2 * ip_vs_ftp.c: IPVS ftp application module
4 * Authors: Wensong Zhang <wensong@linuxvirtualserver.org>
9 * This program is free software; you can redistribute it and/or
10 * modify it under the terms of the GNU General Public License
11 * as published by the Free Software Foundation; either version
12 * 2 of the License, or (at your option) any later version.
14 * Most code here is taken from ip_masq_ftp.c in kernel 2.2. The difference
15 * is that ip_vs_ftp module handles the reverse direction to ip_masq_ftp.
17 * IP_MASQ_FTP ftp masquerading module
19 * Version: @(#)ip_masq_ftp.c 0.04 02/05/96
21 * Author: Wouter Gadeyne
25 #define KMSG_COMPONENT "IPVS"
26 #define pr_fmt(fmt) KMSG_COMPONENT ": " fmt
28 #include <linux/module.h>
29 #include <linux/moduleparam.h>
30 #include <linux/kernel.h>
31 #include <linux/skbuff.h>
32 #include <linux/ctype.h>
33 #include <linux/inet.h>
36 #include <linux/netfilter.h>
37 #include <net/netfilter/nf_conntrack.h>
38 #include <net/netfilter/nf_conntrack_expect.h>
39 #include <net/netfilter/nf_nat.h>
40 #include <net/netfilter/nf_nat_helper.h>
41 #include <linux/gfp.h>
42 #include <net/protocol.h>
44 #include <asm/unaligned.h>
46 #include <net/ip_vs.h>
49 #define SERVER_STRING_PASV "227 "
50 #define CLIENT_STRING_PORT "PORT"
51 #define SERVER_STRING_EPSV "229 "
52 #define CLIENT_STRING_EPRT "EPRT"
63 * List of ports (up to IP_VS_APP_MAX_PORTS) to be handled by helper
64 * First port is set to the default port.
66 static unsigned int ports_count = 1;
67 static unsigned short ports[IP_VS_APP_MAX_PORTS] = {21, 0};
68 module_param_array(ports, ushort, &ports_count, 0444);
69 MODULE_PARM_DESC(ports, "Ports to monitor for FTP control commands");
72 static char *ip_vs_ftp_data_ptr(struct sk_buff *skb, struct ip_vs_iphdr *ipvsh)
74 struct tcphdr *th = (struct tcphdr *)((char *)skb->data + ipvsh->len);
76 if ((th->doff << 2) < sizeof(struct tcphdr))
79 return (char *)th + (th->doff << 2);
83 ip_vs_ftp_init_conn(struct ip_vs_app *app, struct ip_vs_conn *cp)
85 /* We use connection tracking for the command connection */
86 cp->flags |= IP_VS_CONN_F_NFCT;
92 ip_vs_ftp_done_conn(struct ip_vs_app *app, struct ip_vs_conn *cp)
98 /* Get <addr,port> from the string "xxx.xxx.xxx.xxx,ppp,ppp", started
99 * with the "pattern". <addr,port> is in network order.
100 * Parse extended format depending on ext. In this case addr can be pre-set.
102 static int ip_vs_ftp_get_addrport(char *data, char *data_limit,
103 const char *pattern, size_t plen,
104 char skip, bool ext, int mode,
105 union nf_inet_addr *addr, __be16 *port,
106 __u16 af, char **start, char **end)
114 if (data_limit - data < plen) {
115 /* check if there is partial match */
116 if (strncasecmp(data, pattern, data_limit - data) == 0)
122 if (strncasecmp(data, pattern, plen) != 0) {
133 /* "(" is optional for non-extended format,
134 * so catch the start of IPv4 address
136 if (!ext && isdigit(*s))
140 } else if (*s != skip) {
145 /* Old IPv4-only format? */
148 for (data = s; ; data++) {
149 if (data == data_limit)
153 p[i] = p[i]*10 + c - '0';
154 } else if (c == ',' && i < 5) {
158 /* unexpected character or terminator */
168 addr->ip = get_unaligned((__be32 *) p);
169 *port = get_unaligned((__be16 *) (p + 4));
176 if (edelim < 33 || edelim > 126)
181 /* Address family is usually missing for EPSV response */
182 if (mode != IP_VS_FTP_EPSV)
187 /* Then address should be missing too */
190 /* Caller can pre-set addr, if needed */
195 /* We allow address only from same family */
196 if (af == AF_INET6 && *s != '2')
198 if (af == AF_INET && *s != '1')
208 if (af == AF_INET6) {
209 if (in6_pton(s, data_limit - s, (u8 *)addr, edelim,
213 if (in4_pton(s, data_limit - s, (u8 *)addr, edelim,
224 for (hport = 0; ; s++)
230 hport = hport * 10 + *s - '0';
232 if (s == data_limit || !hport || *s != edelim)
236 *port = htons(hport);
240 /* Look at outgoing ftp packets to catch the response to a PASV/EPSV command
241 * from the server (inside-to-outside).
242 * When we see one, we build a connection entry with the client address,
243 * client port 0 (unknown at the moment), the server address and the
244 * server port. Mark the current connection entry as a control channel
245 * of the new entry. All this work is just to make the data connection
246 * can be scheduled to the right server later.
248 * The outgoing packet should be something like
249 * "227 Entering Passive Mode (xxx,xxx,xxx,xxx,ppp,ppp)".
250 * xxx,xxx,xxx,xxx is the server address, ppp,ppp is the server port number.
251 * The extended format for EPSV response provides usually only port:
252 * "229 Entering Extended Passive Mode (|||ppp|)"
254 static int ip_vs_ftp_out(struct ip_vs_app *app, struct ip_vs_conn *cp,
255 struct sk_buff *skb, int *diff,
256 struct ip_vs_iphdr *ipvsh)
258 char *data, *data_limit;
260 union nf_inet_addr from;
262 struct ip_vs_conn *n_cp;
263 char buf[24]; /* xxx.xxx.xxx.xxx,ppp,ppp\000 */
264 unsigned int buf_len;
266 enum ip_conntrack_info ctinfo;
271 /* Only useful for established sessions */
272 if (cp->state != IP_VS_TCP_S_ESTABLISHED)
275 /* Linear packets are much easier to deal with. */
276 if (!skb_make_writable(skb, skb->len))
279 if (cp->app_data == (void *) IP_VS_FTP_PASV) {
280 data = ip_vs_ftp_data_ptr(skb, ipvsh);
281 data_limit = skb_tail_pointer(skb);
283 if (!data || data >= data_limit)
286 if (ip_vs_ftp_get_addrport(data, data_limit,
288 sizeof(SERVER_STRING_PASV)-1,
289 '(', false, IP_VS_FTP_PASV,
290 &from, &port, cp->af,
294 IP_VS_DBG(7, "PASV response (%pI4:%u) -> %pI4:%u detected\n",
295 &from.ip, ntohs(port), &cp->caddr.ip, 0);
296 } else if (cp->app_data == (void *) IP_VS_FTP_EPSV) {
297 data = ip_vs_ftp_data_ptr(skb, ipvsh);
298 data_limit = skb_tail_pointer(skb);
300 if (!data || data >= data_limit)
303 /* Usually, data address is not specified but
304 * we support different address, so pre-set it.
307 if (ip_vs_ftp_get_addrport(data, data_limit,
309 sizeof(SERVER_STRING_EPSV)-1,
310 '(', true, IP_VS_FTP_EPSV,
311 &from, &port, cp->af,
315 IP_VS_DBG_BUF(7, "EPSV response (%s:%u) -> %s:%u detected\n",
316 IP_VS_DBG_ADDR(cp->af, &from), ntohs(port),
317 IP_VS_DBG_ADDR(cp->af, &cp->caddr), 0);
322 /* Now update or create a connection entry for it */
324 struct ip_vs_conn_param p;
326 ip_vs_conn_fill_param(cp->ipvs, cp->af,
327 ipvsh->protocol, &from, port,
329 n_cp = ip_vs_conn_out_get(&p);
332 struct ip_vs_conn_param p;
334 ip_vs_conn_fill_param(cp->ipvs,
335 cp->af, ipvsh->protocol, &cp->caddr,
336 0, &cp->vaddr, port, &p);
337 n_cp = ip_vs_conn_new(&p, cp->af, &from, port,
338 IP_VS_CONN_F_NO_CPORT |
340 cp->dest, skb->mark);
344 /* add its controller */
345 ip_vs_control_add(n_cp, cp);
348 /* Replace the old passive address with the new one */
349 if (cp->app_data == (void *) IP_VS_FTP_PASV) {
350 from.ip = n_cp->vaddr.ip;
352 snprintf(buf, sizeof(buf), "%u,%u,%u,%u,%u,%u",
353 ((unsigned char *)&from.ip)[0],
354 ((unsigned char *)&from.ip)[1],
355 ((unsigned char *)&from.ip)[2],
356 ((unsigned char *)&from.ip)[3],
359 } else if (cp->app_data == (void *) IP_VS_FTP_EPSV) {
362 /* Only port, client will use VIP for the data connection */
363 snprintf(buf, sizeof(buf), "|||%u|",
368 buf_len = strlen(buf);
370 ct = nf_ct_get(skb, &ctinfo);
374 /* If mangling fails this function will return 0
375 * which will cause the packet to be dropped.
376 * Mangling can only fail under memory pressure,
377 * hopefully it will succeed on the retransmitted
380 mangled = nf_nat_mangle_tcp_packet(skb, ct, ctinfo,
386 ip_vs_nfct_expect_related(skb, ct, n_cp,
387 ipvsh->protocol, 0, 0);
388 if (skb->ip_summed == CHECKSUM_COMPLETE)
389 skb->ip_summed = CHECKSUM_UNNECESSARY;
390 /* csum is updated */
395 /* Not setting 'diff' is intentional, otherwise the sequence
396 * would be adjusted twice.
399 cp->app_data = (void *) IP_VS_FTP_ACTIVE;
400 ip_vs_tcp_conn_listen(n_cp);
401 ip_vs_conn_put(n_cp);
406 /* Look at incoming ftp packets to catch the PASV/PORT/EPRT/EPSV command
407 * (outside-to-inside).
409 * The incoming packet having the PORT command should be something like
410 * "PORT xxx,xxx,xxx,xxx,ppp,ppp\n".
411 * xxx,xxx,xxx,xxx is the client address, ppp,ppp is the client port number.
412 * In this case, we create a connection entry using the client address and
413 * port, so that the active ftp data connection from the server can reach
416 * "EPSV\r\n" when client requests server address from same family
417 * "EPSV 1\r\n" when client requests IPv4 server address
418 * "EPSV 2\r\n" when client requests IPv6 server address
419 * "EPSV ALL\r\n" - not supported
420 * EPRT with specified delimiter (ASCII 33..126), "|" by default:
421 * "EPRT |1|IPv4ADDR|PORT|\r\n" when client provides IPv4 addrport
422 * "EPRT |2|IPv6ADDR|PORT|\r\n" when client provides IPv6 addrport
424 static int ip_vs_ftp_in(struct ip_vs_app *app, struct ip_vs_conn *cp,
425 struct sk_buff *skb, int *diff,
426 struct ip_vs_iphdr *ipvsh)
428 char *data, *data_start, *data_limit;
430 union nf_inet_addr to;
432 struct ip_vs_conn *n_cp;
434 /* no diff required for incoming packets */
437 /* Only useful for established sessions */
438 if (cp->state != IP_VS_TCP_S_ESTABLISHED)
441 /* Linear packets are much easier to deal with. */
442 if (!skb_make_writable(skb, skb->len))
445 data = data_start = ip_vs_ftp_data_ptr(skb, ipvsh);
446 data_limit = skb_tail_pointer(skb);
447 if (!data || data >= data_limit)
450 while (data <= data_limit - 6) {
451 if (cp->af == AF_INET &&
452 strncasecmp(data, "PASV\r\n", 6) == 0) {
453 /* Passive mode on */
454 IP_VS_DBG(7, "got PASV at %td of %td\n",
456 data_limit - data_start);
457 cp->app_data = (void *) IP_VS_FTP_PASV;
461 /* EPSV or EPSV<space><net-prt> */
462 if (strncasecmp(data, "EPSV", 4) == 0 &&
463 (data[4] == ' ' || data[4] == '\r')) {
464 if (data[4] == ' ') {
465 char proto = data[5];
467 if (data > data_limit - 7 || data[6] != '\r')
470 #ifdef CONFIG_IP_VS_IPV6
471 if (cp->af == AF_INET6 && proto == '2') {
474 if (cp->af == AF_INET && proto == '1') {
479 /* Extended Passive mode on */
480 IP_VS_DBG(7, "got EPSV at %td of %td\n",
482 data_limit - data_start);
483 cp->app_data = (void *) IP_VS_FTP_EPSV;
491 * To support virtual FTP server, the scenerio is as follows:
492 * FTP client ----> Load Balancer ----> FTP server
493 * First detect the port number in the application data,
494 * then create a new connection entry for the coming data
497 if (cp->af == AF_INET &&
498 ip_vs_ftp_get_addrport(data_start, data_limit,
500 sizeof(CLIENT_STRING_PORT)-1,
501 ' ', false, IP_VS_FTP_PORT,
503 &start, &end) == 1) {
505 IP_VS_DBG(7, "PORT %pI4:%u detected\n", &to.ip, ntohs(port));
507 /* Now update or create a connection entry for it */
508 IP_VS_DBG(7, "protocol %s %pI4:%u %pI4:%u\n",
509 ip_vs_proto_name(ipvsh->protocol),
510 &to.ip, ntohs(port), &cp->vaddr.ip,
512 } else if (ip_vs_ftp_get_addrport(data_start, data_limit,
514 sizeof(CLIENT_STRING_EPRT)-1,
515 ' ', true, IP_VS_FTP_EPRT,
517 &start, &end) == 1) {
519 IP_VS_DBG_BUF(7, "EPRT %s:%u detected\n",
520 IP_VS_DBG_ADDR(cp->af, &to), ntohs(port));
522 /* Now update or create a connection entry for it */
523 IP_VS_DBG_BUF(7, "protocol %s %s:%u %s:%u\n",
524 ip_vs_proto_name(ipvsh->protocol),
525 IP_VS_DBG_ADDR(cp->af, &to), ntohs(port),
526 IP_VS_DBG_ADDR(cp->af, &cp->vaddr),
532 /* Passive mode off */
533 cp->app_data = (void *) IP_VS_FTP_ACTIVE;
536 struct ip_vs_conn_param p;
537 ip_vs_conn_fill_param(cp->ipvs, cp->af,
538 ipvsh->protocol, &to, port, &cp->vaddr,
539 htons(ntohs(cp->vport)-1), &p);
540 n_cp = ip_vs_conn_in_get(&p);
542 n_cp = ip_vs_conn_new(&p, cp->af, &cp->daddr,
543 htons(ntohs(cp->dport)-1),
544 IP_VS_CONN_F_NFCT, cp->dest,
549 /* add its controller */
550 ip_vs_control_add(n_cp, cp);
555 * Move tunnel to listen state
557 ip_vs_tcp_conn_listen(n_cp);
558 ip_vs_conn_put(n_cp);
564 static struct ip_vs_app ip_vs_ftp = {
566 .type = IP_VS_APP_TYPE_FTP,
567 .protocol = IPPROTO_TCP,
568 .module = THIS_MODULE,
569 .incs_list = LIST_HEAD_INIT(ip_vs_ftp.incs_list),
570 .init_conn = ip_vs_ftp_init_conn,
571 .done_conn = ip_vs_ftp_done_conn,
574 .pkt_out = ip_vs_ftp_out,
575 .pkt_in = ip_vs_ftp_in,
579 * per netns ip_vs_ftp initialization
581 static int __net_init __ip_vs_ftp_init(struct net *net)
584 struct ip_vs_app *app;
585 struct netns_ipvs *ipvs = net_ipvs(net);
590 app = register_ip_vs_app(ipvs, &ip_vs_ftp);
594 for (i = 0; i < ports_count; i++) {
597 ret = register_ip_vs_app_inc(ipvs, app, app->protocol, ports[i]);
600 pr_info("%s: loaded support on port[%d] = %u\n",
601 app->name, i, ports[i]);
606 unregister_ip_vs_app(ipvs, &ip_vs_ftp);
612 static void __ip_vs_ftp_exit(struct net *net)
614 struct netns_ipvs *ipvs = net_ipvs(net);
619 unregister_ip_vs_app(ipvs, &ip_vs_ftp);
622 static struct pernet_operations ip_vs_ftp_ops = {
623 .init = __ip_vs_ftp_init,
624 .exit = __ip_vs_ftp_exit,
627 static int __init ip_vs_ftp_init(void)
629 /* rcu_barrier() is called by netns on error */
630 return register_pernet_subsys(&ip_vs_ftp_ops);
636 static void __exit ip_vs_ftp_exit(void)
638 unregister_pernet_subsys(&ip_vs_ftp_ops);
639 /* rcu_barrier() is called by netns */
643 module_init(ip_vs_ftp_init);
644 module_exit(ip_vs_ftp_exit);
645 MODULE_LICENSE("GPL");