412 /* Format: "EPRT |1|A.D.D.R|PORT|". */
414 /* Return if data length is too short. */
418 if (strncasecmp("EPRT ", sptr, 5))
421 addr = port = octet = 0;
422 delim = '|'; /* XXX gcc -Wuninitialized */
424 for (i = 5; i < dlen; i++) {
434 if (ch == '1') /* IPv4 address */
460 octet = 10 * octet + ch - '0';
461 else if (ch == '.' || state == 10) {
462 addr = (addr << 8) + octet;
476 port = 10 * port + ch - '0';
477 else if (ch == delim)
486 la->true_addr.s_addr = htonl(addr);
487 la->true_port = port;
494 ParseFtp227Reply(struct libalias *la, char *sptr, int dlen)
502 /* Format: "227 Entering Passive Mode (A,D,D,R,PO,RT)" */
504 /* Return if data length is too short. */
508 if (strncmp("227 ", sptr, 4))
511 addr = port = octet = 0;
514 for (i = 4; i < dlen; i++) {
538 octet = 10 * octet + ch - '0';
539 else if (ch == ',') {
540 addr = (addr << 8) + octet;
548 octet = 10 * octet + ch - '0';
549 else if (ch == ',' || (state == 12 && ch == ')')) {
550 port = (port << 8) + octet;
559 la->true_port = port;
560 la->true_addr.s_addr = htonl(addr);
567 ParseFtp229Reply(struct libalias *la, char *sptr, int dlen)
573 /* Format: "229 Entering Extended Passive Mode (|||PORT|)" */
575 /* Return if data length is too short. */
579 if (strncmp("229 ", sptr, 4))
583 delim = '|'; /* XXX gcc -Wuninitialized */
586 for (i = 4; i < dlen; i++) {
613 port = 10 * port + ch - '0';
614 else if (ch == delim)
629 la->true_port = port;
636 NewFtpMessage(struct libalias *la, struct ip *pip,
637 struct alias_link *lnk,
639 int ftp_message_type)
641 struct alias_link *ftp_lnk;
643 /* Security checks. */
644 if (pip->ip_src.s_addr != la->true_addr.s_addr)
647 if (la->true_port < IPPORT_RESERVED)
650 /* Establish link to address and port found in FTP control message. */
651 ftp_lnk = AddLink(la, la->true_addr, GetDestAddress(lnk),
652 GetAliasAddress(lnk), htons(la->true_port), 0, GET_ALIAS_PORT,
655 if (ftp_lnk != NULL) {
656 int slen, hlen, tlen, dlen;
660 /* Punch hole in firewall */
661 PunchFWHole(ftp_lnk);
664 /* Calculate data length of TCP packet */
665 tc = (struct tcphdr *)ip_next(pip);
666 hlen = (pip->ip_hl + tc->th_off) << 2;
667 tlen = ntohs(pip->ip_len);
670 /* Create new FTP message. */
672 char stemp[MAX_MESSAGE_SIZE + 1];
676 int a1, a2, a3, a4, p1, p2;
677 struct in_addr alias_address;
679 /* Decompose alias address into quad format */
680 alias_address = GetAliasAddress(lnk);
681 ptr = (u_char *)&alias_address.s_addr;
687 alias_port = GetAliasPort(ftp_lnk);
689 /* Prepare new command */
690 switch (ftp_message_type) {
691 case FTP_PORT_COMMAND:
693 /* Decompose alias port into pair format. */
694 ptr = (char *)&alias_port;
698 if (ftp_message_type == FTP_PORT_COMMAND) {
699 /* Generate PORT command string. */
700 sprintf(stemp, "PORT %d,%d,%d,%d,%d,%d\r\n",
701 a1, a2, a3, a4, p1, p2);
703 /* Generate 227 reply string. */
705 "227 Entering Passive Mode (%d,%d,%d,%d,%d,%d)\r\n",
706 a1, a2, a3, a4, p1, p2);
709 case FTP_EPRT_COMMAND:
710 /* Generate EPRT command string. */
711 sprintf(stemp, "EPRT |1|%d.%d.%d.%d|%d|\r\n",
712 a1, a2, a3, a4, ntohs(alias_port));
715 /* Generate 229 reply string. */
716 sprintf(stemp, "229 Entering Extended Passive Mode (|||%d|)\r\n",
721 /* Save string length for IP header modification */
722 slen = strlen(stemp);
724 /* Copy modified buffer into IP packet. */
727 strncpy(sptr, stemp, maxpacketsize - hlen);
730 /* Save information regarding modified seq and ack numbers */
735 tc = (struct tcphdr *)ip_next(pip);
736 delta = GetDeltaSeqOut(tc->th_seq, lnk);
737 AddSeq(lnk, delta + slen - dlen, pip->ip_hl,
738 pip->ip_len, tc->th_seq, tc->th_off);
741 /* Revise IP header */
745 new_len = htons(hlen +
746 MIN(slen, maxpacketsize - hlen));
747 DifferentialChecksum(&pip->ip_sum,
751 pip->ip_len = new_len;
754 /* Compute TCP checksum for revised packet */
757 tc->th_x2 = (TH_RES1 >> 8);
759 tc->th_sum = TcpChecksum(pip);
762 #ifdef LIBALIAS_DEBUG
764 "PacketAlias/HandleFtpOut: Cannot allocate FTP data port\n");