1 /* $OpenBSD: ftp-proxy.c,v 1.15 2007/08/15 15:18:02 camield Exp $ */ 2 3 /* 4 * Copyright (c) 2004, 2005 Camiel Dobbelaar, <cd@sentia.nl> 5 * 6 * Permission to use, copy, modify, and distribute this software for any 7 * purpose with or without fee is hereby granted, provided that the above 8 * copyright notice and this permission notice appear in all copies. 9 * 10 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 11 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 12 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 13 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 14 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 15 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 16 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 17 */ 18 19 #include <sys/queue.h> 20 #include <sys/types.h> 21 #include <sys/event.h> 22 #include <sys/time.h> 23 #include <sys/resource.h> 24 #include <sys/socket.h> 25 26 #include <net/if.h> 27 #include <net/pf/pfvar.h> 28 #include <netinet/in.h> 29 #include <arpa/inet.h> 30 31 #include <err.h> 32 #include <errno.h> 33 #include <fcntl.h> 34 #include <netdb.h> 35 #include <pwd.h> 36 #include <signal.h> 37 #include <stdarg.h> 38 #include <stdio.h> 39 #include <stdlib.h> 40 #include <string.h> 41 #include <syslog.h> 42 #include <unistd.h> 43 #include <vis.h> 44 45 #include "filter.h" 46 47 #define CONNECT_TIMEOUT 30 48 #define MIN_PORT 1024 49 #define MAX_LINE 500 50 #define MAX_LOGLINE 300 51 #define NTOP_BUFS 3 52 #define TCP_BACKLOG 10 53 54 #define CHROOT_DIR "/var/empty" 55 #define NOPRIV_USER "proxy" 56 57 /* pfctl standard NAT range. */ 58 #define PF_NAT_PROXY_PORT_LOW 50001 59 #define PF_NAT_PROXY_PORT_HIGH 65535 60 61 #define sstosa(ss) ((struct sockaddr *)(ss)) 62 63 enum { CMD_NONE = 0, CMD_PORT, CMD_EPRT, CMD_PASV, CMD_EPSV }; 64 65 struct cbuf { 66 char *buffer; 67 size_t buffer_size; 68 size_t buffer_offset; 69 }; 70 71 struct session { 72 u_int32_t id; 73 struct sockaddr_storage client_ss; 74 struct sockaddr_storage proxy_ss; 75 struct sockaddr_storage server_ss; 76 struct sockaddr_storage orig_server_ss; 77 struct cbuf client; 78 struct cbuf server; 79 int client_fd; 80 int server_fd; 81 char cbuf[MAX_LINE]; 82 size_t cbuf_valid; 83 char sbuf[MAX_LINE]; 84 size_t sbuf_valid; 85 int cmd; 86 u_int16_t port; 87 u_int16_t proxy_port; 88 LIST_ENTRY(session) entry; 89 }; 90 91 LIST_HEAD(, session) sessions = LIST_HEAD_INITIALIZER(sessions); 92 93 void buffer_data(struct session *, struct cbuf *, char *, size_t); 94 int client_parse(struct session *); 95 int client_parse_anon(struct session *); 96 int client_parse_cmd(struct session *); 97 void client_read(struct session *); 98 void client_write(struct session *); 99 int drop_privs(void); 100 void end_session(struct session *); 101 void exit_daemon(void) __dead2; 102 int get_line(char *, size_t *); 103 void handle_connection(const int); 104 void handle_signal(int) __dead2; 105 struct session * init_session(void); 106 void logmsg(int, const char *, ...) __printflike(2, 3); 107 u_int16_t parse_port(int); 108 u_int16_t pick_proxy_port(void); 109 void proxy_reply(int, struct sockaddr *, u_int16_t); 110 int server_parse(struct session *); 111 void server_read(struct session *); 112 void server_write(struct session *); 113 int allow_data_connection(struct session *s); 114 const char *sock_ntop(struct sockaddr *); 115 void usage(void) __dead2; 116 117 char linebuf[MAX_LINE + 1]; 118 size_t linelen; 119 120 char ntop_buf[NTOP_BUFS][INET6_ADDRSTRLEN]; 121 122 #define KQ_NEVENTS 64 123 struct kevent changes[KQ_NEVENTS]; 124 int nchanges; 125 126 struct sockaddr_storage fixed_server_ss, fixed_proxy_ss; 127 char *fixed_server, *fixed_server_port, *fixed_proxy, *listen_ip, *listen_port, 128 *qname, *tagname; 129 int anonymous_only, daemonize, id_count, ipv6_mode, loglevel, max_sessions, 130 rfc_mode, session_count, timeout, verbose; 131 extern char *__progname; 132 133 void 134 buffer_data(struct session *s, struct cbuf *cb, char *buf, size_t len) 135 { 136 if (len < 1) 137 return; 138 139 if (cb->buffer == NULL) 140 if ((cb->buffer = malloc(MAX_LINE)) == NULL) 141 goto error; 142 143 memcpy(cb->buffer, buf, len); 144 cb->buffer_size = len; 145 return; 146 147 error: 148 logmsg(LOG_ERR, "#%d could not allocate memory for buffer", s->id); 149 end_session(s); 150 } 151 152 int 153 client_parse(struct session *s) 154 { 155 /* Reset any previous command. */ 156 s->cmd = CMD_NONE; 157 s->port = 0; 158 159 /* Commands we are looking for are at least 4 chars long. */ 160 if (linelen < 4) 161 return (1); 162 163 if (linebuf[0] == 'P' || linebuf[0] == 'p' || 164 linebuf[0] == 'E' || linebuf[0] == 'e') { 165 if (!client_parse_cmd(s)) 166 return (0); 167 168 /* 169 * Allow active mode connections immediately, instead of 170 * waiting for a positive reply from the server. Some 171 * rare servers/proxies try to probe or setup the data 172 * connection before an actual transfer request. 173 */ 174 if (s->cmd == CMD_PORT || s->cmd == CMD_EPRT) 175 return (allow_data_connection(s)); 176 } 177 178 if (anonymous_only && (linebuf[0] == 'U' || linebuf[0] == 'u')) 179 return (client_parse_anon(s)); 180 181 return (1); 182 } 183 184 int 185 client_parse_anon(struct session *s) 186 { 187 size_t written; 188 189 if (strcasecmp("USER ftp\r\n", linebuf) != 0 && 190 strcasecmp("USER anonymous\r\n", linebuf) != 0) { 191 snprintf(linebuf, sizeof linebuf, 192 "500 Only anonymous FTP allowed\r\n"); 193 logmsg(LOG_DEBUG, "#%d proxy: %s", s->id, linebuf); 194 195 /* Talk back to the client ourself. */ 196 linelen = strlen(linebuf); 197 written = write(s->client_fd, linebuf, linelen); 198 if (written == -1) { 199 logmsg(LOG_ERR, "#%d write failed", s->id); 200 return (0); /* Session will be ended for us */ 201 } else if (written < linelen) { 202 EV_SET(&changes[nchanges++], s->server_fd, 203 EVFILT_READ, EV_DISABLE, 0, 0, s); 204 EV_SET(&changes[nchanges++], s->client_fd, 205 EVFILT_WRITE, EV_ADD, 0, 0, s); 206 buffer_data(s, &s->client, linebuf + written, 207 linelen - written); 208 return (1); 209 } 210 211 /* Clear buffer so it's not sent to the server. */ 212 linebuf[0] = '\0'; 213 linelen = 0; 214 } 215 216 return (1); 217 } 218 219 int 220 client_parse_cmd(struct session *s) 221 { 222 if (strncasecmp("PASV", linebuf, 4) == 0) 223 s->cmd = CMD_PASV; 224 else if (strncasecmp("PORT ", linebuf, 5) == 0) 225 s->cmd = CMD_PORT; 226 else if (strncasecmp("EPSV", linebuf, 4) == 0) 227 s->cmd = CMD_EPSV; 228 else if (strncasecmp("EPRT ", linebuf, 5) == 0) 229 s->cmd = CMD_EPRT; 230 else 231 return (1); 232 233 if (ipv6_mode && (s->cmd == CMD_PASV || s->cmd == CMD_PORT)) { 234 logmsg(LOG_CRIT, "PASV and PORT not allowed with IPv6"); 235 return (0); 236 } 237 238 if (s->cmd == CMD_PORT || s->cmd == CMD_EPRT) { 239 s->port = parse_port(s->cmd); 240 if (s->port < MIN_PORT) { 241 logmsg(LOG_CRIT, "#%d bad port in '%s'", s->id, 242 linebuf); 243 return (0); 244 } 245 s->proxy_port = pick_proxy_port(); 246 proxy_reply(s->cmd, sstosa(&s->proxy_ss), s->proxy_port); 247 logmsg(LOG_DEBUG, "#%d proxy: %s", s->id, linebuf); 248 } 249 250 return (1); 251 } 252 253 void 254 client_read(struct session *s) 255 { 256 size_t buf_avail, bread, bwritten; 257 int n; 258 259 do { 260 buf_avail = sizeof s->cbuf - s->cbuf_valid; 261 bread = read(s->client_fd, s->cbuf + s->cbuf_valid, buf_avail); 262 s->cbuf_valid += bread; 263 264 while ((n = get_line(s->cbuf, &s->cbuf_valid)) > 0) { 265 logmsg(LOG_DEBUG, "#%d client: %s", s->id, linebuf); 266 if (!client_parse(s)) { 267 end_session(s); 268 return; 269 } 270 bwritten = write(s->server_fd, linebuf, linelen); 271 if (bwritten == -1) { 272 } else if (bwritten < linelen) { 273 EV_SET(&changes[nchanges++], s->client_fd, 274 EVFILT_READ, EV_DISABLE, 0, 0, s); 275 EV_SET(&changes[nchanges++], s->server_fd, 276 EVFILT_WRITE, EV_ADD, 0, 0, s); 277 buffer_data(s, &s->server, linebuf + bwritten, 278 linelen - bwritten); 279 return; 280 } 281 } 282 283 if (n == -1) { 284 logmsg(LOG_ERR, "#%d client command too long or not" 285 " clean", s->id); 286 end_session(s); 287 return; 288 } 289 } while (bread == buf_avail); 290 } 291 292 void 293 client_write(struct session *s) 294 { 295 size_t written; 296 297 written = write(s->client_fd, s->client.buffer + s->client.buffer_offset, 298 s->client.buffer_size - s->client.buffer_offset); 299 if (written == -1) { 300 logmsg(LOG_ERR, "#%d write failed", s->id); 301 end_session(s); 302 } else if (written == (s->client.buffer_size - s->client.buffer_offset)) { 303 free(s->client.buffer); 304 s->client.buffer = NULL; 305 s->client.buffer_size = 0; 306 s->client.buffer_offset = 0; 307 EV_SET(&changes[nchanges++], s->server_fd, 308 EVFILT_READ, EV_ENABLE, 0, 0, s); 309 } else { 310 s->client.buffer_offset += written; 311 } 312 } 313 314 int 315 drop_privs(void) 316 { 317 struct passwd *pw; 318 319 pw = getpwnam(NOPRIV_USER); 320 if (pw == NULL) 321 return (0); 322 323 tzset(); 324 if (chroot(CHROOT_DIR) != 0 || chdir("/") != 0 || 325 setgroups(1, &pw->pw_gid) != 0 || 326 setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) != 0 || 327 setresuid(pw->pw_uid, pw->pw_uid, pw->pw_uid) != 0) 328 return (0); 329 330 return (1); 331 } 332 333 void 334 end_session(struct session *s) 335 { 336 int err; 337 338 logmsg(LOG_INFO, "#%d ending session", s->id); 339 340 if (s->client_fd != -1) 341 close(s->client_fd); 342 if (s->server_fd != -1) 343 close(s->server_fd); 344 345 if (s->client.buffer) 346 free(s->client.buffer); 347 if (s->server.buffer) 348 free(s->server.buffer); 349 350 /* Remove rulesets by commiting empty ones. */ 351 err = 0; 352 if (prepare_commit(s->id) == -1) 353 err = errno; 354 else if (do_commit() == -1) { 355 err = errno; 356 do_rollback(); 357 } 358 if (err) 359 logmsg(LOG_ERR, "#%d pf rule removal failed: %s", s->id, 360 strerror(err)); 361 362 LIST_REMOVE(s, entry); 363 free(s); 364 session_count--; 365 } 366 367 void 368 exit_daemon(void) 369 { 370 struct session *s, *tmp; 371 372 LIST_FOREACH_MUTABLE(s, &sessions, entry, tmp) { 373 end_session(s); 374 } 375 376 if (daemonize) 377 closelog(); 378 379 exit(0); 380 } 381 382 int 383 get_line(char *buf, size_t *valid) 384 { 385 size_t i; 386 387 if (*valid > MAX_LINE) 388 return (-1); 389 390 /* Copy to linebuf while searching for a newline. */ 391 for (i = 0; i < *valid; i++) { 392 linebuf[i] = buf[i]; 393 if (buf[i] == '\0') 394 return (-1); 395 if (buf[i] == '\n') 396 break; 397 } 398 399 if (i == *valid) { 400 /* No newline found. */ 401 linebuf[0] = '\0'; 402 linelen = 0; 403 if (i < MAX_LINE) 404 return (0); 405 return (-1); 406 } 407 408 linelen = i + 1; 409 linebuf[linelen] = '\0'; 410 *valid -= linelen; 411 412 /* Move leftovers to the start. */ 413 if (*valid != 0) 414 bcopy(buf + linelen, buf, *valid); 415 416 return ((int)linelen); 417 } 418 419 void 420 handle_connection(const int listen_fd) 421 { 422 struct sockaddr_storage tmp_ss; 423 struct sockaddr *client_sa, *server_sa, *fixed_server_sa; 424 struct sockaddr *client_to_proxy_sa, *proxy_to_server_sa; 425 struct session *s; 426 socklen_t len; 427 int client_fd, fc, on; 428 429 /* 430 * We _must_ accept the connection, otherwise libevent will keep 431 * coming back, and we will chew up all CPU. 432 */ 433 client_sa = sstosa(&tmp_ss); 434 len = sizeof(struct sockaddr_storage); 435 if ((client_fd = accept(listen_fd, client_sa, &len)) < 0) { 436 logmsg(LOG_CRIT, "accept failed: %s", strerror(errno)); 437 return; 438 } 439 440 /* Refuse connection if the maximum is reached. */ 441 if (session_count >= max_sessions) { 442 logmsg(LOG_ERR, "client limit (%d) reached, refusing " 443 "connection from %s", max_sessions, sock_ntop(client_sa)); 444 close(client_fd); 445 return; 446 } 447 448 /* Allocate session and copy back the info from the accept(). */ 449 s = init_session(); 450 if (s == NULL) { 451 logmsg(LOG_CRIT, "init_session failed"); 452 close(client_fd); 453 return; 454 } 455 s->client_fd = client_fd; 456 memcpy(sstosa(&s->client_ss), client_sa, client_sa->sa_len); 457 458 /* Cast it once, and be done with it. */ 459 client_sa = sstosa(&s->client_ss); 460 server_sa = sstosa(&s->server_ss); 461 client_to_proxy_sa = sstosa(&tmp_ss); 462 proxy_to_server_sa = sstosa(&s->proxy_ss); 463 fixed_server_sa = sstosa(&fixed_server_ss); 464 465 /* Log id/client early to ease debugging. */ 466 logmsg(LOG_DEBUG, "#%d accepted connection from %s", s->id, 467 sock_ntop(client_sa)); 468 469 /* 470 * Find out the real server and port that the client wanted. 471 */ 472 len = sizeof(struct sockaddr_storage); 473 if ((getsockname(s->client_fd, client_to_proxy_sa, &len)) < 0) { 474 logmsg(LOG_CRIT, "#%d getsockname failed: %s", s->id, 475 strerror(errno)); 476 goto fail; 477 } 478 if (server_lookup(client_sa, client_to_proxy_sa, server_sa) != 0) { 479 logmsg(LOG_CRIT, "#%d server lookup failed (no rdr?)", s->id); 480 goto fail; 481 } 482 if (fixed_server) { 483 memcpy(sstosa(&s->orig_server_ss), server_sa, 484 server_sa->sa_len); 485 memcpy(server_sa, fixed_server_sa, fixed_server_sa->sa_len); 486 } 487 488 /* XXX: check we are not connecting to ourself. */ 489 490 /* 491 * Setup socket and connect to server. 492 */ 493 if ((s->server_fd = socket(server_sa->sa_family, SOCK_STREAM, 494 IPPROTO_TCP)) < 0) { 495 logmsg(LOG_CRIT, "#%d server socket failed: %s", s->id, 496 strerror(errno)); 497 goto fail; 498 } 499 if (fixed_proxy && bind(s->server_fd, sstosa(&fixed_proxy_ss), 500 fixed_proxy_ss.ss_len) != 0) { 501 logmsg(LOG_CRIT, "#%d cannot bind fixed proxy address: %s", 502 s->id, strerror(errno)); 503 goto fail; 504 } 505 506 /* Use non-blocking connect(), see CONNECT_TIMEOUT below. */ 507 if ((fc = fcntl(s->server_fd, F_GETFL)) == -1 || 508 fcntl(s->server_fd, F_SETFL, fc | O_NONBLOCK) == -1) { 509 logmsg(LOG_CRIT, "#%d cannot mark socket non-blocking: %s", 510 s->id, strerror(errno)); 511 goto fail; 512 } 513 if (connect(s->server_fd, server_sa, server_sa->sa_len) < 0 && 514 errno != EINPROGRESS) { 515 logmsg(LOG_CRIT, "#%d proxy cannot connect to server %s: %s", 516 s->id, sock_ntop(server_sa), strerror(errno)); 517 goto fail; 518 } 519 520 len = sizeof(struct sockaddr_storage); 521 if ((getsockname(s->server_fd, proxy_to_server_sa, &len)) < 0) { 522 logmsg(LOG_CRIT, "#%d getsockname failed: %s", s->id, 523 strerror(errno)); 524 goto fail; 525 } 526 527 logmsg(LOG_INFO, "#%d FTP session %d/%d started: client %s to server " 528 "%s via proxy %s ", s->id, session_count, max_sessions, 529 sock_ntop(client_sa), sock_ntop(server_sa), 530 sock_ntop(proxy_to_server_sa)); 531 532 /* Keepalive is nice, but don't care if it fails. */ 533 on = 1; 534 setsockopt(s->client_fd, SOL_SOCKET, SO_KEEPALIVE, (void *)&on, 535 sizeof on); 536 setsockopt(s->server_fd, SOL_SOCKET, SO_KEEPALIVE, (void *)&on, 537 sizeof on); 538 539 EV_SET(&changes[nchanges++], s->client_fd, EVFILT_READ, EV_ADD, 0, 0, s); 540 EV_SET(&changes[nchanges++], s->server_fd, EVFILT_READ, EV_ADD, 0, 0, s); 541 542 return; 543 544 fail: 545 end_session(s); 546 } 547 548 void 549 handle_signal(int sig) 550 { 551 /* 552 * Signal handler rules don't apply. 553 */ 554 555 logmsg(LOG_ERR, "%s exiting on signal %d", __progname, sig); 556 557 exit_daemon(); 558 } 559 560 561 struct session * 562 init_session(void) 563 { 564 struct session *s; 565 566 s = calloc(1, sizeof(struct session)); 567 if (s == NULL) 568 return (NULL); 569 570 s->id = id_count++; 571 s->client_fd = -1; 572 s->server_fd = -1; 573 s->cbuf[0] = '\0'; 574 s->cbuf_valid = 0; 575 s->sbuf[0] = '\0'; 576 s->sbuf_valid = 0; 577 s->client.buffer = NULL; 578 s->client.buffer_size = 0; 579 s->client.buffer_offset = 0; 580 s->server.buffer = NULL; 581 s->server.buffer_size = 0; 582 s->server.buffer_offset = 0; 583 s->cmd = CMD_NONE; 584 s->port = 0; 585 586 LIST_INSERT_HEAD(&sessions, s, entry); 587 session_count++; 588 589 return (s); 590 } 591 592 void 593 logmsg(int pri, const char *message, ...) 594 { 595 va_list ap; 596 597 if (pri > loglevel) 598 return; 599 600 va_start(ap, message); 601 602 if (daemonize) 603 /* syslog does its own vissing. */ 604 vsyslog(pri, message, ap); 605 else { 606 char buf[MAX_LOGLINE]; 607 char visbuf[2 * MAX_LOGLINE]; 608 609 /* We don't care about truncation. */ 610 vsnprintf(buf, sizeof buf, message, ap); 611 strnvis(visbuf, buf, sizeof visbuf, VIS_CSTYLE | VIS_NL); 612 fprintf(stderr, "%s\n", visbuf); 613 } 614 615 va_end(ap); 616 } 617 618 int 619 main(int argc, char *argv[]) 620 { 621 struct rlimit rlp; 622 struct addrinfo hints, *res; 623 int kq, ch, error, listenfd, on; 624 const char *errstr; 625 626 /* Defaults. */ 627 anonymous_only = 0; 628 daemonize = 1; 629 fixed_proxy = NULL; 630 fixed_server = NULL; 631 fixed_server_port = "21"; 632 ipv6_mode = 0; 633 listen_ip = NULL; 634 listen_port = "8021"; 635 loglevel = LOG_NOTICE; 636 max_sessions = 100; 637 qname = NULL; 638 rfc_mode = 0; 639 tagname = NULL; 640 timeout = 24 * 3600; 641 verbose = 0; 642 643 /* Other initialization. */ 644 id_count = 1; 645 session_count = 0; 646 nchanges = 0; 647 648 while ((ch = getopt(argc, argv, "6Aa:b:D:dm:P:p:q:R:rT:t:v")) != -1) { 649 switch (ch) { 650 case '6': 651 ipv6_mode = 1; 652 break; 653 case 'A': 654 anonymous_only = 1; 655 break; 656 case 'a': 657 fixed_proxy = optarg; 658 break; 659 case 'b': 660 listen_ip = optarg; 661 break; 662 case 'D': 663 loglevel = strtonum(optarg, LOG_EMERG, LOG_DEBUG, 664 &errstr); 665 if (errstr) 666 errx(1, "loglevel %s", errstr); 667 break; 668 case 'd': 669 daemonize = 0; 670 break; 671 case 'm': 672 max_sessions = strtonum(optarg, 1, 500, &errstr); 673 if (errstr) 674 errx(1, "max sessions %s", errstr); 675 break; 676 case 'P': 677 fixed_server_port = optarg; 678 break; 679 case 'p': 680 listen_port = optarg; 681 break; 682 case 'q': 683 if (strlen(optarg) >= PF_QNAME_SIZE) 684 errx(1, "queuename too long"); 685 qname = optarg; 686 break; 687 case 'R': 688 fixed_server = optarg; 689 break; 690 case 'r': 691 rfc_mode = 1; 692 break; 693 case 'T': 694 if (strlen(optarg) >= PF_TAG_NAME_SIZE) 695 errx(1, "tagname too long"); 696 tagname = optarg; 697 break; 698 case 't': 699 timeout = strtonum(optarg, 0, 86400, &errstr); 700 if (errstr) 701 errx(1, "timeout %s", errstr); 702 break; 703 case 'v': 704 verbose++; 705 if (verbose > 2) 706 usage(); 707 break; 708 default: 709 usage(); 710 } 711 } 712 713 if (listen_ip == NULL) 714 listen_ip = ipv6_mode ? "::1" : "127.0.0.1"; 715 716 /* Check for root to save the user from cryptic failure messages. */ 717 if (getuid() != 0) 718 errx(1, "needs to start as root"); 719 720 /* Raise max. open files limit to satisfy max. sessions. */ 721 rlp.rlim_cur = rlp.rlim_max = (2 * max_sessions) + 10; 722 if (setrlimit(RLIMIT_NOFILE, &rlp) == -1) 723 err(1, "setrlimit"); 724 725 if (fixed_proxy) { 726 memset(&hints, 0, sizeof hints); 727 hints.ai_flags = AI_NUMERICHOST; 728 hints.ai_family = ipv6_mode ? AF_INET6 : AF_INET; 729 hints.ai_socktype = SOCK_STREAM; 730 error = getaddrinfo(fixed_proxy, NULL, &hints, &res); 731 if (error) 732 errx(1, "getaddrinfo fixed proxy address failed: %s", 733 gai_strerror(error)); 734 memcpy(&fixed_proxy_ss, res->ai_addr, res->ai_addrlen); 735 logmsg(LOG_INFO, "using %s to connect to servers", 736 sock_ntop(sstosa(&fixed_proxy_ss))); 737 freeaddrinfo(res); 738 } 739 740 if (fixed_server) { 741 memset(&hints, 0, sizeof hints); 742 hints.ai_family = ipv6_mode ? AF_INET6 : AF_INET; 743 hints.ai_socktype = SOCK_STREAM; 744 error = getaddrinfo(fixed_server, fixed_server_port, &hints, 745 &res); 746 if (error) 747 errx(1, "getaddrinfo fixed server address failed: %s", 748 gai_strerror(error)); 749 memcpy(&fixed_server_ss, res->ai_addr, res->ai_addrlen); 750 logmsg(LOG_INFO, "using fixed server %s", 751 sock_ntop(sstosa(&fixed_server_ss))); 752 freeaddrinfo(res); 753 } 754 755 /* Setup listener. */ 756 memset(&hints, 0, sizeof hints); 757 hints.ai_flags = AI_NUMERICHOST | AI_PASSIVE; 758 hints.ai_family = ipv6_mode ? AF_INET6 : AF_INET; 759 hints.ai_socktype = SOCK_STREAM; 760 error = getaddrinfo(listen_ip, listen_port, &hints, &res); 761 if (error) 762 errx(1, "getaddrinfo listen address failed: %s", 763 gai_strerror(error)); 764 if ((listenfd = socket(res->ai_family, SOCK_STREAM, IPPROTO_TCP)) == -1) 765 errx(1, "socket failed"); 766 on = 1; 767 if (setsockopt(listenfd, SOL_SOCKET, SO_REUSEADDR, (void *)&on, 768 sizeof on) != 0) 769 err(1, "setsockopt failed"); 770 if (bind(listenfd, (struct sockaddr *)res->ai_addr, 771 (socklen_t)res->ai_addrlen) != 0) 772 err(1, "bind failed"); 773 if (listen(listenfd, TCP_BACKLOG) != 0) 774 err(1, "listen failed"); 775 freeaddrinfo(res); 776 777 /* Initialize pf. */ 778 init_filter(qname, tagname, verbose); 779 780 if (daemonize) { 781 if (daemon(0, 0) == -1) 782 err(1, "cannot daemonize"); 783 openlog(__progname, LOG_PID | LOG_NDELAY, LOG_DAEMON); 784 } 785 786 /* Use logmsg for output from here on. */ 787 788 if (!drop_privs()) { 789 logmsg(LOG_ERR, "cannot drop privileges: %s", strerror(errno)); 790 exit(1); 791 } 792 793 if ((kq = kqueue()) == -1) { 794 logmsg(LOG_ERR, "cannot create new kqueue(2): %s", strerror(errno)); 795 exit(1); 796 } 797 798 /* Setup signal handler. */ 799 signal(SIGPIPE, SIG_IGN); 800 EV_SET(&changes[nchanges++], SIGHUP, EVFILT_SIGNAL, EV_ADD, 0, 0, NULL); 801 EV_SET(&changes[nchanges++], SIGINT, EVFILT_SIGNAL, EV_ADD, 0, 0, NULL); 802 EV_SET(&changes[nchanges++], SIGTERM, EVFILT_SIGNAL, EV_ADD, 0, 0, NULL); 803 804 EV_SET(&changes[nchanges++], listenfd, EVFILT_READ, EV_ADD, 0, 0, NULL); 805 806 logmsg(LOG_NOTICE, "listening on %s port %s", listen_ip, listen_port); 807 808 /* Vroom, vroom. */ 809 for ( ; ; ) { 810 int i, nevents; 811 struct kevent events[KQ_NEVENTS], *event; 812 struct session *s; 813 814 nevents = kevent(kq, &changes[0], nchanges, &events[0], 815 KQ_NEVENTS, NULL); 816 if (nevents == -1) { 817 logmsg(LOG_ERR, "cannot create new kqueue(2): %s", strerror(errno)); 818 exit(1); 819 } 820 nchanges = 0; 821 822 for (i = 0; i < nevents; ++i) { 823 event = &events[i]; 824 825 if (event->filter == EVFILT_SIGNAL) { 826 handle_signal(event->ident); 827 continue; 828 } 829 830 if (event->ident == listenfd) { 831 /* Handle new connection */ 832 handle_connection(event->ident); 833 } else { 834 /* Process existing connection */ 835 s = (struct session *)event->udata; 836 837 if (event->ident == s->client_fd) { 838 if (event->filter == EVFILT_READ) 839 client_read(s); 840 else 841 client_write(s); 842 } else { 843 if (event->filter == EVFILT_READ) 844 server_read(s); 845 else 846 server_write(s); 847 } 848 } 849 850 /* The next loop might overflow changes */ 851 if (nchanges > KQ_NEVENTS - 4) 852 break; 853 } 854 } 855 856 exit_daemon(); 857 858 /* NOTREACHED */ 859 return (1); 860 } 861 862 u_int16_t 863 parse_port(int mode) 864 { 865 unsigned int port, v[6]; 866 int n; 867 char *p; 868 869 /* Find the last space or left-parenthesis. */ 870 for (p = linebuf + linelen; p > linebuf; p--) 871 if (*p == ' ' || *p == '(') 872 break; 873 if (p == linebuf) 874 return (0); 875 876 switch (mode) { 877 case CMD_PORT: 878 n = sscanf(p, " %u,%u,%u,%u,%u,%u", &v[0], &v[1], &v[2], 879 &v[3], &v[4], &v[5]); 880 if (n == 6 && v[0] < 256 && v[1] < 256 && v[2] < 256 && 881 v[3] < 256 && v[4] < 256 && v[5] < 256) 882 return ((v[4] << 8) | v[5]); 883 break; 884 case CMD_PASV: 885 n = sscanf(p, "(%u,%u,%u,%u,%u,%u)", &v[0], &v[1], &v[2], 886 &v[3], &v[4], &v[5]); 887 if (n == 6 && v[0] < 256 && v[1] < 256 && v[2] < 256 && 888 v[3] < 256 && v[4] < 256 && v[5] < 256) 889 return ((v[4] << 8) | v[5]); 890 break; 891 case CMD_EPSV: 892 n = sscanf(p, "(|||%u|)", &port); 893 if (n == 1 && port < 65536) 894 return (port); 895 break; 896 case CMD_EPRT: 897 n = sscanf(p, " |1|%u.%u.%u.%u|%u|", &v[0], &v[1], &v[2], 898 &v[3], &port); 899 if (n == 5 && v[0] < 256 && v[1] < 256 && v[2] < 256 && 900 v[3] < 256 && port < 65536) 901 return (port); 902 n = sscanf(p, " |2|%*[a-fA-F0-9:]|%u|", &port); 903 if (n == 1 && port < 65536) 904 return (port); 905 break; 906 default: 907 return (0); 908 } 909 910 return (0); 911 } 912 913 u_int16_t 914 pick_proxy_port(void) 915 { 916 /* Random should be good enough for avoiding port collisions. */ 917 return (IPPORT_HIFIRSTAUTO + (arc4random() % 918 (IPPORT_HILASTAUTO - IPPORT_HIFIRSTAUTO))); 919 } 920 921 void 922 proxy_reply(int cmd, struct sockaddr *sa, u_int16_t port) 923 { 924 int i, r; 925 926 switch (cmd) { 927 case CMD_PORT: 928 r = snprintf(linebuf, sizeof linebuf, 929 "PORT %s,%u,%u\r\n", sock_ntop(sa), port / 256, 930 port % 256); 931 break; 932 case CMD_PASV: 933 r = snprintf(linebuf, sizeof linebuf, 934 "227 Entering Passive Mode (%s,%u,%u)\r\n", sock_ntop(sa), 935 port / 256, port % 256); 936 break; 937 case CMD_EPRT: 938 if (sa->sa_family == AF_INET) 939 r = snprintf(linebuf, sizeof linebuf, 940 "EPRT |1|%s|%u|\r\n", sock_ntop(sa), port); 941 else if (sa->sa_family == AF_INET6) 942 r = snprintf(linebuf, sizeof linebuf, 943 "EPRT |2|%s|%u|\r\n", sock_ntop(sa), port); 944 break; 945 case CMD_EPSV: 946 r = snprintf(linebuf, sizeof linebuf, 947 "229 Entering Extended Passive Mode (|||%u|)\r\n", port); 948 break; 949 } 950 951 if (r < 0 || r >= sizeof linebuf) { 952 logmsg(LOG_ERR, "proxy_reply failed: %d", r); 953 linebuf[0] = '\0'; 954 linelen = 0; 955 return; 956 } 957 linelen = (size_t)r; 958 959 if (cmd == CMD_PORT || cmd == CMD_PASV) { 960 /* Replace dots in IP address with commas. */ 961 for (i = 0; i < linelen; i++) 962 if (linebuf[i] == '.') 963 linebuf[i] = ','; 964 } 965 } 966 967 int 968 server_parse(struct session *s) 969 { 970 if (s->cmd == CMD_NONE || linelen < 4 || linebuf[0] != '2') 971 goto out; 972 973 if ((s->cmd == CMD_PASV && strncmp("227 ", linebuf, 4) == 0) || 974 (s->cmd == CMD_EPSV && strncmp("229 ", linebuf, 4) == 0)) 975 return (allow_data_connection(s)); 976 977 out: 978 s->cmd = CMD_NONE; 979 s->port = 0; 980 981 return (1); 982 } 983 984 int 985 allow_data_connection(struct session *s) 986 { 987 struct sockaddr *client_sa, *orig_sa, *proxy_sa, *server_sa; 988 int prepared = 0; 989 990 if (s->cmd == CMD_NONE || linelen < 4 || linebuf[0] != '2') 991 goto out; 992 993 /* 994 * The pf rules below do quite some NAT rewriting, to keep up 995 * appearances. Points to keep in mind: 996 * 1) The client must think it's talking to the real server, 997 * for both control and data connections. Transparently. 998 * 2) The server must think that the proxy is the client. 999 * 3) Source and destination ports are rewritten to minimize 1000 * port collisions, to aid security (some systems pick weak 1001 * ports) or to satisfy RFC requirements (source port 20). 1002 */ 1003 1004 /* Cast this once, to make code below it more readable. */ 1005 client_sa = sstosa(&s->client_ss); 1006 server_sa = sstosa(&s->server_ss); 1007 proxy_sa = sstosa(&s->proxy_ss); 1008 if (fixed_server) 1009 /* Fixed server: data connections must appear to come 1010 from / go to the original server, not the fixed one. */ 1011 orig_sa = sstosa(&s->orig_server_ss); 1012 else 1013 /* Server not fixed: orig_server == server. */ 1014 orig_sa = sstosa(&s->server_ss); 1015 1016 /* Passive modes. */ 1017 if (s->cmd == CMD_PASV || s->cmd == CMD_EPSV) { 1018 s->port = parse_port(s->cmd); 1019 if (s->port < MIN_PORT) { 1020 logmsg(LOG_CRIT, "#%d bad port in '%s'", s->id, 1021 linebuf); 1022 return (0); 1023 } 1024 s->proxy_port = pick_proxy_port(); 1025 logmsg(LOG_INFO, "#%d passive: client to server port %d" 1026 " via port %d", s->id, s->port, s->proxy_port); 1027 1028 if (prepare_commit(s->id) == -1) 1029 goto fail; 1030 prepared = 1; 1031 1032 proxy_reply(s->cmd, orig_sa, s->proxy_port); 1033 logmsg(LOG_DEBUG, "#%d proxy: %s", s->id, linebuf); 1034 1035 /* rdr from $client to $orig_server port $proxy_port -> $server 1036 port $port */ 1037 if (add_rdr(s->id, client_sa, orig_sa, s->proxy_port, 1038 server_sa, s->port) == -1) 1039 goto fail; 1040 1041 /* nat from $client to $server port $port -> $proxy */ 1042 if (add_nat(s->id, client_sa, server_sa, s->port, proxy_sa, 1043 PF_NAT_PROXY_PORT_LOW, PF_NAT_PROXY_PORT_HIGH) == -1) 1044 goto fail; 1045 1046 /* pass in from $client to $server port $port */ 1047 if (add_filter(s->id, PF_IN, client_sa, server_sa, 1048 s->port) == -1) 1049 goto fail; 1050 1051 /* pass out from $proxy to $server port $port */ 1052 if (add_filter(s->id, PF_OUT, proxy_sa, server_sa, 1053 s->port) == -1) 1054 goto fail; 1055 } 1056 1057 /* Active modes. */ 1058 if (s->cmd == CMD_PORT || s->cmd == CMD_EPRT) { 1059 logmsg(LOG_INFO, "#%d active: server to client port %d" 1060 " via port %d", s->id, s->port, s->proxy_port); 1061 1062 if (prepare_commit(s->id) == -1) 1063 goto fail; 1064 prepared = 1; 1065 1066 /* rdr from $server to $proxy port $proxy_port -> $client port 1067 $port */ 1068 if (add_rdr(s->id, server_sa, proxy_sa, s->proxy_port, 1069 client_sa, s->port) == -1) 1070 goto fail; 1071 1072 /* nat from $server to $client port $port -> $orig_server port 1073 $natport */ 1074 if (rfc_mode && s->cmd == CMD_PORT) { 1075 /* Rewrite sourceport to RFC mandated 20. */ 1076 if (add_nat(s->id, server_sa, client_sa, s->port, 1077 orig_sa, 20, 20) == -1) 1078 goto fail; 1079 } else { 1080 /* Let pf pick a source port from the standard range. */ 1081 if (add_nat(s->id, server_sa, client_sa, s->port, 1082 orig_sa, PF_NAT_PROXY_PORT_LOW, 1083 PF_NAT_PROXY_PORT_HIGH) == -1) 1084 goto fail; 1085 } 1086 1087 /* pass in from $server to $client port $port */ 1088 if (add_filter(s->id, PF_IN, server_sa, client_sa, s->port) == 1089 -1) 1090 goto fail; 1091 1092 /* pass out from $orig_server to $client port $port */ 1093 if (add_filter(s->id, PF_OUT, orig_sa, client_sa, s->port) == 1094 -1) 1095 goto fail; 1096 } 1097 1098 /* Commit rules if they were prepared. */ 1099 if (prepared && (do_commit() == -1)) { 1100 if (errno != EBUSY) 1101 goto fail; 1102 /* One more try if busy. */ 1103 usleep(5000); 1104 if (do_commit() == -1) 1105 goto fail; 1106 } 1107 1108 out: 1109 s->cmd = CMD_NONE; 1110 s->port = 0; 1111 1112 return (1); 1113 1114 fail: 1115 logmsg(LOG_CRIT, "#%d pf operation failed: %s", s->id, strerror(errno)); 1116 if (prepared) 1117 do_rollback(); 1118 return (0); 1119 } 1120 1121 void 1122 server_read(struct session *s) 1123 { 1124 size_t buf_avail, bread, bwritten; 1125 int n; 1126 1127 do { 1128 buf_avail = sizeof s->sbuf - s->sbuf_valid; 1129 bread = read(s->server_fd, s->sbuf + s->sbuf_valid, buf_avail); 1130 s->sbuf_valid += bread; 1131 1132 while ((n = get_line(s->sbuf, &s->sbuf_valid)) > 0) { 1133 logmsg(LOG_DEBUG, "#%d server: %s", s->id, linebuf); 1134 if (!server_parse(s)) { 1135 end_session(s); 1136 return; 1137 } 1138 bwritten = write(s->client_fd, linebuf, linelen); 1139 if (bwritten == -1) { 1140 logmsg(LOG_ERR, "#%d write failed", s->id); 1141 end_session(s); 1142 return; 1143 } else if (bwritten < linelen) { 1144 EV_SET(&changes[nchanges++], s->server_fd, 1145 EVFILT_READ, EV_DISABLE, 0, 0, s); 1146 EV_SET(&changes[nchanges++], s->client_fd, 1147 EVFILT_WRITE, EV_ADD, 0, 0, s); 1148 buffer_data(s, &s->client, linebuf + bwritten, 1149 linelen - bwritten); 1150 return; 1151 } 1152 } 1153 1154 if (n == -1) { 1155 logmsg(LOG_ERR, "#%d server reply too long or not" 1156 " clean", s->id); 1157 end_session(s); 1158 return; 1159 } 1160 } while (bread == buf_avail); 1161 } 1162 1163 void 1164 server_write(struct session *s) 1165 { 1166 size_t written; 1167 1168 written = write(s->server_fd, s->server.buffer + s->server.buffer_offset, 1169 s->server.buffer_size - s->server.buffer_offset); 1170 if (written == -1) { 1171 logmsg(LOG_ERR, "#%d write failed", s->id); 1172 end_session(s); 1173 } else if (written == (s->server.buffer_size - s->server.buffer_offset)) { 1174 free(s->server.buffer); 1175 s->server.buffer = NULL; 1176 s->server.buffer_size = 0; 1177 s->server.buffer_offset = 0; 1178 EV_SET(&changes[nchanges++], s->client_fd, 1179 EVFILT_READ, EV_ENABLE, 0, 0, s); 1180 } else { 1181 s->server.buffer_offset += written; 1182 } 1183 } 1184 1185 const char * 1186 sock_ntop(struct sockaddr *sa) 1187 { 1188 static int n = 0; 1189 1190 /* Cycle to next buffer. */ 1191 n = (n + 1) % NTOP_BUFS; 1192 ntop_buf[n][0] = '\0'; 1193 1194 if (sa->sa_family == AF_INET) { 1195 struct sockaddr_in *sin = (struct sockaddr_in *)sa; 1196 1197 return (inet_ntop(AF_INET, &sin->sin_addr, ntop_buf[n], 1198 sizeof ntop_buf[0])); 1199 } 1200 1201 if (sa->sa_family == AF_INET6) { 1202 struct sockaddr_in6 *sin6 = (struct sockaddr_in6 *)sa; 1203 1204 return (inet_ntop(AF_INET6, &sin6->sin6_addr, ntop_buf[n], 1205 sizeof ntop_buf[0])); 1206 } 1207 1208 return (NULL); 1209 } 1210 1211 void 1212 usage(void) 1213 { 1214 fprintf(stderr, "usage: %s [-6Adrv] [-a address] [-b address]" 1215 " [-D level] [-m maxsessions]\n [-P port]" 1216 " [-p port] [-q queue] [-R address] [-T tag] [-t timeout]\n", __progname); 1217 exit(1); 1218 } 1219