diff --git a/sys/contrib/ipfilter/netinet/ip_ftp_pxy.c b/sys/contrib/ipfilter/netinet/ip_ftp_pxy.c index 5d8f9f1f51f7..c4ee0ef593df 100644 --- a/sys/contrib/ipfilter/netinet/ip_ftp_pxy.c +++ b/sys/contrib/ipfilter/netinet/ip_ftp_pxy.c @@ -1,2182 +1,2178 @@ /* $FreeBSD$ */ /* * Copyright (C) 2012 by Darren Reed. * * See the IPFILTER.LICENCE file for details on licencing. * * Simple FTP transparent proxy for in-kernel use. For use with the NAT * code. * * $FreeBSD$ * Id: ip_ftp_pxy.c,v 2.88.2.19 2006/04/01 10:14:53 darrenr Exp $ */ #define IPF_FTP_PROXY #define IPF_MINPORTLEN 18 #define IPF_MINEPRTLEN 20 #define IPF_MAXPORTLEN 30 #define IPF_MIN227LEN 39 #define IPF_MAX227LEN 51 #define IPF_MIN229LEN 47 #define IPF_MAX229LEN 51 #define FTPXY_GO 0 #define FTPXY_INIT 1 #define FTPXY_USER_1 2 #define FTPXY_USOK_1 3 #define FTPXY_PASS_1 4 #define FTPXY_PAOK_1 5 #define FTPXY_AUTH_1 6 #define FTPXY_AUOK_1 7 #define FTPXY_ADAT_1 8 #define FTPXY_ADOK_1 9 #define FTPXY_ACCT_1 10 #define FTPXY_ACOK_1 11 #define FTPXY_USER_2 12 #define FTPXY_USOK_2 13 #define FTPXY_PASS_2 14 #define FTPXY_PAOK_2 15 #define FTPXY_JUNK_OK 0 #define FTPXY_JUNK_BAD 1 /* Ignore all commands for this connection */ #define FTPXY_JUNK_EOL 2 /* consume the rest of this line only */ #define FTPXY_JUNK_CONT 3 /* Saerching for next numeric */ /* * Values for FTP commands. Numerics cover 0-999 */ #define FTPXY_C_PASV 1000 #define FTPXY_C_PORT 1001 #define FTPXY_C_EPSV 1002 #define FTPXY_C_EPRT 1003 typedef struct ipf_ftp_softc_s { int ipf_p_ftp_pasvonly; /* Do not require logins before transfers */ int ipf_p_ftp_insecure; int ipf_p_ftp_pasvrdr; /* PASV must be last command prior to 227 */ int ipf_p_ftp_forcepasv; int ipf_p_ftp_debug; int ipf_p_ftp_single_xfer; void *ipf_p_ftp_tune; } ipf_ftp_softc_t; void ipf_p_ftp_main_load(void); void ipf_p_ftp_main_unload(void); void *ipf_p_ftp_soft_create(ipf_main_softc_t *); void ipf_p_ftp_soft_destroy(ipf_main_softc_t *, void *); int ipf_p_ftp_client(ipf_ftp_softc_t *, fr_info_t *, ip_t *, nat_t *, ftpinfo_t *, int); int ipf_p_ftp_complete(char *, size_t); int ipf_p_ftp_in(void *, fr_info_t *, ap_session_t *, nat_t *); int ipf_p_ftp_new(void *, fr_info_t *, ap_session_t *, nat_t *); void ipf_p_ftp_del(ipf_main_softc_t *, ap_session_t *); int ipf_p_ftp_out(void *, fr_info_t *, ap_session_t *, nat_t *); int ipf_p_ftp_pasv(ipf_ftp_softc_t *, fr_info_t *, ip_t *, nat_t *, ftpinfo_t *, int); int ipf_p_ftp_epsv(ipf_ftp_softc_t *, fr_info_t *, ip_t *, nat_t *, ftpinfo_t *, int); int ipf_p_ftp_port(ipf_ftp_softc_t *, fr_info_t *, ip_t *, nat_t *, ftpinfo_t *, int); int ipf_p_ftp_process(ipf_ftp_softc_t *, fr_info_t *, nat_t *, ftpinfo_t *, int); int ipf_p_ftp_server(ipf_ftp_softc_t *, fr_info_t *, ip_t *, nat_t *, ftpinfo_t *, int); int ipf_p_ftp_valid(ipf_ftp_softc_t *, ftpinfo_t *, int, char *, size_t); int ipf_p_ftp_server_valid(ipf_ftp_softc_t *, ftpside_t *, char *, size_t); int ipf_p_ftp_client_valid(ipf_ftp_softc_t *, ftpside_t *, char *, size_t); u_short ipf_p_ftp_atoi(char **); int ipf_p_ftp_pasvreply(ipf_ftp_softc_t *, fr_info_t *, ip_t *, nat_t *, ftpinfo_t *, u_int, char *, char *); int ipf_p_ftp_eprt(ipf_ftp_softc_t *, fr_info_t *, ip_t *, nat_t *, ftpinfo_t *, int); int ipf_p_ftp_eprt4(ipf_ftp_softc_t *, fr_info_t *, ip_t *, nat_t *, ftpinfo_t *, int); int ipf_p_ftp_eprt6(ipf_ftp_softc_t *, fr_info_t *, ip_t *, nat_t *, ftpinfo_t *, int); int ipf_p_ftp_addport(ipf_ftp_softc_t *, fr_info_t *, ip_t *, nat_t *, ftpinfo_t *, int, int, int); void ipf_p_ftp_setpending(ipf_main_softc_t *, ftpinfo_t *); /* * Debug levels */ #define DEBUG_SECURITY 0x01 #define DEBUG_ERROR 0x02 #define DEBUG_INFO 0x04 #define DEBUG_PARSE_ERR 0x08 #define DEBUG_PARSE_INFO 0x10 #define DEBUG_PARSE 0x20 static int ipf_p_ftp_proxy_init = 0; static frentry_t ftppxyfr; static ipftuneable_t ipf_ftp_tuneables[] = { { { (void *)offsetof(ipf_ftp_softc_t, ipf_p_ftp_debug) }, "ftp_debug", 0, 0x7f, stsizeof(ipf_ftp_softc_t, ipf_p_ftp_debug), 0, NULL, NULL }, { { (void *)offsetof(ipf_ftp_softc_t, ipf_p_ftp_pasvonly) }, "ftp_pasvonly", 0, 1, stsizeof(ipf_ftp_softc_t, ipf_p_ftp_pasvonly), 0, NULL, NULL }, { { (void *)offsetof(ipf_ftp_softc_t, ipf_p_ftp_insecure) }, "ftp_insecure", 0, 1, stsizeof(ipf_ftp_softc_t, ipf_p_ftp_insecure), 0, NULL, NULL }, { { (void *)offsetof(ipf_ftp_softc_t, ipf_p_ftp_pasvrdr) }, "ftp_pasvrdr", 0, 1, stsizeof(ipf_ftp_softc_t, ipf_p_ftp_pasvrdr), 0, NULL, NULL }, { { (void *)offsetof(ipf_ftp_softc_t, ipf_p_ftp_forcepasv) }, "ftp_forcepasv", 0, 1, stsizeof(ipf_ftp_softc_t, ipf_p_ftp_forcepasv), 0, NULL, NULL }, { { (void *)offsetof(ipf_ftp_softc_t, ipf_p_ftp_single_xfer) }, "ftp_single_xfer", 0, 1, stsizeof(ipf_ftp_softc_t, ipf_p_ftp_single_xfer), 0, NULL, NULL }, { { NULL }, NULL, 0, 0, 0, 0, NULL, NULL } }; void ipf_p_ftp_main_load() { bzero((char *)&ftppxyfr, sizeof(ftppxyfr)); ftppxyfr.fr_ref = 1; ftppxyfr.fr_flags = FR_INQUE|FR_PASS|FR_QUICK|FR_KEEPSTATE; MUTEX_INIT(&ftppxyfr.fr_lock, "FTP Proxy Mutex"); ipf_p_ftp_proxy_init = 1; } void ipf_p_ftp_main_unload() { if (ipf_p_ftp_proxy_init == 1) { MUTEX_DESTROY(&ftppxyfr.fr_lock); ipf_p_ftp_proxy_init = 0; } } /* * Initialize local structures. */ void * ipf_p_ftp_soft_create(softc) ipf_main_softc_t *softc; { ipf_ftp_softc_t *softf; KMALLOC(softf, ipf_ftp_softc_t *); if (softf == NULL) return NULL; bzero((char *)softf, sizeof(*softf)); #if defined(_KERNEL) softf->ipf_p_ftp_debug = 0; #else softf->ipf_p_ftp_debug = DEBUG_PARSE_ERR; #endif softf->ipf_p_ftp_forcepasv = 1; softf->ipf_p_ftp_tune = ipf_tune_array_copy(softf, sizeof(ipf_ftp_tuneables), ipf_ftp_tuneables); if (softf->ipf_p_ftp_tune == NULL) { ipf_p_ftp_soft_destroy(softc, softf); return NULL; } if (ipf_tune_array_link(softc, softf->ipf_p_ftp_tune) == -1) { ipf_p_ftp_soft_destroy(softc, softf); return NULL; } return softf; } void ipf_p_ftp_soft_destroy(softc, arg) ipf_main_softc_t *softc; void *arg; { ipf_ftp_softc_t *softf = arg; if (softf->ipf_p_ftp_tune != NULL) { ipf_tune_array_unlink(softc, softf->ipf_p_ftp_tune); KFREES(softf->ipf_p_ftp_tune, sizeof(ipf_ftp_tuneables)); softf->ipf_p_ftp_tune = NULL; } KFREE(softf); } int ipf_p_ftp_new(arg, fin, aps, nat) void *arg; fr_info_t *fin; ap_session_t *aps; nat_t *nat; { ftpinfo_t *ftp; ftpside_t *f; KMALLOC(ftp, ftpinfo_t *); if (ftp == NULL) return -1; nat = nat; /* LINT */ aps->aps_data = ftp; aps->aps_psiz = sizeof(ftpinfo_t); aps->aps_sport = htons(fin->fin_sport); aps->aps_dport = htons(fin->fin_dport); bzero((char *)ftp, sizeof(*ftp)); f = &ftp->ftp_side[0]; f->ftps_rptr = f->ftps_buf; f->ftps_wptr = f->ftps_buf; f = &ftp->ftp_side[1]; f->ftps_rptr = f->ftps_buf; f->ftps_wptr = f->ftps_buf; ftp->ftp_passok = FTPXY_INIT; ftp->ftp_incok = 0; return 0; } void ipf_p_ftp_setpending(ipf_main_softc_t *softc, ftpinfo_t *ftp) { if (ftp->ftp_pendnat != NULL) ipf_nat_setpending(softc, ftp->ftp_pendnat); if (ftp->ftp_pendstate != NULL) { READ_ENTER(&softc->ipf_state); ipf_state_setpending(softc, ftp->ftp_pendstate); RWLOCK_EXIT(&softc->ipf_state); } } void ipf_p_ftp_del(softc, aps) ipf_main_softc_t *softc; ap_session_t *aps; { ftpinfo_t *ftp; ftp = aps->aps_data; if (ftp != NULL) ipf_p_ftp_setpending(softc, ftp); } int ipf_p_ftp_port(softf, fin, ip, nat, ftp, dlen) ipf_ftp_softc_t *softf; fr_info_t *fin; ip_t *ip; nat_t *nat; ftpinfo_t *ftp; int dlen; { char newbuf[IPF_FTPBUFSZ], *s; u_int a1, a2, a3, a4; u_short a5, a6, sp; size_t nlen, olen; tcphdr_t *tcp; int inc, off; ftpside_t *f; mb_t *m; m = fin->fin_m; f = &ftp->ftp_side[0]; tcp = (tcphdr_t *)fin->fin_dp; off = (char *)tcp - (char *)ip + (TCP_OFF(tcp) << 2) + fin->fin_ipoff; /* * Check for client sending out PORT message. */ if (dlen < IPF_MINPORTLEN) { DT3(ftp_PORT_error_dlen, nat_t *, nat, ftpside_t *, f, u_int, dlen); if (softf->ipf_p_ftp_debug & DEBUG_PARSE) printf("ipf_p_ftp_port:dlen(%d) < IPF_MINPORTLEN\n", dlen); return 0; } /* * Skip the PORT command + space */ s = f->ftps_rptr + 5; /* * Pick out the address components, two at a time. */ a1 = ipf_p_ftp_atoi(&s); if (s == NULL) { DT2(ftp_PORT_error_atoi_1, nat_t *, nat, ftpside_t *, f); if (softf->ipf_p_ftp_debug & DEBUG_PARSE_ERR) printf("ipf_p_ftp_port:ipf_p_ftp_atoi(%d) failed\n", 1); return 0; } a2 = ipf_p_ftp_atoi(&s); if (s == NULL) { DT2(ftp_PORT_error_atoi_2, nat_t *, nat, ftpside_t *, f); if (softf->ipf_p_ftp_debug & DEBUG_PARSE_ERR) printf("ipf_p_ftp_port:ipf_p_ftp_atoi(%d) failed\n", 2); return 0; } /* * Check that IP address in the PORT/PASV reply is the same as the * sender of the command - prevents using PORT for port scanning. */ a1 <<= 16; a1 |= a2; if (((nat->nat_dir == NAT_OUTBOUND) && (a1 != ntohl(nat->nat_osrcaddr))) || ((nat->nat_dir == NAT_INBOUND) && (a1 != ntohl(nat->nat_nsrcaddr)))) { DT3(ftp_PORT_error_address, nat_t *, nat, ftpside_t *, f, u_int, a1); if (softf->ipf_p_ftp_debug & DEBUG_ERROR) printf("ipf_p_ftp_port:%s != nat->nat_inip\n", "a1"); return APR_ERR(1); } a5 = ipf_p_ftp_atoi(&s); if (s == NULL) { DT2(ftp_PORT_error_atoi_3, nat_t *, nat, ftpside_t *, f); if (softf->ipf_p_ftp_debug & DEBUG_PARSE_ERR) printf("ipf_p_ftp_port:ipf_p_ftp_atoi(%d) failed\n", 3); return 0; } if (*s == ')') s++; /* * check for CR-LF at the end. */ if (*s == '\n') s--; if ((*s != '\r') || (*(s + 1) != '\n')) { DT2(ftp_PORT_error_no_crlf, nat_t *, nat, ftpside_t *, f); if (softf->ipf_p_ftp_debug & DEBUG_PARSE_ERR) printf("ipf_p_ftp_port:missing %s\n", "cr-lf"); return 0; } s += 2; a6 = a5 & 0xff; /* * Calculate the source port. Verification of > 1024 is in * ipf_p_ftp_addport. */ a5 >>= 8; a5 &= 0xff; sp = a5 << 8 | a6; /* * Calculate new address parts for PORT command */ if (nat->nat_dir == NAT_INBOUND) a1 = ntohl(nat->nat_ndstaddr); else a1 = ntohl(ip->ip_src.s_addr); a1 = ntohl(ip->ip_src.s_addr); a2 = (a1 >> 16) & 0xff; a3 = (a1 >> 8) & 0xff; a4 = a1 & 0xff; a1 >>= 24; olen = s - f->ftps_rptr; /* DO NOT change this to snprintf! */ #if defined(SNPRINTF) && defined(_KERNEL) SNPRINTF(newbuf, sizeof(newbuf), "%s %u,%u,%u,%u,%u,%u\r\n", "PORT", a1, a2, a3, a4, a5, a6); #else (void) sprintf(newbuf, "%s %u,%u,%u,%u,%u,%u\r\n", "PORT", a1, a2, a3, a4, a5, a6); #endif nlen = strlen(newbuf); inc = nlen - olen; if ((inc + fin->fin_plen) > 65535) { DT3(ftp_PORT_error_inc, nat_t *, nat, ftpside_t *, f, int, inc); if (softf->ipf_p_ftp_debug & DEBUG_ERROR) printf("ipf_p_ftp_port:inc(%d) + ip->ip_len > 65535\n", inc); return 0; } #if !defined(_KERNEL) M_ADJ(m, inc); #else /* * m_adj takes care of pkthdr.len, if required and treats inc<0 to * mean remove -len bytes from the end of the packet. * The mbuf chain will be extended if necessary by m_copyback(). */ if (inc < 0) M_ADJ(m, inc); #endif /* !defined(_KERNEL) */ COPYBACK(m, off, nlen, newbuf); fin->fin_flx |= FI_DOCKSUM; if (inc != 0) { fin->fin_plen += inc; ip->ip_len = htons(fin->fin_plen); fin->fin_dlen += inc; } f->ftps_cmd = FTPXY_C_PORT; return ipf_p_ftp_addport(softf, fin, ip, nat, ftp, dlen, sp, inc); } int ipf_p_ftp_addport(softf, fin, ip, nat, ftp, dlen, nport, inc) ipf_ftp_softc_t *softf; fr_info_t *fin; ip_t *ip; nat_t *nat; ftpinfo_t *ftp; int dlen, nport, inc; { tcphdr_t tcph, *tcp2 = &tcph; ipf_main_softc_t *softc; ipf_nat_softc_t *softn; int direction; fr_info_t fi; ipnat_t *ipn; nat_t *nat2; u_short sp; int flags; softc = fin->fin_main_soft; softn = softc->ipf_nat_soft; if ((ftp->ftp_pendnat != NULL) || (ftp->ftp_pendstate != NULL)) { if (softf->ipf_p_ftp_single_xfer != 0) { DT2(ftp_PORT_error_add_active, nat_t *, nat, ftpinfo_t *, ftp); if (softf->ipf_p_ftp_debug & DEBUG_ERROR) printf("ipf_p_ftp_addport:xfer active %p/%p\n", ftp->ftp_pendnat, ftp->ftp_pendstate); return 0; } ipf_p_ftp_setpending(softc, ftp); } /* * Add skeleton NAT entry for connection which will come back the * other way. */ sp = nport; /* * Don't allow the PORT command to specify a port < 1024 due to * security risks. */ if (sp < 1024) { DT3(ftp_PORT_error_port, nat_t *, nat, ftpinfo_t *, ftp, u_int, sp); if (softf->ipf_p_ftp_debug & DEBUG_SECURITY) printf("ipf_p_ftp_addport:sp(%d) < 1024\n", sp); return 0; } /* * The server may not make the connection back from port 20, but * it is the most likely so use it here to check for a conflicting * mapping. */ bcopy((char *)fin, (char *)&fi, sizeof(fi)); fi.fin_flx |= FI_IGNORE; fi.fin_data[0] = sp; fi.fin_data[1] = fin->fin_data[1] - 1; fi.fin_src6 = nat->nat_ndst6; fi.fin_dst6 = nat->nat_nsrc6; - if (nat->nat_v[0] == 6) { #ifndef USE_INET6 + if (nat->nat_v[0] == 6) return APR_INC(inc); #endif - } /* * Add skeleton NAT entry for connection which will come back the * other way. */ #ifdef USE_INET6 if (nat->nat_v[0] == 6) { if (nat->nat_dir == NAT_OUTBOUND) { nat2 = ipf_nat6_outlookup(&fi, IPN_TCP|NAT_SEARCH, nat->nat_pr[1], &nat->nat_osrc6.in6, &nat->nat_odst6.in6); } else { nat2 = ipf_nat6_inlookup(&fi, IPN_TCP|NAT_SEARCH, nat->nat_pr[0], &nat->nat_odst6.in6, &nat->nat_osrc6.in6); } } else #endif { if (nat->nat_dir == NAT_OUTBOUND) { nat2 = ipf_nat_outlookup(&fi, IPN_TCP|NAT_SEARCH, nat->nat_pr[1], nat->nat_osrcip, nat->nat_odstip); } else { nat2 = ipf_nat_inlookup(&fi, IPN_TCP|NAT_SEARCH, nat->nat_pr[0], nat->nat_odstip, nat->nat_osrcip); } } if (nat2 != NULL) return APR_INC(inc); ipn = ipf_proxy_rule_rev(nat); if (ipn == NULL) return APR_ERR(1); ipn->in_use = 0; fi.fin_fr = &ftppxyfr; fi.fin_dp = (char *)tcp2; fi.fin_dlen = sizeof(*tcp2); fi.fin_plen = fi.fin_hlen + sizeof(*tcp2); fi.fin_flx &= FI_LOWTTL|FI_FRAG|FI_TCPUDP|FI_OPTIONS|FI_IGNORE; fi.fin_data[1] = sp; fi.fin_data[0] = 0; bzero((char *)tcp2, sizeof(*tcp2)); tcp2->th_sport = 0; tcp2->th_dport = htons(sp); tcp2->th_win = htons(8192); TCP_OFF_A(tcp2, 5); tcp2->th_flags = TH_SYN; if (nat->nat_dir == NAT_INBOUND) { fi.fin_out = 1; direction = NAT_OUTBOUND; } else { fi.fin_out = 0; direction = NAT_INBOUND; } flags = SI_W_SPORT|NAT_SLAVE|IPN_TCP; MUTEX_ENTER(&softn->ipf_nat_new); - if (nat->nat_v[0] == 6) { #ifdef USE_INET6 + if (nat->nat_v[0] == 6) nat2 = ipf_nat6_add(&fi, ipn, &ftp->ftp_pendnat, flags, direction); + else #endif - } else { nat2 = ipf_nat_add(&fi, ipn, &ftp->ftp_pendnat, flags, direction); - } MUTEX_EXIT(&softn->ipf_nat_new); if (nat2 == NULL) { KFREES(ipn, ipn->in_size); return APR_ERR(1); } (void) ipf_nat_proto(&fi, nat2, IPN_TCP); MUTEX_ENTER(&nat2->nat_lock); ipf_nat_update(&fi, nat2); MUTEX_EXIT(&nat2->nat_lock); fi.fin_ifp = NULL; if (nat2->nat_dir == NAT_INBOUND) fi.fin_dst6 = nat->nat_osrc6; if (ipf_state_add(softc, &fi, (ipstate_t **)&ftp->ftp_pendstate, SI_W_SPORT) != 0) ipf_nat_setpending(softc, nat2); return APR_INC(inc); } int ipf_p_ftp_client(softf, fin, ip, nat, ftp, dlen) ipf_ftp_softc_t *softf; fr_info_t *fin; nat_t *nat; ftpinfo_t *ftp; ip_t *ip; int dlen; { char *rptr, *wptr, cmd[6], c; ftpside_t *f; int inc, i; inc = 0; f = &ftp->ftp_side[0]; rptr = f->ftps_rptr; wptr = f->ftps_wptr; for (i = 0; (i < 5) && (i < dlen); i++) { c = rptr[i]; if (ISALPHA(c)) { cmd[i] = TOUPPER(c); } else { cmd[i] = c; } } cmd[i] = '\0'; ftp->ftp_incok = 0; DT2(ftp_client_command, char [], cmd, int, ftp->ftp_passok); if (!strncmp(cmd, "USER ", 5) || !strncmp(cmd, "XAUT ", 5)) { if (ftp->ftp_passok == FTPXY_ADOK_1 || ftp->ftp_passok == FTPXY_AUOK_1) { ftp->ftp_passok = FTPXY_USER_2; ftp->ftp_incok = 1; } else { ftp->ftp_passok = FTPXY_USER_1; ftp->ftp_incok = 1; } } else if (!strncmp(cmd, "AUTH ", 5)) { ftp->ftp_passok = FTPXY_AUTH_1; ftp->ftp_incok = 1; } else if (!strncmp(cmd, "PASS ", 5)) { if (ftp->ftp_passok == FTPXY_USOK_1) { ftp->ftp_passok = FTPXY_PASS_1; ftp->ftp_incok = 1; } else if (ftp->ftp_passok == FTPXY_USOK_2) { ftp->ftp_passok = FTPXY_PASS_2; ftp->ftp_incok = 1; } } else if ((ftp->ftp_passok == FTPXY_AUOK_1) && !strncmp(cmd, "ADAT ", 5)) { ftp->ftp_passok = FTPXY_ADAT_1; ftp->ftp_incok = 1; } else if ((ftp->ftp_passok == FTPXY_PAOK_1 || ftp->ftp_passok == FTPXY_PAOK_2) && !strncmp(cmd, "ACCT ", 5)) { ftp->ftp_passok = FTPXY_ACCT_1; ftp->ftp_incok = 1; } else if ((ftp->ftp_passok == FTPXY_GO) && !softf->ipf_p_ftp_pasvonly && !strncmp(cmd, "PORT ", 5)) { inc = ipf_p_ftp_port(softf, fin, ip, nat, ftp, dlen); } else if ((ftp->ftp_passok == FTPXY_GO) && !softf->ipf_p_ftp_pasvonly && !strncmp(cmd, "EPRT ", 5)) { inc = ipf_p_ftp_eprt(softf, fin, ip, nat, ftp, dlen); } else if (softf->ipf_p_ftp_insecure && !softf->ipf_p_ftp_pasvonly && !strncmp(cmd, "PORT ", 5)) { inc = ipf_p_ftp_port(softf, fin, ip, nat, ftp, dlen); } if (softf->ipf_p_ftp_debug & DEBUG_PARSE) printf("ipf_p_ftp_client: cmd[%s] passok %d incok %d inc %d\n", cmd, ftp->ftp_passok, ftp->ftp_incok, inc); DT2(ftp_client_passok, char *, cmd, int, ftp->ftp_passok); while ((*rptr++ != '\n') && (rptr < wptr)) ; f->ftps_rptr = rptr; return inc; } int ipf_p_ftp_pasv(softf, fin, ip, nat, ftp, dlen) ipf_ftp_softc_t *softf; fr_info_t *fin; ip_t *ip; nat_t *nat; ftpinfo_t *ftp; int dlen; { u_int a1, a2, a3, a4, data_ip; char newbuf[IPF_FTPBUFSZ]; const char *brackets[2]; u_short a5, a6; ftpside_t *f; char *s; if ((softf->ipf_p_ftp_forcepasv != 0) && (ftp->ftp_side[0].ftps_cmd != FTPXY_C_PASV)) { DT2(ftp_PASV_error_state, nat_t *, nat, ftpinfo_t *, ftp); if (softf->ipf_p_ftp_debug & DEBUG_ERROR) printf("ipf_p_ftp_pasv:ftps_cmd(%d) != FTPXY_C_PASV\n", ftp->ftp_side[0].ftps_cmd); return 0; } f = &ftp->ftp_side[1]; #define PASV_REPLEN 24 /* * Check for PASV reply message. */ if (dlen < IPF_MIN227LEN) { DT3(ftp_PASV_error_short, nat_t *, nat, ftpinfo_t *, ftp, int, dlen); if (softf->ipf_p_ftp_debug & DEBUG_ERROR) printf("ipf_p_ftp_pasv:dlen(%d) < IPF_MIN227LEN\n", dlen); return 0; } else if (strncmp(f->ftps_rptr, "227 Entering Passive Mod", PASV_REPLEN)) { DT2(ftp_PASV_error_string, nat_t *, nat, ftpinfo_t *, ftp); if (softf->ipf_p_ftp_debug & DEBUG_PARSE_ERR) printf("ipf_p_ftp_pasv:%d reply wrong\n", 227); return 0; } brackets[0] = ""; brackets[1] = ""; /* * Skip the PASV reply + space */ s = f->ftps_rptr + PASV_REPLEN; while (*s && !ISDIGIT(*s)) { if (*s == '(') { brackets[0] = "("; brackets[1] = ")"; } s++; } /* * Pick out the address components, two at a time. */ a1 = ipf_p_ftp_atoi(&s); if (s == NULL) { DT2(ftp_PASV_error_atoi_1, nat_t *, nat, ftpside_t *, f); if (softf->ipf_p_ftp_debug & DEBUG_PARSE_ERR) printf("ipf_p_ftp_pasv:ipf_p_ftp_atoi(%d) failed\n", 1); return 0; } a2 = ipf_p_ftp_atoi(&s); if (s == NULL) { DT2(ftp_PASV_error_atoi_2, nat_t *, nat, ftpside_t *, f); if (softf->ipf_p_ftp_debug & DEBUG_PARSE_ERR) printf("ipf_p_ftp_pasv:ipf_p_ftp_atoi(%d) failed\n", 2); return 0; } /* * check that IP address in the PASV reply is the same as the * sender of the command - prevents using PASV for port scanning. */ a1 <<= 16; a1 |= a2; if (((nat->nat_dir == NAT_INBOUND) && (a1 != ntohl(nat->nat_ndstaddr))) || ((nat->nat_dir == NAT_OUTBOUND) && (a1 != ntohl(nat->nat_odstaddr)))) { DT3(ftp_PASV_error_address, nat_t *, nat, ftpside_t *, f, u_int, a1); if (softf->ipf_p_ftp_debug & DEBUG_ERROR) printf("ipf_p_ftp_pasv:%s != nat->nat_oip\n", "a1"); return 0; } a5 = ipf_p_ftp_atoi(&s); if (s == NULL) { DT2(ftp_PASV_error_atoi_3, nat_t *, nat, ftpside_t *, f); if (softf->ipf_p_ftp_debug & DEBUG_PARSE_ERR) printf("ipf_p_ftp_pasv:ipf_p_ftp_atoi(%d) failed\n", 3); return 0; } if (*s == ')') s++; if (*s == '.') s++; if (*s == '\n') s--; /* * check for CR-LF at the end. */ if ((*s != '\r') || (*(s + 1) != '\n')) { DT(pasv_missing_crlf); if (softf->ipf_p_ftp_debug & DEBUG_PARSE_ERR) printf("ipf_p_ftp_pasv:missing %s", "cr-lf\n"); return 0; } s += 2; a6 = a5 & 0xff; a5 >>= 8; /* * Calculate new address parts for 227 reply */ if (nat->nat_dir == NAT_INBOUND) { data_ip = nat->nat_odstaddr; a1 = ntohl(data_ip); } else data_ip = htonl(a1); a2 = (a1 >> 16) & 0xff; a3 = (a1 >> 8) & 0xff; a4 = a1 & 0xff; a1 >>= 24; #if defined(SNPRINTF) && defined(_KERNEL) SNPRINTF(newbuf, sizeof(newbuf), "%s %s%u,%u,%u,%u,%u,%u%s\r\n", "227 Entering Passive Mode", brackets[0], a1, a2, a3, a4, a5, a6, brackets[1]); #else (void) sprintf(newbuf, "%s %s%u,%u,%u,%u,%u,%u%s\r\n", "227 Entering Passive Mode", brackets[0], a1, a2, a3, a4, a5, a6, brackets[1]); #endif return ipf_p_ftp_pasvreply(softf, fin, ip, nat, ftp, (a5 << 8 | a6), newbuf, s); } int ipf_p_ftp_pasvreply(softf, fin, ip, nat, ftp, port, newmsg, s) ipf_ftp_softc_t *softf; fr_info_t *fin; ip_t *ip; nat_t *nat; ftpinfo_t *ftp; u_int port; char *newmsg; char *s; { int inc, off, nflags; tcphdr_t *tcp, tcph, *tcp2; ipf_main_softc_t *softc; ipf_nat_softc_t *softn; size_t nlen, olen; #ifdef USE_INET6 ip6_t *ip6; #endif ipnat_t *ipn; fr_info_t fi; ftpside_t *f; nat_t *nat2; mb_t *m; softc = fin->fin_main_soft; softn = softc->ipf_nat_soft; if ((ftp->ftp_pendnat != NULL) || (ftp->ftp_pendstate != NULL)) ipf_p_ftp_setpending(softc, ftp); m = fin->fin_m; tcp = (tcphdr_t *)fin->fin_dp; off = (char *)tcp - (char *)ip + (TCP_OFF(tcp) << 2) + fin->fin_ipoff; tcp2 = &tcph; inc = 0; f = &ftp->ftp_side[1]; olen = s - f->ftps_rptr; nlen = strlen(newmsg); inc = nlen - olen; if ((inc + fin->fin_plen) > 65535) { DT3(ftp_PASV_error_inc, nat_t *, nat, ftpside_t *, f, int, inc); if (softf->ipf_p_ftp_debug & DEBUG_ERROR) printf("ipf_p_ftp_pasv:inc(%d) + ip->ip_len > 65535\n", inc); return 0; } ipn = ipf_proxy_rule_fwd(nat); if (ipn == NULL) return APR_ERR(1); ipn->in_use = 0; /* * Add skeleton NAT entry for connection which will come back the * other way. */ bzero((char *)tcp2, sizeof(*tcp2)); bcopy((char *)fin, (char *)&fi, sizeof(fi)); fi.fin_flx |= FI_IGNORE; fi.fin_data[0] = 0; fi.fin_data[1] = port; nflags = IPN_TCP|SI_W_SPORT; fi.fin_fr = &ftppxyfr; fi.fin_dp = (char *)tcp2; fi.fin_out = 1 - fin->fin_out; fi.fin_dlen = sizeof(*tcp2); fi.fin_src6 = nat->nat_osrc6; fi.fin_dst6 = nat->nat_odst6; fi.fin_plen = fi.fin_hlen + sizeof(*tcp); fi.fin_flx &= FI_LOWTTL|FI_FRAG|FI_TCPUDP|FI_OPTIONS|FI_IGNORE; TCP_OFF_A(tcp2, 5); tcp2->th_flags = TH_SYN; tcp2->th_win = htons(8192); tcp2->th_dport = htons(port); MUTEX_ENTER(&softn->ipf_nat_new); #ifdef USE_INET6 if (nat->nat_v[0] == 6) nat2 = ipf_nat6_add(&fi, ipn, &ftp->ftp_pendnat, nflags, nat->nat_dir); else #endif nat2 = ipf_nat_add(&fi, ipn, &ftp->ftp_pendnat, nflags, nat->nat_dir); MUTEX_EXIT(&softn->ipf_nat_new); if (nat2 == NULL) { KFREES(ipn, ipn->in_size); return APR_ERR(1); } (void) ipf_nat_proto(&fi, nat2, IPN_TCP); MUTEX_ENTER(&nat2->nat_lock); ipf_nat_update(&fi, nat2); MUTEX_EXIT(&nat2->nat_lock); fi.fin_ifp = NULL; if (nat->nat_dir == NAT_INBOUND) { - if (nat->nat_v[0] == 6) { #ifdef USE_INET6 + if (nat->nat_v[0] == 6) fi.fin_dst6 = nat->nat_ndst6; + else #endif - } else { fi.fin_daddr = nat->nat_ndstaddr; - } } if (ipf_state_add(softc, &fi, (ipstate_t **)&ftp->ftp_pendstate, SI_W_SPORT) != 0) ipf_nat_setpending(softc, nat2); #if !defined(_KERNEL) M_ADJ(m, inc); #else /* * m_adj takes care of pkthdr.len, if required and treats inc<0 to * mean remove -len bytes from the end of the packet. * The mbuf chain will be extended if necessary by m_copyback(). */ if (inc < 0) M_ADJ(m, inc); #endif /* !defined(_KERNEL) */ COPYBACK(m, off, nlen, newmsg); fin->fin_flx |= FI_DOCKSUM; if (inc != 0) { fin->fin_plen += inc; fin->fin_dlen += inc; - if (nat->nat_v[0] == 6) { #ifdef USE_INET6 + if (nat->nat_v[0] == 6) { ip6 = (ip6_t *)fin->fin_ip; u_short len = ntohs(ip6->ip6_plen) + inc; ip6->ip6_plen = htons(len); + } else #endif - } else { ip->ip_len = htons(fin->fin_plen); - } } return APR_INC(inc); } int ipf_p_ftp_server(softf, fin, ip, nat, ftp, dlen) ipf_ftp_softc_t *softf; fr_info_t *fin; ip_t *ip; nat_t *nat; ftpinfo_t *ftp; int dlen; { char *rptr, *wptr; ftpside_t *f; int inc; inc = 0; f = &ftp->ftp_side[1]; rptr = f->ftps_rptr; wptr = f->ftps_wptr; DT2(ftp_server_response, char *, rptr, int, ftp->ftp_passok); if (*rptr == ' ') goto server_cmd_ok; if (!ISDIGIT(*rptr) || !ISDIGIT(*(rptr + 1)) || !ISDIGIT(*(rptr + 2))) return 0; if (softf->ipf_p_ftp_debug & DEBUG_PARSE) printf("ipf_p_ftp_server_1: cmd[%4.4s] passok %d\n", rptr, ftp->ftp_passok); if (ftp->ftp_passok == FTPXY_GO) { if (!strncmp(rptr, "227 ", 4)) inc = ipf_p_ftp_pasv(softf, fin, ip, nat, ftp, dlen); else if (!strncmp(rptr, "229 ", 4)) inc = ipf_p_ftp_epsv(softf, fin, ip, nat, ftp, dlen); else if (strncmp(rptr, "200", 3)) { /* * 200 is returned for a successful command. */ ; } } else if (softf->ipf_p_ftp_insecure && !strncmp(rptr, "227 ", 4)) { inc = ipf_p_ftp_pasv(softf, fin, ip, nat, ftp, dlen); } else if (softf->ipf_p_ftp_insecure && !strncmp(rptr, "229 ", 4)) { inc = ipf_p_ftp_epsv(softf, fin, ip, nat, ftp, dlen); } else if (*rptr == '5' || *rptr == '4') ftp->ftp_passok = FTPXY_INIT; else if (ftp->ftp_incok) { if (*rptr == '3') { if (ftp->ftp_passok == FTPXY_ACCT_1) ftp->ftp_passok = FTPXY_GO; else ftp->ftp_passok++; } else if (*rptr == '2') { switch (ftp->ftp_passok) { case FTPXY_USER_1 : case FTPXY_USER_2 : case FTPXY_PASS_1 : case FTPXY_PASS_2 : case FTPXY_ACCT_1 : ftp->ftp_passok = FTPXY_GO; break; default : ftp->ftp_passok += 3; break; } } } ftp->ftp_incok = 0; server_cmd_ok: if (softf->ipf_p_ftp_debug & DEBUG_PARSE) printf("ipf_p_ftp_server_2: cmd[%4.4s] passok %d\n", rptr, ftp->ftp_passok); DT3(ftp_server_passok, char *,rptr, int, ftp->ftp_incok, int, ftp->ftp_passok); while ((*rptr++ != '\n') && (rptr < wptr)) ; f->ftps_rptr = rptr; return inc; } /* * 0 FTPXY_JUNK_OK * 1 FTPXY_JUNK_BAD * 2 FTPXY_JUNK_EOL * 3 FTPXY_JUNK_CONT * * Look to see if the buffer starts with something which we recognise as * being the correct syntax for the FTP protocol. */ int ipf_p_ftp_client_valid(softf, ftps, buf, len) ipf_ftp_softc_t *softf; ftpside_t *ftps; char *buf; size_t len; { register char *s, c, pc; register size_t i = len; char cmd[5]; s = buf; if (ftps->ftps_junk == FTPXY_JUNK_BAD) return FTPXY_JUNK_BAD; if (i < 5) { DT1(client_valid, int, i); if (softf->ipf_p_ftp_debug & DEBUG_ERROR) printf("ipf_p_ftp_client_valid:i(%d) < 5\n", (int)i); return 2; } i--; c = *s++; if (ISALPHA(c)) { cmd[0] = TOUPPER(c); c = *s++; i--; if (ISALPHA(c)) { cmd[1] = TOUPPER(c); c = *s++; i--; if (ISALPHA(c)) { cmd[2] = TOUPPER(c); c = *s++; i--; if (ISALPHA(c)) { cmd[3] = TOUPPER(c); c = *s++; i--; if ((c != ' ') && (c != '\r')) goto bad_client_command; } else if ((c != ' ') && (c != '\r')) goto bad_client_command; } else goto bad_client_command; } else goto bad_client_command; } else { bad_client_command: DT4(client_junk, int, len, int, i, int, c, char *, buf); if (softf->ipf_p_ftp_debug & DEBUG_PARSE_ERR) printf("%s:bad:junk %d len %d/%d c 0x%x buf [%*.*s]\n", "ipf_p_ftp_client_valid", ftps->ftps_junk, (int)len, (int)i, c, (int)len, (int)len, buf); return FTPXY_JUNK_BAD; } for (; i; i--) { pc = c; c = *s++; if ((pc == '\r') && (c == '\n')) { cmd[4] = '\0'; if (!strcmp(cmd, "PASV")) { ftps->ftps_cmd = FTPXY_C_PASV; } else if (!strcmp(cmd, "EPSV")) { ftps->ftps_cmd = FTPXY_C_EPSV; } else { ftps->ftps_cmd = 0; } return 0; } } #if !defined(_KERNEL) printf("ipf_p_ftp_client_valid:junk after cmd[%*.*s]\n", (int)len, (int)len, buf); #endif return FTPXY_JUNK_EOL; } int ipf_p_ftp_server_valid(softf, ftps, buf, len) ipf_ftp_softc_t *softf; ftpside_t *ftps; char *buf; size_t len; { register char *s, c, pc; register size_t i = len; int cmd; s = buf; cmd = 0; if (ftps->ftps_junk == FTPXY_JUNK_BAD) return FTPXY_JUNK_BAD; if (i < 5) { DT1(server_valid, int, i); if (softf->ipf_p_ftp_debug & DEBUG_PARSE_ERR) printf("ipf_p_ftp_servert_valid:i(%d) < 5\n", (int)i); return 2; } c = *s++; i--; if (c == ' ') { cmd = -1; goto search_eol; } if (ISDIGIT(c)) { cmd = (c - '0') * 100; c = *s++; i--; if (ISDIGIT(c)) { cmd += (c - '0') * 10; c = *s++; i--; if (ISDIGIT(c)) { cmd += (c - '0'); c = *s++; i--; if ((c != '-') && (c != ' ')) goto bad_server_command; if (c == '-') return FTPXY_JUNK_CONT; } else goto bad_server_command; } else goto bad_server_command; } else { bad_server_command: DT4(server_junk, int len, buf, int, i, int, c, char *, buf); if (softf->ipf_p_ftp_debug & DEBUG_PARSE_INFO) printf("%s:bad:junk %d len %d/%d c 0x%x buf [%*.*s]\n", "ipf_p_ftp_server_valid", ftps->ftps_junk, (int)len, (int)i, c, (int)len, (int)len, buf); if (ftps->ftps_junk == FTPXY_JUNK_CONT) return FTPXY_JUNK_CONT; return FTPXY_JUNK_BAD; } search_eol: for (; i; i--) { pc = c; c = *s++; if ((pc == '\r') && (c == '\n')) { if (cmd == -1) { if (ftps->ftps_junk == FTPXY_JUNK_CONT) return FTPXY_JUNK_CONT; } else { ftps->ftps_cmd = cmd; } return FTPXY_JUNK_OK; } } DT2(junk_eol, int, len, char *, buf); if (softf->ipf_p_ftp_debug & DEBUG_PARSE_INFO) printf("ipf_p_ftp_server_valid:junk after cmd[%*.*s]\n", (int)len, (int)len, buf); return FTPXY_JUNK_EOL; } int ipf_p_ftp_valid(softf, ftp, side, buf, len) ipf_ftp_softc_t *softf; ftpinfo_t *ftp; int side; char *buf; size_t len; { ftpside_t *ftps; int ret; ftps = &ftp->ftp_side[side]; if (side == 0) ret = ipf_p_ftp_client_valid(softf, ftps, buf, len); else ret = ipf_p_ftp_server_valid(softf, ftps, buf, len); return ret; } /* * For map rules, the following applies: * rv == 0 for outbound processing, * rv == 1 for inbound processing. * For rdr rules, the following applies: * rv == 0 for inbound processing, * rv == 1 for outbound processing. */ int ipf_p_ftp_process(softf, fin, nat, ftp, rv) ipf_ftp_softc_t *softf; fr_info_t *fin; nat_t *nat; ftpinfo_t *ftp; int rv; { int mlen, len, off, inc, i, sel, sel2, ok, ackoff, seqoff, retry; char *rptr, *wptr, *s; u_32_t thseq, thack; ap_session_t *aps; ftpside_t *f, *t; tcphdr_t *tcp; ip_t *ip; mb_t *m; m = fin->fin_m; ip = fin->fin_ip; tcp = (tcphdr_t *)fin->fin_dp; off = (char *)tcp - (char *)ip + (TCP_OFF(tcp) << 2) + fin->fin_ipoff; f = &ftp->ftp_side[rv]; t = &ftp->ftp_side[1 - rv]; thseq = ntohl(tcp->th_seq); thack = ntohl(tcp->th_ack); mlen = MSGDSIZE(m) - off; DT3(process_debug, tcphdr_t *, tcp, int, off, int, mlen); if (softf->ipf_p_ftp_debug & DEBUG_INFO) printf("ipf_p_ftp_process: %d:%d,%d, mlen %d flags %x\n", fin->fin_out, fin->fin_sport, fin->fin_dport, mlen, tcp->th_flags); if ((mlen == 0) && ((tcp->th_flags & TH_OPENING) == TH_OPENING)) { f->ftps_seq[0] = thseq + 1; t->ftps_seq[0] = thack; return 0; } else if (mlen < 0) { return 0; } aps = nat->nat_aps; sel = aps->aps_sel[1 - rv]; sel2 = aps->aps_sel[rv]; if (rv == 1) { seqoff = aps->aps_seqoff[sel]; if (aps->aps_seqmin[sel] > seqoff + thseq) seqoff = aps->aps_seqoff[!sel]; ackoff = aps->aps_ackoff[sel2]; if (aps->aps_ackmin[sel2] > ackoff + thack) ackoff = aps->aps_ackoff[!sel2]; } else { seqoff = aps->aps_ackoff[sel]; if (softf->ipf_p_ftp_debug & DEBUG_INFO) printf("seqoff %d thseq %x ackmin %x\n", seqoff, thseq, aps->aps_ackmin[sel]); if (aps->aps_ackmin[sel] > seqoff + thseq) seqoff = aps->aps_ackoff[!sel]; ackoff = aps->aps_seqoff[sel2]; if (softf->ipf_p_ftp_debug & DEBUG_INFO) printf("ackoff %d thack %x seqmin %x\n", ackoff, thack, aps->aps_seqmin[sel2]); if (ackoff > 0) { if (aps->aps_seqmin[sel2] > ackoff + thack) ackoff = aps->aps_seqoff[!sel2]; } else { if (aps->aps_seqmin[sel2] > thack) ackoff = aps->aps_seqoff[!sel2]; } } if (softf->ipf_p_ftp_debug & DEBUG_INFO) { printf("%s: %x seq %x/%d ack %x/%d len %d/%d off %d\n", rv ? "IN" : "OUT", tcp->th_flags, thseq, seqoff, thack, ackoff, mlen, fin->fin_plen, off); printf("sel %d seqmin %x/%x offset %d/%d\n", sel, aps->aps_seqmin[sel], aps->aps_seqmin[sel2], aps->aps_seqoff[sel], aps->aps_seqoff[sel2]); printf("sel %d ackmin %x/%x offset %d/%d\n", sel2, aps->aps_ackmin[sel], aps->aps_ackmin[sel2], aps->aps_ackoff[sel], aps->aps_ackoff[sel2]); } /* * XXX - Ideally, this packet should get dropped because we now know * that it is out of order (and there is no real danger in doing so * apart from causing packets to go through here ordered). */ if (softf->ipf_p_ftp_debug & DEBUG_INFO) { printf("rv %d t:seq[0] %x seq[1] %x %d/%d\n", rv, t->ftps_seq[0], t->ftps_seq[1], seqoff, ackoff); } ok = 0; if (t->ftps_seq[0] == 0) { t->ftps_seq[0] = thack; ok = 1; } else { if (ackoff == 0) { if (t->ftps_seq[0] == thack) ok = 1; else if (t->ftps_seq[1] == thack) { t->ftps_seq[0] = thack; ok = 1; } } else { if (t->ftps_seq[0] + ackoff == thack) { t->ftps_seq[0] = thack; ok = 1; } else if (t->ftps_seq[0] == thack + ackoff) { t->ftps_seq[0] = thack + ackoff; ok = 1; } else if (t->ftps_seq[1] + ackoff == thack) { t->ftps_seq[0] = thack; ok = 1; } else if (t->ftps_seq[1] == thack + ackoff) { t->ftps_seq[0] = thack + ackoff; ok = 1; } } } if (softf->ipf_p_ftp_debug & DEBUG_INFO) { if (!ok) printf("%s ok\n", "not"); } if (!mlen) { if (t->ftps_seq[0] + ackoff != thack && t->ftps_seq[1] + ackoff != thack) { DT3(thack, ftpside_t *t, t, int, ackoff, u_32_t, thack); if (softf->ipf_p_ftp_debug & DEBUG_ERROR) { printf("%s:seq[0](%u) + (%d) != (%u)\n", "ipf_p_ftp_process", t->ftps_seq[0], ackoff, thack); printf("%s:seq[0](%u) + (%d) != (%u)\n", "ipf_p_ftp_process", t->ftps_seq[1], ackoff, thack); } return APR_ERR(1); } if (softf->ipf_p_ftp_debug & DEBUG_PARSE) { printf("ipf_p_ftp_process:f:seq[0] %x seq[1] %x\n", f->ftps_seq[0], f->ftps_seq[1]); } if (tcp->th_flags & TH_FIN) { if (thseq == f->ftps_seq[1]) { f->ftps_seq[0] = f->ftps_seq[1] - seqoff; f->ftps_seq[1] = thseq + 1 - seqoff; } else { DT2(thseq, ftpside_t *t, t, u_32_t, thseq); if (softf->ipf_p_ftp_debug & DEBUG_ERROR) { printf("FIN: thseq %x seqoff %d ftps_seq %x\n", thseq, seqoff, f->ftps_seq[0]); } return APR_ERR(1); } } f->ftps_len = 0; return 0; } ok = 0; if ((thseq == f->ftps_seq[0]) || (thseq == f->ftps_seq[1])) { ok = 1; /* * Retransmitted data packet. */ } else if ((thseq + mlen == f->ftps_seq[0]) || (thseq + mlen == f->ftps_seq[1])) { ok = 1; } if (ok == 0) { DT3(ok_0, ftpside_t *, f, u_32_t, thseq, int, mlen); inc = thseq - f->ftps_seq[0]; if (softf->ipf_p_ftp_debug & DEBUG_ERROR) { printf("inc %d sel %d rv %d\n", inc, sel, rv); printf("th_seq %x ftps_seq %x/%x\n", thseq, f->ftps_seq[0], f->ftps_seq[1]); printf("ackmin %x ackoff %d\n", aps->aps_ackmin[sel], aps->aps_ackoff[sel]); printf("seqmin %x seqoff %d\n", aps->aps_seqmin[sel], aps->aps_seqoff[sel]); } return APR_ERR(1); } inc = 0; rptr = f->ftps_rptr; wptr = f->ftps_wptr; f->ftps_seq[0] = thseq; f->ftps_seq[1] = f->ftps_seq[0] + mlen; f->ftps_len = mlen; while (mlen > 0) { len = MIN(mlen, sizeof(f->ftps_buf) - (wptr - rptr)); if (len == 0) break; COPYDATA(m, off, len, wptr); mlen -= len; off += len; wptr += len; whilemore: if (softf->ipf_p_ftp_debug & DEBUG_PARSE) printf("%s:len %d/%d off %d wptr %lx junk %d [%*.*s]\n", "ipf_p_ftp_process", len, mlen, off, (u_long)wptr, f->ftps_junk, len, len, rptr); f->ftps_wptr = wptr; if (f->ftps_junk != FTPXY_JUNK_OK) { i = f->ftps_junk; f->ftps_junk = ipf_p_ftp_valid(softf, ftp, rv, rptr, wptr - rptr); DT2(junk_transit, int, i, int, f->ftps_junk); if (softf->ipf_p_ftp_debug & DEBUG_PARSE) printf("%s:junk %d -> %d\n", "ipf_p_ftp_process", i, f->ftps_junk); if (f->ftps_junk == FTPXY_JUNK_BAD) { DT(buffer_full); if (wptr - rptr == sizeof(f->ftps_buf)) { if (softf->ipf_p_ftp_debug & DEBUG_PARSE_INFO) printf("%s:full buffer\n", "ipf_p_ftp_process"); f->ftps_rptr = f->ftps_buf; f->ftps_wptr = f->ftps_buf; rptr = f->ftps_rptr; wptr = f->ftps_wptr; continue; } } } while ((f->ftps_junk == FTPXY_JUNK_OK) && (wptr > rptr)) { len = wptr - rptr; f->ftps_junk = ipf_p_ftp_valid(softf, ftp, rv, rptr, len); if (softf->ipf_p_ftp_debug & DEBUG_PARSE) { printf("%s=%d len %d rv %d ptr %lx/%lx ", "ipf_p_ftp_valid", f->ftps_junk, len, rv, (u_long)rptr, (u_long)wptr); printf("buf [%*.*s]\n", len, len, rptr); } if (f->ftps_junk == FTPXY_JUNK_OK) { f->ftps_cmds++; f->ftps_rptr = rptr; if (rv) inc += ipf_p_ftp_server(softf, fin, ip, nat, ftp, len); else inc += ipf_p_ftp_client(softf, fin, ip, nat, ftp, len); rptr = f->ftps_rptr; wptr = f->ftps_wptr; } } /* * Off to a bad start so lets just forget about using the * ftp proxy for this connection. */ if ((f->ftps_cmds == 0) && (f->ftps_junk == FTPXY_JUNK_BAD)) { /* f->ftps_seq[1] += inc; */ DT(ftp_junk_cmd); if (softf->ipf_p_ftp_debug & DEBUG_ERROR) printf("%s:cmds == 0 junk == 1\n", "ipf_p_ftp_process"); return APR_ERR(2); } retry = 0; if ((f->ftps_junk != FTPXY_JUNK_OK) && (rptr < wptr)) { for (s = rptr; s < wptr; s++) { if ((*s == '\r') && (s + 1 < wptr) && (*(s + 1) == '\n')) { rptr = s + 2; retry = 1; if (f->ftps_junk != FTPXY_JUNK_CONT) f->ftps_junk = FTPXY_JUNK_OK; break; } } } if (rptr == wptr) { rptr = wptr = f->ftps_buf; } else { /* * Compact the buffer back to the start. The junk * flag should already be set and because we're not * throwing away any data, it is preserved from its * current state. */ if (rptr > f->ftps_buf) { bcopy(rptr, f->ftps_buf, wptr - rptr); wptr -= rptr - f->ftps_buf; rptr = f->ftps_buf; } } f->ftps_rptr = rptr; f->ftps_wptr = wptr; if (retry) goto whilemore; } /* f->ftps_seq[1] += inc; */ if (tcp->th_flags & TH_FIN) f->ftps_seq[1]++; if (softf->ipf_p_ftp_debug & DEBUG_PARSE_INFO) { mlen = MSGDSIZE(m); mlen -= off; printf("ftps_seq[1] = %x inc %d len %d\n", f->ftps_seq[1], inc, mlen); } f->ftps_rptr = rptr; f->ftps_wptr = wptr; return APR_INC(inc); } int ipf_p_ftp_out(arg, fin, aps, nat) void *arg; fr_info_t *fin; ap_session_t *aps; nat_t *nat; { ipf_ftp_softc_t *softf = arg; ftpinfo_t *ftp; int rev; ftp = aps->aps_data; if (ftp == NULL) return 0; rev = (nat->nat_dir == NAT_OUTBOUND) ? 0 : 1; if (ftp->ftp_side[1 - rev].ftps_ifp == NULL) ftp->ftp_side[1 - rev].ftps_ifp = fin->fin_ifp; return ipf_p_ftp_process(softf, fin, nat, ftp, rev); } int ipf_p_ftp_in(arg, fin, aps, nat) void *arg; fr_info_t *fin; ap_session_t *aps; nat_t *nat; { ipf_ftp_softc_t *softf = arg; ftpinfo_t *ftp; int rev; ftp = aps->aps_data; if (ftp == NULL) return 0; rev = (nat->nat_dir == NAT_OUTBOUND) ? 0 : 1; if (ftp->ftp_side[rev].ftps_ifp == NULL) ftp->ftp_side[rev].ftps_ifp = fin->fin_ifp; return ipf_p_ftp_process(softf, fin, nat, ftp, 1 - rev); } /* * ipf_p_ftp_atoi - implement a version of atoi which processes numbers in * pairs separated by commas (which are expected to be in the range 0 - 255), * returning a 16 bit number combining either side of the , as the MSB and * LSB. */ u_short ipf_p_ftp_atoi(ptr) char **ptr; { register char *s = *ptr, c; register u_char i = 0, j = 0; while (((c = *s++) != '\0') && ISDIGIT(c)) { i *= 10; i += c - '0'; } if (c != ',') { *ptr = NULL; return 0; } while (((c = *s++) != '\0') && ISDIGIT(c)) { j *= 10; j += c - '0'; } *ptr = s; i &= 0xff; j &= 0xff; return (i << 8) | j; } int ipf_p_ftp_eprt(softf, fin, ip, nat, ftp, dlen) ipf_ftp_softc_t *softf; fr_info_t *fin; ip_t *ip; nat_t *nat; ftpinfo_t *ftp; int dlen; { ftpside_t *f; /* * Check for client sending out EPRT message. */ if (dlen < IPF_MINEPRTLEN) { DT1(epert_dlen, int, dlen); if (softf->ipf_p_ftp_debug & DEBUG_PARSE_ERR) printf("ipf_p_ftp_eprt:dlen(%d) < IPF_MINEPRTLEN\n", dlen); return 0; } /* * Parse the EPRT command. Format is: * "EPRT |1|1.2.3.4|2000|" for IPv4 and * "EPRT |2|ef00::1:2|2000|" for IPv6 */ f = &ftp->ftp_side[0]; if (f->ftps_rptr[5] != '|') return 0; if (f->ftps_rptr[5] == f->ftps_rptr[7]) { if (f->ftps_rptr[6] == '1' && nat->nat_v[0] == 4) return ipf_p_ftp_eprt4(softf, fin, ip, nat, ftp, dlen); #ifdef USE_INET6 if (f->ftps_rptr[6] == '2' && nat->nat_v[0] == 6) return ipf_p_ftp_eprt6(softf, fin, ip, nat, ftp, dlen); #endif } return 0; } int ipf_p_ftp_eprt4(softf, fin, ip, nat, ftp, dlen) ipf_ftp_softc_t *softf; fr_info_t *fin; ip_t *ip; nat_t *nat; ftpinfo_t *ftp; int dlen; { int a1, a2, a3, a4, port, olen, nlen, inc, off; char newbuf[IPF_FTPBUFSZ]; char *s, c, delim; u_32_t addr, i; tcphdr_t *tcp; ftpside_t *f; mb_t *m; m = fin->fin_m; tcp = (tcphdr_t *)fin->fin_dp; off = (char *)tcp - (char *)ip + (TCP_OFF(tcp) << 2) + fin->fin_ipoff; f = &ftp->ftp_side[0]; delim = f->ftps_rptr[5]; s = f->ftps_rptr + 8; /* * get the IP address. */ i = 0; while (((c = *s++) != '\0') && ISDIGIT(c)) { i *= 10; i += c - '0'; } if (i > 255) return 0; if (c != '.') return 0; addr = (i << 24); i = 0; while (((c = *s++) != '\0') && ISDIGIT(c)) { i *= 10; i += c - '0'; } if (i > 255) return 0; if (c != '.') return 0; addr |= (addr << 16); i = 0; while (((c = *s++) != '\0') && ISDIGIT(c)) { i *= 10; i += c - '0'; } if (i > 255) return 0; if (c != '.') return 0; addr |= (addr << 8); i = 0; while (((c = *s++) != '\0') && ISDIGIT(c)) { i *= 10; i += c - '0'; } if (i > 255) return 0; if (c != delim) return 0; addr |= addr; /* * Get the port number */ i = 0; while (((c = *s++) != '\0') && ISDIGIT(c)) { i *= 10; i += c - '0'; } if (i > 65535) return 0; if (c != delim) return 0; port = i; /* * Check for CR-LF at the end of the command string. */ if ((*s != '\r') || (*(s + 1) != '\n')) { DT(eprt4_no_crlf); if (softf->ipf_p_ftp_debug & DEBUG_PARSE_ERR) printf("ipf_p_ftp_eprt4:missing %s\n", "cr-lf"); return 0; } s += 2; /* * Calculate new address parts for PORT command */ if (nat->nat_dir == NAT_INBOUND) a1 = ntohl(nat->nat_odstaddr); else a1 = ntohl(ip->ip_src.s_addr); a2 = (a1 >> 16) & 0xff; a3 = (a1 >> 8) & 0xff; a4 = a1 & 0xff; a1 >>= 24; olen = s - f->ftps_rptr; /* DO NOT change this to snprintf! */ /* * While we could force the use of | as a delimiter here, it makes * sense to preserve whatever character is being used by the systems * involved in the communication. */ #if defined(SNPRINTF) && defined(_KERNEL) SNPRINTF(newbuf, sizeof(newbuf), "%s %c1%c%u.%u.%u.%u%c%u%c\r\n", "EPRT", delim, delim, a1, a2, a3, a4, delim, port, delim); #else (void) sprintf(newbuf, "%s %c1%c%u.%u.%u.%u%c%u%c\r\n", "EPRT", delim, delim, a1, a2, a3, a4, delim, port, delim); #endif nlen = strlen(newbuf); inc = nlen - olen; if ((inc + fin->fin_plen) > 65535) { DT2(eprt4_len, int, inc, int, fin->fin_plen); if (softf->ipf_p_ftp_debug & DEBUG_ERROR) printf("ipf_p_ftp_eprt4:inc(%d) + ip->ip_len > 65535\n", inc); return 0; } off = (char *)tcp - (char *)ip + (TCP_OFF(tcp) << 2) + fin->fin_ipoff; #if !defined(_KERNEL) M_ADJ(m, inc); #else if (inc < 0) M_ADJ(m, inc); #endif /* the mbuf chain will be extended if necessary by m_copyback() */ COPYBACK(m, off, nlen, newbuf); fin->fin_flx |= FI_DOCKSUM; if (inc != 0) { fin->fin_plen += inc; ip->ip_len = htons(fin->fin_plen); fin->fin_dlen += inc; } f->ftps_cmd = FTPXY_C_EPRT; return ipf_p_ftp_addport(softf, fin, ip, nat, ftp, dlen, port, inc); } int ipf_p_ftp_epsv(softf, fin, ip, nat, ftp, dlen) ipf_ftp_softc_t *softf; fr_info_t *fin; ip_t *ip; nat_t *nat; ftpinfo_t *ftp; int dlen; { char newbuf[IPF_FTPBUFSZ]; u_short ap = 0; ftpside_t *f; char *s; if ((softf->ipf_p_ftp_forcepasv != 0) && (ftp->ftp_side[0].ftps_cmd != FTPXY_C_EPSV)) { DT1(epsv_cmd, int, ftp->ftp_side[0].ftps_cmd); if (softf->ipf_p_ftp_debug & DEBUG_PARSE_ERR) printf("ipf_p_ftp_epsv:ftps_cmd(%d) != FTPXY_C_EPSV\n", ftp->ftp_side[0].ftps_cmd); return 0; } f = &ftp->ftp_side[1]; #define EPSV_REPLEN 33 /* * Check for EPSV reply message. */ if (dlen < IPF_MIN229LEN) { return (0); } else if (strncmp(f->ftps_rptr, "229 Entering Extended Passive Mode", EPSV_REPLEN)) { return (0); } /* * Skip the EPSV command + space */ s = f->ftps_rptr + 33; while (*s && !ISDIGIT(*s)) s++; /* * As per RFC 2428, there are no addres components in the EPSV * response. So we'll go straight to getting the port. */ while (*s && ISDIGIT(*s)) { ap *= 10; ap += *s++ - '0'; } if (*s == '|') s++; if (*s == ')') s++; if (*s == '\n') s--; /* * check for CR-LF at the end. */ if ((*s != '\r') || (*(s + 1) != '\n')) { return 0; } s += 2; #if defined(SNPRINTF) && defined(_KERNEL) SNPRINTF(newbuf, sizeof(newbuf), "%s (|||%u|)\r\n", "229 Entering Extended Passive Mode", ap); #else (void) sprintf(newbuf, "%s (|||%u|)\r\n", "229 Entering Extended Passive Mode", ap); #endif return ipf_p_ftp_pasvreply(softf, fin, ip, nat, ftp, (u_int)ap, newbuf, s); } #ifdef USE_INET6 int ipf_p_ftp_eprt6(softf, fin, ip, nat, ftp, dlen) ipf_ftp_softc_t *softf; fr_info_t *fin; ip_t *ip; nat_t *nat; ftpinfo_t *ftp; int dlen; { int port, olen, nlen, inc, off, left, i; char newbuf[IPF_FTPBUFSZ]; char *s, c; i6addr_t addr, *a6; tcphdr_t *tcp; ip6_t *ip6; char delim; u_short whole; u_short part; ftpside_t *f; u_short *t; int fwd; mb_t *m; u_32_t a; m = fin->fin_m; ip6 = (ip6_t *)ip; f = &ftp->ftp_side[0]; s = f->ftps_rptr + 8; f = &ftp->ftp_side[0]; delim = f->ftps_rptr[5]; tcp = (tcphdr_t *)fin->fin_dp; off = (char *)tcp - (char *)ip + (TCP_OFF(tcp) << 2) + fin->fin_ipoff; addr.i6[0] = 0; addr.i6[1] = 0; addr.i6[2] = 0; addr.i6[3] = 0; /* * Parse an IPv6 address. * Go forward until either :: or | is found. If :: is found, * reverse direction. Direction change is performed to ease * parsing an unknown number of 0s in the middle. */ whole = 0; t = (u_short *)&addr; fwd = 1; for (part = 0; (c = *s) != '\0'; ) { if (c == delim) { *t = htons((u_short)whole); break; } if (c == ':') { *t = part; if (fwd) { *t = htons((u_short)whole); t++; } else { *t = htons((u_short)(whole >> 16)); t--; } whole = 0; if (fwd == 1 && s[1] == ':') { while (*s && *s != '|') s++; if ((c = *s) != delim) break; t = (u_short *)&addr.i6[3]; t++; fwd = 0; } else if (fwd == 0 && s[-1] == ':') { break; } } else { if (c >= '0' && c <= '9') { c -= '0'; } else if (c >= 'a' && c <= 'f') { c -= 'a' + 10; } else if (c >= 'A' && c <= 'F') { c -= 'A' + 10; } if (fwd) { whole <<= 8; whole |= c; } else { whole >>= 8; whole |= ((u_32_t)c) << 24; } } if (fwd) s++; else s--; } if (c != ':' && c != delim) return 0; while (*s != '|') s++; s++; /* * Get the port number */ i = 0; while (((c = *s++) != '\0') && ISDIGIT(c)) { i *= 10; i += c - '0'; } if (i > 65535) return 0; if (c != delim) return 0; port = (u_short)(i & 0xffff); /* * Check for CR-LF at the end of the command string. */ if ((*s != '\r') || (*(s + 1) != '\n')) { DT(eprt6_no_crlf); if (softf->ipf_p_ftp_debug & DEBUG_PARSE_ERR) printf("ipf_p_ftp_eprt6:missing %s\n", "cr-lf"); return 0; } s += 2; /* * Calculate new address parts for PORT command */ a6 = (i6addr_t *)&ip6->ip6_src; olen = s - f->ftps_rptr; /* DO NOT change this to snprintf! */ /* * While we could force the use of | as a delimiter here, it makes * sense to preserve whatever character is being used by the systems * involved in the communication. */ s = newbuf; left = sizeof(newbuf); #if defined(SNPRINTF) && defined(_KERNEL) SNPRINTF(newbuf, left, "EPRT %c2%c", delim, delim); left -= strlen(s) + 1; s += strlen(s); a = ntohl(a6->i6[0]); SNPRINTF(s, left, "%x:%x:", a >> 16, a & 0xffff); left -= strlen(s); s += strlen(s); a = ntohl(a6->i6[1]); SNPRINTF(s, left, "%x:%x:", a >> 16, a & 0xffff); left -= strlen(s); s += strlen(s); a = ntohl(a6->i6[2]); SNPRINTF(s, left, "%x:%x:", a >> 16, a & 0xffff); left -= strlen(s); s += strlen(s); a = ntohl(a6->i6[3]); SNPRINTF(s, left, "%x:%x", a >> 16, a & 0xffff); left -= strlen(s); s += strlen(s); SNPRINTF(s, left, "|%d|\r\n", port); #else (void) sprintf(s, "EPRT %c2%c", delim, delim); s += strlen(s); a = ntohl(a6->i6[0]); sprintf(s, "%x:%x:", a >> 16, a & 0xffff); s += strlen(s); a = ntohl(a6->i6[1]); sprintf(s, "%x:%x:", a >> 16, a & 0xffff); left -= strlen(s); s += strlen(s); a = ntohl(a6->i6[2]); sprintf(s, "%x:%x:", a >> 16, a & 0xffff); left -= strlen(s); s += strlen(s); a = ntohl(a6->i6[3]); sprintf(s, "%x:%x", a >> 16, a & 0xffff); left -= strlen(s); s += strlen(s); sprintf(s, "|%d|\r\n", port); #endif nlen = strlen(newbuf); inc = nlen - olen; if ((inc + fin->fin_plen) > 65535) { DT2(eprt6_len, int, inc, int, fin->fin_plen); if (softf->ipf_p_ftp_debug & DEBUG_ERROR) printf("ipf_p_ftp_eprt6:inc(%d) + ip->ip_len > 65535\n", inc); return 0; } off = (char *)tcp - (char *)ip + (TCP_OFF(tcp) << 2) + fin->fin_ipoff; #if !defined(_KERNEL) M_ADJ(m, inc); #else if (inc < 0) M_ADJ(m, inc); #endif /* the mbuf chain will be extended if necessary by m_copyback() */ COPYBACK(m, off, nlen, newbuf); fin->fin_flx |= FI_DOCKSUM; if (inc != 0) { fin->fin_plen += inc; ip6->ip6_plen = htons(fin->fin_plen - fin->fin_hlen); fin->fin_dlen += inc; } f->ftps_cmd = FTPXY_C_EPRT; return ipf_p_ftp_addport(softf, fin, ip, nat, ftp, dlen, port, inc); } #endif diff --git a/sys/contrib/ipfilter/netinet/ip_proxy.c b/sys/contrib/ipfilter/netinet/ip_proxy.c index 87051b6e6839..4399a9cde8e4 100644 --- a/sys/contrib/ipfilter/netinet/ip_proxy.c +++ b/sys/contrib/ipfilter/netinet/ip_proxy.c @@ -1,1465 +1,1465 @@ /* $FreeBSD$ */ /* * Copyright (C) 2012 by Darren Reed. * * See the IPFILTER.LICENCE file for details on licencing. */ #if defined(KERNEL) || defined(_KERNEL) # undef KERNEL # undef _KERNEL # define KERNEL 1 # define _KERNEL 1 #endif #include #include #include #include #include # include #if !defined(_KERNEL) && !defined(__KERNEL__) # include # include # include # include # define _KERNEL # include # undef _KERNEL #endif # include #include #if defined(_KERNEL) #ifdef __FreeBSD__ # include # endif # include # if !defined(__SVR4) # include # endif #endif #if defined(_KERNEL) && defined(__FreeBSD__) # include # include #else # include #endif #if defined(__SVR4) # include # ifdef _KERNEL # include # endif # include # include #endif #ifdef __FreeBSD__ # include #endif #include #if defined(__FreeBSD__) && defined(_KERNEL) #include #else #define CURVNET_SET(arg) #define CURVNET_RESTORE() #define VNET_DEFINE(_t, _v) _t _v #define VNET_DECLARE(_t, _v) extern _t _v #define VNET(arg) arg #endif #ifdef sun # include #endif #include #include #include # include #include #include #include #include "netinet/ip_compat.h" #include #include "netinet/ip_fil.h" #include "netinet/ip_nat.h" #include "netinet/ip_state.h" #include "netinet/ip_proxy.h" #if defined(__FreeBSD__) # include #endif /* END OF INCLUDES */ #include "netinet/ip_ftp_pxy.c" #include "netinet/ip_tftp_pxy.c" #include "netinet/ip_rcmd_pxy.c" #include "netinet/ip_pptp_pxy.c" #if defined(_KERNEL) # include "netinet/ip_irc_pxy.c" # include "netinet/ip_raudio_pxy.c" # include "netinet/ip_netbios_pxy.c" #endif #include "netinet/ip_ipsec_pxy.c" #include "netinet/ip_rpcb_pxy.c" #if !defined(lint) static const char rcsid[] = "@(#)$Id$"; #endif #define AP_SESS_SIZE 53 static int ipf_proxy_fixseqack(fr_info_t *, ip_t *, ap_session_t *, int ); static aproxy_t *ipf_proxy_create_clone(ipf_main_softc_t *, aproxy_t *); typedef struct ipf_proxy_softc_s { int ips_proxy_debug; int ips_proxy_session_size; ap_session_t **ips_sess_tab; ap_session_t *ips_sess_list; aproxy_t *ips_proxies; int ips_init_run; ipftuneable_t *ipf_proxy_tune; } ipf_proxy_softc_t; static ipftuneable_t ipf_proxy_tuneables[] = { { { (void *)offsetof(ipf_proxy_softc_t, ips_proxy_debug) }, "proxy_debug", 0, 0x1f, stsizeof(ipf_proxy_softc_t, ips_proxy_debug), 0, NULL, NULL }, { { NULL }, NULL, 0, 0, 0, 0, NULL, NULL} }; static aproxy_t *ap_proxylist = NULL; static aproxy_t ips_proxies[] = { #ifdef IPF_FTP_PROXY { NULL, NULL, "ftp", (char)IPPROTO_TCP, 0, 0, 0, ipf_p_ftp_main_load, ipf_p_ftp_main_unload, ipf_p_ftp_soft_create, ipf_p_ftp_soft_destroy, NULL, NULL, ipf_p_ftp_new, ipf_p_ftp_del, ipf_p_ftp_in, ipf_p_ftp_out, NULL, NULL, NULL, NULL, NULL }, #endif #ifdef IPF_TFTP_PROXY { NULL, NULL, "tftp", (char)IPPROTO_UDP, 0, 0, 0, ipf_p_tftp_main_load, ipf_p_tftp_main_unload, ipf_p_tftp_soft_create, ipf_p_tftp_soft_destroy, NULL, NULL, ipf_p_tftp_new, ipf_p_tftp_del, ipf_p_tftp_in, ipf_p_tftp_out, NULL, NULL, NULL, NULL, NULL }, #endif #ifdef IPF_IRC_PROXY { NULL, NULL, "irc", (char)IPPROTO_TCP, 0, 0, 0, ipf_p_irc_main_load, ipf_p_irc_main_unload, NULL, NULL, NULL, NULL, ipf_p_irc_new, NULL, NULL, ipf_p_irc_out, NULL, NULL, NULL, NULL, NULL }, #endif #ifdef IPF_RCMD_PROXY { NULL, NULL, "rcmd", (char)IPPROTO_TCP, 0, 0, 0, ipf_p_rcmd_main_load, ipf_p_rcmd_main_unload, NULL, NULL, NULL, NULL, ipf_p_rcmd_new, ipf_p_rcmd_del, ipf_p_rcmd_in, ipf_p_rcmd_out, NULL, NULL, NULL, NULL, NULL }, #endif #ifdef IPF_RAUDIO_PROXY { NULL, NULL, "raudio", (char)IPPROTO_TCP, 0, 0, 0, ipf_p_raudio_main_load, ipf_p_raudio_main_unload, NULL, NULL, NULL, NULL, ipf_p_raudio_new, NULL, ipf_p_raudio_in, ipf_p_raudio_out, NULL, NULL, NULL, NULL, NULL }, #endif #ifdef IPF_MSNRPC_PROXY { NULL, NULL, "msnrpc", (char)IPPROTO_TCP, 0, 0, 0, ipf_p_msnrpc_init, ipf_p_msnrpc_fini, NULL, NULL, NULL, NULL, ipf_p_msnrpc_new, NULL, ipf_p_msnrpc_in, ipf_p_msnrpc_out, NULL, NULL, NULL, NULL, NULL }, #endif #ifdef IPF_NETBIOS_PROXY { NULL, NULL, "netbios", (char)IPPROTO_UDP, 0, 0, 0, ipf_p_netbios_main_load, ipf_p_netbios_main_unload, NULL, NULL, NULL, NULL, NULL, NULL, NULL, ipf_p_netbios_out, NULL, NULL, NULL, NULL, NULL }, #endif #ifdef IPF_IPSEC_PROXY { NULL, NULL, "ipsec", (char)IPPROTO_UDP, 0, 0, 0, NULL, NULL, ipf_p_ipsec_soft_create, ipf_p_ipsec_soft_destroy, ipf_p_ipsec_soft_init, ipf_p_ipsec_soft_fini, ipf_p_ipsec_new, ipf_p_ipsec_del, ipf_p_ipsec_inout, ipf_p_ipsec_inout, ipf_p_ipsec_match, NULL, NULL, NULL, NULL }, #endif #ifdef IPF_DNS_PROXY { NULL, NULL, "dns", (char)IPPROTO_UDP, 0, 0, 0, NULL, NULL, ipf_p_dns_soft_create, ipf_p_dns_soft_destroy, NULL, NULL, ipf_p_dns_new, ipf_p_ipsec_del, ipf_p_dns_inout, ipf_p_dns_inout, ipf_p_dns_match, ipf_p_dns_ctl, NULL, NULL, NULL }, #endif #ifdef IPF_PPTP_PROXY { NULL, NULL, "pptp", (char)IPPROTO_TCP, 0, 0, 0, ipf_p_pptp_main_load, ipf_p_pptp_main_unload, NULL, NULL, NULL, NULL, ipf_p_pptp_new, ipf_p_pptp_del, ipf_p_pptp_inout, ipf_p_pptp_inout, NULL, NULL, NULL, NULL, NULL }, #endif #ifdef IPF_RPCB_PROXY # ifndef _KERNEL { NULL, NULL, "rpcbt", (char)IPPROTO_TCP, 0, 0, 0, NULL, NULL, NULL, NULL, NULL, NULL, ipf_p_rpcb_new, ipf_p_rpcb_del, ipf_p_rpcb_in, ipf_p_rpcb_out, NULL, NULL, NULL, NULL, NULL }, # endif { NULL, NULL, "rpcbu", (char)IPPROTO_UDP, 0, 0, 0, ipf_p_rpcb_main_load, ipf_p_rpcb_main_unload, NULL, NULL, NULL, NULL, ipf_p_rpcb_new, ipf_p_rpcb_del, ipf_p_rpcb_in, ipf_p_rpcb_out, NULL, NULL, NULL, NULL, NULL }, #endif { NULL, NULL, "", '\0', 0, 0, 0, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL } }; /* ------------------------------------------------------------------------ */ /* Function: ipf_proxy_main_load */ /* Returns: int - 0 == success, else failure. */ /* Parameters: Nil */ /* */ /* Initialise hook for kernel application proxies. */ /* Call the initialise routine for all the compiled in kernel proxies. */ /* ------------------------------------------------------------------------ */ int ipf_proxy_main_load() { aproxy_t *ap; for (ap = ips_proxies; ap->apr_p; ap++) { if (ap->apr_load != NULL) (*ap->apr_load)(); } return 0; } /* ------------------------------------------------------------------------ */ /* Function: ipf_proxy_main_unload */ /* Returns: int - 0 == success, else failure. */ /* Parameters: Nil */ /* */ /* Unload hook for kernel application proxies. */ /* Call the finialise routine for all the compiled in kernel proxies. */ /* ------------------------------------------------------------------------ */ int ipf_proxy_main_unload() { aproxy_t *ap; for (ap = ips_proxies; ap->apr_p; ap++) if (ap->apr_unload != NULL) (*ap->apr_unload)(); for (ap = ap_proxylist; ap; ap = ap->apr_next) if (ap->apr_unload != NULL) (*ap->apr_unload)(); return 0; } /* ------------------------------------------------------------------------ */ /* Function: ipf_proxy_soft_create */ /* Returns: void * - */ /* Parameters: softc(I) - pointer to soft context main structure */ /* */ /* Build the structure to hold all of the run time data to support proxies. */ /* ------------------------------------------------------------------------ */ void * ipf_proxy_soft_create(softc) ipf_main_softc_t *softc; { ipf_proxy_softc_t *softp; aproxy_t *last; aproxy_t *apn; aproxy_t *ap; KMALLOC(softp, ipf_proxy_softc_t *); if (softp == NULL) return softp; bzero((char *)softp, sizeof(*softp)); #if defined(_KERNEL) softp->ips_proxy_debug = 0; #else softp->ips_proxy_debug = 2; #endif softp->ips_proxy_session_size = AP_SESS_SIZE; softp->ipf_proxy_tune = ipf_tune_array_copy(softp, sizeof(ipf_proxy_tuneables), ipf_proxy_tuneables); if (softp->ipf_proxy_tune == NULL) { ipf_proxy_soft_destroy(softc, softp); return NULL; } if (ipf_tune_array_link(softc, softp->ipf_proxy_tune) == -1) { ipf_proxy_soft_destroy(softc, softp); return NULL; } last = NULL; for (ap = ips_proxies; ap->apr_p; ap++) { apn = ipf_proxy_create_clone(softc, ap); if (apn == NULL) goto failed; if (last != NULL) last->apr_next = apn; else softp->ips_proxies = apn; last = apn; } for (ap = ips_proxies; ap != NULL; ap = ap->apr_next) { apn = ipf_proxy_create_clone(softc, ap); if (apn == NULL) goto failed; if (last != NULL) last->apr_next = apn; else softp->ips_proxies = apn; last = apn; } return softp; failed: ipf_proxy_soft_destroy(softc, softp); return NULL; } /* ------------------------------------------------------------------------ */ /* Function: ipf_proxy_soft_create */ /* Returns: void * - */ /* Parameters: softc(I) - pointer to soft context main structure */ /* orig(I) - pointer to proxy definition to copy */ /* */ /* This function clones a proxy definition given by orig and returns a */ /* a pointer to that copy. */ /* ------------------------------------------------------------------------ */ static aproxy_t * ipf_proxy_create_clone(softc, orig) ipf_main_softc_t *softc; aproxy_t *orig; { aproxy_t *apn; KMALLOC(apn, aproxy_t *); if (apn == NULL) return NULL; bcopy((char *)orig, (char *)apn, sizeof(*apn)); apn->apr_next = NULL; apn->apr_soft = NULL; if (apn->apr_create != NULL) { apn->apr_soft = (*apn->apr_create)(softc); if (apn->apr_soft == NULL) { KFREE(apn); return NULL; } } apn->apr_parent = orig; orig->apr_clones++; return apn; } /* ------------------------------------------------------------------------ */ /* Function: ipf_proxy_soft_create */ /* Returns: int - 0 == success, else failure. */ /* Parameters: softc(I) - pointer to soft context main structure */ /* arg(I) - pointer to proxy contect data */ /* */ /* Initialise the proxy context and walk through each of the proxies and */ /* call its initialisation function. This allows for proxies to do any */ /* local setup prior to actual use. */ /* ------------------------------------------------------------------------ */ int ipf_proxy_soft_init(softc, arg) ipf_main_softc_t *softc; void *arg; { ipf_proxy_softc_t *softp; aproxy_t *ap; u_int size; int err; softp = arg; size = softp->ips_proxy_session_size * sizeof(ap_session_t *); KMALLOCS(softp->ips_sess_tab, ap_session_t **, size); if (softp->ips_sess_tab == NULL) return -1; bzero(softp->ips_sess_tab, size); for (ap = softp->ips_proxies; ap != NULL; ap = ap->apr_next) { if (ap->apr_init != NULL) { err = (*ap->apr_init)(softc, ap->apr_soft); if (err != 0) return -2; } } softp->ips_init_run = 1; return 0; } /* ------------------------------------------------------------------------ */ /* Function: ipf_proxy_soft_create */ /* Returns: int - 0 == success, else failure. */ /* Parameters: softc(I) - pointer to soft context main structure */ /* arg(I) - pointer to proxy contect data */ /* */ /* This function should always succeed. It is responsible for ensuring that */ /* the proxy context can be safely called when ipf_proxy_soft_destroy is */ /* called and suring all of the proxies have similarly been instructed. */ /* ------------------------------------------------------------------------ */ int ipf_proxy_soft_fini(softc, arg) ipf_main_softc_t *softc; void *arg; { ipf_proxy_softc_t *softp = arg; aproxy_t *ap; for (ap = softp->ips_proxies; ap != NULL; ap = ap->apr_next) { if (ap->apr_fini != NULL) { (*ap->apr_fini)(softc, ap->apr_soft); } } if (softp->ips_sess_tab != NULL) { KFREES(softp->ips_sess_tab, softp->ips_proxy_session_size * sizeof(ap_session_t *)); softp->ips_sess_tab = NULL; } softp->ips_init_run = 0; return 0; } /* ------------------------------------------------------------------------ */ /* Function: ipf_proxy_soft_destroy */ /* Returns: Nil */ /* Parameters: softc(I) - pointer to soft context main structure */ /* arg(I) - pointer to proxy contect data */ /* */ /* Free up all of the local data structures allocated during creation. */ /* ------------------------------------------------------------------------ */ void ipf_proxy_soft_destroy(softc, arg) ipf_main_softc_t *softc; void *arg; { ipf_proxy_softc_t *softp = arg; aproxy_t *ap; while ((ap = softp->ips_proxies) != NULL) { softp->ips_proxies = ap->apr_next; if (ap->apr_destroy != NULL) (*ap->apr_destroy)(softc, ap->apr_soft); ap->apr_parent->apr_clones--; KFREE(ap); } if (softp->ipf_proxy_tune != NULL) { ipf_tune_array_unlink(softc, softp->ipf_proxy_tune); KFREES(softp->ipf_proxy_tune, sizeof(ipf_proxy_tuneables)); softp->ipf_proxy_tune = NULL; } KFREE(softp); } /* ------------------------------------------------------------------------ */ /* Function: ipf_proxy_flush */ /* Returns: Nil */ /* Parameters: arg(I) - pointer to proxy contect data */ /* how(I) - indicates the type of flush operation */ /* */ /* Walk through all of the proxies and pass on the flush command as either */ /* a flush or a clear. */ /* ------------------------------------------------------------------------ */ void ipf_proxy_flush(arg, how) void *arg; int how; { ipf_proxy_softc_t *softp = arg; aproxy_t *ap; switch (how) { case 0 : for (ap = softp->ips_proxies; ap; ap = ap->apr_next) if (ap->apr_flush != NULL) (*ap->apr_flush)(ap, how); break; case 1 : for (ap = softp->ips_proxies; ap; ap = ap->apr_next) if (ap->apr_clear != NULL) (*ap->apr_clear)(ap); break; default : break; } } /* ------------------------------------------------------------------------ */ /* Function: ipf_proxy_add */ /* Returns: int - 0 == success, else failure. */ /* Parameters: ap(I) - pointer to proxy structure */ /* */ /* Dynamically add a new kernel proxy. Ensure that it is unique in the */ /* collection compiled in and dynamically added. */ /* ------------------------------------------------------------------------ */ int ipf_proxy_add(arg, ap) void *arg; aproxy_t *ap; { ipf_proxy_softc_t *softp = arg; aproxy_t *a; for (a = ips_proxies; a->apr_p; a++) if ((a->apr_p == ap->apr_p) && !strncmp(a->apr_label, ap->apr_label, sizeof(ap->apr_label))) { if (softp->ips_proxy_debug & 0x01) printf("ipf_proxy_add: %s/%d present (B)\n", a->apr_label, a->apr_p); return -1; } for (a = ap_proxylist; (a != NULL); a = a->apr_next) if ((a->apr_p == ap->apr_p) && !strncmp(a->apr_label, ap->apr_label, sizeof(ap->apr_label))) { if (softp->ips_proxy_debug & 0x01) printf("ipf_proxy_add: %s/%d present (D)\n", a->apr_label, a->apr_p); return -1; } ap->apr_next = ap_proxylist; ap_proxylist = ap; if (ap->apr_load != NULL) (*ap->apr_load)(); return 0; } /* ------------------------------------------------------------------------ */ /* Function: ipf_proxy_ctl */ /* Returns: int - 0 == success, else error */ /* Parameters: softc(I) - pointer to soft context main structure */ /* arg(I) - pointer to proxy context */ /* ctl(I) - pointer to proxy control structure */ /* */ /* Check to see if the proxy this control request has come through for */ /* exists, and if it does and it has a control function then invoke that */ /* control function. */ /* ------------------------------------------------------------------------ */ int ipf_proxy_ctl(softc, arg, ctl) ipf_main_softc_t *softc; void *arg; ap_ctl_t *ctl; { ipf_proxy_softc_t *softp = arg; aproxy_t *a; int error; a = ipf_proxy_lookup(arg, ctl->apc_p, ctl->apc_label); if (a == NULL) { if (softp->ips_proxy_debug & 0x01) printf("ipf_proxy_ctl: can't find %s/%d\n", ctl->apc_label, ctl->apc_p); IPFERROR(80001); error = ESRCH; } else if (a->apr_ctl == NULL) { if (softp->ips_proxy_debug & 0x01) printf("ipf_proxy_ctl: no ctl function for %s/%d\n", ctl->apc_label, ctl->apc_p); IPFERROR(80002); error = ENXIO; } else { error = (*a->apr_ctl)(softc, a->apr_soft, ctl); if ((error != 0) && (softp->ips_proxy_debug & 0x02)) printf("ipf_proxy_ctl: %s/%d ctl error %d\n", a->apr_label, a->apr_p, error); } return error; } /* ------------------------------------------------------------------------ */ /* Function: ipf_proxy_del */ /* Returns: int - 0 == success, else failure. */ /* Parameters: ap(I) - pointer to proxy structure */ /* */ /* Delete a proxy that has been added dynamically from those available. */ /* If it is in use, return 1 (do not destroy NOW), not in use 0 or -1 */ /* if it cannot be matched. */ /* ------------------------------------------------------------------------ */ int ipf_proxy_del(ap) aproxy_t *ap; { aproxy_t *a, **app; for (app = &ap_proxylist; ((a = *app) != NULL); app = &a->apr_next) { if (a == ap) { a->apr_flags |= APR_DELETE; if (ap->apr_ref == 0 && ap->apr_clones == 0) { *app = a->apr_next; return 0; } return 1; } } return -1; } /* ------------------------------------------------------------------------ */ /* Function: ipf_proxy_ok */ /* Returns: int - 1 == good match else not. */ /* Parameters: fin(I) - pointer to packet information */ /* tcp(I) - pointer to TCP/UDP header */ /* nat(I) - pointer to current NAT session */ /* */ /* This function extends the NAT matching to ensure that a packet that has */ /* arrived matches the proxy information attached to the NAT rule. Notably, */ /* if the proxy is scheduled to be deleted then packets will not match the */ /* rule even if the rule is still active. */ /* ------------------------------------------------------------------------ */ int ipf_proxy_ok(fin, tcp, np) fr_info_t *fin; tcphdr_t *tcp; ipnat_t *np; { aproxy_t *apr = np->in_apr; u_short dport = np->in_odport; if ((apr == NULL) || (apr->apr_flags & APR_DELETE) || (fin->fin_p != apr->apr_p)) return 0; if ((tcp == NULL) && dport) return 0; return 1; } /* ------------------------------------------------------------------------ */ /* Function: ipf_proxy_ioctl */ /* Returns: int - 0 == success, else error */ /* Parameters: softc(I) - pointer to soft context main structure */ /* data(I) - pointer to ioctl data */ /* cmd(I) - ioctl command */ /* mode(I) - mode bits for device */ /* ctx(I) - pointer to context information */ /* */ /* ------------------------------------------------------------------------ */ int ipf_proxy_ioctl(softc, data, cmd, mode, ctx) ipf_main_softc_t *softc; caddr_t data; ioctlcmd_t cmd; int mode; void *ctx; { ap_ctl_t ctl; caddr_t ptr; int error; mode = mode; /* LINT */ switch (cmd) { case SIOCPROXY : error = ipf_inobj(softc, data, NULL, &ctl, IPFOBJ_PROXYCTL); if (error != 0) { return error; } ptr = NULL; if (ctl.apc_dsize > 0) { KMALLOCS(ptr, caddr_t, ctl.apc_dsize); if (ptr == NULL) { IPFERROR(80003); error = ENOMEM; } else { error = copyinptr(softc, ctl.apc_data, ptr, ctl.apc_dsize); if (error == 0) ctl.apc_data = ptr; } } else { ctl.apc_data = NULL; error = 0; } if (error == 0) error = ipf_proxy_ctl(softc, softc->ipf_proxy_soft, &ctl); if ((error != 0) && (ptr != NULL)) { KFREES(ptr, ctl.apc_dsize); } break; default : IPFERROR(80004); error = EINVAL; } return error; } /* ------------------------------------------------------------------------ */ /* Function: ipf_proxy_match */ /* Returns: int - 0 == success, else error */ /* Parameters: fin(I) - pointer to packet information */ /* nat(I) - pointer to current NAT session */ /* */ /* If a proxy has a match function, call that to do extended packet */ /* matching. Whilst other parts of the NAT code are rather lenient when it */ /* comes to the quality of the packet that it will transform, the proxy */ /* matching is not because they need to work with data, not just headers. */ /* ------------------------------------------------------------------------ */ int ipf_proxy_match(fin, nat) fr_info_t *fin; nat_t *nat; { ipf_main_softc_t *softc = fin->fin_main_soft; ipf_proxy_softc_t *softp = softc->ipf_proxy_soft; aproxy_t *apr; ipnat_t *ipn; int result; ipn = nat->nat_ptr; if (softp->ips_proxy_debug & 0x04) printf("ipf_proxy_match(%lx,%lx) aps %lx ptr %lx\n", (u_long)fin, (u_long)nat, (u_long)nat->nat_aps, (u_long)ipn); if ((fin->fin_flx & (FI_SHORT|FI_BAD)) != 0) { if (softp->ips_proxy_debug & 0x08) printf("ipf_proxy_match: flx 0x%x (BAD|SHORT)\n", fin->fin_flx); return -1; } apr = ipn->in_apr; if ((apr == NULL) || (apr->apr_flags & APR_DELETE)) { if (softp->ips_proxy_debug & 0x08) printf("ipf_proxy_match:apr %lx apr_flags 0x%x\n", (u_long)apr, apr ? apr->apr_flags : 0); return -1; } if (apr->apr_match != NULL) { result = (*apr->apr_match)(fin, nat->nat_aps, nat); if (result != 0) { if (softp->ips_proxy_debug & 0x08) printf("ipf_proxy_match: result %d\n", result); return -1; } } return 0; } /* ------------------------------------------------------------------------ */ /* Function: ipf_proxy_new */ /* Returns: int - 0 == success, else error */ /* Parameters: fin(I) - pointer to packet information */ /* nat(I) - pointer to current NAT session */ /* */ /* Allocate a new application proxy structure and fill it in with the */ /* relevant details. call the init function once complete, prior to */ /* returning. */ /* ------------------------------------------------------------------------ */ int ipf_proxy_new(fin, nat) fr_info_t *fin; nat_t *nat; { ipf_main_softc_t *softc = fin->fin_main_soft; ipf_proxy_softc_t *softp = softc->ipf_proxy_soft; register ap_session_t *aps; aproxy_t *apr; if (softp->ips_proxy_debug & 0x04) printf("ipf_proxy_new(%lx,%lx) \n", (u_long)fin, (u_long)nat); if ((nat->nat_ptr == NULL) || (nat->nat_aps != NULL)) { if (softp->ips_proxy_debug & 0x08) printf("ipf_proxy_new: nat_ptr %lx nat_aps %lx\n", (u_long)nat->nat_ptr, (u_long)nat->nat_aps); return -1; } apr = nat->nat_ptr->in_apr; if ((apr->apr_flags & APR_DELETE) || (fin->fin_p != apr->apr_p)) { if (softp->ips_proxy_debug & 0x08) printf("ipf_proxy_new: apr_flags 0x%x p %d/%d\n", apr->apr_flags, fin->fin_p, apr->apr_p); return -1; } KMALLOC(aps, ap_session_t *); if (!aps) { if (softp->ips_proxy_debug & 0x08) printf("ipf_proxy_new: malloc failed (%lu)\n", (u_long)sizeof(ap_session_t)); return -1; } bzero((char *)aps, sizeof(*aps)); aps->aps_data = NULL; aps->aps_apr = apr; aps->aps_psiz = 0; if (apr->apr_new != NULL) if ((*apr->apr_new)(apr->apr_soft, fin, aps, nat) == -1) { if ((aps->aps_data != NULL) && (aps->aps_psiz != 0)) { KFREES(aps->aps_data, aps->aps_psiz); } KFREE(aps); if (softp->ips_proxy_debug & 0x08) printf("ipf_proxy_new: new(%lx) failed\n", (u_long)apr->apr_new); return -1; } aps->aps_nat = nat; aps->aps_next = softp->ips_sess_list; softp->ips_sess_list = aps; nat->nat_aps = aps; return 0; } /* ------------------------------------------------------------------------ */ /* Function: ipf_proxy_check */ /* Returns: int - -1 == error, 0 == success */ /* Parameters: fin(I) - pointer to packet information */ /* nat(I) - pointer to current NAT session */ /* */ /* Check to see if a packet should be passed through an active proxy */ /* routine if one has been setup for it. We don't need to check the */ /* checksum here if IPFILTER_CKSUM is defined because if it is, a failed */ /* check causes FI_BAD to be set. */ /* ------------------------------------------------------------------------ */ int ipf_proxy_check(fin, nat) fr_info_t *fin; nat_t *nat; { ipf_main_softc_t *softc = fin->fin_main_soft; ipf_proxy_softc_t *softp = softc->ipf_proxy_soft; #if SOLARIS && defined(_KERNEL) && defined(ICK_VALID) mb_t *m; #endif tcphdr_t *tcp = NULL; udphdr_t *udp = NULL; ap_session_t *aps; aproxy_t *apr; short adjlen; int dosum; ip_t *ip; short rv; int err; #if !defined(_KERNEL) || SOLARIS u_32_t s1, s2, sd; #endif if (fin->fin_flx & FI_BAD) { if (softp->ips_proxy_debug & 0x08) printf("ipf_proxy_check: flx 0x%x (BAD)\n", fin->fin_flx); return -1; } #ifndef IPFILTER_CKSUM if ((fin->fin_out == 0) && (ipf_checkl4sum(fin) == -1)) { if (softp->ips_proxy_debug & 0x08) printf("ipf_proxy_check: l4 checksum failure %d\n", fin->fin_p); if (fin->fin_p == IPPROTO_TCP) softc->ipf_stats[fin->fin_out].fr_tcpbad++; return -1; } #endif aps = nat->nat_aps; if (aps != NULL) { /* * If there is data in this packet to be proxied then try and * get it all into the one buffer, else drop it. */ #if SOLARIS || defined(HAVE_M_PULLDOWN) if ((fin->fin_dlen > 0) && !(fin->fin_flx & FI_COALESCE)) if (ipf_coalesce(fin) == -1) { if (softp->ips_proxy_debug & 0x08) printf("ipf_proxy_check: %s %x\n", "coalesce failed", fin->fin_flx); return -1; } #endif ip = fin->fin_ip; if (fin->fin_cksum > FI_CK_SUMOK) dosum = 0; else dosum = 1; switch (fin->fin_p) { case IPPROTO_TCP : tcp = (tcphdr_t *)fin->fin_dp; #if SOLARIS && defined(_KERNEL) && defined(ICK_VALID) m = fin->fin_qfm; if (dohwcksum && (m->b_ick_flag == ICK_VALID)) dosum = 0; #endif break; case IPPROTO_UDP : udp = (udphdr_t *)fin->fin_dp; break; default : break; } apr = aps->aps_apr; err = 0; if (fin->fin_out != 0) { if (apr->apr_outpkt != NULL) err = (*apr->apr_outpkt)(apr->apr_soft, fin, aps, nat); } else { if (apr->apr_inpkt != NULL) err = (*apr->apr_inpkt)(apr->apr_soft, fin, aps, nat); } rv = APR_EXIT(err); if (((softp->ips_proxy_debug & 0x08) && (rv != 0)) || (softp->ips_proxy_debug & 0x04)) printf("ipf_proxy_check: out %d err %x rv %d\n", fin->fin_out, err, rv); if (rv == 1) return -1; if (rv == 2) { ipf_proxy_deref(apr); nat->nat_aps = NULL; return -1; } /* * If err != 0 then the data size of the packet has changed * so we need to recalculate the header checksums for the * packet. */ adjlen = APR_INC(err); #if !defined(_KERNEL) || SOLARIS s1 = LONG_SUM(fin->fin_plen - adjlen); s2 = LONG_SUM(fin->fin_plen); CALC_SUMD(s1, s2, sd); if ((err != 0) && (fin->fin_cksum < FI_CK_L4PART) && fin->fin_v == 4) ipf_fix_outcksum(0, &ip->ip_sum, sd, 0); #endif if (fin->fin_flx & FI_DOCKSUM) dosum = 1; /* * For TCP packets, we may need to adjust the sequence and * acknowledgement numbers to reflect changes in size of the * data stream. * * For both TCP and UDP, recalculate the layer 4 checksum, * regardless, as we can't tell (here) if data has been * changed or not. */ if (tcp != NULL) { err = ipf_proxy_fixseqack(fin, ip, aps, adjlen); if (fin->fin_cksum == FI_CK_L4PART) { u_short sum = ntohs(tcp->th_sum); sum += adjlen; tcp->th_sum = htons(sum); } else if (fin->fin_cksum < FI_CK_L4PART) { tcp->th_sum = fr_cksum(fin, ip, IPPROTO_TCP, tcp); } } else if ((udp != NULL) && (udp->uh_sum != 0)) { if (fin->fin_cksum == FI_CK_L4PART) { u_short sum = ntohs(udp->uh_sum); sum += adjlen; udp->uh_sum = htons(sum); } else if (dosum) { udp->uh_sum = fr_cksum(fin, ip, IPPROTO_UDP, udp); } } aps->aps_bytes += fin->fin_plen; aps->aps_pkts++; } return 1; } /* ------------------------------------------------------------------------ */ /* Function: ipf_proxy_lookup */ /* Returns: int - -1 == error, 0 == success */ /* Parameters: arg(I) - pointer to proxy context information */ /* pr(I) - protocol number for proxy */ /* name(I) - proxy name */ /* */ /* Search for an proxy by the protocol it is being used with and its name. */ /* ------------------------------------------------------------------------ */ aproxy_t * ipf_proxy_lookup(arg, pr, name) void *arg; u_int pr; char *name; { ipf_proxy_softc_t *softp = arg; aproxy_t *ap; if (softp->ips_proxy_debug & 0x04) printf("ipf_proxy_lookup(%d,%s)\n", pr, name); for (ap = softp->ips_proxies; ap != NULL; ap = ap->apr_next) if ((ap->apr_p == pr) && !strncmp(name, ap->apr_label, sizeof(ap->apr_label))) { ap->apr_ref++; return ap; } if (softp->ips_proxy_debug & 0x08) printf("ipf_proxy_lookup: failed for %d/%s\n", pr, name); return NULL; } /* ------------------------------------------------------------------------ */ /* Function: ipf_proxy_deref */ /* Returns: Nil */ /* Parameters: ap(I) - pointer to proxy structure */ /* */ /* Drop the reference counter associated with the proxy. */ /* ------------------------------------------------------------------------ */ void ipf_proxy_deref(ap) aproxy_t *ap; { ap->apr_ref--; } /* ------------------------------------------------------------------------ */ /* Function: ipf_proxy_free */ /* Returns: Nil */ /* Parameters: softc(I) - pointer to soft context main structure */ /* aps(I) - pointer to current proxy session */ /* Locks Held: ipf_nat_new, ipf_nat(W) */ /* */ /* Free up proxy session information allocated to be used with a NAT */ /* session. */ /* ------------------------------------------------------------------------ */ void ipf_proxy_free(softc, aps) ipf_main_softc_t *softc; ap_session_t *aps; { ipf_proxy_softc_t *softp = softc->ipf_proxy_soft; ap_session_t *a, **ap; aproxy_t *apr; if (!aps) return; for (ap = &softp->ips_sess_list; ((a = *ap) != NULL); ap = &a->aps_next) if (a == aps) { *ap = a->aps_next; break; } apr = aps->aps_apr; if ((apr != NULL) && (apr->apr_del != NULL)) (*apr->apr_del)(softc, aps); if ((aps->aps_data != NULL) && (aps->aps_psiz != 0)) KFREES(aps->aps_data, aps->aps_psiz); KFREE(aps); } /* ------------------------------------------------------------------------ */ /* Function: ipf_proxy_fixseqack */ /* Returns: int - 2 if TCP ack/seq is changed, else 0 */ /* Parameters: fin(I) - pointer to packet information */ /* ip(I) - pointer to IP header */ /* nat(I) - pointer to current NAT session */ /* inc(I) - delta to apply to TCP sequence numbering */ /* */ /* Adjust the TCP sequence/acknowledge numbers in the TCP header based on */ /* whether or not the new header is past the point at which an adjustment */ /* occurred. This might happen because of (say) an FTP string being changed */ /* and the new string being a different length to the old. */ /* ------------------------------------------------------------------------ */ static int ipf_proxy_fixseqack(fin, ip, aps, inc) fr_info_t *fin; ip_t *ip; ap_session_t *aps; int inc; { ipf_main_softc_t *softc = fin->fin_main_soft; ipf_proxy_softc_t *softp = softc->ipf_proxy_soft; int sel, ch = 0, out, nlen; u_32_t seq1, seq2; tcphdr_t *tcp; short inc2; tcp = (tcphdr_t *)fin->fin_dp; out = fin->fin_out; /* * ip_len has already been adjusted by 'inc'. */ nlen = fin->fin_dlen; nlen -= (TCP_OFF(tcp) << 2); inc2 = inc; inc = (int)inc2; if (out != 0) { seq1 = (u_32_t)ntohl(tcp->th_seq); sel = aps->aps_sel[out]; /* switch to other set ? */ if ((aps->aps_seqmin[!sel] > aps->aps_seqmin[sel]) && (seq1 > aps->aps_seqmin[!sel])) { if (softp->ips_proxy_debug & 0x10) printf("proxy out switch set seq %d -> %d %x > %x\n", sel, !sel, seq1, aps->aps_seqmin[!sel]); sel = aps->aps_sel[out] = !sel; } if (aps->aps_seqoff[sel]) { seq2 = aps->aps_seqmin[sel] - aps->aps_seqoff[sel]; if (seq1 > seq2) { seq2 = aps->aps_seqoff[sel]; seq1 += seq2; tcp->th_seq = htonl(seq1); ch = 1; } } if (inc && (seq1 > aps->aps_seqmin[!sel])) { aps->aps_seqmin[sel] = seq1 + nlen - 1; aps->aps_seqoff[sel] = aps->aps_seqoff[sel] + inc; if (softp->ips_proxy_debug & 0x10) printf("proxy seq set %d at %x to %d + %d\n", sel, aps->aps_seqmin[sel], aps->aps_seqoff[sel], inc); } /***/ seq1 = ntohl(tcp->th_ack); sel = aps->aps_sel[1 - out]; /* switch to other set ? */ if ((aps->aps_ackmin[!sel] > aps->aps_ackmin[sel]) && (seq1 > aps->aps_ackmin[!sel])) { if (softp->ips_proxy_debug & 0x10) printf("proxy out switch set ack %d -> %d %x > %x\n", sel, !sel, seq1, aps->aps_ackmin[!sel]); sel = aps->aps_sel[1 - out] = !sel; } if (aps->aps_ackoff[sel] && (seq1 > aps->aps_ackmin[sel])) { seq2 = aps->aps_ackoff[sel]; tcp->th_ack = htonl(seq1 - seq2); ch = 1; } } else { seq1 = ntohl(tcp->th_seq); sel = aps->aps_sel[out]; /* switch to other set ? */ if ((aps->aps_ackmin[!sel] > aps->aps_ackmin[sel]) && (seq1 > aps->aps_ackmin[!sel])) { if (softp->ips_proxy_debug & 0x10) printf("proxy in switch set ack %d -> %d %x > %x\n", sel, !sel, seq1, aps->aps_ackmin[!sel]); sel = aps->aps_sel[out] = !sel; } if (aps->aps_ackoff[sel]) { seq2 = aps->aps_ackmin[sel] - aps->aps_ackoff[sel]; if (seq1 > seq2) { seq2 = aps->aps_ackoff[sel]; seq1 += seq2; tcp->th_seq = htonl(seq1); ch = 1; } } if (inc && (seq1 > aps->aps_ackmin[!sel])) { aps->aps_ackmin[!sel] = seq1 + nlen - 1; aps->aps_ackoff[!sel] = aps->aps_ackoff[sel] + inc; if (softp->ips_proxy_debug & 0x10) printf("proxy ack set %d at %x to %d + %d\n", !sel, aps->aps_seqmin[!sel], aps->aps_seqoff[sel], inc); } /***/ seq1 = ntohl(tcp->th_ack); sel = aps->aps_sel[1 - out]; /* switch to other set ? */ if ((aps->aps_seqmin[!sel] > aps->aps_seqmin[sel]) && (seq1 > aps->aps_seqmin[!sel])) { if (softp->ips_proxy_debug & 0x10) printf("proxy in switch set seq %d -> %d %x > %x\n", sel, !sel, seq1, aps->aps_seqmin[!sel]); sel = aps->aps_sel[1 - out] = !sel; } if (aps->aps_seqoff[sel] != 0) { if (softp->ips_proxy_debug & 0x10) printf("sel %d seqoff %d seq1 %x seqmin %x\n", sel, aps->aps_seqoff[sel], seq1, aps->aps_seqmin[sel]); if (seq1 > aps->aps_seqmin[sel]) { seq2 = aps->aps_seqoff[sel]; tcp->th_ack = htonl(seq1 - seq2); ch = 1; } } } if (softp->ips_proxy_debug & 0x10) printf("ipf_proxy_fixseqack: seq %u ack %u\n", (u_32_t)ntohl(tcp->th_seq), (u_32_t)ntohl(tcp->th_ack)); return ch ? 2 : 0; } /* ------------------------------------------------------------------------ */ /* Function: ipf_proxy_rule_rev */ /* Returns: ipnat_t * - NULL = failure, else pointer to new rule */ /* Parameters: nat(I) - pointer to NAT session to create rule from */ /* */ /* This function creates a NAT rule that is based upon the reverse packet */ /* flow associated with this NAT session. Thus if this NAT session was */ /* created with a map rule then this function will create a rdr rule. */ /* Only address fields and network interfaces are assigned in this function */ /* and the address fields are formed such that an exact is required. If the */ /* original rule had a netmask, that is not replicated here not is it */ /* desired. The ultimate goal here is to create a NAT rule to support a NAT */ /* session being created that does not have a user configured rule. The */ /* classic example is supporting the FTP proxy, where a data channel needs */ /* to be setup, based on the addresses used for the control connection. In */ /* that case, this function is used to handle creating NAT rules to support */ /* data connections with the PORT and EPRT commands. */ /* ------------------------------------------------------------------------ */ ipnat_t * ipf_proxy_rule_rev(nat) nat_t *nat; { ipnat_t *old; ipnat_t *ipn; int size; old = nat->nat_ptr; size = old->in_size; KMALLOCS(ipn, ipnat_t *, size); if (ipn == NULL) return NULL; bzero((char *)ipn, size); ipn->in_use = 1; ipn->in_hits = 1; ipn->in_ippip = 1; ipn->in_apr = NULL; ipn->in_size = size; ipn->in_pr[0] = old->in_pr[1]; ipn->in_pr[1] = old->in_pr[0]; ipn->in_v[0] = old->in_v[1]; ipn->in_v[1] = old->in_v[0]; ipn->in_ifps[0] = old->in_ifps[1]; ipn->in_ifps[1] = old->in_ifps[0]; ipn->in_flags = (old->in_flags | IPN_PROXYRULE); ipn->in_nsrcip6 = nat->nat_odst6; ipn->in_osrcip6 = nat->nat_ndst6; if ((old->in_redir & NAT_REDIRECT) != 0) { ipn->in_redir = NAT_MAP; if (ipn->in_v[0] == 4) { ipn->in_snip = ntohl(nat->nat_odstaddr); ipn->in_dnip = ntohl(nat->nat_nsrcaddr); - } else { #ifdef USE_INET6 + } else { ipn->in_snip6 = nat->nat_odst6; ipn->in_dnip6 = nat->nat_nsrc6; #endif } ipn->in_ndstip6 = nat->nat_nsrc6; ipn->in_odstip6 = nat->nat_osrc6; } else { ipn->in_redir = NAT_REDIRECT; if (ipn->in_v[0] == 4) { ipn->in_snip = ntohl(nat->nat_odstaddr); ipn->in_dnip = ntohl(nat->nat_osrcaddr); } else { #ifdef USE_INET6 ipn->in_snip6 = nat->nat_odst6; ipn->in_dnip6 = nat->nat_osrc6; #endif } ipn->in_ndstip6 = nat->nat_osrc6; ipn->in_odstip6 = nat->nat_nsrc6; } IP6_SETONES(&ipn->in_osrcmsk6); IP6_SETONES(&ipn->in_nsrcmsk6); IP6_SETONES(&ipn->in_odstmsk6); IP6_SETONES(&ipn->in_ndstmsk6); ipn->in_namelen = old->in_namelen; ipn->in_ifnames[0] = old->in_ifnames[1]; ipn->in_ifnames[1] = old->in_ifnames[0]; bcopy(old->in_names, ipn->in_names, ipn->in_namelen); MUTEX_INIT(&ipn->in_lock, "ipnat rev rule lock"); return ipn; } /* ------------------------------------------------------------------------ */ /* Function: ipf_proxy_rule_fwd */ /* Returns: ipnat_t * - NULL = failure, else pointer to new rule */ /* Parameters: nat(I) - pointer to NAT session to create rule from */ /* */ /* The purpose and rationale of this function is much the same as the above */ /* function, ipf_proxy_rule_rev, except that a rule is created that matches */ /* the same direction as that of the existing NAT session. Thus if this NAT */ /* session was created with a map rule then this function will also create */ /* a data structure to represent a map rule. Whereas ipf_proxy_rule_rev is */ /* used to support PORT/EPRT, this function supports PASV/EPSV. */ /* ------------------------------------------------------------------------ */ ipnat_t * ipf_proxy_rule_fwd(nat) nat_t *nat; { ipnat_t *old; ipnat_t *ipn; int size; old = nat->nat_ptr; size = old->in_size; KMALLOCS(ipn, ipnat_t *, size); if (ipn == NULL) return NULL; bzero((char *)ipn, size); ipn->in_use = 1; ipn->in_hits = 1; ipn->in_ippip = 1; ipn->in_apr = NULL; ipn->in_size = size; ipn->in_pr[0] = old->in_pr[0]; ipn->in_pr[1] = old->in_pr[1]; ipn->in_v[0] = old->in_v[0]; ipn->in_v[1] = old->in_v[1]; ipn->in_ifps[0] = nat->nat_ifps[0]; ipn->in_ifps[1] = nat->nat_ifps[1]; ipn->in_flags = (old->in_flags | IPN_PROXYRULE); ipn->in_nsrcip6 = nat->nat_nsrc6; ipn->in_osrcip6 = nat->nat_osrc6; ipn->in_ndstip6 = nat->nat_ndst6; ipn->in_odstip6 = nat->nat_odst6; ipn->in_redir = old->in_redir; if (ipn->in_v[0] == 4) { ipn->in_snip = ntohl(nat->nat_nsrcaddr); ipn->in_dnip = ntohl(nat->nat_ndstaddr); } else { #ifdef USE_INET6 ipn->in_snip6 = nat->nat_nsrc6; ipn->in_dnip6 = nat->nat_ndst6; #endif } IP6_SETONES(&ipn->in_osrcmsk6); IP6_SETONES(&ipn->in_nsrcmsk6); IP6_SETONES(&ipn->in_odstmsk6); IP6_SETONES(&ipn->in_ndstmsk6); ipn->in_namelen = old->in_namelen; ipn->in_ifnames[0] = old->in_ifnames[0]; ipn->in_ifnames[1] = old->in_ifnames[1]; bcopy(old->in_names, ipn->in_names, ipn->in_namelen); MUTEX_INIT(&ipn->in_lock, "ipnat fwd rule lock"); return ipn; }