1 /* $OpenBSD: ftp-proxy.c,v 1.19 2008/06/13 07:25:26 claudio Exp $ */
2
3 /*
4 * Copyright (c) 2004, 2005 Camiel Dobbelaar, <cd@sentia.nl>
5 *
6 * Permission to use, copy, modify, and distribute this software for any
7 * purpose with or without fee is hereby granted, provided that the above
8 * copyright notice and this permission notice appear in all copies.
9 *
10 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
11 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
12 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
13 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
14 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
15 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
16 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
17 */
18
19 #include <sys/cdefs.h>
20 __FBSDID("$FreeBSD$");
21
22 #include <sys/queue.h>
23 #include <sys/types.h>
24 #include <sys/time.h>
25 #include <sys/resource.h>
26 #include <sys/socket.h>
27
28 #include <net/if.h>
29 #include <net/pfvar.h>
30 #include <netinet/in.h>
31 #include <arpa/inet.h>
32
33 #include <err.h>
34 #include <errno.h>
35 #include <event.h>
36 #include <fcntl.h>
37 #include <netdb.h>
38 #include <pwd.h>
39 #include <signal.h>
40 #include <stdarg.h>
41 #include <stdio.h>
42 #include <stdlib.h>
43 #include <string.h>
44 #include <syslog.h>
45 #include <unistd.h>
46 #include <vis.h>
47
48 #include "filter.h"
49
50 #define CONNECT_TIMEOUT 30
51 #define MIN_PORT 1024
52 #define MAX_LINE 500
53 #define MAX_LOGLINE 300
54 #define NTOP_BUFS 3
55 #define TCP_BACKLOG 10
56
57 #define CHROOT_DIR "/var/empty"
58 #define NOPRIV_USER "proxy"
59
60 /* pfctl standard NAT range. */
61 #define PF_NAT_PROXY_PORT_LOW 50001
62 #define PF_NAT_PROXY_PORT_HIGH 65535
63
64 #ifndef LIST_END
65 #define LIST_END(a) NULL
66 #endif
67
68 #ifndef getrtable
69 #define getrtable(a) 0
70 #endif
71
72 #define sstosa(ss) ((struct sockaddr *)(ss))
73
74 enum { CMD_NONE = 0, CMD_PORT, CMD_EPRT, CMD_PASV, CMD_EPSV };
75
76 struct session {
77 u_int32_t id;
78 struct sockaddr_storage client_ss;
79 struct sockaddr_storage proxy_ss;
80 struct sockaddr_storage server_ss;
81 struct sockaddr_storage orig_server_ss;
82 struct bufferevent *client_bufev;
83 struct bufferevent *server_bufev;
84 int client_fd;
85 int server_fd;
86 char cbuf[MAX_LINE];
87 size_t cbuf_valid;
88 char sbuf[MAX_LINE];
89 size_t sbuf_valid;
90 int cmd;
91 u_int16_t port;
92 u_int16_t proxy_port;
93 LIST_ENTRY(session) entry;
94 };
95
96 LIST_HEAD(, session) sessions = LIST_HEAD_INITIALIZER(sessions);
97
98 void client_error(struct bufferevent *, short, void *);
99 int client_parse(struct session *s);
100 int client_parse_anon(struct session *s);
101 int client_parse_cmd(struct session *s);
102 void client_read(struct bufferevent *, void *);
103 int drop_privs(void);
104 void end_session(struct session *);
105 void exit_daemon(void);
106 int get_line(char *, size_t *);
107 void handle_connection(const int, short, void *);
108 void handle_signal(int, short, void *);
109 struct session * init_session(void);
110 void logmsg(int, const char *, ...);
111 u_int16_t parse_port(int);
112 u_int16_t pick_proxy_port(void);
113 void proxy_reply(int, struct sockaddr *, u_int16_t);
114 void server_error(struct bufferevent *, short, void *);
115 int server_parse(struct session *s);
116 int allow_data_connection(struct session *s);
117 void server_read(struct bufferevent *, void *);
118 const char *sock_ntop(struct sockaddr *);
119 void usage(void);
120
121 char linebuf[MAX_LINE + 1];
122 size_t linelen;
123
124 char ntop_buf[NTOP_BUFS][INET6_ADDRSTRLEN];
125
126 struct sockaddr_storage fixed_server_ss, fixed_proxy_ss;
127 const char *fixed_server, *fixed_server_port, *fixed_proxy, *listen_ip, *listen_port,
128 *qname, *tagname;
129 int anonymous_only, daemonize, id_count, ipv6_mode, loglevel, max_sessions,
130 rfc_mode, session_count, timeout, verbose;
131 extern char *__progname;
132
133 void
client_error(struct bufferevent * bufev __unused,short what,void * arg)134 client_error(struct bufferevent *bufev __unused, short what, void *arg)
135 {
136 struct session *s = arg;
137
138 if (what & EVBUFFER_EOF)
139 logmsg(LOG_INFO, "#%d client close", s->id);
140 else if (what == (EVBUFFER_ERROR | EVBUFFER_READ))
141 logmsg(LOG_ERR, "#%d client reset connection", s->id);
142 else if (what & EVBUFFER_TIMEOUT)
143 logmsg(LOG_ERR, "#%d client timeout", s->id);
144 else if (what & EVBUFFER_WRITE)
145 logmsg(LOG_ERR, "#%d client write error: %d", s->id, what);
146 else
147 logmsg(LOG_ERR, "#%d abnormal client error: %d", s->id, what);
148
149 end_session(s);
150 }
151
152 int
client_parse(struct session * s)153 client_parse(struct session *s)
154 {
155 /* Reset any previous command. */
156 s->cmd = CMD_NONE;
157 s->port = 0;
158
159 /* Commands we are looking for are at least 4 chars long. */
160 if (linelen < 4)
161 return (1);
162
163 if (linebuf[0] == 'P' || linebuf[0] == 'p' ||
164 linebuf[0] == 'E' || linebuf[0] == 'e') {
165 if (!client_parse_cmd(s))
166 return (0);
167
168 /*
169 * Allow active mode connections immediately, instead of
170 * waiting for a positive reply from the server. Some
171 * rare servers/proxies try to probe or setup the data
172 * connection before an actual transfer request.
173 */
174 if (s->cmd == CMD_PORT || s->cmd == CMD_EPRT)
175 return (allow_data_connection(s));
176 }
177
178 if (anonymous_only && (linebuf[0] == 'U' || linebuf[0] == 'u'))
179 return (client_parse_anon(s));
180
181 return (1);
182 }
183
184 int
client_parse_anon(struct session * s)185 client_parse_anon(struct session *s)
186 {
187 if (strcasecmp("USER ftp\r\n", linebuf) != 0 &&
188 strcasecmp("USER anonymous\r\n", linebuf) != 0) {
189 snprintf(linebuf, sizeof linebuf,
190 "500 Only anonymous FTP allowed\r\n");
191 logmsg(LOG_DEBUG, "#%d proxy: %s", s->id, linebuf);
192
193 /* Talk back to the client ourself. */
194 linelen = strlen(linebuf);
195 bufferevent_write(s->client_bufev, linebuf, linelen);
196
197 /* Clear buffer so it's not sent to the server. */
198 linebuf[0] = '\0';
199 linelen = 0;
200 }
201
202 return (1);
203 }
204
205 int
client_parse_cmd(struct session * s)206 client_parse_cmd(struct session *s)
207 {
208 if (strncasecmp("PASV", linebuf, 4) == 0)
209 s->cmd = CMD_PASV;
210 else if (strncasecmp("PORT ", linebuf, 5) == 0)
211 s->cmd = CMD_PORT;
212 else if (strncasecmp("EPSV", linebuf, 4) == 0)
213 s->cmd = CMD_EPSV;
214 else if (strncasecmp("EPRT ", linebuf, 5) == 0)
215 s->cmd = CMD_EPRT;
216 else
217 return (1);
218
219 if (ipv6_mode && (s->cmd == CMD_PASV || s->cmd == CMD_PORT)) {
220 logmsg(LOG_CRIT, "PASV and PORT not allowed with IPv6");
221 return (0);
222 }
223
224 if (s->cmd == CMD_PORT || s->cmd == CMD_EPRT) {
225 s->port = parse_port(s->cmd);
226 if (s->port < MIN_PORT) {
227 logmsg(LOG_CRIT, "#%d bad port in '%s'", s->id,
228 linebuf);
229 return (0);
230 }
231 s->proxy_port = pick_proxy_port();
232 proxy_reply(s->cmd, sstosa(&s->proxy_ss), s->proxy_port);
233 logmsg(LOG_DEBUG, "#%d proxy: %s", s->id, linebuf);
234 }
235
236 return (1);
237 }
238
239 void
client_read(struct bufferevent * bufev,void * arg)240 client_read(struct bufferevent *bufev, void *arg)
241 {
242 struct session *s = arg;
243 size_t buf_avail, clientread;
244 int n;
245
246 do {
247 buf_avail = sizeof s->cbuf - s->cbuf_valid;
248 clientread = bufferevent_read(bufev, s->cbuf + s->cbuf_valid,
249 buf_avail);
250 s->cbuf_valid += clientread;
251
252 while ((n = get_line(s->cbuf, &s->cbuf_valid)) > 0) {
253 logmsg(LOG_DEBUG, "#%d client: %s", s->id, linebuf);
254 if (!client_parse(s)) {
255 end_session(s);
256 return;
257 }
258 bufferevent_write(s->server_bufev, linebuf, linelen);
259 }
260
261 if (n == -1) {
262 logmsg(LOG_ERR, "#%d client command too long or not"
263 " clean", s->id);
264 end_session(s);
265 return;
266 }
267 } while (clientread == buf_avail);
268 }
269
270 int
drop_privs(void)271 drop_privs(void)
272 {
273 struct passwd *pw;
274
275 pw = getpwnam(NOPRIV_USER);
276 if (pw == NULL)
277 return (0);
278
279 tzset();
280 if (chroot(CHROOT_DIR) != 0 || chdir("/") != 0 ||
281 setgroups(1, &pw->pw_gid) != 0 ||
282 setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) != 0 ||
283 setresuid(pw->pw_uid, pw->pw_uid, pw->pw_uid) != 0)
284 return (0);
285
286 return (1);
287 }
288
289 void
end_session(struct session * s)290 end_session(struct session *s)
291 {
292 int serr;
293
294 logmsg(LOG_INFO, "#%d ending session", s->id);
295
296 /* Flush output buffers. */
297 if (s->client_bufev && s->client_fd != -1)
298 evbuffer_write(s->client_bufev->output, s->client_fd);
299 if (s->server_bufev && s->server_fd != -1)
300 evbuffer_write(s->server_bufev->output, s->server_fd);
301
302 if (s->client_fd != -1)
303 close(s->client_fd);
304 if (s->server_fd != -1)
305 close(s->server_fd);
306
307 if (s->client_bufev)
308 bufferevent_free(s->client_bufev);
309 if (s->server_bufev)
310 bufferevent_free(s->server_bufev);
311
312 /* Remove rulesets by commiting empty ones. */
313 serr = 0;
314 if (prepare_commit(s->id) == -1)
315 serr = errno;
316 else if (do_commit() == -1) {
317 serr = errno;
318 do_rollback();
319 }
320 if (serr)
321 logmsg(LOG_ERR, "#%d pf rule removal failed: %s", s->id,
322 strerror(serr));
323
324 LIST_REMOVE(s, entry);
325 free(s);
326 session_count--;
327 }
328
329 void
exit_daemon(void)330 exit_daemon(void)
331 {
332 struct session *s, *next;
333
334 for (s = LIST_FIRST(&sessions); s != LIST_END(&sessions); s = next) {
335 next = LIST_NEXT(s, entry);
336 end_session(s);
337 }
338
339 if (daemonize)
340 closelog();
341
342 exit(0);
343 }
344
345 int
get_line(char * buf,size_t * valid)346 get_line(char *buf, size_t *valid)
347 {
348 size_t i;
349
350 if (*valid > MAX_LINE)
351 return (-1);
352
353 /* Copy to linebuf while searching for a newline. */
354 for (i = 0; i < *valid; i++) {
355 linebuf[i] = buf[i];
356 if (buf[i] == '\0')
357 return (-1);
358 if (buf[i] == '\n')
359 break;
360 }
361
362 if (i == *valid) {
363 /* No newline found. */
364 linebuf[0] = '\0';
365 linelen = 0;
366 if (i < MAX_LINE)
367 return (0);
368 return (-1);
369 }
370
371 linelen = i + 1;
372 linebuf[linelen] = '\0';
373 *valid -= linelen;
374
375 /* Move leftovers to the start. */
376 if (*valid != 0)
377 bcopy(buf + linelen, buf, *valid);
378
379 return ((int)linelen);
380 }
381
382 void
handle_connection(const int listen_fd,short event __unused,void * ev __unused)383 handle_connection(const int listen_fd, short event __unused, void *ev __unused)
384 {
385 struct sockaddr_storage tmp_ss;
386 struct sockaddr *client_sa, *server_sa, *fixed_server_sa;
387 struct sockaddr *client_to_proxy_sa, *proxy_to_server_sa;
388 struct session *s;
389 socklen_t len;
390 int client_fd, fc, on;
391
392 /*
393 * We _must_ accept the connection, otherwise libevent will keep
394 * coming back, and we will chew up all CPU.
395 */
396 client_sa = sstosa(&tmp_ss);
397 len = sizeof(struct sockaddr_storage);
398 if ((client_fd = accept(listen_fd, client_sa, &len)) < 0) {
399 logmsg(LOG_CRIT, "accept failed: %s", strerror(errno));
400 return;
401 }
402
403 /* Refuse connection if the maximum is reached. */
404 if (session_count >= max_sessions) {
405 logmsg(LOG_ERR, "client limit (%d) reached, refusing "
406 "connection from %s", max_sessions, sock_ntop(client_sa));
407 close(client_fd);
408 return;
409 }
410
411 /* Allocate session and copy back the info from the accept(). */
412 s = init_session();
413 if (s == NULL) {
414 logmsg(LOG_CRIT, "init_session failed");
415 close(client_fd);
416 return;
417 }
418 s->client_fd = client_fd;
419 memcpy(sstosa(&s->client_ss), client_sa, client_sa->sa_len);
420
421 /* Cast it once, and be done with it. */
422 client_sa = sstosa(&s->client_ss);
423 server_sa = sstosa(&s->server_ss);
424 client_to_proxy_sa = sstosa(&tmp_ss);
425 proxy_to_server_sa = sstosa(&s->proxy_ss);
426 fixed_server_sa = sstosa(&fixed_server_ss);
427
428 /* Log id/client early to ease debugging. */
429 logmsg(LOG_DEBUG, "#%d accepted connection from %s", s->id,
430 sock_ntop(client_sa));
431
432 /*
433 * Find out the real server and port that the client wanted.
434 */
435 len = sizeof(struct sockaddr_storage);
436 if ((getsockname(s->client_fd, client_to_proxy_sa, &len)) < 0) {
437 logmsg(LOG_CRIT, "#%d getsockname failed: %s", s->id,
438 strerror(errno));
439 goto fail;
440 }
441 if (server_lookup(client_sa, client_to_proxy_sa, server_sa) != 0) {
442 logmsg(LOG_CRIT, "#%d server lookup failed (no rdr?)", s->id);
443 goto fail;
444 }
445 if (fixed_server) {
446 memcpy(sstosa(&s->orig_server_ss), server_sa,
447 server_sa->sa_len);
448 memcpy(server_sa, fixed_server_sa, fixed_server_sa->sa_len);
449 }
450
451 /* XXX: check we are not connecting to ourself. */
452
453 /*
454 * Setup socket and connect to server.
455 */
456 if ((s->server_fd = socket(server_sa->sa_family, SOCK_STREAM,
457 IPPROTO_TCP)) < 0) {
458 logmsg(LOG_CRIT, "#%d server socket failed: %s", s->id,
459 strerror(errno));
460 goto fail;
461 }
462 if (fixed_proxy && bind(s->server_fd, sstosa(&fixed_proxy_ss),
463 fixed_proxy_ss.ss_len) != 0) {
464 logmsg(LOG_CRIT, "#%d cannot bind fixed proxy address: %s",
465 s->id, strerror(errno));
466 goto fail;
467 }
468
469 /* Use non-blocking connect(), see CONNECT_TIMEOUT below. */
470 if ((fc = fcntl(s->server_fd, F_GETFL)) == -1 ||
471 fcntl(s->server_fd, F_SETFL, fc | O_NONBLOCK) == -1) {
472 logmsg(LOG_CRIT, "#%d cannot mark socket non-blocking: %s",
473 s->id, strerror(errno));
474 goto fail;
475 }
476 if (connect(s->server_fd, server_sa, server_sa->sa_len) < 0 &&
477 errno != EINPROGRESS) {
478 logmsg(LOG_CRIT, "#%d proxy cannot connect to server %s: %s",
479 s->id, sock_ntop(server_sa), strerror(errno));
480 goto fail;
481 }
482
483 len = sizeof(struct sockaddr_storage);
484 if ((getsockname(s->server_fd, proxy_to_server_sa, &len)) < 0) {
485 logmsg(LOG_CRIT, "#%d getsockname failed: %s", s->id,
486 strerror(errno));
487 goto fail;
488 }
489
490 logmsg(LOG_INFO, "#%d FTP session %d/%d started: client %s to server "
491 "%s via proxy %s ", s->id, session_count, max_sessions,
492 sock_ntop(client_sa), sock_ntop(server_sa),
493 sock_ntop(proxy_to_server_sa));
494
495 /* Keepalive is nice, but don't care if it fails. */
496 on = 1;
497 setsockopt(s->client_fd, SOL_SOCKET, SO_KEEPALIVE, (void *)&on,
498 sizeof on);
499 setsockopt(s->server_fd, SOL_SOCKET, SO_KEEPALIVE, (void *)&on,
500 sizeof on);
501
502 /*
503 * Setup buffered events.
504 */
505 s->client_bufev = bufferevent_new(s->client_fd, &client_read, NULL,
506 &client_error, s);
507 if (s->client_bufev == NULL) {
508 logmsg(LOG_CRIT, "#%d bufferevent_new client failed", s->id);
509 goto fail;
510 }
511 bufferevent_settimeout(s->client_bufev, timeout, 0);
512 bufferevent_enable(s->client_bufev, EV_READ | EV_TIMEOUT);
513
514 s->server_bufev = bufferevent_new(s->server_fd, &server_read, NULL,
515 &server_error, s);
516 if (s->server_bufev == NULL) {
517 logmsg(LOG_CRIT, "#%d bufferevent_new server failed", s->id);
518 goto fail;
519 }
520 bufferevent_settimeout(s->server_bufev, CONNECT_TIMEOUT, 0);
521 bufferevent_enable(s->server_bufev, EV_READ | EV_TIMEOUT);
522
523 return;
524
525 fail:
526 end_session(s);
527 }
528
529 void
handle_signal(int sig,short event __unused,void * arg __unused)530 handle_signal(int sig, short event __unused, void *arg __unused)
531 {
532 /*
533 * Signal handler rules don't apply, libevent decouples for us.
534 */
535
536 logmsg(LOG_ERR, "exiting on signal %d", sig);
537
538 exit_daemon();
539 }
540
541
542 struct session *
init_session(void)543 init_session(void)
544 {
545 struct session *s;
546
547 s = calloc(1, sizeof(struct session));
548 if (s == NULL)
549 return (NULL);
550
551 s->id = id_count++;
552 s->client_fd = -1;
553 s->server_fd = -1;
554 s->cbuf[0] = '\0';
555 s->cbuf_valid = 0;
556 s->sbuf[0] = '\0';
557 s->sbuf_valid = 0;
558 s->client_bufev = NULL;
559 s->server_bufev = NULL;
560 s->cmd = CMD_NONE;
561 s->port = 0;
562
563 LIST_INSERT_HEAD(&sessions, s, entry);
564 session_count++;
565
566 return (s);
567 }
568
569 void
logmsg(int pri,const char * message,...)570 logmsg(int pri, const char *message, ...)
571 {
572 va_list ap;
573
574 if (pri > loglevel)
575 return;
576
577 va_start(ap, message);
578
579 if (daemonize)
580 /* syslog does its own vissing. */
581 vsyslog(pri, message, ap);
582 else {
583 char buf[MAX_LOGLINE];
584 char visbuf[2 * MAX_LOGLINE];
585
586 /* We don't care about truncation. */
587 vsnprintf(buf, sizeof buf, message, ap);
588 #ifdef __FreeBSD__
589 strvis(visbuf, buf, VIS_CSTYLE | VIS_NL);
590 #else
591 strnvis(visbuf, buf, sizeof visbuf, VIS_CSTYLE | VIS_NL);
592 #endif
593 fprintf(stderr, "%s\n", visbuf);
594 }
595
596 va_end(ap);
597 }
598
599 int
main(int argc,char * argv[])600 main(int argc, char *argv[])
601 {
602 struct rlimit rlp;
603 struct addrinfo hints, *res;
604 struct event ev, ev_sighup, ev_sigint, ev_sigterm;
605 int ch, error, listenfd, on;
606 const char *errstr;
607
608 /* Defaults. */
609 anonymous_only = 0;
610 daemonize = 1;
611 fixed_proxy = NULL;
612 fixed_server = NULL;
613 fixed_server_port = "21";
614 ipv6_mode = 0;
615 listen_ip = NULL;
616 listen_port = "8021";
617 loglevel = LOG_NOTICE;
618 max_sessions = 100;
619 qname = NULL;
620 rfc_mode = 0;
621 tagname = NULL;
622 timeout = 24 * 3600;
623 verbose = 0;
624
625 /* Other initialization. */
626 id_count = 1;
627 session_count = 0;
628
629 while ((ch = getopt(argc, argv, "6Aa:b:D:dm:P:p:q:R:rT:t:v")) != -1) {
630 switch (ch) {
631 case '6':
632 ipv6_mode = 1;
633 break;
634 case 'A':
635 anonymous_only = 1;
636 break;
637 case 'a':
638 fixed_proxy = optarg;
639 break;
640 case 'b':
641 listen_ip = optarg;
642 break;
643 case 'D':
644 loglevel = strtonum(optarg, LOG_EMERG, LOG_DEBUG,
645 &errstr);
646 if (errstr)
647 errx(1, "loglevel %s", errstr);
648 break;
649 case 'd':
650 daemonize = 0;
651 break;
652 case 'm':
653 max_sessions = strtonum(optarg, 1, 500, &errstr);
654 if (errstr)
655 errx(1, "max sessions %s", errstr);
656 break;
657 case 'P':
658 fixed_server_port = optarg;
659 break;
660 case 'p':
661 listen_port = optarg;
662 break;
663 case 'q':
664 if (strlen(optarg) >= PF_QNAME_SIZE)
665 errx(1, "queuename too long");
666 qname = optarg;
667 break;
668 case 'R':
669 fixed_server = optarg;
670 break;
671 case 'r':
672 rfc_mode = 1;
673 break;
674 case 'T':
675 if (strlen(optarg) >= PF_TAG_NAME_SIZE)
676 errx(1, "tagname too long");
677 tagname = optarg;
678 break;
679 case 't':
680 timeout = strtonum(optarg, 0, 86400, &errstr);
681 if (errstr)
682 errx(1, "timeout %s", errstr);
683 break;
684 case 'v':
685 verbose++;
686 if (verbose > 2)
687 usage();
688 break;
689 default:
690 usage();
691 }
692 }
693
694 if (listen_ip == NULL)
695 listen_ip = ipv6_mode ? "::1" : "127.0.0.1";
696
697 /* Check for root to save the user from cryptic failure messages. */
698 if (getuid() != 0)
699 errx(1, "needs to start as root");
700
701 /* Raise max. open files limit to satisfy max. sessions. */
702 rlp.rlim_cur = rlp.rlim_max = (2 * max_sessions) + 10;
703 if (setrlimit(RLIMIT_NOFILE, &rlp) == -1)
704 err(1, "setrlimit");
705
706 if (fixed_proxy) {
707 memset(&hints, 0, sizeof hints);
708 hints.ai_flags = AI_NUMERICHOST;
709 hints.ai_family = ipv6_mode ? AF_INET6 : AF_INET;
710 hints.ai_socktype = SOCK_STREAM;
711 error = getaddrinfo(fixed_proxy, NULL, &hints, &res);
712 if (error)
713 errx(1, "getaddrinfo fixed proxy address failed: %s",
714 gai_strerror(error));
715 memcpy(&fixed_proxy_ss, res->ai_addr, res->ai_addrlen);
716 logmsg(LOG_INFO, "using %s to connect to servers",
717 sock_ntop(sstosa(&fixed_proxy_ss)));
718 freeaddrinfo(res);
719 }
720
721 if (fixed_server) {
722 memset(&hints, 0, sizeof hints);
723 hints.ai_family = ipv6_mode ? AF_INET6 : AF_INET;
724 hints.ai_socktype = SOCK_STREAM;
725 error = getaddrinfo(fixed_server, fixed_server_port, &hints,
726 &res);
727 if (error)
728 errx(1, "getaddrinfo fixed server address failed: %s",
729 gai_strerror(error));
730 memcpy(&fixed_server_ss, res->ai_addr, res->ai_addrlen);
731 logmsg(LOG_INFO, "using fixed server %s",
732 sock_ntop(sstosa(&fixed_server_ss)));
733 freeaddrinfo(res);
734 }
735
736 /* Setup listener. */
737 memset(&hints, 0, sizeof hints);
738 hints.ai_flags = AI_NUMERICHOST | AI_PASSIVE;
739 hints.ai_family = ipv6_mode ? AF_INET6 : AF_INET;
740 hints.ai_socktype = SOCK_STREAM;
741 error = getaddrinfo(listen_ip, listen_port, &hints, &res);
742 if (error)
743 errx(1, "getaddrinfo listen address failed: %s",
744 gai_strerror(error));
745 if ((listenfd = socket(res->ai_family, SOCK_STREAM, IPPROTO_TCP)) == -1)
746 errx(1, "socket failed");
747 on = 1;
748 if (setsockopt(listenfd, SOL_SOCKET, SO_REUSEADDR, (void *)&on,
749 sizeof on) != 0)
750 err(1, "setsockopt failed");
751 if (bind(listenfd, (struct sockaddr *)res->ai_addr,
752 (socklen_t)res->ai_addrlen) != 0)
753 err(1, "bind failed");
754 if (listen(listenfd, TCP_BACKLOG) != 0)
755 err(1, "listen failed");
756 freeaddrinfo(res);
757
758 /* Initialize pf. */
759 init_filter(qname, tagname, verbose);
760
761 if (daemonize) {
762 if (daemon(0, 0) == -1)
763 err(1, "cannot daemonize");
764 openlog(__progname, LOG_PID | LOG_NDELAY, LOG_DAEMON);
765 }
766
767 /* Use logmsg for output from here on. */
768
769 if (!drop_privs()) {
770 logmsg(LOG_ERR, "cannot drop privileges: %s", strerror(errno));
771 exit(1);
772 }
773
774 event_init();
775
776 /* Setup signal handler. */
777 signal(SIGPIPE, SIG_IGN);
778 signal_set(&ev_sighup, SIGHUP, handle_signal, NULL);
779 signal_set(&ev_sigint, SIGINT, handle_signal, NULL);
780 signal_set(&ev_sigterm, SIGTERM, handle_signal, NULL);
781 signal_add(&ev_sighup, NULL);
782 signal_add(&ev_sigint, NULL);
783 signal_add(&ev_sigterm, NULL);
784
785 event_set(&ev, listenfd, EV_READ | EV_PERSIST, handle_connection, &ev);
786 event_add(&ev, NULL);
787
788 logmsg(LOG_NOTICE, "listening on %s port %s", listen_ip, listen_port);
789
790 /* Vroom, vroom. */
791 event_dispatch();
792
793 logmsg(LOG_ERR, "event_dispatch error: %s", strerror(errno));
794 exit_daemon();
795
796 /* NOTREACHED */
797 return (1);
798 }
799
800 u_int16_t
parse_port(int mode)801 parse_port(int mode)
802 {
803 unsigned int port, v[6];
804 int n;
805 char *p;
806
807 /* Find the last space or left-parenthesis. */
808 for (p = linebuf + linelen; p > linebuf; p--)
809 if (*p == ' ' || *p == '(')
810 break;
811 if (p == linebuf)
812 return (0);
813
814 switch (mode) {
815 case CMD_PORT:
816 n = sscanf(p, " %u,%u,%u,%u,%u,%u", &v[0], &v[1], &v[2],
817 &v[3], &v[4], &v[5]);
818 if (n == 6 && v[0] < 256 && v[1] < 256 && v[2] < 256 &&
819 v[3] < 256 && v[4] < 256 && v[5] < 256)
820 return ((v[4] << 8) | v[5]);
821 break;
822 case CMD_PASV:
823 n = sscanf(p, "(%u,%u,%u,%u,%u,%u)", &v[0], &v[1], &v[2],
824 &v[3], &v[4], &v[5]);
825 if (n == 6 && v[0] < 256 && v[1] < 256 && v[2] < 256 &&
826 v[3] < 256 && v[4] < 256 && v[5] < 256)
827 return ((v[4] << 8) | v[5]);
828 break;
829 case CMD_EPSV:
830 n = sscanf(p, "(|||%u|)", &port);
831 if (n == 1 && port < 65536)
832 return (port);
833 break;
834 case CMD_EPRT:
835 n = sscanf(p, " |1|%u.%u.%u.%u|%u|", &v[0], &v[1], &v[2],
836 &v[3], &port);
837 if (n == 5 && v[0] < 256 && v[1] < 256 && v[2] < 256 &&
838 v[3] < 256 && port < 65536)
839 return (port);
840 n = sscanf(p, " |2|%*[a-fA-F0-9:]|%u|", &port);
841 if (n == 1 && port < 65536)
842 return (port);
843 break;
844 default:
845 return (0);
846 }
847
848 return (0);
849 }
850
851 u_int16_t
pick_proxy_port(void)852 pick_proxy_port(void)
853 {
854 /* Random should be good enough for avoiding port collisions. */
855 return (IPPORT_HIFIRSTAUTO +
856 arc4random_uniform(IPPORT_HILASTAUTO - IPPORT_HIFIRSTAUTO));
857 }
858
859 void
proxy_reply(int cmd,struct sockaddr * sa,u_int16_t port)860 proxy_reply(int cmd, struct sockaddr *sa, u_int16_t port)
861 {
862 u_int i;
863 int r = 0;
864
865 switch (cmd) {
866 case CMD_PORT:
867 r = snprintf(linebuf, sizeof linebuf,
868 "PORT %s,%u,%u\r\n", sock_ntop(sa), port / 256,
869 port % 256);
870 break;
871 case CMD_PASV:
872 r = snprintf(linebuf, sizeof linebuf,
873 "227 Entering Passive Mode (%s,%u,%u)\r\n", sock_ntop(sa),
874 port / 256, port % 256);
875 break;
876 case CMD_EPRT:
877 if (sa->sa_family == AF_INET)
878 r = snprintf(linebuf, sizeof linebuf,
879 "EPRT |1|%s|%u|\r\n", sock_ntop(sa), port);
880 else if (sa->sa_family == AF_INET6)
881 r = snprintf(linebuf, sizeof linebuf,
882 "EPRT |2|%s|%u|\r\n", sock_ntop(sa), port);
883 break;
884 case CMD_EPSV:
885 r = snprintf(linebuf, sizeof linebuf,
886 "229 Entering Extended Passive Mode (|||%u|)\r\n", port);
887 break;
888 }
889
890 if (r < 0 || ((u_int)r) >= sizeof linebuf) {
891 logmsg(LOG_ERR, "proxy_reply failed: %d", r);
892 linebuf[0] = '\0';
893 linelen = 0;
894 return;
895 }
896 linelen = (size_t)r;
897
898 if (cmd == CMD_PORT || cmd == CMD_PASV) {
899 /* Replace dots in IP address with commas. */
900 for (i = 0; i < linelen; i++)
901 if (linebuf[i] == '.')
902 linebuf[i] = ',';
903 }
904 }
905
906 void
server_error(struct bufferevent * bufev __unused,short what,void * arg)907 server_error(struct bufferevent *bufev __unused, short what, void *arg)
908 {
909 struct session *s = arg;
910
911 if (what & EVBUFFER_EOF)
912 logmsg(LOG_INFO, "#%d server close", s->id);
913 else if (what == (EVBUFFER_ERROR | EVBUFFER_READ))
914 logmsg(LOG_ERR, "#%d server refused connection", s->id);
915 else if (what & EVBUFFER_WRITE)
916 logmsg(LOG_ERR, "#%d server write error: %d", s->id, what);
917 else if (what & EVBUFFER_TIMEOUT)
918 logmsg(LOG_NOTICE, "#%d server timeout", s->id);
919 else
920 logmsg(LOG_ERR, "#%d abnormal server error: %d", s->id, what);
921
922 end_session(s);
923 }
924
925 int
server_parse(struct session * s)926 server_parse(struct session *s)
927 {
928 if (s->cmd == CMD_NONE || linelen < 4 || linebuf[0] != '2')
929 goto out;
930
931 if ((s->cmd == CMD_PASV && strncmp("227 ", linebuf, 4) == 0) ||
932 (s->cmd == CMD_EPSV && strncmp("229 ", linebuf, 4) == 0))
933 return (allow_data_connection(s));
934
935 out:
936 s->cmd = CMD_NONE;
937 s->port = 0;
938
939 return (1);
940 }
941
942 int
allow_data_connection(struct session * s)943 allow_data_connection(struct session *s)
944 {
945 struct sockaddr *client_sa, *orig_sa, *proxy_sa, *server_sa;
946 int prepared = 0;
947
948 /*
949 * The pf rules below do quite some NAT rewriting, to keep up
950 * appearances. Points to keep in mind:
951 * 1) The client must think it's talking to the real server,
952 * for both control and data connections. Transparently.
953 * 2) The server must think that the proxy is the client.
954 * 3) Source and destination ports are rewritten to minimize
955 * port collisions, to aid security (some systems pick weak
956 * ports) or to satisfy RFC requirements (source port 20).
957 */
958
959 /* Cast this once, to make code below it more readable. */
960 client_sa = sstosa(&s->client_ss);
961 server_sa = sstosa(&s->server_ss);
962 proxy_sa = sstosa(&s->proxy_ss);
963 if (fixed_server)
964 /* Fixed server: data connections must appear to come
965 from / go to the original server, not the fixed one. */
966 orig_sa = sstosa(&s->orig_server_ss);
967 else
968 /* Server not fixed: orig_server == server. */
969 orig_sa = sstosa(&s->server_ss);
970
971 /* Passive modes. */
972 if (s->cmd == CMD_PASV || s->cmd == CMD_EPSV) {
973 s->port = parse_port(s->cmd);
974 if (s->port < MIN_PORT) {
975 logmsg(LOG_CRIT, "#%d bad port in '%s'", s->id,
976 linebuf);
977 return (0);
978 }
979 s->proxy_port = pick_proxy_port();
980 logmsg(LOG_INFO, "#%d passive: client to server port %d"
981 " via port %d", s->id, s->port, s->proxy_port);
982
983 if (prepare_commit(s->id) == -1)
984 goto fail;
985 prepared = 1;
986
987 proxy_reply(s->cmd, orig_sa, s->proxy_port);
988 logmsg(LOG_DEBUG, "#%d proxy: %s", s->id, linebuf);
989
990 /* rdr from $client to $orig_server port $proxy_port -> $server
991 port $port */
992 if (add_rdr(s->id, client_sa, orig_sa, s->proxy_port,
993 server_sa, s->port) == -1)
994 goto fail;
995
996 /* nat from $client to $server port $port -> $proxy */
997 if (add_nat(s->id, client_sa, server_sa, s->port, proxy_sa,
998 PF_NAT_PROXY_PORT_LOW, PF_NAT_PROXY_PORT_HIGH) == -1)
999 goto fail;
1000
1001 /* pass in from $client to $server port $port */
1002 if (add_filter(s->id, PF_IN, client_sa, server_sa,
1003 s->port) == -1)
1004 goto fail;
1005
1006 /* pass out from $proxy to $server port $port */
1007 if (add_filter(s->id, PF_OUT, proxy_sa, server_sa,
1008 s->port) == -1)
1009 goto fail;
1010 }
1011
1012 /* Active modes. */
1013 if (s->cmd == CMD_PORT || s->cmd == CMD_EPRT) {
1014 logmsg(LOG_INFO, "#%d active: server to client port %d"
1015 " via port %d", s->id, s->port, s->proxy_port);
1016
1017 if (prepare_commit(s->id) == -1)
1018 goto fail;
1019 prepared = 1;
1020
1021 /* rdr from $server to $proxy port $proxy_port -> $client port
1022 $port */
1023 if (add_rdr(s->id, server_sa, proxy_sa, s->proxy_port,
1024 client_sa, s->port) == -1)
1025 goto fail;
1026
1027 /* nat from $server to $client port $port -> $orig_server port
1028 $natport */
1029 if (rfc_mode && s->cmd == CMD_PORT) {
1030 /* Rewrite sourceport to RFC mandated 20. */
1031 if (add_nat(s->id, server_sa, client_sa, s->port,
1032 orig_sa, 20, 20) == -1)
1033 goto fail;
1034 } else {
1035 /* Let pf pick a source port from the standard range. */
1036 if (add_nat(s->id, server_sa, client_sa, s->port,
1037 orig_sa, PF_NAT_PROXY_PORT_LOW,
1038 PF_NAT_PROXY_PORT_HIGH) == -1)
1039 goto fail;
1040 }
1041
1042 /* pass in from $server to $client port $port */
1043 if (add_filter(s->id, PF_IN, server_sa, client_sa, s->port) ==
1044 -1)
1045 goto fail;
1046
1047 /* pass out from $orig_server to $client port $port */
1048 if (add_filter(s->id, PF_OUT, orig_sa, client_sa, s->port) ==
1049 -1)
1050 goto fail;
1051 }
1052
1053 /* Commit rules if they were prepared. */
1054 if (prepared && (do_commit() == -1)) {
1055 if (errno != EBUSY)
1056 goto fail;
1057 /* One more try if busy. */
1058 usleep(5000);
1059 if (do_commit() == -1)
1060 goto fail;
1061 }
1062
1063 s->cmd = CMD_NONE;
1064 s->port = 0;
1065
1066 return (1);
1067
1068 fail:
1069 logmsg(LOG_CRIT, "#%d pf operation failed: %s", s->id, strerror(errno));
1070 if (prepared)
1071 do_rollback();
1072 return (0);
1073 }
1074
1075 void
server_read(struct bufferevent * bufev,void * arg)1076 server_read(struct bufferevent *bufev, void *arg)
1077 {
1078 struct session *s = arg;
1079 size_t buf_avail, srvread;
1080 int n;
1081
1082 bufferevent_settimeout(bufev, timeout, 0);
1083
1084 do {
1085 buf_avail = sizeof s->sbuf - s->sbuf_valid;
1086 srvread = bufferevent_read(bufev, s->sbuf + s->sbuf_valid,
1087 buf_avail);
1088 s->sbuf_valid += srvread;
1089
1090 while ((n = get_line(s->sbuf, &s->sbuf_valid)) > 0) {
1091 logmsg(LOG_DEBUG, "#%d server: %s", s->id, linebuf);
1092 if (!server_parse(s)) {
1093 end_session(s);
1094 return;
1095 }
1096 bufferevent_write(s->client_bufev, linebuf, linelen);
1097 }
1098
1099 if (n == -1) {
1100 logmsg(LOG_ERR, "#%d server reply too long or not"
1101 " clean", s->id);
1102 end_session(s);
1103 return;
1104 }
1105 } while (srvread == buf_avail);
1106 }
1107
1108 const char *
sock_ntop(struct sockaddr * sa)1109 sock_ntop(struct sockaddr *sa)
1110 {
1111 static int n = 0;
1112
1113 /* Cycle to next buffer. */
1114 n = (n + 1) % NTOP_BUFS;
1115 ntop_buf[n][0] = '\0';
1116
1117 if (sa->sa_family == AF_INET) {
1118 struct sockaddr_in *sin = (struct sockaddr_in *)sa;
1119
1120 return (inet_ntop(AF_INET, &sin->sin_addr, ntop_buf[n],
1121 sizeof ntop_buf[0]));
1122 }
1123
1124 if (sa->sa_family == AF_INET6) {
1125 struct sockaddr_in6 *sin6 = (struct sockaddr_in6 *)sa;
1126
1127 return (inet_ntop(AF_INET6, &sin6->sin6_addr, ntop_buf[n],
1128 sizeof ntop_buf[0]));
1129 }
1130
1131 return (NULL);
1132 }
1133
1134 void
usage(void)1135 usage(void)
1136 {
1137 fprintf(stderr, "usage: %s [-6Adrv] [-a address] [-b address]"
1138 " [-D level] [-m maxsessions]\n [-P port]"
1139 " [-p port] [-q queue] [-R address] [-T tag]\n"
1140 " [-t timeout]\n", __progname);
1141 exit(1);
1142 }
1143