1 /* FTP extension for connection tracking. */
3 /* (C) 1999-2001 Paul `Rusty' Russell
4 * (C) 2002-2004 Netfilter Core Team <coreteam@netfilter.org>
5 * (C) 2003,2004 USAGI/WIDE Project <http://www.linux-ipv6.org>
7 * This program is free software; you can redistribute it and/or modify
8 * it under the terms of the GNU General Public License version 2 as
9 * published by the Free Software Foundation.
11 * 16 Dec 2003: Yasuyuki Kozakai @USAGI <yasuyuki.kozakai@toshiba.co.jp>
12 * - enable working with Layer 3 protocol independent connection tracking.
13 * - track EPRT and EPSV commands with IPv6 address.
15 * Derived from net/ipv4/netfilter/ip_conntrack_ftp.c
18 #include <linux/config.h>
19 #include <linux/module.h>
20 #include <linux/moduleparam.h>
21 #include <linux/netfilter.h>
23 #include <linux/ipv6.h>
24 #include <linux/ctype.h>
25 #include <net/checksum.h>
28 #include <net/netfilter/nf_conntrack.h>
29 #include <net/netfilter/nf_conntrack_helper.h>
30 #include <linux/netfilter/nf_conntrack_ftp.h>
32 MODULE_LICENSE("GPL");
33 MODULE_AUTHOR("Rusty Russell <rusty@rustcorp.com.au>");
34 MODULE_DESCRIPTION("ftp connection tracking helper");
36 /* This is slow, but it's simple. --RR */
37 static char *ftp_buffer;
39 static DEFINE_SPINLOCK(nf_ftp_lock);
42 static u_int16_t ports[MAX_PORTS];
43 static unsigned int ports_c;
44 module_param_array(ports, ushort, &ports_c, 0400);
47 module_param(loose, int, 0600);
49 unsigned int (*nf_nat_ftp_hook)(struct sk_buff **pskb,
50 enum ip_conntrack_info ctinfo,
51 enum ip_ct_ftp_type type,
52 unsigned int matchoff,
53 unsigned int matchlen,
54 struct nf_conntrack_expect *exp,
56 EXPORT_SYMBOL_GPL(nf_nat_ftp_hook);
61 #define DEBUGP(format, args...)
64 static int try_rfc959(const char *, size_t, struct nf_conntrack_man *, char);
65 static int try_eprt(const char *, size_t, struct nf_conntrack_man *, char);
66 static int try_epsv_response(const char *, size_t, struct nf_conntrack_man *,
69 static struct ftp_search {
70 enum ip_conntrack_dir dir;
75 enum ip_ct_ftp_type ftptype;
76 int (*getnum)(const char *, size_t, struct nf_conntrack_man *, char);
80 "PORT", sizeof("PORT") - 1, ' ', '\r',
86 "227 ", sizeof("227 ") - 1, '(', ')',
92 "EPRT", sizeof("EPRT") - 1, ' ', '\r',
98 "229 ", sizeof("229 ") - 1, '(', ')',
104 /* This code is based on inet_pton() in glibc-2.2.4 */
106 get_ipv6_addr(const char *src, size_t dlen, struct in6_addr *dst, u_int8_t term)
108 static const char xdigits[] = "0123456789abcdef";
109 u_int8_t tmp[16], *tp, *endp, *colonp;
114 tp = memset(tmp, '\0', sizeof(tmp));
115 endp = tp + sizeof(tmp);
118 /* Leading :: requires some special handling. */
121 DEBUGP("invalid \":\" at the head of addr\n");
129 while ((clen < dlen) && (*src != term)) {
132 ch = tolower(*src++);
135 pch = strchr(xdigits, ch);
138 val |= (pch - xdigits);
146 DEBUGP("get_ipv6_addr: invalid char. \'%c\'\n", ch);
152 DEBUGP("invalid location of \"::\".\n");
157 } else if (*src == term) {
158 DEBUGP("trancated IPv6 addr\n");
164 *tp++ = (u_int8_t) (val >> 8) & 0xff;
165 *tp++ = (u_int8_t) val & 0xff;
174 *tp++ = (u_int8_t) (val >> 8) & 0xff;
175 *tp++ = (u_int8_t) val & 0xff;
177 if (colonp != NULL) {
179 * Since some memmove()'s erroneously fail to handle
180 * overlapping regions, we'll do the shift by hand.
182 const int n = tp - colonp;
188 for (i = 1; i <= n; i++) {
189 endp[- i] = colonp[n - i];
194 if (tp != endp || (*src != term))
197 memcpy(dst->s6_addr, tmp, sizeof(dst->s6_addr));
201 static int try_number(const char *data, size_t dlen, u_int32_t array[],
202 int array_size, char sep, char term)
206 memset(array, 0, sizeof(array[0])*array_size);
208 /* Keep data pointing at next char. */
209 for (i = 0, len = 0; len < dlen && i < array_size; len++, data++) {
210 if (*data >= '0' && *data <= '9') {
211 array[i] = array[i]*10 + *data - '0';
213 else if (*data == sep)
216 /* Unexpected character; true if it's the
217 terminator and we're finished. */
218 if (*data == term && i == array_size - 1)
221 DEBUGP("Char %u (got %u nums) `%u' unexpected\n",
226 DEBUGP("Failed to fill %u numbers separated by %c\n", array_size, sep);
231 /* Returns 0, or length of numbers: 192,168,1,1,5,6 */
232 static int try_rfc959(const char *data, size_t dlen,
233 struct nf_conntrack_man *cmd, char term)
238 length = try_number(data, dlen, array, 6, ',', term);
242 cmd->u3.ip = htonl((array[0] << 24) | (array[1] << 16) |
243 (array[2] << 8) | array[3]);
244 cmd->u.tcp.port = htons((array[4] << 8) | array[5]);
248 /* Grab port: number up to delimiter */
249 static int get_port(const char *data, int start, size_t dlen, char delim,
252 u_int16_t tmp_port = 0;
255 for (i = start; i < dlen; i++) {
257 if (data[i] == delim) {
260 *port = htons(tmp_port);
261 DEBUGP("get_port: return %d\n", tmp_port);
264 else if (data[i] >= '0' && data[i] <= '9')
265 tmp_port = tmp_port*10 + data[i] - '0';
266 else { /* Some other crap */
267 DEBUGP("get_port: invalid char.\n");
274 /* Returns 0, or length of numbers: |1|132.235.1.2|6275| or |2|3ffe::1|6275| */
275 static int try_eprt(const char *data, size_t dlen, struct nf_conntrack_man *cmd,
281 /* First character is delimiter, then "1" for IPv4 or "2" for IPv6,
282 then delimiter again. */
284 DEBUGP("EPRT: too short\n");
288 if (isdigit(delim) || delim < 33 || delim > 126 || data[2] != delim) {
289 DEBUGP("try_eprt: invalid delimitter.\n");
293 if ((cmd->l3num == PF_INET && data[1] != '1') ||
294 (cmd->l3num == PF_INET6 && data[1] != '2')) {
295 DEBUGP("EPRT: invalid protocol number.\n");
299 DEBUGP("EPRT: Got %c%c%c\n", delim, data[1], delim);
301 if (data[1] == '1') {
304 /* Now we have IP address. */
305 length = try_number(data + 3, dlen - 3, array, 4, '.', delim);
307 cmd->u3.ip = htonl((array[0] << 24) | (array[1] << 16)
308 | (array[2] << 8) | array[3]);
310 /* Now we have IPv6 address. */
311 length = get_ipv6_addr(data + 3, dlen - 3,
312 (struct in6_addr *)cmd->u3.ip6, delim);
317 DEBUGP("EPRT: Got IP address!\n");
318 /* Start offset includes initial "|1|", and trailing delimiter */
319 return get_port(data, 3 + length + 1, dlen, delim, &cmd->u.tcp.port);
322 /* Returns 0, or length of numbers: |||6446| */
323 static int try_epsv_response(const char *data, size_t dlen,
324 struct nf_conntrack_man *cmd, char term)
328 /* Three delimiters. */
329 if (dlen <= 3) return 0;
331 if (isdigit(delim) || delim < 33 || delim > 126
332 || data[1] != delim || data[2] != delim)
335 return get_port(data, 3, dlen, delim, &cmd->u.tcp.port);
338 /* Return 1 for match, 0 for accept, -1 for partial. */
339 static int find_pattern(const char *data, size_t dlen,
340 const char *pattern, size_t plen,
341 char skip, char term,
342 unsigned int *numoff,
343 unsigned int *numlen,
344 struct nf_conntrack_man *cmd,
345 int (*getnum)(const char *, size_t,
346 struct nf_conntrack_man *, char))
350 DEBUGP("find_pattern `%s': dlen = %u\n", pattern, dlen);
355 /* Short packet: try for partial? */
356 if (strnicmp(data, pattern, dlen) == 0)
361 if (strnicmp(data, pattern, plen) != 0) {
365 DEBUGP("ftp: string mismatch\n");
366 for (i = 0; i < plen; i++) {
367 DEBUGP("ftp:char %u `%c'(%u) vs `%c'(%u)\n",
369 pattern[i], pattern[i]);
375 DEBUGP("Pattern matches!\n");
376 /* Now we've found the constant string, try to skip
377 to the 'skip' character */
378 for (i = plen; data[i] != skip; i++)
379 if (i == dlen - 1) return -1;
381 /* Skip over the last character */
384 DEBUGP("Skipped up to `%c'!\n", skip);
387 *numlen = getnum(data + i, dlen - i, cmd, term);
391 DEBUGP("Match succeeded!\n");
395 /* Look up to see if we're just after a \n. */
396 static int find_nl_seq(u32 seq, const struct ip_ct_ftp_master *info, int dir)
400 for (i = 0; i < info->seq_aft_nl_num[dir]; i++)
401 if (info->seq_aft_nl[dir][i] == seq)
406 /* We don't update if it's older than what we have. */
407 static void update_nl_seq(u32 nl_seq, struct ip_ct_ftp_master *info, int dir,
410 unsigned int i, oldest = NUM_SEQ_TO_REMEMBER;
412 /* Look for oldest: if we find exact match, we're done. */
413 for (i = 0; i < info->seq_aft_nl_num[dir]; i++) {
414 if (info->seq_aft_nl[dir][i] == nl_seq)
417 if (oldest == info->seq_aft_nl_num[dir]
418 || before(info->seq_aft_nl[dir][i], oldest))
422 if (info->seq_aft_nl_num[dir] < NUM_SEQ_TO_REMEMBER) {
423 info->seq_aft_nl[dir][info->seq_aft_nl_num[dir]++] = nl_seq;
424 nf_conntrack_event_cache(IPCT_HELPINFO_VOLATILE, skb);
425 } else if (oldest != NUM_SEQ_TO_REMEMBER) {
426 info->seq_aft_nl[dir][oldest] = nl_seq;
427 nf_conntrack_event_cache(IPCT_HELPINFO_VOLATILE, skb);
431 static int help(struct sk_buff **pskb,
432 unsigned int protoff,
434 enum ip_conntrack_info ctinfo)
436 unsigned int dataoff, datalen;
437 struct tcphdr _tcph, *th;
441 int dir = CTINFO2DIR(ctinfo);
442 unsigned int matchlen, matchoff;
443 struct ip_ct_ftp_master *ct_ftp_info = &ct->help->ct_ftp_info;
444 struct nf_conntrack_expect *exp;
445 struct nf_conntrack_man cmd = {};
448 int found = 0, ends_in_nl;
450 /* Until there's been traffic both ways, don't look in packets. */
451 if (ctinfo != IP_CT_ESTABLISHED
452 && ctinfo != IP_CT_ESTABLISHED+IP_CT_IS_REPLY) {
453 DEBUGP("ftp: Conntrackinfo = %u\n", ctinfo);
457 th = skb_header_pointer(*pskb, protoff, sizeof(_tcph), &_tcph);
461 dataoff = protoff + th->doff * 4;
463 if (dataoff >= (*pskb)->len) {
464 DEBUGP("ftp: dataoff(%u) >= skblen(%u)\n", dataoff,
468 datalen = (*pskb)->len - dataoff;
470 spin_lock_bh(&nf_ftp_lock);
471 fb_ptr = skb_header_pointer(*pskb, dataoff, datalen, ftp_buffer);
472 BUG_ON(fb_ptr == NULL);
474 ends_in_nl = (fb_ptr[datalen - 1] == '\n');
475 seq = ntohl(th->seq) + datalen;
477 /* Look up to see if we're just after a \n. */
478 if (!find_nl_seq(ntohl(th->seq), ct_ftp_info, dir)) {
479 /* Now if this ends in \n, update ftp info. */
480 DEBUGP("nf_conntrack_ftp_help: wrong seq pos %s(%u) or %s(%u)\n",
481 ct_ftp_info->seq_aft_nl_num[dir] > 0 ? "" : "(UNSET)",
482 ct_ftp_info->seq_aft_nl[dir][0],
483 ct_ftp_info->seq_aft_nl_num[dir] > 1 ? "" : "(UNSET)",
484 ct_ftp_info->seq_aft_nl[dir][1]);
489 /* Initialize IP/IPv6 addr to expected address (it's not mentioned
490 in EPSV responses) */
491 cmd.l3num = ct->tuplehash[dir].tuple.src.l3num;
492 memcpy(cmd.u3.all, &ct->tuplehash[dir].tuple.src.u3.all,
495 for (i = 0; i < ARRAY_SIZE(search); i++) {
496 if (search[i].dir != dir) continue;
498 found = find_pattern(fb_ptr, datalen,
503 &matchoff, &matchlen,
509 /* We don't usually drop packets. After all, this is
510 connection tracking, not packet filtering.
511 However, it is necessary for accurate tracking in
514 printk("conntrack_ftp: partial %s %u+%u\n",
516 ntohl(th->seq), datalen);
519 } else if (found == 0) { /* No match */
524 DEBUGP("conntrack_ftp: match `%.*s' (%u bytes at %u)\n",
525 (int)matchlen, fb_ptr + matchoff,
526 matchlen, ntohl(th->seq) + matchoff);
528 exp = nf_conntrack_expect_alloc(ct);
534 /* We refer to the reverse direction ("!dir") tuples here,
535 * because we're expecting something in the other direction.
536 * Doesn't matter unless NAT is happening. */
537 exp->tuple.dst.u3 = ct->tuplehash[!dir].tuple.dst.u3;
539 /* Update the ftp info */
540 if ((cmd.l3num == ct->tuplehash[dir].tuple.src.l3num) &&
541 memcmp(&cmd.u3.all, &ct->tuplehash[dir].tuple.src.u3.all,
542 sizeof(cmd.u3.all))) {
543 /* Enrico Scholz's passive FTP to partially RNAT'd ftp
544 server: it really wants us to connect to a
545 different IP address. Simply don't record it for
547 if (cmd.l3num == PF_INET) {
548 DEBUGP("conntrack_ftp: NOT RECORDING: %u,%u,%u,%u != %u.%u.%u.%u\n",
550 NIPQUAD(ct->tuplehash[dir].tuple.src.u3.ip));
552 DEBUGP("conntrack_ftp: NOT RECORDING: %x:%x:%x:%x:%x:%x:%x:%x != %x:%x:%x:%x:%x:%x:%x:%x\n",
553 NIP6(*((struct in6_addr *)cmd.u3.ip6)),
554 NIP6(*((struct in6_addr *)ct->tuplehash[dir]
555 .tuple.src.u3.ip6)));
558 /* Thanks to Cristiano Lincoln Mattos
559 <lincoln@cesar.org.br> for reporting this potential
560 problem (DMZ machines opening holes to internal
561 networks, or the packet filter itself). */
566 memcpy(&exp->tuple.dst.u3, &cmd.u3.all,
567 sizeof(exp->tuple.dst.u3));
570 exp->tuple.src.u3 = ct->tuplehash[!dir].tuple.src.u3;
571 exp->tuple.src.l3num = cmd.l3num;
572 exp->tuple.src.u.tcp.port = 0;
573 exp->tuple.dst.u.tcp.port = cmd.u.tcp.port;
574 exp->tuple.dst.protonum = IPPROTO_TCP;
576 exp->mask = (struct nf_conntrack_tuple)
577 { .src = { .l3num = 0xFFFF,
578 .u = { .tcp = { 0 }},
580 .dst = { .protonum = 0xFF,
581 .u = { .tcp = { 0xFFFF }},
584 if (cmd.l3num == PF_INET) {
585 exp->mask.src.u3.ip = 0xFFFFFFFF;
586 exp->mask.dst.u3.ip = 0xFFFFFFFF;
588 memset(exp->mask.src.u3.ip6, 0xFF,
589 sizeof(exp->mask.src.u3.ip6));
590 memset(exp->mask.dst.u3.ip6, 0xFF,
591 sizeof(exp->mask.src.u3.ip6));
594 exp->expectfn = NULL;
597 /* Now, NAT might want to mangle the packet, and register the
598 * (possibly changed) expectation itself. */
600 ret = nf_nat_ftp_hook(pskb, ctinfo, search[i].ftptype,
601 matchoff, matchlen, exp, &seq);
603 /* Can't expect this? Best to drop packet now. */
604 if (nf_conntrack_expect_related(exp) != 0)
611 nf_conntrack_expect_put(exp);
614 /* Now if this ends in \n, update ftp info. Seq may have been
615 * adjusted by NAT code. */
617 update_nl_seq(seq, ct_ftp_info, dir, *pskb);
619 spin_unlock_bh(&nf_ftp_lock);
623 static struct nf_conntrack_helper ftp[MAX_PORTS][2];
624 static char ftp_names[MAX_PORTS][2][sizeof("ftp-65535")];
626 /* don't make this __exit, since it's called from __init ! */
627 static void fini(void)
630 for (i = 0; i < ports_c; i++) {
631 for (j = 0; j < 2; j++) {
632 if (ftp[i][j].me == NULL)
635 DEBUGP("nf_ct_ftp: unregistering helper for pf: %d "
637 ftp[i][j].tuple.src.l3num, ports[i]);
638 nf_conntrack_helper_unregister(&ftp[i][j]);
645 static int __init init(void)
647 int i, j = -1, ret = 0;
650 ftp_buffer = kmalloc(65536, GFP_KERNEL);
655 ports[ports_c++] = FTP_PORT;
657 /* FIXME should be configurable whether IPv4 and IPv6 FTP connections
658 are tracked or not - YK */
659 for (i = 0; i < ports_c; i++) {
660 memset(&ftp[i], 0, sizeof(struct nf_conntrack_helper));
662 ftp[i][0].tuple.src.l3num = PF_INET;
663 ftp[i][1].tuple.src.l3num = PF_INET6;
664 for (j = 0; j < 2; j++) {
665 ftp[i][j].tuple.src.u.tcp.port = htons(ports[i]);
666 ftp[i][j].tuple.dst.protonum = IPPROTO_TCP;
667 ftp[i][j].mask.src.u.tcp.port = 0xFFFF;
668 ftp[i][j].mask.dst.protonum = 0xFF;
669 ftp[i][j].max_expected = 1;
670 ftp[i][j].timeout = 5 * 60; /* 5 Minutes */
671 ftp[i][j].me = THIS_MODULE;
672 ftp[i][j].help = help;
673 tmpname = &ftp_names[i][j][0];
674 if (ports[i] == FTP_PORT)
675 sprintf(tmpname, "ftp");
677 sprintf(tmpname, "ftp-%d", ports[i]);
678 ftp[i][j].name = tmpname;
680 DEBUGP("nf_ct_ftp: registering helper for pf: %d "
682 ftp[i][j].tuple.src.l3num, ports[i]);
683 ret = nf_conntrack_helper_register(&ftp[i][j]);
685 printk("nf_ct_ftp: failed to register helper "
686 " for pf: %d port: %d\n",
687 ftp[i][j].tuple.src.l3num, ports[i]);