]>
Commit | Line | Data |
---|---|---|
9fb9cbb1 YK |
1 | /* FTP extension for connection tracking. */ |
2 | ||
3 | /* (C) 1999-2001 Paul `Rusty' Russell | |
4 | * (C) 2002-2004 Netfilter Core Team <coreteam@netfilter.org> | |
5 | * (C) 2003,2004 USAGI/WIDE Project <http://www.linux-ipv6.org> | |
6 | * | |
7 | * This program is free software; you can redistribute it and/or modify | |
8 | * it under the terms of the GNU General Public License version 2 as | |
9 | * published by the Free Software Foundation. | |
10 | * | |
11 | * 16 Dec 2003: Yasuyuki Kozakai @USAGI <yasuyuki.kozakai@toshiba.co.jp> | |
12 | * - enable working with Layer 3 protocol independent connection tracking. | |
13 | * - track EPRT and EPSV commands with IPv6 address. | |
14 | * | |
15 | * Derived from net/ipv4/netfilter/ip_conntrack_ftp.c | |
16 | */ | |
17 | ||
18 | #include <linux/config.h> | |
19 | #include <linux/module.h> | |
20 | #include <linux/moduleparam.h> | |
21 | #include <linux/netfilter.h> | |
22 | #include <linux/ip.h> | |
23 | #include <linux/ipv6.h> | |
24 | #include <linux/ctype.h> | |
25 | #include <net/checksum.h> | |
26 | #include <net/tcp.h> | |
27 | ||
28 | #include <net/netfilter/nf_conntrack.h> | |
29 | #include <net/netfilter/nf_conntrack_helper.h> | |
30 | #include <linux/netfilter/nf_conntrack_ftp.h> | |
31 | ||
32 | MODULE_LICENSE("GPL"); | |
33 | MODULE_AUTHOR("Rusty Russell <rusty@rustcorp.com.au>"); | |
34 | MODULE_DESCRIPTION("ftp connection tracking helper"); | |
35 | ||
36 | /* This is slow, but it's simple. --RR */ | |
37 | static char *ftp_buffer; | |
38 | ||
39 | static DEFINE_SPINLOCK(nf_ftp_lock); | |
40 | ||
41 | #define MAX_PORTS 8 | |
42 | static u_int16_t ports[MAX_PORTS]; | |
43 | static unsigned int ports_c; | |
44 | module_param_array(ports, ushort, &ports_c, 0400); | |
45 | ||
46 | static int loose; | |
e7be6994 | 47 | module_param(loose, bool, 0600); |
9fb9cbb1 YK |
48 | |
49 | unsigned int (*nf_nat_ftp_hook)(struct sk_buff **pskb, | |
50 | enum ip_conntrack_info ctinfo, | |
51 | enum ip_ct_ftp_type type, | |
52 | unsigned int matchoff, | |
53 | unsigned int matchlen, | |
54 | struct nf_conntrack_expect *exp, | |
55 | u32 *seq); | |
56 | EXPORT_SYMBOL_GPL(nf_nat_ftp_hook); | |
57 | ||
58 | #if 0 | |
59 | #define DEBUGP printk | |
60 | #else | |
61 | #define DEBUGP(format, args...) | |
62 | #endif | |
63 | ||
64 | static int try_rfc959(const char *, size_t, struct nf_conntrack_man *, char); | |
65 | static int try_eprt(const char *, size_t, struct nf_conntrack_man *, char); | |
66 | static int try_epsv_response(const char *, size_t, struct nf_conntrack_man *, | |
67 | char); | |
68 | ||
69 | static struct ftp_search { | |
70 | enum ip_conntrack_dir dir; | |
71 | const char *pattern; | |
72 | size_t plen; | |
73 | char skip; | |
74 | char term; | |
75 | enum ip_ct_ftp_type ftptype; | |
76 | int (*getnum)(const char *, size_t, struct nf_conntrack_man *, char); | |
77 | } search[] = { | |
78 | { | |
79 | IP_CT_DIR_ORIGINAL, | |
80 | "PORT", sizeof("PORT") - 1, ' ', '\r', | |
81 | IP_CT_FTP_PORT, | |
82 | try_rfc959, | |
83 | }, | |
84 | { | |
85 | IP_CT_DIR_REPLY, | |
86 | "227 ", sizeof("227 ") - 1, '(', ')', | |
87 | IP_CT_FTP_PASV, | |
88 | try_rfc959, | |
89 | }, | |
90 | { | |
91 | IP_CT_DIR_ORIGINAL, | |
92 | "EPRT", sizeof("EPRT") - 1, ' ', '\r', | |
93 | IP_CT_FTP_EPRT, | |
94 | try_eprt, | |
95 | }, | |
96 | { | |
97 | IP_CT_DIR_REPLY, | |
98 | "229 ", sizeof("229 ") - 1, '(', ')', | |
99 | IP_CT_FTP_EPSV, | |
100 | try_epsv_response, | |
101 | }, | |
102 | }; | |
103 | ||
104 | /* This code is based on inet_pton() in glibc-2.2.4 */ | |
105 | static int | |
106 | get_ipv6_addr(const char *src, size_t dlen, struct in6_addr *dst, u_int8_t term) | |
107 | { | |
108 | static const char xdigits[] = "0123456789abcdef"; | |
109 | u_int8_t tmp[16], *tp, *endp, *colonp; | |
110 | int ch, saw_xdigit; | |
111 | u_int32_t val; | |
112 | size_t clen = 0; | |
113 | ||
114 | tp = memset(tmp, '\0', sizeof(tmp)); | |
115 | endp = tp + sizeof(tmp); | |
116 | colonp = NULL; | |
117 | ||
118 | /* Leading :: requires some special handling. */ | |
119 | if (*src == ':'){ | |
120 | if (*++src != ':') { | |
121 | DEBUGP("invalid \":\" at the head of addr\n"); | |
122 | return 0; | |
123 | } | |
124 | clen++; | |
125 | } | |
126 | ||
127 | saw_xdigit = 0; | |
128 | val = 0; | |
129 | while ((clen < dlen) && (*src != term)) { | |
130 | const char *pch; | |
131 | ||
132 | ch = tolower(*src++); | |
133 | clen++; | |
134 | ||
135 | pch = strchr(xdigits, ch); | |
136 | if (pch != NULL) { | |
137 | val <<= 4; | |
138 | val |= (pch - xdigits); | |
139 | if (val > 0xffff) | |
140 | return 0; | |
141 | ||
142 | saw_xdigit = 1; | |
143 | continue; | |
144 | } | |
145 | if (ch != ':') { | |
146 | DEBUGP("get_ipv6_addr: invalid char. \'%c\'\n", ch); | |
147 | return 0; | |
148 | } | |
149 | ||
150 | if (!saw_xdigit) { | |
151 | if (colonp) { | |
152 | DEBUGP("invalid location of \"::\".\n"); | |
153 | return 0; | |
154 | } | |
155 | colonp = tp; | |
156 | continue; | |
157 | } else if (*src == term) { | |
158 | DEBUGP("trancated IPv6 addr\n"); | |
159 | return 0; | |
160 | } | |
161 | ||
162 | if (tp + 2 > endp) | |
163 | return 0; | |
164 | *tp++ = (u_int8_t) (val >> 8) & 0xff; | |
165 | *tp++ = (u_int8_t) val & 0xff; | |
166 | ||
167 | saw_xdigit = 0; | |
168 | val = 0; | |
169 | continue; | |
170 | } | |
171 | if (saw_xdigit) { | |
172 | if (tp + 2 > endp) | |
173 | return 0; | |
174 | *tp++ = (u_int8_t) (val >> 8) & 0xff; | |
175 | *tp++ = (u_int8_t) val & 0xff; | |
176 | } | |
177 | if (colonp != NULL) { | |
178 | /* | |
179 | * Since some memmove()'s erroneously fail to handle | |
180 | * overlapping regions, we'll do the shift by hand. | |
181 | */ | |
182 | const int n = tp - colonp; | |
183 | int i; | |
184 | ||
185 | if (tp == endp) | |
186 | return 0; | |
187 | ||
188 | for (i = 1; i <= n; i++) { | |
189 | endp[- i] = colonp[n - i]; | |
190 | colonp[n - i] = 0; | |
191 | } | |
192 | tp = endp; | |
193 | } | |
194 | if (tp != endp || (*src != term)) | |
195 | return 0; | |
196 | ||
197 | memcpy(dst->s6_addr, tmp, sizeof(dst->s6_addr)); | |
198 | return clen; | |
199 | } | |
200 | ||
201 | static int try_number(const char *data, size_t dlen, u_int32_t array[], | |
202 | int array_size, char sep, char term) | |
203 | { | |
204 | u_int32_t i, len; | |
205 | ||
206 | memset(array, 0, sizeof(array[0])*array_size); | |
207 | ||
208 | /* Keep data pointing at next char. */ | |
209 | for (i = 0, len = 0; len < dlen && i < array_size; len++, data++) { | |
210 | if (*data >= '0' && *data <= '9') { | |
211 | array[i] = array[i]*10 + *data - '0'; | |
212 | } | |
213 | else if (*data == sep) | |
214 | i++; | |
215 | else { | |
216 | /* Unexpected character; true if it's the | |
217 | terminator and we're finished. */ | |
218 | if (*data == term && i == array_size - 1) | |
219 | return len; | |
220 | ||
221 | DEBUGP("Char %u (got %u nums) `%u' unexpected\n", | |
222 | len, i, *data); | |
223 | return 0; | |
224 | } | |
225 | } | |
226 | DEBUGP("Failed to fill %u numbers separated by %c\n", array_size, sep); | |
227 | ||
228 | return 0; | |
229 | } | |
230 | ||
231 | /* Returns 0, or length of numbers: 192,168,1,1,5,6 */ | |
232 | static int try_rfc959(const char *data, size_t dlen, | |
233 | struct nf_conntrack_man *cmd, char term) | |
234 | { | |
235 | int length; | |
236 | u_int32_t array[6]; | |
237 | ||
238 | length = try_number(data, dlen, array, 6, ',', term); | |
239 | if (length == 0) | |
240 | return 0; | |
241 | ||
242 | cmd->u3.ip = htonl((array[0] << 24) | (array[1] << 16) | | |
243 | (array[2] << 8) | array[3]); | |
244 | cmd->u.tcp.port = htons((array[4] << 8) | array[5]); | |
245 | return length; | |
246 | } | |
247 | ||
248 | /* Grab port: number up to delimiter */ | |
249 | static int get_port(const char *data, int start, size_t dlen, char delim, | |
250 | u_int16_t *port) | |
251 | { | |
252 | u_int16_t tmp_port = 0; | |
253 | int i; | |
254 | ||
255 | for (i = start; i < dlen; i++) { | |
256 | /* Finished? */ | |
257 | if (data[i] == delim) { | |
258 | if (tmp_port == 0) | |
259 | break; | |
260 | *port = htons(tmp_port); | |
261 | DEBUGP("get_port: return %d\n", tmp_port); | |
262 | return i + 1; | |
263 | } | |
264 | else if (data[i] >= '0' && data[i] <= '9') | |
265 | tmp_port = tmp_port*10 + data[i] - '0'; | |
266 | else { /* Some other crap */ | |
267 | DEBUGP("get_port: invalid char.\n"); | |
268 | break; | |
269 | } | |
270 | } | |
271 | return 0; | |
272 | } | |
273 | ||
274 | /* Returns 0, or length of numbers: |1|132.235.1.2|6275| or |2|3ffe::1|6275| */ | |
275 | static int try_eprt(const char *data, size_t dlen, struct nf_conntrack_man *cmd, | |
276 | char term) | |
277 | { | |
278 | char delim; | |
279 | int length; | |
280 | ||
281 | /* First character is delimiter, then "1" for IPv4 or "2" for IPv6, | |
282 | then delimiter again. */ | |
283 | if (dlen <= 3) { | |
284 | DEBUGP("EPRT: too short\n"); | |
285 | return 0; | |
286 | } | |
287 | delim = data[0]; | |
288 | if (isdigit(delim) || delim < 33 || delim > 126 || data[2] != delim) { | |
289 | DEBUGP("try_eprt: invalid delimitter.\n"); | |
290 | return 0; | |
291 | } | |
292 | ||
293 | if ((cmd->l3num == PF_INET && data[1] != '1') || | |
294 | (cmd->l3num == PF_INET6 && data[1] != '2')) { | |
295 | DEBUGP("EPRT: invalid protocol number.\n"); | |
296 | return 0; | |
297 | } | |
298 | ||
299 | DEBUGP("EPRT: Got %c%c%c\n", delim, data[1], delim); | |
300 | ||
301 | if (data[1] == '1') { | |
302 | u_int32_t array[4]; | |
303 | ||
304 | /* Now we have IP address. */ | |
305 | length = try_number(data + 3, dlen - 3, array, 4, '.', delim); | |
306 | if (length != 0) | |
307 | cmd->u3.ip = htonl((array[0] << 24) | (array[1] << 16) | |
308 | | (array[2] << 8) | array[3]); | |
309 | } else { | |
310 | /* Now we have IPv6 address. */ | |
311 | length = get_ipv6_addr(data + 3, dlen - 3, | |
312 | (struct in6_addr *)cmd->u3.ip6, delim); | |
313 | } | |
314 | ||
315 | if (length == 0) | |
316 | return 0; | |
317 | DEBUGP("EPRT: Got IP address!\n"); | |
318 | /* Start offset includes initial "|1|", and trailing delimiter */ | |
319 | return get_port(data, 3 + length + 1, dlen, delim, &cmd->u.tcp.port); | |
320 | } | |
321 | ||
322 | /* Returns 0, or length of numbers: |||6446| */ | |
323 | static int try_epsv_response(const char *data, size_t dlen, | |
324 | struct nf_conntrack_man *cmd, char term) | |
325 | { | |
326 | char delim; | |
327 | ||
328 | /* Three delimiters. */ | |
329 | if (dlen <= 3) return 0; | |
330 | delim = data[0]; | |
331 | if (isdigit(delim) || delim < 33 || delim > 126 | |
332 | || data[1] != delim || data[2] != delim) | |
333 | return 0; | |
334 | ||
335 | return get_port(data, 3, dlen, delim, &cmd->u.tcp.port); | |
336 | } | |
337 | ||
338 | /* Return 1 for match, 0 for accept, -1 for partial. */ | |
339 | static int find_pattern(const char *data, size_t dlen, | |
340 | const char *pattern, size_t plen, | |
341 | char skip, char term, | |
342 | unsigned int *numoff, | |
343 | unsigned int *numlen, | |
344 | struct nf_conntrack_man *cmd, | |
345 | int (*getnum)(const char *, size_t, | |
346 | struct nf_conntrack_man *, char)) | |
347 | { | |
348 | size_t i; | |
349 | ||
350 | DEBUGP("find_pattern `%s': dlen = %u\n", pattern, dlen); | |
351 | if (dlen == 0) | |
352 | return 0; | |
353 | ||
354 | if (dlen <= plen) { | |
355 | /* Short packet: try for partial? */ | |
356 | if (strnicmp(data, pattern, dlen) == 0) | |
357 | return -1; | |
358 | else return 0; | |
359 | } | |
360 | ||
361 | if (strnicmp(data, pattern, plen) != 0) { | |
362 | #if 0 | |
363 | size_t i; | |
364 | ||
365 | DEBUGP("ftp: string mismatch\n"); | |
366 | for (i = 0; i < plen; i++) { | |
367 | DEBUGP("ftp:char %u `%c'(%u) vs `%c'(%u)\n", | |
368 | i, data[i], data[i], | |
369 | pattern[i], pattern[i]); | |
370 | } | |
371 | #endif | |
372 | return 0; | |
373 | } | |
374 | ||
375 | DEBUGP("Pattern matches!\n"); | |
376 | /* Now we've found the constant string, try to skip | |
377 | to the 'skip' character */ | |
378 | for (i = plen; data[i] != skip; i++) | |
379 | if (i == dlen - 1) return -1; | |
380 | ||
381 | /* Skip over the last character */ | |
382 | i++; | |
383 | ||
384 | DEBUGP("Skipped up to `%c'!\n", skip); | |
385 | ||
386 | *numoff = i; | |
387 | *numlen = getnum(data + i, dlen - i, cmd, term); | |
388 | if (!*numlen) | |
389 | return -1; | |
390 | ||
391 | DEBUGP("Match succeeded!\n"); | |
392 | return 1; | |
393 | } | |
394 | ||
395 | /* Look up to see if we're just after a \n. */ | |
396 | static int find_nl_seq(u32 seq, const struct ip_ct_ftp_master *info, int dir) | |
397 | { | |
398 | unsigned int i; | |
399 | ||
400 | for (i = 0; i < info->seq_aft_nl_num[dir]; i++) | |
401 | if (info->seq_aft_nl[dir][i] == seq) | |
402 | return 1; | |
403 | return 0; | |
404 | } | |
405 | ||
406 | /* We don't update if it's older than what we have. */ | |
407 | static void update_nl_seq(u32 nl_seq, struct ip_ct_ftp_master *info, int dir, | |
408 | struct sk_buff *skb) | |
409 | { | |
410 | unsigned int i, oldest = NUM_SEQ_TO_REMEMBER; | |
411 | ||
412 | /* Look for oldest: if we find exact match, we're done. */ | |
413 | for (i = 0; i < info->seq_aft_nl_num[dir]; i++) { | |
414 | if (info->seq_aft_nl[dir][i] == nl_seq) | |
415 | return; | |
416 | ||
417 | if (oldest == info->seq_aft_nl_num[dir] | |
418 | || before(info->seq_aft_nl[dir][i], oldest)) | |
419 | oldest = i; | |
420 | } | |
421 | ||
422 | if (info->seq_aft_nl_num[dir] < NUM_SEQ_TO_REMEMBER) { | |
423 | info->seq_aft_nl[dir][info->seq_aft_nl_num[dir]++] = nl_seq; | |
424 | nf_conntrack_event_cache(IPCT_HELPINFO_VOLATILE, skb); | |
425 | } else if (oldest != NUM_SEQ_TO_REMEMBER) { | |
426 | info->seq_aft_nl[dir][oldest] = nl_seq; | |
427 | nf_conntrack_event_cache(IPCT_HELPINFO_VOLATILE, skb); | |
428 | } | |
429 | } | |
430 | ||
431 | static int help(struct sk_buff **pskb, | |
432 | unsigned int protoff, | |
433 | struct nf_conn *ct, | |
434 | enum ip_conntrack_info ctinfo) | |
435 | { | |
436 | unsigned int dataoff, datalen; | |
437 | struct tcphdr _tcph, *th; | |
438 | char *fb_ptr; | |
439 | int ret; | |
440 | u32 seq; | |
441 | int dir = CTINFO2DIR(ctinfo); | |
442 | unsigned int matchlen, matchoff; | |
dc808fe2 | 443 | struct ip_ct_ftp_master *ct_ftp_info = &nfct_help(ct)->help.ct_ftp_info; |
9fb9cbb1 YK |
444 | struct nf_conntrack_expect *exp; |
445 | struct nf_conntrack_man cmd = {}; | |
446 | ||
447 | unsigned int i; | |
448 | int found = 0, ends_in_nl; | |
449 | ||
450 | /* Until there's been traffic both ways, don't look in packets. */ | |
451 | if (ctinfo != IP_CT_ESTABLISHED | |
452 | && ctinfo != IP_CT_ESTABLISHED+IP_CT_IS_REPLY) { | |
453 | DEBUGP("ftp: Conntrackinfo = %u\n", ctinfo); | |
454 | return NF_ACCEPT; | |
455 | } | |
456 | ||
457 | th = skb_header_pointer(*pskb, protoff, sizeof(_tcph), &_tcph); | |
458 | if (th == NULL) | |
459 | return NF_ACCEPT; | |
460 | ||
461 | dataoff = protoff + th->doff * 4; | |
462 | /* No data? */ | |
463 | if (dataoff >= (*pskb)->len) { | |
464 | DEBUGP("ftp: dataoff(%u) >= skblen(%u)\n", dataoff, | |
465 | (*pskb)->len); | |
466 | return NF_ACCEPT; | |
467 | } | |
468 | datalen = (*pskb)->len - dataoff; | |
469 | ||
470 | spin_lock_bh(&nf_ftp_lock); | |
471 | fb_ptr = skb_header_pointer(*pskb, dataoff, datalen, ftp_buffer); | |
472 | BUG_ON(fb_ptr == NULL); | |
473 | ||
474 | ends_in_nl = (fb_ptr[datalen - 1] == '\n'); | |
475 | seq = ntohl(th->seq) + datalen; | |
476 | ||
477 | /* Look up to see if we're just after a \n. */ | |
478 | if (!find_nl_seq(ntohl(th->seq), ct_ftp_info, dir)) { | |
479 | /* Now if this ends in \n, update ftp info. */ | |
480 | DEBUGP("nf_conntrack_ftp_help: wrong seq pos %s(%u) or %s(%u)\n", | |
481 | ct_ftp_info->seq_aft_nl_num[dir] > 0 ? "" : "(UNSET)", | |
482 | ct_ftp_info->seq_aft_nl[dir][0], | |
483 | ct_ftp_info->seq_aft_nl_num[dir] > 1 ? "" : "(UNSET)", | |
484 | ct_ftp_info->seq_aft_nl[dir][1]); | |
485 | ret = NF_ACCEPT; | |
486 | goto out_update_nl; | |
487 | } | |
488 | ||
489 | /* Initialize IP/IPv6 addr to expected address (it's not mentioned | |
490 | in EPSV responses) */ | |
491 | cmd.l3num = ct->tuplehash[dir].tuple.src.l3num; | |
492 | memcpy(cmd.u3.all, &ct->tuplehash[dir].tuple.src.u3.all, | |
493 | sizeof(cmd.u3.all)); | |
494 | ||
495 | for (i = 0; i < ARRAY_SIZE(search); i++) { | |
496 | if (search[i].dir != dir) continue; | |
497 | ||
498 | found = find_pattern(fb_ptr, datalen, | |
499 | search[i].pattern, | |
500 | search[i].plen, | |
501 | search[i].skip, | |
502 | search[i].term, | |
503 | &matchoff, &matchlen, | |
504 | &cmd, | |
505 | search[i].getnum); | |
506 | if (found) break; | |
507 | } | |
508 | if (found == -1) { | |
509 | /* We don't usually drop packets. After all, this is | |
510 | connection tracking, not packet filtering. | |
511 | However, it is necessary for accurate tracking in | |
512 | this case. */ | |
513 | if (net_ratelimit()) | |
514 | printk("conntrack_ftp: partial %s %u+%u\n", | |
515 | search[i].pattern, | |
516 | ntohl(th->seq), datalen); | |
517 | ret = NF_DROP; | |
518 | goto out; | |
519 | } else if (found == 0) { /* No match */ | |
520 | ret = NF_ACCEPT; | |
521 | goto out_update_nl; | |
522 | } | |
523 | ||
524 | DEBUGP("conntrack_ftp: match `%.*s' (%u bytes at %u)\n", | |
525 | (int)matchlen, fb_ptr + matchoff, | |
526 | matchlen, ntohl(th->seq) + matchoff); | |
527 | ||
528 | exp = nf_conntrack_expect_alloc(ct); | |
529 | if (exp == NULL) { | |
530 | ret = NF_DROP; | |
531 | goto out; | |
532 | } | |
533 | ||
534 | /* We refer to the reverse direction ("!dir") tuples here, | |
535 | * because we're expecting something in the other direction. | |
536 | * Doesn't matter unless NAT is happening. */ | |
537 | exp->tuple.dst.u3 = ct->tuplehash[!dir].tuple.dst.u3; | |
538 | ||
539 | /* Update the ftp info */ | |
540 | if ((cmd.l3num == ct->tuplehash[dir].tuple.src.l3num) && | |
541 | memcmp(&cmd.u3.all, &ct->tuplehash[dir].tuple.src.u3.all, | |
542 | sizeof(cmd.u3.all))) { | |
543 | /* Enrico Scholz's passive FTP to partially RNAT'd ftp | |
544 | server: it really wants us to connect to a | |
545 | different IP address. Simply don't record it for | |
546 | NAT. */ | |
547 | if (cmd.l3num == PF_INET) { | |
46b86a2d | 548 | DEBUGP("conntrack_ftp: NOT RECORDING: " NIPQUAD_FMT " != " NIPQUAD_FMT "\n", |
9fb9cbb1 YK |
549 | NIPQUAD(cmd.u3.ip), |
550 | NIPQUAD(ct->tuplehash[dir].tuple.src.u3.ip)); | |
551 | } else { | |
46b86a2d | 552 | DEBUGP("conntrack_ftp: NOT RECORDING: " NIP6_FMT " != " NIP6_FMT "\n", |
9fb9cbb1 YK |
553 | NIP6(*((struct in6_addr *)cmd.u3.ip6)), |
554 | NIP6(*((struct in6_addr *)ct->tuplehash[dir] | |
555 | .tuple.src.u3.ip6))); | |
556 | } | |
557 | ||
558 | /* Thanks to Cristiano Lincoln Mattos | |
559 | <lincoln@cesar.org.br> for reporting this potential | |
560 | problem (DMZ machines opening holes to internal | |
561 | networks, or the packet filter itself). */ | |
562 | if (!loose) { | |
563 | ret = NF_ACCEPT; | |
564 | goto out_put_expect; | |
565 | } | |
566 | memcpy(&exp->tuple.dst.u3, &cmd.u3.all, | |
567 | sizeof(exp->tuple.dst.u3)); | |
568 | } | |
569 | ||
570 | exp->tuple.src.u3 = ct->tuplehash[!dir].tuple.src.u3; | |
571 | exp->tuple.src.l3num = cmd.l3num; | |
572 | exp->tuple.src.u.tcp.port = 0; | |
573 | exp->tuple.dst.u.tcp.port = cmd.u.tcp.port; | |
574 | exp->tuple.dst.protonum = IPPROTO_TCP; | |
575 | ||
576 | exp->mask = (struct nf_conntrack_tuple) | |
577 | { .src = { .l3num = 0xFFFF, | |
578 | .u = { .tcp = { 0 }}, | |
579 | }, | |
580 | .dst = { .protonum = 0xFF, | |
581 | .u = { .tcp = { 0xFFFF }}, | |
582 | }, | |
583 | }; | |
584 | if (cmd.l3num == PF_INET) { | |
585 | exp->mask.src.u3.ip = 0xFFFFFFFF; | |
586 | exp->mask.dst.u3.ip = 0xFFFFFFFF; | |
587 | } else { | |
588 | memset(exp->mask.src.u3.ip6, 0xFF, | |
589 | sizeof(exp->mask.src.u3.ip6)); | |
590 | memset(exp->mask.dst.u3.ip6, 0xFF, | |
591 | sizeof(exp->mask.src.u3.ip6)); | |
592 | } | |
593 | ||
594 | exp->expectfn = NULL; | |
595 | exp->flags = 0; | |
596 | ||
597 | /* Now, NAT might want to mangle the packet, and register the | |
598 | * (possibly changed) expectation itself. */ | |
599 | if (nf_nat_ftp_hook) | |
600 | ret = nf_nat_ftp_hook(pskb, ctinfo, search[i].ftptype, | |
601 | matchoff, matchlen, exp, &seq); | |
602 | else { | |
603 | /* Can't expect this? Best to drop packet now. */ | |
604 | if (nf_conntrack_expect_related(exp) != 0) | |
605 | ret = NF_DROP; | |
606 | else | |
607 | ret = NF_ACCEPT; | |
608 | } | |
609 | ||
610 | out_put_expect: | |
611 | nf_conntrack_expect_put(exp); | |
612 | ||
613 | out_update_nl: | |
614 | /* Now if this ends in \n, update ftp info. Seq may have been | |
615 | * adjusted by NAT code. */ | |
616 | if (ends_in_nl) | |
617 | update_nl_seq(seq, ct_ftp_info, dir, *pskb); | |
618 | out: | |
619 | spin_unlock_bh(&nf_ftp_lock); | |
620 | return ret; | |
621 | } | |
622 | ||
623 | static struct nf_conntrack_helper ftp[MAX_PORTS][2]; | |
624 | static char ftp_names[MAX_PORTS][2][sizeof("ftp-65535")]; | |
625 | ||
626 | /* don't make this __exit, since it's called from __init ! */ | |
627 | static void fini(void) | |
628 | { | |
629 | int i, j; | |
630 | for (i = 0; i < ports_c; i++) { | |
631 | for (j = 0; j < 2; j++) { | |
632 | if (ftp[i][j].me == NULL) | |
633 | continue; | |
634 | ||
635 | DEBUGP("nf_ct_ftp: unregistering helper for pf: %d " | |
636 | "port: %d\n", | |
637 | ftp[i][j].tuple.src.l3num, ports[i]); | |
638 | nf_conntrack_helper_unregister(&ftp[i][j]); | |
639 | } | |
640 | } | |
641 | ||
642 | kfree(ftp_buffer); | |
643 | } | |
644 | ||
645 | static int __init init(void) | |
646 | { | |
647 | int i, j = -1, ret = 0; | |
648 | char *tmpname; | |
649 | ||
650 | ftp_buffer = kmalloc(65536, GFP_KERNEL); | |
651 | if (!ftp_buffer) | |
652 | return -ENOMEM; | |
653 | ||
654 | if (ports_c == 0) | |
655 | ports[ports_c++] = FTP_PORT; | |
656 | ||
657 | /* FIXME should be configurable whether IPv4 and IPv6 FTP connections | |
658 | are tracked or not - YK */ | |
659 | for (i = 0; i < ports_c; i++) { | |
9fb9cbb1 YK |
660 | ftp[i][0].tuple.src.l3num = PF_INET; |
661 | ftp[i][1].tuple.src.l3num = PF_INET6; | |
662 | for (j = 0; j < 2; j++) { | |
663 | ftp[i][j].tuple.src.u.tcp.port = htons(ports[i]); | |
664 | ftp[i][j].tuple.dst.protonum = IPPROTO_TCP; | |
665 | ftp[i][j].mask.src.u.tcp.port = 0xFFFF; | |
666 | ftp[i][j].mask.dst.protonum = 0xFF; | |
667 | ftp[i][j].max_expected = 1; | |
668 | ftp[i][j].timeout = 5 * 60; /* 5 Minutes */ | |
669 | ftp[i][j].me = THIS_MODULE; | |
670 | ftp[i][j].help = help; | |
671 | tmpname = &ftp_names[i][j][0]; | |
672 | if (ports[i] == FTP_PORT) | |
673 | sprintf(tmpname, "ftp"); | |
674 | else | |
675 | sprintf(tmpname, "ftp-%d", ports[i]); | |
676 | ftp[i][j].name = tmpname; | |
677 | ||
678 | DEBUGP("nf_ct_ftp: registering helper for pf: %d " | |
679 | "port: %d\n", | |
680 | ftp[i][j].tuple.src.l3num, ports[i]); | |
681 | ret = nf_conntrack_helper_register(&ftp[i][j]); | |
682 | if (ret) { | |
683 | printk("nf_ct_ftp: failed to register helper " | |
684 | " for pf: %d port: %d\n", | |
685 | ftp[i][j].tuple.src.l3num, ports[i]); | |
686 | fini(); | |
687 | return ret; | |
688 | } | |
689 | } | |
690 | } | |
691 | ||
692 | return 0; | |
693 | } | |
694 | ||
695 | module_init(init); | |
696 | module_exit(fini); |