patch-2.1.73 linux/net/ipv4/ip_masq_ftp.c

• Lines: 349
• Date: Wed Dec 10 09:45:16 1997
• Orig file: v2.1.72/linux/net/ipv4/ip_masq_ftp.c
• Orig date: Mon Dec 1 12:04:16 1997

diff -u --recursive --new-file v2.1.72/linux/net/ipv4/ip_masq_ftp.c linux/net/ipv4/ip_masq_ftp.c
@@ -2,14 +2,20 @@
  *		IP_MASQ_FTP ftp masquerading module
  *
  *
- * Version:	@(#)ip_masq_ftp.c 0.01   02/05/96
+ * Version:	@(#)ip_masq_ftp.c 0.04   02/05/96
  *
  * Author:	Wouter Gadeyne
- *
+ *		
  *
  * Fixes:
  *	Wouter Gadeyne		:	Fixed masquerading support of ftp PORT commands
  * 	Juan Jose Ciarlante	:	Code moved and adapted from ip_fw.c
+ * 	Keith Owens		:	Add keep alive for ftp control channel
+ *	Nigel Metheringham	:	Added multiple port support
+ * 	Juan Jose Ciarlante	:	Use control_add() for ftp control chan
+ * 	Juan Jose Ciarlante	:	Litl bits for 2.1
+ *	Juan Jose Ciarlante	:	use ip_masq_listen() 
+ *	Juan Jose Ciarlante	: 	use private app_data for own flag(s)
  *
  *
  *
@@ -17,7 +23,18 @@
  *	modify it under the terms of the GNU General Public License
  *	as published by the Free Software Foundation; either version
  *	2 of the License, or (at your option) any later version.
- *
+ *	
+ * Multiple Port Support
+ *	The helper can be made to handle up to MAX_MASQ_APP_PORTS (normally 12)
+ *	with the port numbers being defined at module load time.  The module
+ *	uses the symbol "ports" to define a list of monitored ports, which can
+ *	be specified on the insmod command line as
+ *		ports=x1,x2,x3...
+ *	where x[n] are integer port numbers.  This option can be put into
+ *	/etc/conf.modules (or /etc/modules.conf depending on your config)
+ *	where modload will pick it up should you use modload to load your
+ *	modules.
+ *	
  */
 
 #include <linux/config.h>
@@ -31,9 +48,28 @@
 #include <linux/init.h>
 #include <net/protocol.h>
 #include <net/tcp.h>
+
+/* #define IP_MASQ_NDEBUG */
 #include <net/ip_masq.h>
 
-#define DEBUG_CONFIG_IP_MASQ_FTP 0
+
+/* 
+ * List of ports (up to MAX_MASQ_APP_PORTS) to be handled by helper
+ * First port is set to the default port.
+ */
+static int ports[MAX_MASQ_APP_PORTS] = {21}; /* I rely on the trailing items being set to zero */
+struct ip_masq_app *masq_incarnations[MAX_MASQ_APP_PORTS];
+
+/*
+ *	Debug level
+ */
+static int debug=0;
+
+MODULE_PARM(ports, "1-" __MODULE_STRING(MAX_MASQ_APP_PORTS) "i");
+MODULE_PARM(debug, "i");
+
+/*	Dummy variable */
+static int masq_ftp_pasv;
 
 static int
 masq_ftp_init_1 (struct ip_masq_app *mapp, struct ip_masq *ms)
@@ -70,6 +106,8 @@
         data = (char *)&th[1];
 
         data_limit = skb->h.raw + skb->len - 18;
+        if (skb->len >= 6 && (memcmp(data, "PASV\r\n", 6) == 0 || memcmp(data, "pasv\r\n", 6) == 0))
+		ms->app_data = &masq_ftp_pasv;
 
 	while (data < data_limit)
 	{
@@ -100,39 +138,30 @@
 
 		from = (p1<<24) | (p2<<16) | (p3<<8) | p4;
 		port = (p5<<8) | p6;
-#if DEBUG_CONFIG_IP_MASQ_FTP
-		printk("PORT %X:%X detected\n",from,port);
-#endif
+
+		IP_MASQ_DEBUG(1-debug, "PORT %X:%X detected\n",from,port);
+
 		/*
 		 * Now update or create an masquerade entry for it
 		 */
-#if DEBUG_CONFIG_IP_MASQ_FTP
-		printk("protocol %d %lX:%X %X:%X\n", iph->protocol, htonl(from), htons(port), iph->daddr, 0);
 
-#endif
-		n_ms = ip_masq_out_get_2(iph->protocol,
+		IP_MASQ_DEBUG(1-debug, "protocol %d %lX:%X %X:%X\n", iph->protocol, htonl(from), htons(port), iph->daddr, 0);
+
+		n_ms = ip_masq_out_get(iph->protocol,
 					 htonl(from), htons(port),
 					 iph->daddr, 0);
-		if (n_ms) {
-			/* existing masquerade, clear timer */
-			ip_masq_set_expire(n_ms,0);
-		}
-		else {
-			n_ms = ip_masq_new(maddr, IPPROTO_TCP,
+		if (!n_ms) {
+			n_ms = ip_masq_new(IPPROTO_TCP,
+					   maddr, 0,
 					   htonl(from), htons(port),
 					   iph->daddr, 0,
 					   IP_MASQ_F_NO_DPORT);
 
 			if (n_ms==NULL)
 				return 0;
+			ip_masq_control_add(n_ms, ms);
 		}
 
-                /*
-                 * keep for a bit longer than tcp_fin, caller may not reissue
-                 * PORT before tcp_fin_timeout.
-                 */
-                ip_masq_set_expire(n_ms, ip_masq_expire->tcp_fin_timeout*3);
-
 		/*
 		 * Replace the old PORT with the new one
 		 */
@@ -142,30 +171,34 @@
 			from>>24&255,from>>16&255,from>>8&255,from&255,
 			port>>8&255,port&255);
 		buf_len = strlen(buf);
-#if DEBUG_CONFIG_IP_MASQ_FTP
-		printk("new PORT %X:%X\n",from,port);
-#endif
+
+		IP_MASQ_DEBUG(1-debug, "new PORT %X:%X\n",from,port);
 
 		/*
 		 * Calculate required delta-offset to keep TCP happy
 		 */
-
+		
 		diff = buf_len - (data-p);
-
+		
 		/*
 		 *	No shift.
 		 */
-
-		if (diff==0)
-		{
+		
+		if (diff==0) {
 			/*
 			 * simple case, just replace the old PORT cmd
  			 */
  			memcpy(p,buf,buf_len);
- 			return 0;
- 		}
+ 		} else {
+
+			*skb_p = ip_masq_skb_replace(skb, GFP_ATOMIC, p, data-p, buf, buf_len);
+		}
+                /*
+                 * 	Move tunnel to listen state
+                 */
+		ip_masq_listen(n_ms);
+		ip_masq_put(n_ms);
 
-                *skb_p = ip_masq_skb_replace(skb, GFP_ATOMIC, p, data-p, buf, buf_len);
                 return diff;
 
 	}
@@ -173,6 +206,108 @@
 
 }
 
+/*
+ * Look at incoming ftp packets to catch the response to a PASV command.  When
+ * we see one we build a masquerading entry for the client address, client port
+ * 0 (unknown at the moment), the server address and the server port.  Mark the
+ * current masquerade entry as a control channel and point the new entry at the
+ * control entry.  All this work just for ftp keepalive across masquerading.
+ *
+ * The incoming packet should be something like
+ * "227 Entering Passive Mode (xxx,xxx,xxx,xxx,ppp,ppp)".
+ * xxx,xxx,xxx,xxx is the server address, ppp,ppp is the server port number.
+ * ncftp 2.3.0 cheats by skipping the leading number then going 22 bytes into
+ * the data so we do the same.  If it's good enough for ncftp then it's good
+ * enough for me.
+ *
+ * In this case, the client is the source machine being masqueraded, the server
+ * is the destination for ftp requests.  It all depends on your point of view ...
+ */
+
+int
+masq_ftp_in (struct ip_masq_app *mapp, struct ip_masq *ms, struct sk_buff **skb_p, __u32 maddr)
+{
+	struct sk_buff *skb;
+	struct iphdr *iph;
+	struct tcphdr *th;
+	char *data, *data_limit;
+	unsigned char p1,p2,p3,p4,p5,p6;
+	__u32 to;
+	__u16 port;
+	struct ip_masq *n_ms;
+
+	if (ms->app_data != &masq_ftp_pasv)
+		return 0;	/* quick exit if no outstanding PASV */
+
+	skb = *skb_p;
+	iph = skb->nh.iph;
+	th = (struct tcphdr *)&(((char *)iph)[iph->ihl*4]);
+	data = (char *)&th[1];
+	data_limit = skb->h.raw + skb->len;
+
+	while (data < data_limit && *data != ' ')
+		++data;	
+	while (data < data_limit && *data == ' ')
+		++data;	
+	data += 22;
+	if (data >= data_limit || *data != '(')
+		return 0;
+	p1 = simple_strtoul(data+1, &data, 10);
+	if (data >= data_limit || *data != ',')
+		return 0;
+	p2 = simple_strtoul(data+1, &data, 10);
+	if (data >= data_limit || *data != ',')
+		return 0;
+	p3 = simple_strtoul(data+1, &data, 10);
+	if (data >= data_limit || *data != ',')
+		return 0;
+	p4 = simple_strtoul(data+1, &data, 10);
+	if (data >= data_limit || *data != ',')
+		return 0;
+	p5 = simple_strtoul(data+1, &data, 10);
+	if (data >= data_limit || *data != ',')
+		return 0;
+	p6 = simple_strtoul(data+1, &data, 10);
+	if (data >= data_limit || *data != ')')
+		return 0;
+
+	to = (p1<<24) | (p2<<16) | (p3<<8) | p4;
+	port = (p5<<8) | p6;
+
+	/*
+	 * Now update or create an masquerade entry for it
+	 */
+	IP_MASQ_DEBUG(1-debug, "PASV response %lX:%X %X:%X detected\n", ntohl(ms->saddr), 0, to, port);
+
+	n_ms = ip_masq_out_get(iph->protocol,
+				 ms->saddr, 0,
+				 htonl(to), htons(port));
+	if (!n_ms) {
+		n_ms = ip_masq_new(IPPROTO_TCP,
+					maddr, 0,
+					ms->saddr, 0,
+					htonl(to), htons(port),
+					IP_MASQ_F_NO_SPORT);
+
+		if (n_ms==NULL)
+			return 0;
+		ip_masq_control_add(n_ms, ms);
+	}
+
+#if 0	/* v0.12 state processing */
+
+	/*
+	 * keep for a bit longer than tcp_fin, client may not issue open
+	 * to server port before tcp_fin_timeout.
+	 */
+	n_ms->timeout = ip_masq_expire->tcp_fin_timeout*3;
+#endif
+	ms->app_data = NULL;
+	ip_masq_put(n_ms);
+
+	return 0;	/* no diff required for incoming packets, thank goodness */
+}
+
 struct ip_masq_app ip_masq_ftp = {
         NULL,			/* next */
 	"ftp",			/* name */
@@ -181,7 +316,7 @@
         masq_ftp_init_1,        /* ip_masq_init_1 */
         masq_ftp_done_1,        /* ip_masq_done_1 */
         masq_ftp_out,           /* pkt_out */
-        NULL                    /* pkt_in */
+        masq_ftp_in,            /* pkt_in */
 };
 
 /*
@@ -190,7 +325,27 @@
 
 __initfunc(int ip_masq_ftp_init(void))
 {
-        return register_ip_masq_app(&ip_masq_ftp, IPPROTO_TCP, 21);
+	int i, j;
+
+	for (i=0; (i<MAX_MASQ_APP_PORTS); i++) {
+		if (ports[i]) {
+			if ((masq_incarnations[i] = kmalloc(sizeof(struct ip_masq_app),
+							    GFP_KERNEL)) == NULL)
+				return -ENOMEM;
+			memcpy(masq_incarnations[i], &ip_masq_ftp, sizeof(struct ip_masq_app));
+			if ((j = register_ip_masq_app(masq_incarnations[i], 
+						      IPPROTO_TCP, 
+						      ports[i]))) {
+				return j;
+			}
+			IP_MASQ_DEBUG(1-debug, "Ftp: loaded support on port[%d] = %d\n",
+			       i, ports[i]);
+		} else {
+			/* To be safe, force the incarnation table entry to NULL */
+			masq_incarnations[i] = NULL;
+		}
+	}
+	return 0;
 }
 
 /*
@@ -199,7 +354,22 @@
 
 int ip_masq_ftp_done(void)
 {
-        return unregister_ip_masq_app(&ip_masq_ftp);
+	int i, j, k;
+
+	k=0;
+	for (i=0; (i<MAX_MASQ_APP_PORTS); i++) {
+		if (masq_incarnations[i]) {
+			if ((j = unregister_ip_masq_app(masq_incarnations[i]))) {
+				k = j;
+			} else {
+				kfree(masq_incarnations[i]);
+				masq_incarnations[i] = NULL;
+				IP_MASQ_DEBUG(1-debug, "Ftp: unloaded support on port[%d] = %d\n",
+				       i, ports[i]);
+			}
+		}
+	}
+	return k;
 }
 
 #ifdef MODULE