1 // SPDX-License-Identifier: GPL-2.0-only 2 /* FTP extension for connection tracking. */ 3 4 /* (C) 1999-2001 Paul `Rusty' Russell 5 * (C) 2002-2004 Netfilter Core Team <coreteam@netfilter.org> 6 * (C) 2003,2004 USAGI/WIDE Project <http://www.linux-ipv6.org> 7 * (C) 2006-2012 Patrick McHardy <kaber@trash.net> 8 */ 9 10 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt 11 12 #include <linux/module.h> 13 #include <linux/moduleparam.h> 14 #include <linux/netfilter.h> 15 #include <linux/ip.h> 16 #include <linux/slab.h> 17 #include <linux/ipv6.h> 18 #include <linux/ctype.h> 19 #include <linux/inet.h> 20 #include <net/checksum.h> 21 #include <net/tcp.h> 22 23 #include <net/netfilter/nf_conntrack.h> 24 #include <net/netfilter/nf_conntrack_expect.h> 25 #include <net/netfilter/nf_conntrack_ecache.h> 26 #include <net/netfilter/nf_conntrack_helper.h> 27 #include <linux/netfilter/nf_conntrack_ftp.h> 28 29 #define HELPER_NAME "ftp" 30 31 MODULE_LICENSE("GPL"); 32 MODULE_AUTHOR("Rusty Russell <rusty@rustcorp.com.au>"); 33 MODULE_DESCRIPTION("ftp connection tracking helper"); 34 MODULE_ALIAS("ip_conntrack_ftp"); 35 MODULE_ALIAS_NFCT_HELPER(HELPER_NAME); 36 37 #define MAX_PORTS 8 38 static u_int16_t ports[MAX_PORTS]; 39 static unsigned int ports_c; 40 module_param_array(ports, ushort, &ports_c, 0400); 41 42 static bool loose; 43 module_param(loose, bool, 0600); 44 45 unsigned int (*nf_nat_ftp_hook)(struct sk_buff *skb, 46 enum ip_conntrack_info ctinfo, 47 enum nf_ct_ftp_type type, 48 unsigned int protoff, 49 unsigned int matchoff, 50 unsigned int matchlen, 51 struct nf_conntrack_expect *exp); 52 EXPORT_SYMBOL_GPL(nf_nat_ftp_hook); 53 54 static int try_rfc959(const char *, size_t, struct nf_conntrack_man *, 55 char, unsigned int *); 56 static int try_rfc1123(const char *, size_t, struct nf_conntrack_man *, 57 char, unsigned int *); 58 static int try_eprt(const char *, size_t, struct nf_conntrack_man *, 59 char, unsigned int *); 60 static int try_epsv_response(const char *, size_t, struct nf_conntrack_man *, 61 char, unsigned int *); 62 63 static struct ftp_search { 64 const char *pattern; 65 size_t plen; 66 char skip; 67 char term; 68 enum nf_ct_ftp_type ftptype; 69 int (*getnum)(const char *, size_t, struct nf_conntrack_man *, char, unsigned int *); 70 } search[IP_CT_DIR_MAX][2] = { 71 [IP_CT_DIR_ORIGINAL] = { 72 { 73 .pattern = "PORT", 74 .plen = sizeof("PORT") - 1, 75 .skip = ' ', 76 .term = '\r', 77 .ftptype = NF_CT_FTP_PORT, 78 .getnum = try_rfc959, 79 }, 80 { 81 .pattern = "EPRT", 82 .plen = sizeof("EPRT") - 1, 83 .skip = ' ', 84 .term = '\r', 85 .ftptype = NF_CT_FTP_EPRT, 86 .getnum = try_eprt, 87 }, 88 }, 89 [IP_CT_DIR_REPLY] = { 90 { 91 .pattern = "227 ", 92 .plen = sizeof("227 ") - 1, 93 .ftptype = NF_CT_FTP_PASV, 94 .getnum = try_rfc1123, 95 }, 96 { 97 .pattern = "229 ", 98 .plen = sizeof("229 ") - 1, 99 .skip = '(', 100 .term = ')', 101 .ftptype = NF_CT_FTP_EPSV, 102 .getnum = try_epsv_response, 103 }, 104 }, 105 }; 106 107 static int 108 get_ipv6_addr(const char *src, size_t dlen, struct in6_addr *dst, u_int8_t term) 109 { 110 const char *end; 111 int ret = in6_pton(src, min_t(size_t, dlen, 0xffff), (u8 *)dst, term, &end); 112 if (ret > 0) 113 return (int)(end - src); 114 return 0; 115 } 116 117 static int try_number(const char *data, size_t dlen, u_int32_t array[], 118 int array_size, char sep, char term) 119 { 120 u_int32_t i, len; 121 122 memset(array, 0, sizeof(array[0])*array_size); 123 124 /* Keep data pointing at next char. */ 125 for (i = 0, len = 0; len < dlen && i < array_size; len++, data++) { 126 if (*data >= '0' && *data <= '9') { 127 array[i] = array[i]*10 + *data - '0'; 128 } 129 else if (*data == sep) 130 i++; 131 else { 132 /* Unexpected character; true if it's the 133 terminator (or we don't care about one) 134 and we're finished. */ 135 if ((*data == term || !term) && i == array_size - 1) 136 return len; 137 138 pr_debug("Char %u (got %u nums) `%u' unexpected\n", 139 len, i, *data); 140 return 0; 141 } 142 } 143 pr_debug("Failed to fill %u numbers separated by %c\n", 144 array_size, sep); 145 return 0; 146 } 147 148 /* Returns 0, or length of numbers: 192,168,1,1,5,6 */ 149 static int try_rfc959(const char *data, size_t dlen, 150 struct nf_conntrack_man *cmd, char term, 151 unsigned int *offset) 152 { 153 int length; 154 u_int32_t array[6]; 155 156 length = try_number(data, dlen, array, 6, ',', term); 157 if (length == 0) 158 return 0; 159 160 cmd->u3.ip = htonl((array[0] << 24) | (array[1] << 16) | 161 (array[2] << 8) | array[3]); 162 cmd->u.tcp.port = htons((array[4] << 8) | array[5]); 163 return length; 164 } 165 166 /* 167 * From RFC 1123: 168 * The format of the 227 reply to a PASV command is not 169 * well standardized. In particular, an FTP client cannot 170 * assume that the parentheses shown on page 40 of RFC-959 171 * will be present (and in fact, Figure 3 on page 43 omits 172 * them). Therefore, a User-FTP program that interprets 173 * the PASV reply must scan the reply for the first digit 174 * of the host and port numbers. 175 */ 176 static int try_rfc1123(const char *data, size_t dlen, 177 struct nf_conntrack_man *cmd, char term, 178 unsigned int *offset) 179 { 180 int i; 181 for (i = 0; i < dlen; i++) 182 if (isdigit(data[i])) 183 break; 184 185 if (i == dlen) 186 return 0; 187 188 *offset += i; 189 190 return try_rfc959(data + i, dlen - i, cmd, 0, offset); 191 } 192 193 /* Grab port: number up to delimiter */ 194 static int get_port(const char *data, int start, size_t dlen, char delim, 195 __be16 *port) 196 { 197 u_int16_t tmp_port = 0; 198 int i; 199 200 for (i = start; i < dlen; i++) { 201 /* Finished? */ 202 if (data[i] == delim) { 203 if (tmp_port == 0) 204 break; 205 *port = htons(tmp_port); 206 pr_debug("get_port: return %d\n", tmp_port); 207 return i + 1; 208 } 209 else if (data[i] >= '0' && data[i] <= '9') 210 tmp_port = tmp_port*10 + data[i] - '0'; 211 else { /* Some other crap */ 212 pr_debug("get_port: invalid char.\n"); 213 break; 214 } 215 } 216 return 0; 217 } 218 219 /* Returns 0, or length of numbers: |1|132.235.1.2|6275| or |2|3ffe::1|6275| */ 220 static int try_eprt(const char *data, size_t dlen, struct nf_conntrack_man *cmd, 221 char term, unsigned int *offset) 222 { 223 char delim; 224 int length; 225 226 /* First character is delimiter, then "1" for IPv4 or "2" for IPv6, 227 then delimiter again. */ 228 if (dlen <= 3) { 229 pr_debug("EPRT: too short\n"); 230 return 0; 231 } 232 delim = data[0]; 233 if (isdigit(delim) || delim < 33 || delim > 126 || data[2] != delim) { 234 pr_debug("try_eprt: invalid delimiter.\n"); 235 return 0; 236 } 237 238 if ((cmd->l3num == PF_INET && data[1] != '1') || 239 (cmd->l3num == PF_INET6 && data[1] != '2')) { 240 pr_debug("EPRT: invalid protocol number.\n"); 241 return 0; 242 } 243 244 pr_debug("EPRT: Got %c%c%c\n", delim, data[1], delim); 245 246 if (data[1] == '1') { 247 u_int32_t array[4]; 248 249 /* Now we have IP address. */ 250 length = try_number(data + 3, dlen - 3, array, 4, '.', delim); 251 if (length != 0) 252 cmd->u3.ip = htonl((array[0] << 24) | (array[1] << 16) 253 | (array[2] << 8) | array[3]); 254 } else { 255 /* Now we have IPv6 address. */ 256 length = get_ipv6_addr(data + 3, dlen - 3, 257 (struct in6_addr *)cmd->u3.ip6, delim); 258 } 259 260 if (length == 0) 261 return 0; 262 pr_debug("EPRT: Got IP address!\n"); 263 /* Start offset includes initial "|1|", and trailing delimiter */ 264 return get_port(data, 3 + length + 1, dlen, delim, &cmd->u.tcp.port); 265 } 266 267 /* Returns 0, or length of numbers: |||6446| */ 268 static int try_epsv_response(const char *data, size_t dlen, 269 struct nf_conntrack_man *cmd, char term, 270 unsigned int *offset) 271 { 272 char delim; 273 274 /* Three delimiters. */ 275 if (dlen <= 3) return 0; 276 delim = data[0]; 277 if (isdigit(delim) || delim < 33 || delim > 126 || 278 data[1] != delim || data[2] != delim) 279 return 0; 280 281 return get_port(data, 3, dlen, delim, &cmd->u.tcp.port); 282 } 283 284 /* Return 1 for match, 0 for accept, -1 for partial. */ 285 static int find_pattern(const char *data, size_t dlen, 286 const char *pattern, size_t plen, 287 char skip, char term, 288 unsigned int *numoff, 289 unsigned int *numlen, 290 struct nf_conntrack_man *cmd, 291 int (*getnum)(const char *, size_t, 292 struct nf_conntrack_man *, char, 293 unsigned int *)) 294 { 295 size_t i = plen; 296 297 pr_debug("find_pattern `%s': dlen = %zu\n", pattern, dlen); 298 299 if (dlen <= plen) { 300 /* Short packet: try for partial? */ 301 if (strncasecmp(data, pattern, dlen) == 0) 302 return -1; 303 else return 0; 304 } 305 306 if (strncasecmp(data, pattern, plen) != 0) 307 return 0; 308 309 pr_debug("Pattern matches!\n"); 310 /* Now we've found the constant string, try to skip 311 to the 'skip' character */ 312 if (skip) { 313 for (i = plen; data[i] != skip; i++) 314 if (i == dlen - 1) return -1; 315 316 /* Skip over the last character */ 317 i++; 318 } 319 320 pr_debug("Skipped up to 0x%hhx delimiter!\n", skip); 321 322 *numoff = i; 323 *numlen = getnum(data + i, dlen - i, cmd, term, numoff); 324 if (!*numlen) 325 return -1; 326 327 pr_debug("Match succeeded!\n"); 328 return 1; 329 } 330 331 /* Look up to see if we're just after a \n. */ 332 static int find_nl_seq(u32 seq, const struct nf_ct_ftp_master *info, int dir) 333 { 334 unsigned int i; 335 336 for (i = 0; i < info->seq_aft_nl_num[dir]; i++) 337 if (info->seq_aft_nl[dir][i] == seq) 338 return 1; 339 return 0; 340 } 341 342 /* We don't update if it's older than what we have. */ 343 static void update_nl_seq(struct nf_conn *ct, u32 nl_seq, 344 struct nf_ct_ftp_master *info, int dir, 345 struct sk_buff *skb) 346 { 347 unsigned int i, oldest; 348 349 /* Look for oldest: if we find exact match, we're done. */ 350 for (i = 0; i < info->seq_aft_nl_num[dir]; i++) { 351 if (info->seq_aft_nl[dir][i] == nl_seq) 352 return; 353 } 354 355 if (info->seq_aft_nl_num[dir] < NUM_SEQ_TO_REMEMBER) { 356 info->seq_aft_nl[dir][info->seq_aft_nl_num[dir]++] = nl_seq; 357 } else { 358 if (before(info->seq_aft_nl[dir][0], info->seq_aft_nl[dir][1])) 359 oldest = 0; 360 else 361 oldest = 1; 362 363 if (after(nl_seq, info->seq_aft_nl[dir][oldest])) 364 info->seq_aft_nl[dir][oldest] = nl_seq; 365 } 366 } 367 368 static int help(struct sk_buff *skb, 369 unsigned int protoff, 370 struct nf_conn *ct, 371 enum ip_conntrack_info ctinfo) 372 { 373 unsigned int dataoff, datalen; 374 const struct tcphdr *th; 375 struct tcphdr _tcph; 376 const char *fb_ptr; 377 int ret; 378 u32 seq; 379 int dir = CTINFO2DIR(ctinfo); 380 unsigned int matchlen, matchoff; 381 struct nf_ct_ftp_master *ct_ftp_info = nfct_help_data(ct); 382 struct nf_conntrack_expect *exp; 383 union nf_inet_addr *daddr; 384 struct nf_conntrack_man cmd = {}; 385 unsigned int i; 386 int found = 0, ends_in_nl; 387 typeof(nf_nat_ftp_hook) nf_nat_ftp; 388 389 /* Until there's been traffic both ways, don't look in packets. */ 390 if (ctinfo != IP_CT_ESTABLISHED && 391 ctinfo != IP_CT_ESTABLISHED_REPLY) { 392 pr_debug("ftp: Conntrackinfo = %u\n", ctinfo); 393 return NF_ACCEPT; 394 } 395 396 if (unlikely(skb_linearize(skb))) 397 return NF_DROP; 398 399 th = skb_header_pointer(skb, protoff, sizeof(_tcph), &_tcph); 400 if (th == NULL) 401 return NF_ACCEPT; 402 403 dataoff = protoff + th->doff * 4; 404 /* No data? */ 405 if (dataoff >= skb->len) { 406 pr_debug("ftp: dataoff(%u) >= skblen(%u)\n", dataoff, 407 skb->len); 408 return NF_ACCEPT; 409 } 410 datalen = skb->len - dataoff; 411 412 spin_lock_bh(&ct->lock); 413 fb_ptr = skb->data + dataoff; 414 415 ends_in_nl = (fb_ptr[datalen - 1] == '\n'); 416 seq = ntohl(th->seq) + datalen; 417 418 /* Look up to see if we're just after a \n. */ 419 if (!find_nl_seq(ntohl(th->seq), ct_ftp_info, dir)) { 420 /* We're picking up this, clear flags and let it continue */ 421 if (unlikely(ct_ftp_info->flags[dir] & NF_CT_FTP_SEQ_PICKUP)) { 422 ct_ftp_info->flags[dir] ^= NF_CT_FTP_SEQ_PICKUP; 423 goto skip_nl_seq; 424 } 425 426 /* Now if this ends in \n, update ftp info. */ 427 pr_debug("nf_conntrack_ftp: wrong seq pos %s(%u) or %s(%u)\n", 428 ct_ftp_info->seq_aft_nl_num[dir] > 0 ? "" : "(UNSET)", 429 ct_ftp_info->seq_aft_nl[dir][0], 430 ct_ftp_info->seq_aft_nl_num[dir] > 1 ? "" : "(UNSET)", 431 ct_ftp_info->seq_aft_nl[dir][1]); 432 ret = NF_ACCEPT; 433 goto out_update_nl; 434 } 435 436 skip_nl_seq: 437 /* Initialize IP/IPv6 addr to expected address (it's not mentioned 438 in EPSV responses) */ 439 cmd.l3num = nf_ct_l3num(ct); 440 memcpy(cmd.u3.all, &ct->tuplehash[dir].tuple.src.u3.all, 441 sizeof(cmd.u3.all)); 442 443 for (i = 0; i < ARRAY_SIZE(search[dir]); i++) { 444 found = find_pattern(fb_ptr, datalen, 445 search[dir][i].pattern, 446 search[dir][i].plen, 447 search[dir][i].skip, 448 search[dir][i].term, 449 &matchoff, &matchlen, 450 &cmd, 451 search[dir][i].getnum); 452 if (found) break; 453 } 454 if (found == -1) { 455 /* We don't usually drop packets. After all, this is 456 connection tracking, not packet filtering. 457 However, it is necessary for accurate tracking in 458 this case. */ 459 nf_ct_helper_log(skb, ct, "partial matching of `%s'", 460 search[dir][i].pattern); 461 ret = NF_DROP; 462 goto out; 463 } else if (found == 0) { /* No match */ 464 ret = NF_ACCEPT; 465 goto out_update_nl; 466 } 467 468 pr_debug("conntrack_ftp: match `%.*s' (%u bytes at %u)\n", 469 matchlen, fb_ptr + matchoff, 470 matchlen, ntohl(th->seq) + matchoff); 471 472 exp = nf_ct_expect_alloc(ct); 473 if (exp == NULL) { 474 nf_ct_helper_log(skb, ct, "cannot alloc expectation"); 475 ret = NF_DROP; 476 goto out; 477 } 478 479 /* We refer to the reverse direction ("!dir") tuples here, 480 * because we're expecting something in the other direction. 481 * Doesn't matter unless NAT is happening. */ 482 daddr = &ct->tuplehash[!dir].tuple.dst.u3; 483 484 /* Update the ftp info */ 485 if ((cmd.l3num == nf_ct_l3num(ct)) && 486 memcmp(&cmd.u3.all, &ct->tuplehash[dir].tuple.src.u3.all, 487 sizeof(cmd.u3.all))) { 488 /* Enrico Scholz's passive FTP to partially RNAT'd ftp 489 server: it really wants us to connect to a 490 different IP address. Simply don't record it for 491 NAT. */ 492 if (cmd.l3num == PF_INET) { 493 pr_debug("NOT RECORDING: %pI4 != %pI4\n", 494 &cmd.u3.ip, 495 &ct->tuplehash[dir].tuple.src.u3.ip); 496 } else { 497 pr_debug("NOT RECORDING: %pI6 != %pI6\n", 498 cmd.u3.ip6, 499 ct->tuplehash[dir].tuple.src.u3.ip6); 500 } 501 502 /* Thanks to Cristiano Lincoln Mattos 503 <lincoln@cesar.org.br> for reporting this potential 504 problem (DMZ machines opening holes to internal 505 networks, or the packet filter itself). */ 506 if (!loose) { 507 ret = NF_ACCEPT; 508 goto out_put_expect; 509 } 510 daddr = &cmd.u3; 511 } 512 513 nf_ct_expect_init(exp, NF_CT_EXPECT_CLASS_DEFAULT, cmd.l3num, 514 &ct->tuplehash[!dir].tuple.src.u3, daddr, 515 IPPROTO_TCP, NULL, &cmd.u.tcp.port); 516 517 /* Now, NAT might want to mangle the packet, and register the 518 * (possibly changed) expectation itself. */ 519 nf_nat_ftp = rcu_dereference(nf_nat_ftp_hook); 520 if (nf_nat_ftp && ct->status & IPS_NAT_MASK) 521 ret = nf_nat_ftp(skb, ctinfo, search[dir][i].ftptype, 522 protoff, matchoff, matchlen, exp); 523 else { 524 /* Can't expect this? Best to drop packet now. */ 525 if (nf_ct_expect_related(exp, 0) != 0) { 526 nf_ct_helper_log(skb, ct, "cannot add expectation"); 527 ret = NF_DROP; 528 } else 529 ret = NF_ACCEPT; 530 } 531 532 out_put_expect: 533 nf_ct_expect_put(exp); 534 535 out_update_nl: 536 /* Now if this ends in \n, update ftp info. Seq may have been 537 * adjusted by NAT code. */ 538 if (ends_in_nl) 539 update_nl_seq(ct, seq, ct_ftp_info, dir, skb); 540 out: 541 spin_unlock_bh(&ct->lock); 542 return ret; 543 } 544 545 static int nf_ct_ftp_from_nlattr(struct nlattr *attr, struct nf_conn *ct) 546 { 547 struct nf_ct_ftp_master *ftp = nfct_help_data(ct); 548 549 /* This conntrack has been injected from user-space, always pick up 550 * sequence tracking. Otherwise, the first FTP command after the 551 * failover breaks. 552 */ 553 ftp->flags[IP_CT_DIR_ORIGINAL] |= NF_CT_FTP_SEQ_PICKUP; 554 ftp->flags[IP_CT_DIR_REPLY] |= NF_CT_FTP_SEQ_PICKUP; 555 return 0; 556 } 557 558 static struct nf_conntrack_helper ftp[MAX_PORTS * 2] __read_mostly; 559 560 static const struct nf_conntrack_expect_policy ftp_exp_policy = { 561 .max_expected = 1, 562 .timeout = 5 * 60, 563 }; 564 565 static void __exit nf_conntrack_ftp_fini(void) 566 { 567 nf_conntrack_helpers_unregister(ftp, ports_c * 2); 568 } 569 570 static int __init nf_conntrack_ftp_init(void) 571 { 572 int i, ret = 0; 573 574 NF_CT_HELPER_BUILD_BUG_ON(sizeof(struct nf_ct_ftp_master)); 575 576 if (ports_c == 0) 577 ports[ports_c++] = FTP_PORT; 578 579 /* FIXME should be configurable whether IPv4 and IPv6 FTP connections 580 are tracked or not - YK */ 581 for (i = 0; i < ports_c; i++) { 582 nf_ct_helper_init(&ftp[2 * i], AF_INET, IPPROTO_TCP, 583 HELPER_NAME, FTP_PORT, ports[i], ports[i], 584 &ftp_exp_policy, 0, help, 585 nf_ct_ftp_from_nlattr, THIS_MODULE); 586 nf_ct_helper_init(&ftp[2 * i + 1], AF_INET6, IPPROTO_TCP, 587 HELPER_NAME, FTP_PORT, ports[i], ports[i], 588 &ftp_exp_policy, 0, help, 589 nf_ct_ftp_from_nlattr, THIS_MODULE); 590 } 591 592 ret = nf_conntrack_helpers_register(ftp, ports_c * 2); 593 if (ret < 0) { 594 pr_err("failed to register helpers\n"); 595 return ret; 596 } 597 598 return 0; 599 } 600 601 module_init(nf_conntrack_ftp_init); 602 module_exit(nf_conntrack_ftp_fini); 603