patch-2.3.99-pre2 linux/net/ipv4/netfilter/ip_conntrack_ftp.c

• Lines: 252
• Date: Fri Mar 17 10:56:20 2000
• Orig file: v2.3.99-pre1/linux/net/ipv4/netfilter/ip_conntrack_ftp.c
• Orig date: Wed Dec 31 16:00:00 1969

diff -u --recursive --new-file v2.3.99-pre1/linux/net/ipv4/netfilter/ip_conntrack_ftp.c linux/net/ipv4/netfilter/ip_conntrack_ftp.c
@@ -0,0 +1,251 @@
+/* FTP extension for IP connection tracking. */
+#ifdef MODULE
+#define EXPORT_SYMTAB
+#endif
+#include <linux/module.h>
+#include <linux/netfilter.h>
+#include <linux/ip.h>
+#include <net/checksum.h>
+#include <net/tcp.h>
+
+#include <linux/netfilter_ipv4/lockhelp.h>
+#include <linux/netfilter_ipv4/ip_conntrack_helper.h>
+#include <linux/netfilter_ipv4/ip_conntrack_ftp.h>
+
+DECLARE_LOCK(ip_ftp_lock);
+
+#define SERVER_STRING "227 Entering Passive Mode ("
+#define CLIENT_STRING "PORT "
+
+#if 0
+#define DEBUGP printk
+#else
+#define DEBUGP(format, args...)
+#endif
+
+#define IP_PARTS_NATIVE(n)			\
+(unsigned int)((n)>>24)&0xFF,			\
+(unsigned int)((n)>>16)&0xFF,			\
+(unsigned int)((n)>>8)&0xFF,			\
+(unsigned int)((n)&0xFF)
+
+#define IP_PARTS(n) IP_PARTS_NATIVE(ntohl(n))
+
+static struct {
+	const char *pattern;
+	size_t plen;
+	char term;
+} search[2] = {
+	[IP_CT_FTP_PORT] { CLIENT_STRING, sizeof(CLIENT_STRING) - 1, '\r' },
+	[IP_CT_FTP_PASV] { SERVER_STRING, sizeof(SERVER_STRING) - 1, ')' }
+};
+
+/* Returns 0, or length of numbers */
+static int try_number(const char *data, size_t dlen, u_int32_t array[6],
+		      char term)
+{
+	u_int32_t i, len;
+
+	/* Keep data pointing at next char. */
+	for (i = 0, len = 0; len < dlen; len++, data++) {
+		if (*data >= '0' && *data <= '9') {
+			array[i] = array[i]*10 + *data - '0';
+		}
+		else if (*data == ',')
+			i++;
+		else {
+			/* Unexpected character; true if it's the
+			   terminator and we're finished. */
+			if (*data == term && i == 5)
+				return len;
+
+			DEBUGP("Char %u (got %u nums) `%u' unexpected\n",
+			       len, i, *data);
+			return 0;
+		}
+	}
+
+	return 0;
+}
+
+/* Return 1 for match, 0 for accept, -1 for partial. */
+static int find_pattern(const char *data, size_t dlen,
+			const char *pattern, size_t plen,
+			char term,
+			unsigned int *numoff,
+			unsigned int *numlen,
+			u_int32_t array[6])
+{
+	if (dlen == 0)
+		return 0;
+
+	if (dlen < plen) {
+		/* Short packet: try for partial? */
+		if (strnicmp(data, pattern, dlen) == 0)
+			return -1;
+		else return 0;
+	}
+
+	if (strnicmp(data, pattern, plen) != 0) {
+#if 0
+		size_t i;
+
+		DEBUGP("ftp: string mismatch\n");
+		for (i = 0; i < plen; i++) {
+			DEBUGFTP("ftp:char %u `%c'(%u) vs `%c'(%u)\n",
+				 i, data[i], data[i],
+				 pattern[i], pattern[i]);
+		}
+#endif
+		return 0;
+	}
+
+	*numoff = plen;
+	*numlen = try_number(data + plen, dlen - plen, array, term);
+	if (!*numlen)
+		return -1;
+
+	return 1;
+}
+
+/* FIXME: This should be in userspace.  Later. */
+static int help(const struct iphdr *iph, size_t len,
+		struct ip_conntrack *ct,
+		enum ip_conntrack_info ctinfo)
+{
+	/* tcplen not negative guarenteed by ip_conntrack_tcp.c */
+	struct tcphdr *tcph = (void *)iph + iph->ihl * 4;
+	const char *data = (const char *)tcph + tcph->doff * 4;
+	unsigned int tcplen = len - iph->ihl * 4;
+	unsigned int datalen = tcplen - tcph->doff * 4;
+	u_int32_t old_seq_aft_nl;
+	int old_seq_aft_nl_set;
+	u_int32_t array[6] = { 0 };
+	int dir = CTINFO2DIR(ctinfo);
+	unsigned int matchlen, matchoff;
+	struct ip_conntrack_tuple t;
+	struct ip_ct_ftp *info = &ct->help.ct_ftp_info;
+
+	/* Can't track connections formed before we registered */
+	if (!info)
+		return NF_ACCEPT;
+
+	/* Until there's been traffic both ways, don't look in packets. */
+	if (ctinfo != IP_CT_ESTABLISHED
+	    && ctinfo != IP_CT_ESTABLISHED+IP_CT_IS_REPLY) {
+		DEBUGP("ftp: Conntrackinfo = %u\n", ctinfo);
+		return NF_ACCEPT;
+	}
+
+	/* Not whole TCP header? */
+	if (tcplen < sizeof(struct tcphdr) || tcplen < tcph->doff*4) {
+		DEBUGP("ftp: tcplen = %u\n", (unsigned)tcplen);
+		return NF_ACCEPT;
+	}
+
+	/* Checksum invalid?  Ignore. */
+	/* FIXME: Source route IP option packets --RR */
+	if (tcp_v4_check(tcph, tcplen, iph->saddr, iph->daddr,
+			 csum_partial((char *)tcph, tcplen, 0))) {
+		DEBUGP("ftp_help: bad csum: %p %u %u.%u.%u.%u %u.%u.%u.%u\n",
+		       tcph, tcplen, IP_PARTS(iph->saddr),
+		       IP_PARTS(iph->daddr));
+		return NF_ACCEPT;
+	}
+
+	LOCK_BH(&ip_ftp_lock);
+	old_seq_aft_nl_set = info->seq_aft_nl_set[dir];
+	old_seq_aft_nl = info->seq_aft_nl[dir];
+
+	DEBUGP("conntrack_ftp: datalen %u\n", datalen);
+	if ((datalen > 0) && (data[datalen-1] == '\n')) {
+		DEBUGP("conntrack_ftp: datalen %u ends in \\n\n", datalen);
+		if (!old_seq_aft_nl_set
+		    || after(ntohl(tcph->seq) + datalen, old_seq_aft_nl)) {
+			DEBUGP("conntrack_ftp: updating nl to %u\n",
+			       ntohl(tcph->seq) + datalen);
+			info->seq_aft_nl[dir] = ntohl(tcph->seq) + datalen;
+			info->seq_aft_nl_set[dir] = 1;
+		}
+	}
+	UNLOCK_BH(&ip_ftp_lock);
+
+	if(!old_seq_aft_nl_set ||
+			(ntohl(tcph->seq) != old_seq_aft_nl)) {
+		DEBUGP("ip_conntrack_ftp_help: wrong seq pos %s(%u)\n",
+		       old_seq_aft_nl_set ? "":"(UNSET) ", old_seq_aft_nl);
+		return NF_ACCEPT;
+	}
+
+	switch (find_pattern(data, datalen,
+			     search[dir].pattern,
+			     search[dir].plen, search[dir].term,
+			     &matchoff, &matchlen,
+			     array)) {
+	case -1: /* partial */
+		/* We don't usually drop packets.  After all, this is
+		   connection tracking, not packet filtering.
+		   However, it is neccessary for accurate tracking in
+		   this case. */
+		DEBUGP("conntrack_ftp: partial `%.*s'\n",
+		       (int)datalen, data);
+		return NF_DROP;
+
+	case 0: /* no match */
+		DEBUGP("ip_conntrack_ftp_help: no match\n");
+		return NF_ACCEPT;
+	}
+
+	DEBUGP("conntrack_ftp: match `%.*s' (%u bytes at %u)\n",
+	       (int)matchlen, data + matchoff,
+	       matchlen, ntohl(tcph->seq) + matchoff);
+
+	/* Update the ftp info */
+	LOCK_BH(&ip_ftp_lock);
+	info->is_ftp = 1;
+	info->seq = ntohl(tcph->seq) + matchoff;
+	info->len = matchlen;
+	info->ftptype = dir;
+	info->port = array[4] << 8 | array[5];
+
+	t = ((struct ip_conntrack_tuple)
+		{ { ct->tuplehash[!dir].tuple.src.ip,
+		    { 0 }, 0 },
+		  { htonl((array[0] << 24) | (array[1] << 16)
+			  | (array[2] << 8) | array[3]),
+		    { htons(array[4] << 8 | array[5]) },
+		    IPPROTO_TCP }});
+	ip_conntrack_expect_related(ct, &t);
+	UNLOCK_BH(&ip_ftp_lock);
+
+	return NF_ACCEPT;
+}
+
+/* Returns TRUE if it wants to help this connection (tuple is the
+   tuple of REPLY packets from server). */
+static int ftp_will_help(const struct ip_conntrack_tuple *rtuple)
+{
+	return (rtuple->dst.protonum == IPPROTO_TCP
+		&& rtuple->src.u.tcp.port == __constant_htons(21));
+}
+
+static struct ip_conntrack_helper ftp = { { NULL, NULL },
+					  ftp_will_help,
+					  help };
+
+static int __init init(void)
+{
+	return ip_conntrack_helper_register(&ftp);
+}
+
+static void __exit fini(void)
+{
+	ip_conntrack_helper_unregister(&ftp);
+}
+
+struct module *ip_conntrack_ftp = THIS_MODULE;
+EXPORT_SYMBOL(ip_conntrack_ftp);
+EXPORT_SYMBOL(ip_ftp_lock);
+
+module_init(init);
+module_exit(fini);