patch-2.3.99-pre2 linux/net/ipv4/netfilter/ip_conntrack_ftp.c
Next file: linux/net/ipv4/netfilter/ip_conntrack_proto_generic.c
Previous file: linux/net/ipv4/netfilter/ip_conntrack_core.c
Back to the patch index
Back to the overall index
- Lines: 252
- Date:
Fri Mar 17 10:56:20 2000
- Orig file:
v2.3.99-pre1/linux/net/ipv4/netfilter/ip_conntrack_ftp.c
- Orig date:
Wed Dec 31 16:00:00 1969
diff -u --recursive --new-file v2.3.99-pre1/linux/net/ipv4/netfilter/ip_conntrack_ftp.c linux/net/ipv4/netfilter/ip_conntrack_ftp.c
@@ -0,0 +1,251 @@
+/* FTP extension for IP connection tracking. */
+#ifdef MODULE
+#define EXPORT_SYMTAB
+#endif
+#include <linux/module.h>
+#include <linux/netfilter.h>
+#include <linux/ip.h>
+#include <net/checksum.h>
+#include <net/tcp.h>
+
+#include <linux/netfilter_ipv4/lockhelp.h>
+#include <linux/netfilter_ipv4/ip_conntrack_helper.h>
+#include <linux/netfilter_ipv4/ip_conntrack_ftp.h>
+
+DECLARE_LOCK(ip_ftp_lock);
+
+#define SERVER_STRING "227 Entering Passive Mode ("
+#define CLIENT_STRING "PORT "
+
+#if 0
+#define DEBUGP printk
+#else
+#define DEBUGP(format, args...)
+#endif
+
+#define IP_PARTS_NATIVE(n) \
+(unsigned int)((n)>>24)&0xFF, \
+(unsigned int)((n)>>16)&0xFF, \
+(unsigned int)((n)>>8)&0xFF, \
+(unsigned int)((n)&0xFF)
+
+#define IP_PARTS(n) IP_PARTS_NATIVE(ntohl(n))
+
+static struct {
+ const char *pattern;
+ size_t plen;
+ char term;
+} search[2] = {
+ [IP_CT_FTP_PORT] { CLIENT_STRING, sizeof(CLIENT_STRING) - 1, '\r' },
+ [IP_CT_FTP_PASV] { SERVER_STRING, sizeof(SERVER_STRING) - 1, ')' }
+};
+
+/* Returns 0, or length of numbers */
+static int try_number(const char *data, size_t dlen, u_int32_t array[6],
+ char term)
+{
+ u_int32_t i, len;
+
+ /* Keep data pointing at next char. */
+ for (i = 0, len = 0; len < dlen; len++, data++) {
+ if (*data >= '0' && *data <= '9') {
+ array[i] = array[i]*10 + *data - '0';
+ }
+ else if (*data == ',')
+ i++;
+ else {
+ /* Unexpected character; true if it's the
+ terminator and we're finished. */
+ if (*data == term && i == 5)
+ return len;
+
+ DEBUGP("Char %u (got %u nums) `%u' unexpected\n",
+ len, i, *data);
+ return 0;
+ }
+ }
+
+ return 0;
+}
+
+/* Return 1 for match, 0 for accept, -1 for partial. */
+static int find_pattern(const char *data, size_t dlen,
+ const char *pattern, size_t plen,
+ char term,
+ unsigned int *numoff,
+ unsigned int *numlen,
+ u_int32_t array[6])
+{
+ if (dlen == 0)
+ return 0;
+
+ if (dlen < plen) {
+ /* Short packet: try for partial? */
+ if (strnicmp(data, pattern, dlen) == 0)
+ return -1;
+ else return 0;
+ }
+
+ if (strnicmp(data, pattern, plen) != 0) {
+#if 0
+ size_t i;
+
+ DEBUGP("ftp: string mismatch\n");
+ for (i = 0; i < plen; i++) {
+ DEBUGFTP("ftp:char %u `%c'(%u) vs `%c'(%u)\n",
+ i, data[i], data[i],
+ pattern[i], pattern[i]);
+ }
+#endif
+ return 0;
+ }
+
+ *numoff = plen;
+ *numlen = try_number(data + plen, dlen - plen, array, term);
+ if (!*numlen)
+ return -1;
+
+ return 1;
+}
+
+/* FIXME: This should be in userspace. Later. */
+static int help(const struct iphdr *iph, size_t len,
+ struct ip_conntrack *ct,
+ enum ip_conntrack_info ctinfo)
+{
+ /* tcplen not negative guarenteed by ip_conntrack_tcp.c */
+ struct tcphdr *tcph = (void *)iph + iph->ihl * 4;
+ const char *data = (const char *)tcph + tcph->doff * 4;
+ unsigned int tcplen = len - iph->ihl * 4;
+ unsigned int datalen = tcplen - tcph->doff * 4;
+ u_int32_t old_seq_aft_nl;
+ int old_seq_aft_nl_set;
+ u_int32_t array[6] = { 0 };
+ int dir = CTINFO2DIR(ctinfo);
+ unsigned int matchlen, matchoff;
+ struct ip_conntrack_tuple t;
+ struct ip_ct_ftp *info = &ct->help.ct_ftp_info;
+
+ /* Can't track connections formed before we registered */
+ if (!info)
+ return NF_ACCEPT;
+
+ /* Until there's been traffic both ways, don't look in packets. */
+ if (ctinfo != IP_CT_ESTABLISHED
+ && ctinfo != IP_CT_ESTABLISHED+IP_CT_IS_REPLY) {
+ DEBUGP("ftp: Conntrackinfo = %u\n", ctinfo);
+ return NF_ACCEPT;
+ }
+
+ /* Not whole TCP header? */
+ if (tcplen < sizeof(struct tcphdr) || tcplen < tcph->doff*4) {
+ DEBUGP("ftp: tcplen = %u\n", (unsigned)tcplen);
+ return NF_ACCEPT;
+ }
+
+ /* Checksum invalid? Ignore. */
+ /* FIXME: Source route IP option packets --RR */
+ if (tcp_v4_check(tcph, tcplen, iph->saddr, iph->daddr,
+ csum_partial((char *)tcph, tcplen, 0))) {
+ DEBUGP("ftp_help: bad csum: %p %u %u.%u.%u.%u %u.%u.%u.%u\n",
+ tcph, tcplen, IP_PARTS(iph->saddr),
+ IP_PARTS(iph->daddr));
+ return NF_ACCEPT;
+ }
+
+ LOCK_BH(&ip_ftp_lock);
+ old_seq_aft_nl_set = info->seq_aft_nl_set[dir];
+ old_seq_aft_nl = info->seq_aft_nl[dir];
+
+ DEBUGP("conntrack_ftp: datalen %u\n", datalen);
+ if ((datalen > 0) && (data[datalen-1] == '\n')) {
+ DEBUGP("conntrack_ftp: datalen %u ends in \\n\n", datalen);
+ if (!old_seq_aft_nl_set
+ || after(ntohl(tcph->seq) + datalen, old_seq_aft_nl)) {
+ DEBUGP("conntrack_ftp: updating nl to %u\n",
+ ntohl(tcph->seq) + datalen);
+ info->seq_aft_nl[dir] = ntohl(tcph->seq) + datalen;
+ info->seq_aft_nl_set[dir] = 1;
+ }
+ }
+ UNLOCK_BH(&ip_ftp_lock);
+
+ if(!old_seq_aft_nl_set ||
+ (ntohl(tcph->seq) != old_seq_aft_nl)) {
+ DEBUGP("ip_conntrack_ftp_help: wrong seq pos %s(%u)\n",
+ old_seq_aft_nl_set ? "":"(UNSET) ", old_seq_aft_nl);
+ return NF_ACCEPT;
+ }
+
+ switch (find_pattern(data, datalen,
+ search[dir].pattern,
+ search[dir].plen, search[dir].term,
+ &matchoff, &matchlen,
+ array)) {
+ case -1: /* partial */
+ /* We don't usually drop packets. After all, this is
+ connection tracking, not packet filtering.
+ However, it is neccessary for accurate tracking in
+ this case. */
+ DEBUGP("conntrack_ftp: partial `%.*s'\n",
+ (int)datalen, data);
+ return NF_DROP;
+
+ case 0: /* no match */
+ DEBUGP("ip_conntrack_ftp_help: no match\n");
+ return NF_ACCEPT;
+ }
+
+ DEBUGP("conntrack_ftp: match `%.*s' (%u bytes at %u)\n",
+ (int)matchlen, data + matchoff,
+ matchlen, ntohl(tcph->seq) + matchoff);
+
+ /* Update the ftp info */
+ LOCK_BH(&ip_ftp_lock);
+ info->is_ftp = 1;
+ info->seq = ntohl(tcph->seq) + matchoff;
+ info->len = matchlen;
+ info->ftptype = dir;
+ info->port = array[4] << 8 | array[5];
+
+ t = ((struct ip_conntrack_tuple)
+ { { ct->tuplehash[!dir].tuple.src.ip,
+ { 0 }, 0 },
+ { htonl((array[0] << 24) | (array[1] << 16)
+ | (array[2] << 8) | array[3]),
+ { htons(array[4] << 8 | array[5]) },
+ IPPROTO_TCP }});
+ ip_conntrack_expect_related(ct, &t);
+ UNLOCK_BH(&ip_ftp_lock);
+
+ return NF_ACCEPT;
+}
+
+/* Returns TRUE if it wants to help this connection (tuple is the
+ tuple of REPLY packets from server). */
+static int ftp_will_help(const struct ip_conntrack_tuple *rtuple)
+{
+ return (rtuple->dst.protonum == IPPROTO_TCP
+ && rtuple->src.u.tcp.port == __constant_htons(21));
+}
+
+static struct ip_conntrack_helper ftp = { { NULL, NULL },
+ ftp_will_help,
+ help };
+
+static int __init init(void)
+{
+ return ip_conntrack_helper_register(&ftp);
+}
+
+static void __exit fini(void)
+{
+ ip_conntrack_helper_unregister(&ftp);
+}
+
+struct module *ip_conntrack_ftp = THIS_MODULE;
+EXPORT_SYMBOL(ip_conntrack_ftp);
+EXPORT_SYMBOL(ip_ftp_lock);
+
+module_init(init);
+module_exit(fini);
FUNET's LINUX-ADM group, linux-adm@nic.funet.fi
TCL-scripts by Sam Shen (who was at: slshen@lbl.gov)