ipfilter/netinet/ip_ftp_pxy.c

145522Sdarrenr/*	$FreeBSD: head/sys/contrib/ipfilter/netinet/ip_ftp_pxy.c 145522 2005-04-25 18:43:14Z darrenr $	*/
145522Sdarrenr
53642Sguido/*
145522Sdarrenr * Copyright (C) 1997-2003 by Darren Reed
145522Sdarrenr *
145522Sdarrenr * See the IPFILTER.LICENCE file for details on licencing.
145522Sdarrenr *
53642Sguido * Simple FTP transparent proxy for in-kernel use.  For use with the NAT
53642Sguido * code.
72006Sdarrenr *
57126Sguido * $FreeBSD: head/sys/contrib/ipfilter/netinet/ip_ftp_pxy.c 145522 2005-04-25 18:43:14Z darrenr $
145522Sdarrenr * Id: ip_ftp_pxy.c,v 2.88.2.15 2005/03/19 19:38:10 darrenr Exp
53642Sguido */
53642Sguido
53642Sguido#define	IPF_FTP_PROXY
53642Sguido
53642Sguido#define	IPF_MINPORTLEN	18
53642Sguido#define	IPF_MAXPORTLEN	30
53642Sguido#define	IPF_MIN227LEN	39
53642Sguido#define	IPF_MAX227LEN	51
145522Sdarrenr#define	IPF_MIN229LEN	47
145522Sdarrenr#define	IPF_MAX229LEN	51
53642Sguido
80482Sdarrenr#define	FTPXY_GO	0
80482Sdarrenr#define	FTPXY_INIT	1
80482Sdarrenr#define	FTPXY_USER_1	2
80482Sdarrenr#define	FTPXY_USOK_1	3
80482Sdarrenr#define	FTPXY_PASS_1	4
80482Sdarrenr#define	FTPXY_PAOK_1	5
80482Sdarrenr#define	FTPXY_AUTH_1	6
80482Sdarrenr#define	FTPXY_AUOK_1	7
80482Sdarrenr#define	FTPXY_ADAT_1	8
80482Sdarrenr#define	FTPXY_ADOK_1	9
80482Sdarrenr#define	FTPXY_ACCT_1	10
80482Sdarrenr#define	FTPXY_ACOK_1	11
80482Sdarrenr#define	FTPXY_USER_2	12
80482Sdarrenr#define	FTPXY_USOK_2	13
80482Sdarrenr#define	FTPXY_PASS_2	14
80482Sdarrenr#define	FTPXY_PAOK_2	15
53642Sguido
110916Sdarrenr/*
110916Sdarrenr * Values for FTP commands.  Numerics cover 0-999
110916Sdarrenr */
110916Sdarrenr#define	FTPXY_C_PASV	1000
110916Sdarrenr
60857Sdarrenrint ippr_ftp_client __P((fr_info_t *, ip_t *, nat_t *, ftpinfo_t *, int));
60857Sdarrenrint ippr_ftp_complete __P((char *, size_t));
145522Sdarrenrint ippr_ftp_in __P((fr_info_t *, ap_session_t *, nat_t *));
53642Sguidoint ippr_ftp_init __P((void));
145522Sdarrenrvoid ippr_ftp_fini __P((void));
145522Sdarrenrint ippr_ftp_new __P((fr_info_t *, ap_session_t *, nat_t *));
145522Sdarrenrint ippr_ftp_out __P((fr_info_t *, ap_session_t *, nat_t *));
110916Sdarrenrint ippr_ftp_pasv __P((fr_info_t *, ip_t *, nat_t *, ftpinfo_t *, int));
145522Sdarrenrint ippr_ftp_epsv __P((fr_info_t *, ip_t *, nat_t *, ftpside_t *, int));
60857Sdarrenrint ippr_ftp_port __P((fr_info_t *, ip_t *, nat_t *, ftpside_t *, int));
145522Sdarrenrint ippr_ftp_process __P((fr_info_t *, nat_t *, ftpinfo_t *, int));
60857Sdarrenrint ippr_ftp_server __P((fr_info_t *, ip_t *, nat_t *, ftpinfo_t *, int));
110916Sdarrenrint ippr_ftp_valid __P((ftpinfo_t *, int, char *, size_t));
110916Sdarrenrint ippr_ftp_server_valid __P((ftpside_t *, char *, size_t));
110916Sdarrenrint ippr_ftp_client_valid __P((ftpside_t *, char *, size_t));
60857Sdarrenru_short ippr_ftp_atoi __P((char **));
145522Sdarrenrint ippr_ftp_pasvreply __P((fr_info_t *, ip_t *, nat_t *, ftpside_t *,
145522Sdarrenr			    u_int, char *, char *, u_int));
53642Sguido
145522Sdarrenr
145522Sdarrenrint	ftp_proxy_init = 0;
60857Sdarrenrint	ippr_ftp_pasvonly = 0;
145522Sdarrenrint	ippr_ftp_insecure = 0;	/* Do not require logins before transfers */
145522Sdarrenrint	ippr_ftp_pasvrdr = 0;
145522Sdarrenrint	ippr_ftp_forcepasv = 0;	/* PASV must be last command prior to 227 */
145522Sdarrenr#if defined(_KERNEL)
145522Sdarrenrint	ippr_ftp_debug = 0;
145522Sdarrenr#else
145522Sdarrenrint	ippr_ftp_debug = 2;
145522Sdarrenr#endif
145522Sdarrenr/*
145522Sdarrenr * 1 - security
145522Sdarrenr * 2 - errors
145522Sdarrenr * 3 - error debugging
145522Sdarrenr * 4 - parsing errors
145522Sdarrenr * 5 - parsing info
145522Sdarrenr * 6 - parsing debug
145522Sdarrenr */
53642Sguido
145522Sdarrenrstatic	frentry_t	ftppxyfr;
145522Sdarrenrstatic	ipftuneable_t	ftptune = {
145522Sdarrenr	{ &ippr_ftp_debug },
145522Sdarrenr	"ippr_ftp_debug",
145522Sdarrenr	0,
145522Sdarrenr	10,
145522Sdarrenr	sizeof(ippr_ftp_debug),
145522Sdarrenr	0,
145522Sdarrenr	NULL
145522Sdarrenr};
53642Sguido
145522Sdarrenr
53642Sguido/*
53642Sguido * Initialize local structures.
53642Sguido */
53642Sguidoint ippr_ftp_init()
53642Sguido{
92685Sdarrenr	bzero((char *)&ftppxyfr, sizeof(ftppxyfr));
92685Sdarrenr	ftppxyfr.fr_ref = 1;
92685Sdarrenr	ftppxyfr.fr_flags = FR_INQUE|FR_PASS|FR_QUICK|FR_KEEPSTATE;
145522Sdarrenr	MUTEX_INIT(&ftppxyfr.fr_lock, "FTP Proxy Mutex");
145522Sdarrenr	ftp_proxy_init = 1;
145522Sdarrenr	(void) fr_addipftune(&ftptune);
145522Sdarrenr
53642Sguido	return 0;
53642Sguido}
53642Sguido
53642Sguido
145522Sdarrenrvoid ippr_ftp_fini()
145522Sdarrenr{
145522Sdarrenr	(void) fr_delipftune(&ftptune);
145522Sdarrenr
145522Sdarrenr	if (ftp_proxy_init == 1) {
145522Sdarrenr		MUTEX_DESTROY(&ftppxyfr.fr_lock);
145522Sdarrenr		ftp_proxy_init = 0;
145522Sdarrenr	}
145522Sdarrenr}
145522Sdarrenr
145522Sdarrenr
145522Sdarrenrint ippr_ftp_new(fin, aps, nat)
60857Sdarrenrfr_info_t *fin;
60857Sdarrenrap_session_t *aps;
60857Sdarrenrnat_t *nat;
53642Sguido{
60857Sdarrenr	ftpinfo_t *ftp;
60857Sdarrenr	ftpside_t *f;
53642Sguido
60857Sdarrenr	KMALLOC(ftp, ftpinfo_t *);
60857Sdarrenr	if (ftp == NULL)
60857Sdarrenr		return -1;
145522Sdarrenr
145522Sdarrenr	fin = fin;	/* LINT */
145522Sdarrenr	nat = nat;	/* LINT */
145522Sdarrenr
60857Sdarrenr	aps->aps_data = ftp;
60857Sdarrenr	aps->aps_psiz = sizeof(ftpinfo_t);
60857Sdarrenr
60857Sdarrenr	bzero((char *)ftp, sizeof(*ftp));
60857Sdarrenr	f = &ftp->ftp_side[0];
60857Sdarrenr	f->ftps_rptr = f->ftps_buf;
60857Sdarrenr	f->ftps_wptr = f->ftps_buf;
60857Sdarrenr	f = &ftp->ftp_side[1];
60857Sdarrenr	f->ftps_rptr = f->ftps_buf;
60857Sdarrenr	f->ftps_wptr = f->ftps_buf;
80482Sdarrenr	ftp->ftp_passok = FTPXY_INIT;
145522Sdarrenr	ftp->ftp_incok = 0;
60857Sdarrenr	return 0;
53642Sguido}
53642Sguido
53642Sguido
60857Sdarrenrint ippr_ftp_port(fin, ip, nat, f, dlen)
53642Sguidofr_info_t *fin;
53642Sguidoip_t *ip;
53642Sguidonat_t *nat;
60857Sdarrenrftpside_t *f;
60857Sdarrenrint dlen;
53642Sguido{
53642Sguido	tcphdr_t *tcp, tcph, *tcp2 = &tcph;
60857Sdarrenr	char newbuf[IPF_FTPBUFSZ], *s;
145522Sdarrenr	struct in_addr swip, swip2;
53642Sguido	u_int a1, a2, a3, a4;
145522Sdarrenr	int inc, off, flags;
92685Sdarrenr	u_short a5, a6, sp;
60857Sdarrenr	size_t nlen, olen;
53642Sguido	fr_info_t fi;
145522Sdarrenr	nat_t *nat2;
53642Sguido	mb_t *m;
53642Sguido
145522Sdarrenr	m = fin->fin_m;
53642Sguido	tcp = (tcphdr_t *)fin->fin_dp;
145522Sdarrenr	off = (char *)tcp - (char *)ip + (TCP_OFF(tcp) << 2) + fin->fin_ipoff;
145522Sdarrenr
60857Sdarrenr	/*
60857Sdarrenr	 * Check for client sending out PORT message.
60857Sdarrenr	 */
110916Sdarrenr	if (dlen < IPF_MINPORTLEN) {
145522Sdarrenr		if (ippr_ftp_debug > 1)
145522Sdarrenr			printf("ippr_ftp_port:dlen(%d) < IPF_MINPORTLEN\n",
145522Sdarrenr			       dlen);
53642Sguido		return 0;
110916Sdarrenr	}
60857Sdarrenr	/*
53642Sguido	 * Skip the PORT command + space
53642Sguido	 */
60857Sdarrenr	s = f->ftps_rptr + 5;
53642Sguido	/*
53642Sguido	 * Pick out the address components, two at a time.
53642Sguido	 */
60857Sdarrenr	a1 = ippr_ftp_atoi(&s);
110916Sdarrenr	if (s == NULL) {
145522Sdarrenr		if (ippr_ftp_debug > 1)
145522Sdarrenr			printf("ippr_ftp_port:ippr_ftp_atoi(%d) failed\n", 1);
53642Sguido		return 0;
110916Sdarrenr	}
60857Sdarrenr	a2 = ippr_ftp_atoi(&s);
110916Sdarrenr	if (s == NULL) {
145522Sdarrenr		if (ippr_ftp_debug > 1)
145522Sdarrenr			printf("ippr_ftp_port:ippr_ftp_atoi(%d) failed\n", 2);
53642Sguido		return 0;
110916Sdarrenr	}
145522Sdarrenr
53642Sguido	/*
145522Sdarrenr	 * Check that IP address in the PORT/PASV reply is the same as the
53642Sguido	 * sender of the command - prevents using PORT for port scanning.
53642Sguido	 */
53642Sguido	a1 <<= 16;
53642Sguido	a1 |= a2;
145522Sdarrenr	if (((nat->nat_dir == NAT_OUTBOUND) &&
145522Sdarrenr	     (a1 != ntohl(nat->nat_inip.s_addr))) ||
145522Sdarrenr	    ((nat->nat_dir == NAT_INBOUND) &&
145522Sdarrenr	     (a1 != ntohl(nat->nat_oip.s_addr)))) {
145522Sdarrenr		if (ippr_ftp_debug > 0)
145522Sdarrenr			printf("ippr_ftp_port:%s != nat->nat_inip\n", "a1");
145522Sdarrenr		return APR_ERR(1);
110916Sdarrenr	}
53642Sguido
60857Sdarrenr	a5 = ippr_ftp_atoi(&s);
110916Sdarrenr	if (s == NULL) {
145522Sdarrenr		if (ippr_ftp_debug > 1)
145522Sdarrenr			printf("ippr_ftp_port:ippr_ftp_atoi(%d) failed\n", 3);
53642Sguido		return 0;
110916Sdarrenr	}
53642Sguido	if (*s == ')')
53642Sguido		s++;
53642Sguido
53642Sguido	/*
53642Sguido	 * check for CR-LF at the end.
53642Sguido	 */
53642Sguido	if (*s == '\n')
53642Sguido		s--;
53642Sguido	if ((*s == '\r') && (*(s + 1) == '\n')) {
53642Sguido		s += 2;
53642Sguido		a6 = a5 & 0xff;
110916Sdarrenr	} else {
145522Sdarrenr		if (ippr_ftp_debug > 1)
145522Sdarrenr			printf("ippr_ftp_port:missing %s\n", "cr-lf");
53642Sguido		return 0;
110916Sdarrenr	}
145522Sdarrenr
53642Sguido	a5 >>= 8;
67614Sdarrenr	a5 &= 0xff;
145522Sdarrenr	sp = a5 << 8 | a6;
53642Sguido	/*
145522Sdarrenr	 * Don't allow the PORT command to specify a port < 1024 due to
145522Sdarrenr	 * security crap.
145522Sdarrenr	 */
145522Sdarrenr	if (sp < 1024) {
145522Sdarrenr		if (ippr_ftp_debug > 0)
145522Sdarrenr			printf("ippr_ftp_port:sp(%d) < 1024\n", sp);
145522Sdarrenr		return 0;
145522Sdarrenr	}
145522Sdarrenr	/*
53642Sguido	 * Calculate new address parts for PORT command
53642Sguido	 */
145522Sdarrenr	if (nat->nat_dir == NAT_INBOUND)
145522Sdarrenr		a1 = ntohl(nat->nat_oip.s_addr);
145522Sdarrenr	else
145522Sdarrenr		a1 = ntohl(ip->ip_src.s_addr);
53642Sguido	a2 = (a1 >> 16) & 0xff;
53642Sguido	a3 = (a1 >> 8) & 0xff;
53642Sguido	a4 = a1 & 0xff;
53642Sguido	a1 >>= 24;
60857Sdarrenr	olen = s - f->ftps_rptr;
92685Sdarrenr	/* DO NOT change this to snprintf! */
145522Sdarrenr#if defined(SNPRINTF) && defined(_KERNEL)
145522Sdarrenr	SNPRINTF(newbuf, sizeof(newbuf), "%s %u,%u,%u,%u,%u,%u\r\n",
145522Sdarrenr		 "PORT", a1, a2, a3, a4, a5, a6);
130886Sdarrenr#else
55929Sguido	(void) sprintf(newbuf, "%s %u,%u,%u,%u,%u,%u\r\n",
53642Sguido		       "PORT", a1, a2, a3, a4, a5, a6);
130886Sdarrenr#endif
53642Sguido
53642Sguido	nlen = strlen(newbuf);
53642Sguido	inc = nlen - olen;
110916Sdarrenr	if ((inc + ip->ip_len) > 65535) {
145522Sdarrenr		if (ippr_ftp_debug > 0)
145522Sdarrenr			printf("ippr_ftp_port:inc(%d) + ip->ip_len > 65535\n",
145522Sdarrenr			       inc);
60857Sdarrenr		return 0;
110916Sdarrenr	}
60857Sdarrenr
95563Sdarrenr#if !defined(_KERNEL)
145522Sdarrenr	bcopy(newbuf, MTOD(m, char *) + off, nlen);
95563Sdarrenr#else
145522Sdarrenr# if defined(MENTAT)
53642Sguido	if (inc < 0)
145522Sdarrenr		(void)adjmsg(m, inc);
145522Sdarrenr# else /* defined(MENTAT) */
145522Sdarrenr	/*
145522Sdarrenr	 * m_adj takes care of pkthdr.len, if required and treats inc<0 to
145522Sdarrenr	 * mean remove -len bytes from the end of the packet.
145522Sdarrenr	 * The mbuf chain will be extended if necessary by m_copyback().
145522Sdarrenr	 */
145522Sdarrenr	if (inc < 0)
53642Sguido		m_adj(m, inc);
145522Sdarrenr# endif /* defined(MENTAT) */
145522Sdarrenr#endif /* !defined(_KERNEL) */
145522Sdarrenr	COPYBACK(m, off, nlen, newbuf);
145522Sdarrenr
53642Sguido	if (inc != 0) {
53642Sguido		ip->ip_len += inc;
145522Sdarrenr		fin->fin_dlen += inc;
145522Sdarrenr		fin->fin_plen += inc;
53642Sguido	}
53642Sguido
53642Sguido	/*
53642Sguido	 * The server may not make the connection back from port 20, but
53642Sguido	 * it is the most likely so use it here to check for a conflicting
53642Sguido	 * mapping.
53642Sguido	 */
92685Sdarrenr	bcopy((char *)fin, (char *)&fi, sizeof(fi));
145522Sdarrenr	fi.fin_state = NULL;
145522Sdarrenr	fi.fin_nat = NULL;
145522Sdarrenr	fi.fin_flx |= FI_IGNORE;
92685Sdarrenr	fi.fin_data[0] = sp;
92685Sdarrenr	fi.fin_data[1] = fin->fin_data[1] - 1;
145522Sdarrenr	/*
145522Sdarrenr	 * Add skeleton NAT entry for connection which will come back the
145522Sdarrenr	 * other way.
145522Sdarrenr	 */
145522Sdarrenr	if (nat->nat_dir == NAT_OUTBOUND)
145522Sdarrenr		nat2 = nat_outlookup(&fi, NAT_SEARCH|IPN_TCP, nat->nat_p,
145522Sdarrenr				     nat->nat_inip, nat->nat_oip);
145522Sdarrenr	else
145522Sdarrenr		nat2 = nat_inlookup(&fi, NAT_SEARCH|IPN_TCP, nat->nat_p,
145522Sdarrenr				    nat->nat_inip, nat->nat_oip);
145522Sdarrenr	if (nat2 == NULL) {
60857Sdarrenr		int slen;
60857Sdarrenr
60857Sdarrenr		slen = ip->ip_len;
60857Sdarrenr		ip->ip_len = fin->fin_hlen + sizeof(*tcp2);
53642Sguido		bzero((char *)tcp2, sizeof(*tcp2));
53642Sguido		tcp2->th_win = htons(8192);
92685Sdarrenr		tcp2->th_sport = htons(sp);
145522Sdarrenr		TCP_OFF_A(tcp2, 5);
95563Sdarrenr		tcp2->th_flags = TH_SYN;
53642Sguido		tcp2->th_dport = 0; /* XXX - don't specify remote port */
53642Sguido		fi.fin_data[1] = 0;
67853Sdarrenr		fi.fin_dlen = sizeof(*tcp2);
145522Sdarrenr		fi.fin_plen = fi.fin_hlen + sizeof(*tcp2);
53642Sguido		fi.fin_dp = (char *)tcp2;
92685Sdarrenr		fi.fin_fr = &ftppxyfr;
145522Sdarrenr		fi.fin_out = nat->nat_dir;
145522Sdarrenr		fi.fin_flx &= FI_LOWTTL|FI_FRAG|FI_TCPUDP|FI_OPTIONS|FI_IGNORE;
53642Sguido		swip = ip->ip_src;
145522Sdarrenr		swip2 = ip->ip_dst;
145522Sdarrenr		if (nat->nat_dir == NAT_OUTBOUND) {
145522Sdarrenr			fi.fin_fi.fi_saddr = nat->nat_inip.s_addr;
145522Sdarrenr			ip->ip_src = nat->nat_inip;
145522Sdarrenr		} else if (nat->nat_dir == NAT_INBOUND) {
145522Sdarrenr			fi.fin_fi.fi_saddr = nat->nat_oip.s_addr;
145522Sdarrenr			ip->ip_src = nat->nat_oip;
53642Sguido		}
145522Sdarrenr
145522Sdarrenr		flags = NAT_SLAVE|IPN_TCP|SI_W_DPORT;
145522Sdarrenr		if (nat->nat_dir == NAT_INBOUND)
145522Sdarrenr			flags |= NAT_NOTRULEPORT;
145522Sdarrenr		nat2 = nat_new(&fi, nat->nat_ptr, NULL, flags, nat->nat_dir);
145522Sdarrenr
145522Sdarrenr		if (nat2 != NULL) {
145522Sdarrenr			(void) nat_proto(&fi, nat2, IPN_TCP);
145522Sdarrenr			nat_update(&fi, nat2, nat->nat_ptr);
145522Sdarrenr			fi.fin_ifp = NULL;
145522Sdarrenr			if (nat->nat_dir == NAT_INBOUND) {
145522Sdarrenr				fi.fin_fi.fi_daddr = nat->nat_inip.s_addr;
145522Sdarrenr				ip->ip_dst = nat->nat_inip;
145522Sdarrenr			}
145522Sdarrenr			(void) fr_addstate(&fi, &nat2->nat_state, SI_W_DPORT);
145522Sdarrenr			if (fi.fin_state != NULL)
145522Sdarrenr				fr_statederef(&fi, (ipstate_t **)&fi.fin_state);
145522Sdarrenr		}
60857Sdarrenr		ip->ip_len = slen;
53642Sguido		ip->ip_src = swip;
145522Sdarrenr		ip->ip_dst = swip2;
145522Sdarrenr	} else {
145522Sdarrenr		ipstate_t *is;
145522Sdarrenr
145522Sdarrenr		nat_update(&fi, nat2, nat->nat_ptr);
145522Sdarrenr		READ_ENTER(&ipf_state);
145522Sdarrenr		is = nat2->nat_state;
145522Sdarrenr		if (is != NULL) {
145522Sdarrenr			MUTEX_ENTER(&is->is_lock);
145522Sdarrenr			(void)fr_tcp_age(&is->is_sti, &fi, ips_tqtqb,
145522Sdarrenr					 is->is_flags);
145522Sdarrenr			MUTEX_EXIT(&is->is_lock);
145522Sdarrenr		}
145522Sdarrenr		RWLOCK_EXIT(&ipf_state);
53642Sguido	}
145522Sdarrenr	return APR_INC(inc);
53642Sguido}
53642Sguido
53642Sguido
60857Sdarrenrint ippr_ftp_client(fin, ip, nat, ftp, dlen)
53642Sguidofr_info_t *fin;
60857Sdarrenrnat_t *nat;
60857Sdarrenrftpinfo_t *ftp;
53642Sguidoip_t *ip;
60857Sdarrenrint dlen;
53642Sguido{
63523Sdarrenr	char *rptr, *wptr, cmd[6], c;
60857Sdarrenr	ftpside_t *f;
63523Sdarrenr	int inc, i;
60857Sdarrenr
60857Sdarrenr	inc = 0;
60857Sdarrenr	f = &ftp->ftp_side[0];
60857Sdarrenr	rptr = f->ftps_rptr;
60857Sdarrenr	wptr = f->ftps_wptr;
60857Sdarrenr
63523Sdarrenr	for (i = 0; (i < 5) && (i < dlen); i++) {
63523Sdarrenr		c = rptr[i];
145522Sdarrenr		if (ISALPHA(c)) {
145522Sdarrenr			cmd[i] = TOUPPER(c);
63523Sdarrenr		} else {
63523Sdarrenr			cmd[i] = c;
63523Sdarrenr		}
63523Sdarrenr	}
63523Sdarrenr	cmd[i] = '\0';
63523Sdarrenr
80482Sdarrenr	ftp->ftp_incok = 0;
80482Sdarrenr	if (!strncmp(cmd, "USER ", 5) || !strncmp(cmd, "XAUT ", 5)) {
80482Sdarrenr		if (ftp->ftp_passok == FTPXY_ADOK_1 ||
80482Sdarrenr		    ftp->ftp_passok == FTPXY_AUOK_1) {
80482Sdarrenr			ftp->ftp_passok = FTPXY_USER_2;
80482Sdarrenr			ftp->ftp_incok = 1;
80482Sdarrenr		} else {
80482Sdarrenr			ftp->ftp_passok = FTPXY_USER_1;
80482Sdarrenr			ftp->ftp_incok = 1;
80482Sdarrenr		}
80482Sdarrenr	} else if (!strncmp(cmd, "AUTH ", 5)) {
80482Sdarrenr		ftp->ftp_passok = FTPXY_AUTH_1;
80482Sdarrenr		ftp->ftp_incok = 1;
80482Sdarrenr	} else if (!strncmp(cmd, "PASS ", 5)) {
80482Sdarrenr		if (ftp->ftp_passok == FTPXY_USOK_1) {
80482Sdarrenr			ftp->ftp_passok = FTPXY_PASS_1;
80482Sdarrenr			ftp->ftp_incok = 1;
80482Sdarrenr		} else if (ftp->ftp_passok == FTPXY_USOK_2) {
80482Sdarrenr			ftp->ftp_passok = FTPXY_PASS_2;
80482Sdarrenr			ftp->ftp_incok = 1;
80482Sdarrenr		}
80482Sdarrenr	} else if ((ftp->ftp_passok == FTPXY_AUOK_1) &&
80482Sdarrenr		   !strncmp(cmd, "ADAT ", 5)) {
80482Sdarrenr		ftp->ftp_passok = FTPXY_ADAT_1;
80482Sdarrenr		ftp->ftp_incok = 1;
92685Sdarrenr	} else if ((ftp->ftp_passok == FTPXY_PAOK_1 ||
92685Sdarrenr		    ftp->ftp_passok == FTPXY_PAOK_2) &&
80482Sdarrenr		 !strncmp(cmd, "ACCT ", 5)) {
80482Sdarrenr		ftp->ftp_passok = FTPXY_ACCT_1;
80482Sdarrenr		ftp->ftp_incok = 1;
80482Sdarrenr	} else if ((ftp->ftp_passok == FTPXY_GO) && !ippr_ftp_pasvonly &&
63523Sdarrenr		 !strncmp(cmd, "PORT ", 5)) {
60857Sdarrenr		inc = ippr_ftp_port(fin, ip, nat, f, dlen);
63523Sdarrenr	} else if (ippr_ftp_insecure && !ippr_ftp_pasvonly &&
63523Sdarrenr		   !strncmp(cmd, "PORT ", 5)) {
63523Sdarrenr		inc = ippr_ftp_port(fin, ip, nat, f, dlen);
60857Sdarrenr	}
60857Sdarrenr
60857Sdarrenr	while ((*rptr++ != '\n') && (rptr < wptr))
60857Sdarrenr		;
60857Sdarrenr	f->ftps_rptr = rptr;
60857Sdarrenr	return inc;
53642Sguido}
53642Sguido
53642Sguido
110916Sdarrenrint ippr_ftp_pasv(fin, ip, nat, ftp, dlen)
53642Sguidofr_info_t *fin;
53642Sguidoip_t *ip;
53642Sguidonat_t *nat;
110916Sdarrenrftpinfo_t *ftp;
60857Sdarrenrint dlen;
53642Sguido{
145522Sdarrenr	u_int a1, a2, a3, a4, data_ip;
145522Sdarrenr	char newbuf[IPF_FTPBUFSZ];
145522Sdarrenr	char *s, *brackets[2];
145522Sdarrenr	u_short a5, a6;
110916Sdarrenr	ftpside_t *f;
53642Sguido
110916Sdarrenr	if (ippr_ftp_forcepasv != 0 &&
110916Sdarrenr	    ftp->ftp_side[0].ftps_cmds != FTPXY_C_PASV) {
145522Sdarrenr		if (ippr_ftp_debug > 0)
145522Sdarrenr			printf("ippr_ftp_pasv:ftps_cmds(%d) != FTPXY_C_PASV\n",
145522Sdarrenr			       ftp->ftp_side[0].ftps_cmds);
110916Sdarrenr		return 0;
110916Sdarrenr	}
110916Sdarrenr
110916Sdarrenr	f = &ftp->ftp_side[1];
110916Sdarrenr
80482Sdarrenr#define	PASV_REPLEN	24
60857Sdarrenr	/*
60857Sdarrenr	 * Check for PASV reply message.
60857Sdarrenr	 */
110916Sdarrenr	if (dlen < IPF_MIN227LEN) {
145522Sdarrenr		if (ippr_ftp_debug > 1)
145522Sdarrenr			printf("ippr_ftp_pasv:dlen(%d) < IPF_MIN227LEN\n",
145522Sdarrenr			       dlen);
60857Sdarrenr		return 0;
110916Sdarrenr	} else if (strncmp(f->ftps_rptr,
110916Sdarrenr			   "227 Entering Passive Mod", PASV_REPLEN)) {
145522Sdarrenr		if (ippr_ftp_debug > 0)
145522Sdarrenr			printf("ippr_ftp_pasv:%d reply wrong\n", 227);
60857Sdarrenr		return 0;
110916Sdarrenr	}
60857Sdarrenr
145522Sdarrenr	brackets[0] = "";
145522Sdarrenr	brackets[1] = "";
53642Sguido	/*
110916Sdarrenr	 * Skip the PASV reply + space
53642Sguido	 */
80482Sdarrenr	s = f->ftps_rptr + PASV_REPLEN;
145522Sdarrenr	while (*s && !ISDIGIT(*s)) {
145522Sdarrenr		if (*s == '(') {
145522Sdarrenr			brackets[0] = "(";
145522Sdarrenr			brackets[1] = ")";
145522Sdarrenr		}
53642Sguido		s++;
145522Sdarrenr	}
145522Sdarrenr
53642Sguido	/*
53642Sguido	 * Pick out the address components, two at a time.
53642Sguido	 */
60857Sdarrenr	a1 = ippr_ftp_atoi(&s);
110916Sdarrenr	if (s == NULL) {
145522Sdarrenr		if (ippr_ftp_debug > 1)
145522Sdarrenr			printf("ippr_ftp_pasv:ippr_ftp_atoi(%d) failed\n", 1);
53642Sguido		return 0;
110916Sdarrenr	}
60857Sdarrenr	a2 = ippr_ftp_atoi(&s);
110916Sdarrenr	if (s == NULL) {
145522Sdarrenr		if (ippr_ftp_debug > 1)
145522Sdarrenr			printf("ippr_ftp_pasv:ippr_ftp_atoi(%d) failed\n", 2);
53642Sguido		return 0;
110916Sdarrenr	}
53642Sguido
53642Sguido	/*
145522Sdarrenr	 * check that IP address in the PASV reply is the same as the
145522Sdarrenr	 * sender of the command - prevents using PASV for port scanning.
53642Sguido	 */
53642Sguido	a1 <<= 16;
53642Sguido	a1 |= a2;
145522Sdarrenr
145522Sdarrenr	if (((nat->nat_dir == NAT_INBOUND) &&
145522Sdarrenr	     (a1 != ntohl(nat->nat_inip.s_addr))) ||
145522Sdarrenr	    ((nat->nat_dir == NAT_OUTBOUND) &&
145522Sdarrenr	     (a1 != ntohl(nat->nat_oip.s_addr)))) {
145522Sdarrenr		if (ippr_ftp_debug > 0)
145522Sdarrenr			printf("ippr_ftp_pasv:%s != nat->nat_oip\n", "a1");
53642Sguido		return 0;
110916Sdarrenr	}
53642Sguido
60857Sdarrenr	a5 = ippr_ftp_atoi(&s);
110916Sdarrenr	if (s == NULL) {
145522Sdarrenr		if (ippr_ftp_debug > 1)
145522Sdarrenr			printf("ippr_ftp_pasv:ippr_ftp_atoi(%d) failed\n", 3);
53642Sguido		return 0;
110916Sdarrenr	}
53642Sguido
53642Sguido	if (*s == ')')
53642Sguido		s++;
80482Sdarrenr	if (*s == '.')
80482Sdarrenr		s++;
53642Sguido	if (*s == '\n')
53642Sguido		s--;
53642Sguido	/*
53642Sguido	 * check for CR-LF at the end.
53642Sguido	 */
53642Sguido	if ((*s == '\r') && (*(s + 1) == '\n')) {
53642Sguido		s += 2;
110916Sdarrenr	} else {
145522Sdarrenr		if (ippr_ftp_debug > 1)
145522Sdarrenr			printf("ippr_ftp_pasv:missing %s", "cr-lf\n");
53642Sguido		return 0;
110916Sdarrenr	}
145522Sdarrenr
145522Sdarrenr	a6 = a5 & 0xff;
53642Sguido	a5 >>= 8;
53642Sguido	/*
53642Sguido	 * Calculate new address parts for 227 reply
53642Sguido	 */
145522Sdarrenr	if (nat->nat_dir == NAT_INBOUND) {
145522Sdarrenr		data_ip = nat->nat_outip.s_addr;
145522Sdarrenr		a1 = ntohl(data_ip);
145522Sdarrenr	} else
145522Sdarrenr		data_ip = htonl(a1);
145522Sdarrenr
53642Sguido	a2 = (a1 >> 16) & 0xff;
53642Sguido	a3 = (a1 >> 8) & 0xff;
53642Sguido	a4 = a1 & 0xff;
53642Sguido	a1 >>= 24;
145522Sdarrenr
145522Sdarrenr#if defined(SNPRINTF) && defined(_KERNEL)
145522Sdarrenr	SNPRINTF(newbuf, sizeof(newbuf), "%s %s%u,%u,%u,%u,%u,%u%s\r\n",
145522Sdarrenr		"227 Entering Passive Mode", brackets[0], a1, a2, a3, a4,
145522Sdarrenr		a5, a6, brackets[1]);
145522Sdarrenr#else
145522Sdarrenr	(void) sprintf(newbuf, "%s %s%u,%u,%u,%u,%u,%u%s\r\n",
145522Sdarrenr		"227 Entering Passive Mode", brackets[0], a1, a2, a3, a4,
145522Sdarrenr		a5, a6, brackets[1]);
145522Sdarrenr#endif
145522Sdarrenr	return ippr_ftp_pasvreply(fin, ip, nat, f, (a5 << 8 | a6),
145522Sdarrenr				  newbuf, s, data_ip);
145522Sdarrenr}
145522Sdarrenr
145522Sdarrenrint ippr_ftp_pasvreply(fin, ip, nat, f, port, newmsg, s, data_ip)
145522Sdarrenrfr_info_t *fin;
145522Sdarrenrip_t *ip;
145522Sdarrenrnat_t *nat;
145522Sdarrenrftpside_t *f;
145522Sdarrenru_int port;
145522Sdarrenrchar *newmsg;
145522Sdarrenrchar *s;
145522Sdarrenru_int data_ip;
145522Sdarrenr{
145522Sdarrenr	int inc, off, nflags, sflags;
145522Sdarrenr	tcphdr_t *tcp, tcph, *tcp2;
145522Sdarrenr	struct in_addr swip, swip2;
145522Sdarrenr	struct in_addr data_addr;
145522Sdarrenr	size_t nlen, olen;
145522Sdarrenr	fr_info_t fi;
145522Sdarrenr	nat_t *nat2;
145522Sdarrenr	mb_t *m;
145522Sdarrenr
145522Sdarrenr	m = fin->fin_m;
145522Sdarrenr	tcp = (tcphdr_t *)fin->fin_dp;
145522Sdarrenr	off = (char *)tcp - (char *)ip + (TCP_OFF(tcp) << 2) + fin->fin_ipoff;
145522Sdarrenr
145522Sdarrenr	data_addr.s_addr = data_ip;
145522Sdarrenr	tcp2 = &tcph;
60857Sdarrenr	inc = 0;
145522Sdarrenr
145522Sdarrenr
60857Sdarrenr	olen = s - f->ftps_rptr;
145522Sdarrenr	nlen = strlen(newmsg);
53642Sguido	inc = nlen - olen;
145522Sdarrenr	if ((inc + ip->ip_len) > 65535) {
145522Sdarrenr		if (ippr_ftp_debug > 0)
145522Sdarrenr			printf("ippr_ftp_pasv:inc(%d) + ip->ip_len > 65535\n",
145522Sdarrenr			       inc);
60857Sdarrenr		return 0;
145522Sdarrenr	}
60857Sdarrenr
95563Sdarrenr#if !defined(_KERNEL)
145522Sdarrenr	bcopy(newmsg, MTOD(m, char *) + off, nlen);
95563Sdarrenr#else
145522Sdarrenr# if defined(MENTAT)
53642Sguido	if (inc < 0)
145522Sdarrenr		(void)adjmsg(m, inc);
145522Sdarrenr# else /* defined(MENTAT) */
145522Sdarrenr	/*
145522Sdarrenr	 * m_adj takes care of pkthdr.len, if required and treats inc<0 to
145522Sdarrenr	 * mean remove -len bytes from the end of the packet.
145522Sdarrenr	 * The mbuf chain will be extended if necessary by m_copyback().
145522Sdarrenr	 */
145522Sdarrenr	if (inc < 0)
53642Sguido		m_adj(m, inc);
145522Sdarrenr# endif /* defined(MENTAT) */
145522Sdarrenr#endif /* !defined(_KERNEL) */
145522Sdarrenr	COPYBACK(m, off, nlen, newmsg);
145522Sdarrenr
53642Sguido	if (inc != 0) {
53642Sguido		ip->ip_len += inc;
145522Sdarrenr		fin->fin_dlen += inc;
145522Sdarrenr		fin->fin_plen += inc;
53642Sguido	}
53642Sguido
53642Sguido	/*
53642Sguido	 * Add skeleton NAT entry for connection which will come back the
53642Sguido	 * other way.
53642Sguido	 */
92685Sdarrenr	bcopy((char *)fin, (char *)&fi, sizeof(fi));
145522Sdarrenr	fi.fin_state = NULL;
145522Sdarrenr	fi.fin_nat = NULL;
145522Sdarrenr	fi.fin_flx |= FI_IGNORE;
92685Sdarrenr	fi.fin_data[0] = 0;
145522Sdarrenr	fi.fin_data[1] = port;
145522Sdarrenr	nflags = IPN_TCP|SI_W_SPORT;
145522Sdarrenr	if (ippr_ftp_pasvrdr && f->ftps_ifp)
145522Sdarrenr		nflags |= SI_W_DPORT;
145522Sdarrenr	if (nat->nat_dir == NAT_OUTBOUND)
145522Sdarrenr		nat2 = nat_outlookup(&fi, nflags|NAT_SEARCH,
145522Sdarrenr				     nat->nat_p, nat->nat_inip, nat->nat_oip);
145522Sdarrenr	else
145522Sdarrenr		nat2 = nat_inlookup(&fi, nflags|NAT_SEARCH,
145522Sdarrenr				    nat->nat_p, nat->nat_inip, nat->nat_oip);
145522Sdarrenr	if (nat2 == NULL) {
60857Sdarrenr		int slen;
60857Sdarrenr
60857Sdarrenr		slen = ip->ip_len;
60857Sdarrenr		ip->ip_len = fin->fin_hlen + sizeof(*tcp2);
53642Sguido		bzero((char *)tcp2, sizeof(*tcp2));
53642Sguido		tcp2->th_win = htons(8192);
53642Sguido		tcp2->th_sport = 0;		/* XXX - fake it for nat_new */
145522Sdarrenr		TCP_OFF_A(tcp2, 5);
95563Sdarrenr		tcp2->th_flags = TH_SYN;
145522Sdarrenr		fi.fin_data[1] = port;
67853Sdarrenr		fi.fin_dlen = sizeof(*tcp2);
145522Sdarrenr		tcp2->th_dport = htons(port);
92685Sdarrenr		fi.fin_data[0] = 0;
53642Sguido		fi.fin_dp = (char *)tcp2;
145522Sdarrenr		fi.fin_plen = fi.fin_hlen + sizeof(*tcp);
92685Sdarrenr		fi.fin_fr = &ftppxyfr;
145522Sdarrenr		fi.fin_out = nat->nat_dir;
145522Sdarrenr		fi.fin_flx &= FI_LOWTTL|FI_FRAG|FI_TCPUDP|FI_OPTIONS|FI_IGNORE;
53642Sguido		swip = ip->ip_src;
53642Sguido		swip2 = ip->ip_dst;
145522Sdarrenr		if (nat->nat_dir == NAT_OUTBOUND) {
145522Sdarrenr			fi.fin_fi.fi_daddr = data_addr.s_addr;
145522Sdarrenr			fi.fin_fi.fi_saddr = nat->nat_inip.s_addr;
145522Sdarrenr			ip->ip_dst = data_addr;
145522Sdarrenr			ip->ip_src = nat->nat_inip;
145522Sdarrenr		} else if (nat->nat_dir == NAT_INBOUND) {
145522Sdarrenr			fi.fin_fi.fi_saddr = nat->nat_oip.s_addr;
145522Sdarrenr			fi.fin_fi.fi_daddr = nat->nat_outip.s_addr;
145522Sdarrenr			ip->ip_src = nat->nat_oip;
145522Sdarrenr			ip->ip_dst = nat->nat_outip;
53642Sguido		}
145522Sdarrenr
145522Sdarrenr		sflags = nflags;
145522Sdarrenr		nflags |= NAT_SLAVE;
145522Sdarrenr		if (nat->nat_dir == NAT_INBOUND)
145522Sdarrenr			nflags |= NAT_NOTRULEPORT;
145522Sdarrenr		nat2 = nat_new(&fi, nat->nat_ptr, NULL, nflags, nat->nat_dir);
145522Sdarrenr		if (nat2 != NULL) {
145522Sdarrenr			(void) nat_proto(&fi, nat2, IPN_TCP);
145522Sdarrenr			nat_update(&fi, nat2, nat->nat_ptr);
145522Sdarrenr			fi.fin_ifp = NULL;
145522Sdarrenr			if (nat->nat_dir == NAT_INBOUND) {
145522Sdarrenr				fi.fin_fi.fi_daddr = nat->nat_inip.s_addr;
145522Sdarrenr				ip->ip_dst = nat->nat_inip;
145522Sdarrenr			}
145522Sdarrenr			(void) fr_addstate(&fi, &nat2->nat_state, sflags);
145522Sdarrenr			if (fi.fin_state != NULL)
145522Sdarrenr				fr_statederef(&fi, (ipstate_t **)&fi.fin_state);
145522Sdarrenr		}
145522Sdarrenr
60857Sdarrenr		ip->ip_len = slen;
53642Sguido		ip->ip_src = swip;
53642Sguido		ip->ip_dst = swip2;
145522Sdarrenr	} else {
145522Sdarrenr		ipstate_t *is;
145522Sdarrenr
145522Sdarrenr		nat_update(&fi, nat2, nat->nat_ptr);
145522Sdarrenr		READ_ENTER(&ipf_state);
145522Sdarrenr		is = nat2->nat_state;
145522Sdarrenr		if (is != NULL) {
145522Sdarrenr			MUTEX_ENTER(&is->is_lock);
145522Sdarrenr			(void)fr_tcp_age(&is->is_sti, &fi, ips_tqtqb,
145522Sdarrenr					 is->is_flags);
145522Sdarrenr			MUTEX_EXIT(&is->is_lock);
145522Sdarrenr		}
145522Sdarrenr		RWLOCK_EXIT(&ipf_state);
53642Sguido	}
53642Sguido	return inc;
53642Sguido}
53642Sguido
53642Sguido
60857Sdarrenrint ippr_ftp_server(fin, ip, nat, ftp, dlen)
60857Sdarrenrfr_info_t *fin;
60857Sdarrenrip_t *ip;
60857Sdarrenrnat_t *nat;
60857Sdarrenrftpinfo_t *ftp;
60857Sdarrenrint dlen;
60857Sdarrenr{
60857Sdarrenr	char *rptr, *wptr;
60857Sdarrenr	ftpside_t *f;
60857Sdarrenr	int inc;
60857Sdarrenr
60857Sdarrenr	inc = 0;
60857Sdarrenr	f = &ftp->ftp_side[1];
60857Sdarrenr	rptr = f->ftps_rptr;
60857Sdarrenr	wptr = f->ftps_wptr;
60857Sdarrenr
145522Sdarrenr	if (*rptr == ' ')
145522Sdarrenr		goto server_cmd_ok;
145522Sdarrenr	if (!ISDIGIT(*rptr) || !ISDIGIT(*(rptr + 1)) || !ISDIGIT(*(rptr + 2)))
102520Sdarrenr		return 0;
80482Sdarrenr	if (ftp->ftp_passok == FTPXY_GO) {
80482Sdarrenr		if (!strncmp(rptr, "227 ", 4))
110916Sdarrenr			inc = ippr_ftp_pasv(fin, ip, nat, ftp, dlen);
145522Sdarrenr		else if (!strncmp(rptr, "229 ", 4))
145522Sdarrenr			inc = ippr_ftp_epsv(fin, ip, nat, f, dlen);
63523Sdarrenr	} else if (ippr_ftp_insecure && !strncmp(rptr, "227 ", 4)) {
110916Sdarrenr		inc = ippr_ftp_pasv(fin, ip, nat, ftp, dlen);
145522Sdarrenr	} else if (ippr_ftp_insecure && !strncmp(rptr, "229 ", 4)) {
145522Sdarrenr		inc = ippr_ftp_epsv(fin, ip, nat, f, dlen);
80482Sdarrenr	} else if (*rptr == '5' || *rptr == '4')
80482Sdarrenr		ftp->ftp_passok = FTPXY_INIT;
80482Sdarrenr	else if (ftp->ftp_incok) {
80482Sdarrenr		if (*rptr == '3') {
80482Sdarrenr			if (ftp->ftp_passok == FTPXY_ACCT_1)
80482Sdarrenr				ftp->ftp_passok = FTPXY_GO;
80482Sdarrenr			else
80482Sdarrenr				ftp->ftp_passok++;
80482Sdarrenr		} else if (*rptr == '2') {
80482Sdarrenr			switch (ftp->ftp_passok)
80482Sdarrenr			{
80482Sdarrenr			case FTPXY_USER_1 :
80482Sdarrenr			case FTPXY_USER_2 :
80482Sdarrenr			case FTPXY_PASS_1 :
80482Sdarrenr			case FTPXY_PASS_2 :
80482Sdarrenr			case FTPXY_ACCT_1 :
80482Sdarrenr				ftp->ftp_passok = FTPXY_GO;
80482Sdarrenr				break;
80482Sdarrenr			default :
80482Sdarrenr				ftp->ftp_passok += 3;
80482Sdarrenr				break;
80482Sdarrenr			}
80482Sdarrenr		}
60857Sdarrenr	}
145522Sdarrenrserver_cmd_ok:
80482Sdarrenr	ftp->ftp_incok = 0;
110916Sdarrenr
60857Sdarrenr	while ((*rptr++ != '\n') && (rptr < wptr))
60857Sdarrenr		;
60857Sdarrenr	f->ftps_rptr = rptr;
60857Sdarrenr	return inc;
60857Sdarrenr}
60857Sdarrenr
60857Sdarrenr
60857Sdarrenr/*
60857Sdarrenr * Look to see if the buffer starts with something which we recognise as
60857Sdarrenr * being the correct syntax for the FTP protocol.
60857Sdarrenr */
110916Sdarrenrint ippr_ftp_client_valid(ftps, buf, len)
110916Sdarrenrftpside_t *ftps;
60857Sdarrenrchar *buf;
60857Sdarrenrsize_t len;
60857Sdarrenr{
145522Sdarrenr	register char *s, c, pc;
60857Sdarrenr	register size_t i = len;
110916Sdarrenr	char cmd[5];
60857Sdarrenr
145522Sdarrenr	s = buf;
145522Sdarrenr
145522Sdarrenr	if (ftps->ftps_junk == 1)
145522Sdarrenr		return 1;
145522Sdarrenr
110916Sdarrenr	if (i < 5) {
145522Sdarrenr		if (ippr_ftp_debug > 3)
145522Sdarrenr			printf("ippr_ftp_client_valid:i(%d) < 5\n", (int)i);
60857Sdarrenr		return 2;
110916Sdarrenr	}
145522Sdarrenr
145522Sdarrenr	i--;
60857Sdarrenr	c = *s++;
60857Sdarrenr
145522Sdarrenr	if (ISALPHA(c)) {
145522Sdarrenr		cmd[0] = TOUPPER(c);
60857Sdarrenr		c = *s++;
60857Sdarrenr		i--;
145522Sdarrenr		if (ISALPHA(c)) {
145522Sdarrenr			cmd[1] = TOUPPER(c);
60857Sdarrenr			c = *s++;
60857Sdarrenr			i--;
145522Sdarrenr			if (ISALPHA(c)) {
145522Sdarrenr				cmd[2] = TOUPPER(c);
60857Sdarrenr				c = *s++;
60857Sdarrenr				i--;
145522Sdarrenr				if (ISALPHA(c)) {
145522Sdarrenr					cmd[3] = TOUPPER(c);
92685Sdarrenr					c = *s++;
92685Sdarrenr					i--;
92685Sdarrenr					if ((c != ' ') && (c != '\r'))
110916Sdarrenr						goto bad_client_command;
92685Sdarrenr				} else if ((c != ' ') && (c != '\r'))
110916Sdarrenr					goto bad_client_command;
60857Sdarrenr			} else
110916Sdarrenr				goto bad_client_command;
60857Sdarrenr		} else
110916Sdarrenr			goto bad_client_command;
110916Sdarrenr	} else {
110916Sdarrenrbad_client_command:
145522Sdarrenr		if (ippr_ftp_debug > 3)
145522Sdarrenr			printf("%s:bad:junk %d len %d/%d c 0x%x buf [%*.*s]\n",
145522Sdarrenr			       "ippr_ftp_client_valid",
145522Sdarrenr			       ftps->ftps_junk, (int)len, (int)i, c,
145522Sdarrenr			       (int)len, (int)len, buf);
92685Sdarrenr		return 1;
110916Sdarrenr	}
110916Sdarrenr
92685Sdarrenr	for (; i; i--) {
145522Sdarrenr		pc = c;
60857Sdarrenr		c = *s++;
145522Sdarrenr		if ((pc == '\r') && (c == '\n')) {
110916Sdarrenr			cmd[4] = '\0';
110916Sdarrenr			if (!strcmp(cmd, "PASV"))
110916Sdarrenr				ftps->ftps_cmds = FTPXY_C_PASV;
110916Sdarrenr			else
110916Sdarrenr				ftps->ftps_cmds = 0;
92685Sdarrenr			return 0;
110916Sdarrenr		}
92685Sdarrenr	}
145522Sdarrenr#if !defined(_KERNEL)
145522Sdarrenr	printf("ippr_ftp_client_valid:junk after cmd[%*.*s]\n",
145522Sdarrenr	       (int)len, (int)len, buf);
110916Sdarrenr#endif
92685Sdarrenr	return 2;
92685Sdarrenr}
92685Sdarrenr
92685Sdarrenr
110916Sdarrenrint ippr_ftp_server_valid(ftps, buf, len)
110916Sdarrenrftpside_t *ftps;
92685Sdarrenrchar *buf;
92685Sdarrenrsize_t len;
92685Sdarrenr{
145522Sdarrenr	register char *s, c, pc;
92685Sdarrenr	register size_t i = len;
110916Sdarrenr	int cmd;
92685Sdarrenr
145522Sdarrenr	s = buf;
145522Sdarrenr	cmd = 0;
145522Sdarrenr
145522Sdarrenr	if (ftps->ftps_junk == 1)
145522Sdarrenr		return 1;
145522Sdarrenr
145522Sdarrenr	if (i < 5) {
145522Sdarrenr		if (ippr_ftp_debug > 3)
145522Sdarrenr			printf("ippr_ftp_servert_valid:i(%d) < 5\n", (int)i);
92685Sdarrenr		return 2;
145522Sdarrenr	}
145522Sdarrenr
92685Sdarrenr	c = *s++;
92685Sdarrenr	i--;
145522Sdarrenr	if (c == ' ')
145522Sdarrenr		goto search_eol;
92685Sdarrenr
145522Sdarrenr	if (ISDIGIT(c)) {
110916Sdarrenr		cmd = (c - '0') * 100;
92685Sdarrenr		c = *s++;
60857Sdarrenr		i--;
145522Sdarrenr		if (ISDIGIT(c)) {
110916Sdarrenr			cmd += (c - '0') * 10;
60857Sdarrenr			c = *s++;
60857Sdarrenr			i--;
145522Sdarrenr			if (ISDIGIT(c)) {
110916Sdarrenr				cmd += (c - '0');
60857Sdarrenr				c = *s++;
60857Sdarrenr				i--;
92685Sdarrenr				if ((c != '-') && (c != ' '))
110916Sdarrenr					goto bad_server_command;
60857Sdarrenr			} else
110916Sdarrenr				goto bad_server_command;
60857Sdarrenr		} else
110916Sdarrenr			goto bad_server_command;
110916Sdarrenr	} else {
110916Sdarrenrbad_server_command:
145522Sdarrenr		if (ippr_ftp_debug > 3)
145522Sdarrenr			printf("%s:bad:junk %d len %d/%d c 0x%x buf [%*.*s]\n",
145522Sdarrenr			       "ippr_ftp_server_valid",
145522Sdarrenr			       ftps->ftps_junk, (int)len, (int)i,
145522Sdarrenr			       c, (int)len, (int)len, buf);
60857Sdarrenr		return 1;
110916Sdarrenr	}
145522Sdarrenrsearch_eol:
60857Sdarrenr	for (; i; i--) {
145522Sdarrenr		pc = c;
60857Sdarrenr		c = *s++;
145522Sdarrenr		if ((pc == '\r') && (c == '\n')) {
110916Sdarrenr			ftps->ftps_cmds = cmd;
60857Sdarrenr			return 0;
110916Sdarrenr		}
60857Sdarrenr	}
145522Sdarrenr	if (ippr_ftp_debug > 3)
145522Sdarrenr		printf("ippr_ftp_server_valid:junk after cmd[%*.*s]\n",
145522Sdarrenr		       (int)len, (int)len, buf);
60857Sdarrenr	return 2;
60857Sdarrenr}
60857Sdarrenr
60857Sdarrenr
110916Sdarrenrint ippr_ftp_valid(ftp, side, buf, len)
110916Sdarrenrftpinfo_t *ftp;
92685Sdarrenrint side;
92685Sdarrenrchar *buf;
92685Sdarrenrsize_t len;
92685Sdarrenr{
110916Sdarrenr	ftpside_t *ftps;
92685Sdarrenr	int ret;
92685Sdarrenr
110916Sdarrenr	ftps = &ftp->ftp_side[side];
110916Sdarrenr
92685Sdarrenr	if (side == 0)
110916Sdarrenr		ret = ippr_ftp_client_valid(ftps, buf, len);
92685Sdarrenr	else
110916Sdarrenr		ret = ippr_ftp_server_valid(ftps, buf, len);
92685Sdarrenr	return ret;
92685Sdarrenr}
92685Sdarrenr
92685Sdarrenr
102520Sdarrenr/*
145522Sdarrenr * For map rules, the following applies:
102520Sdarrenr * rv == 0 for outbound processing,
102520Sdarrenr * rv == 1 for inbound processing.
145522Sdarrenr * For rdr rules, the following applies:
145522Sdarrenr * rv == 0 for inbound processing,
145522Sdarrenr * rv == 1 for outbound processing.
102520Sdarrenr */
145522Sdarrenrint ippr_ftp_process(fin, nat, ftp, rv)
60857Sdarrenrfr_info_t *fin;
60857Sdarrenrnat_t *nat;
60857Sdarrenrftpinfo_t *ftp;
60857Sdarrenrint rv;
60857Sdarrenr{
102520Sdarrenr	int mlen, len, off, inc, i, sel, sel2, ok, ackoff, seqoff;
145522Sdarrenr	char *rptr, *wptr, *s;
102520Sdarrenr	u_32_t thseq, thack;
102520Sdarrenr	ap_session_t *aps;
63523Sdarrenr	ftpside_t *f, *t;
60857Sdarrenr	tcphdr_t *tcp;
145522Sdarrenr	ip_t *ip;
60857Sdarrenr	mb_t *m;
60857Sdarrenr
145522Sdarrenr	m = fin->fin_m;
145522Sdarrenr	ip = fin->fin_ip;
60857Sdarrenr	tcp = (tcphdr_t *)fin->fin_dp;
145522Sdarrenr	off = (char *)tcp - (char *)ip + (TCP_OFF(tcp) << 2) + fin->fin_ipoff;
60857Sdarrenr
145522Sdarrenr	f = &ftp->ftp_side[rv];
145522Sdarrenr	t = &ftp->ftp_side[1 - rv];
145522Sdarrenr	thseq = ntohl(tcp->th_seq);
145522Sdarrenr	thack = ntohl(tcp->th_ack);
145522Sdarrenr
145522Sdarrenr#ifdef __sgi
145522Sdarrenr	mlen = fin->fin_plen - off;
60857Sdarrenr#else
145522Sdarrenr	mlen = MSGDSIZE(m) - off;
60857Sdarrenr#endif
145522Sdarrenr	if (ippr_ftp_debug > 4)
145522Sdarrenr		printf("ippr_ftp_process: mlen %d\n", mlen);
72006Sdarrenr
145522Sdarrenr	if (mlen <= 0) {
145522Sdarrenr		if ((tcp->th_flags & TH_OPENING) == TH_OPENING) {
145522Sdarrenr			f->ftps_seq[0] = thseq + 1;
145522Sdarrenr			t->ftps_seq[0] = thack;
145522Sdarrenr		}
145522Sdarrenr		return 0;
145522Sdarrenr	}
102520Sdarrenr	aps = nat->nat_aps;
60857Sdarrenr
102520Sdarrenr	sel = aps->aps_sel[1 - rv];
102520Sdarrenr	sel2 = aps->aps_sel[rv];
102520Sdarrenr	if (rv == 0) {
102520Sdarrenr		seqoff = aps->aps_seqoff[sel];
102520Sdarrenr		if (aps->aps_seqmin[sel] > seqoff + thseq)
102520Sdarrenr			seqoff = aps->aps_seqoff[!sel];
102520Sdarrenr		ackoff = aps->aps_ackoff[sel2];
102520Sdarrenr		if (aps->aps_ackmin[sel2] > ackoff + thack)
102520Sdarrenr			ackoff = aps->aps_ackoff[!sel2];
102520Sdarrenr	} else {
102520Sdarrenr		seqoff = aps->aps_ackoff[sel];
145522Sdarrenr		if (ippr_ftp_debug > 2)
145522Sdarrenr			printf("seqoff %d thseq %x ackmin %x\n", seqoff, thseq,
145522Sdarrenr			       aps->aps_ackmin[sel]);
102520Sdarrenr		if (aps->aps_ackmin[sel] > seqoff + thseq)
102520Sdarrenr			seqoff = aps->aps_ackoff[!sel];
60857Sdarrenr
102520Sdarrenr		ackoff = aps->aps_seqoff[sel2];
145522Sdarrenr		if (ippr_ftp_debug > 2)
145522Sdarrenr			printf("ackoff %d thack %x seqmin %x\n", ackoff, thack,
145522Sdarrenr			       aps->aps_seqmin[sel2]);
102520Sdarrenr		if (ackoff > 0) {
102520Sdarrenr			if (aps->aps_seqmin[sel2] > ackoff + thack)
102520Sdarrenr				ackoff = aps->aps_seqoff[!sel2];
102520Sdarrenr		} else {
102520Sdarrenr			if (aps->aps_seqmin[sel2] > thack)
102520Sdarrenr				ackoff = aps->aps_seqoff[!sel2];
102520Sdarrenr		}
95563Sdarrenr	}
145522Sdarrenr	if (ippr_ftp_debug > 2) {
145522Sdarrenr		printf("%s: %x seq %x/%d ack %x/%d len %d/%d off %d\n",
145522Sdarrenr		       rv ? "IN" : "OUT", tcp->th_flags, thseq, seqoff,
145522Sdarrenr		       thack, ackoff, mlen, fin->fin_plen, off);
145522Sdarrenr		printf("sel %d seqmin %x/%x offset %d/%d\n", sel,
145522Sdarrenr		       aps->aps_seqmin[sel], aps->aps_seqmin[sel2],
145522Sdarrenr		       aps->aps_seqoff[sel], aps->aps_seqoff[sel2]);
145522Sdarrenr		printf("sel %d ackmin %x/%x offset %d/%d\n", sel2,
145522Sdarrenr		       aps->aps_ackmin[sel], aps->aps_ackmin[sel2],
145522Sdarrenr		       aps->aps_ackoff[sel], aps->aps_ackoff[sel2]);
145522Sdarrenr	}
102520Sdarrenr
60857Sdarrenr	/*
60857Sdarrenr	 * XXX - Ideally, this packet should get dropped because we now know
60857Sdarrenr	 * that it is out of order (and there is no real danger in doing so
60857Sdarrenr	 * apart from causing packets to go through here ordered).
60857Sdarrenr	 */
145522Sdarrenr	if (ippr_ftp_debug > 2) {
145522Sdarrenr		printf("rv %d t:seq[0] %x seq[1] %x %d/%d\n",
145522Sdarrenr		       rv, t->ftps_seq[0], t->ftps_seq[1], seqoff, ackoff);
145522Sdarrenr	}
102520Sdarrenr
102520Sdarrenr	ok = 0;
110916Sdarrenr	if (t->ftps_seq[0] == 0) {
110916Sdarrenr		t->ftps_seq[0] = thack;
110916Sdarrenr		ok = 1;
110916Sdarrenr	} else {
102520Sdarrenr		if (ackoff == 0) {
102520Sdarrenr			if (t->ftps_seq[0] == thack)
102520Sdarrenr				ok = 1;
102520Sdarrenr			else if (t->ftps_seq[1] == thack) {
102520Sdarrenr				t->ftps_seq[0] = thack;
102520Sdarrenr				ok = 1;
102520Sdarrenr			}
102520Sdarrenr		} else {
102520Sdarrenr			if (t->ftps_seq[0] + ackoff == thack)
102520Sdarrenr				ok = 1;
102520Sdarrenr			else if (t->ftps_seq[0] == thack + ackoff)
102520Sdarrenr				ok = 1;
102520Sdarrenr			else if (t->ftps_seq[1] + ackoff == thack) {
102520Sdarrenr				t->ftps_seq[0] = thack - ackoff;
102520Sdarrenr				ok = 1;
102520Sdarrenr			} else if (t->ftps_seq[1] == thack + ackoff) {
102520Sdarrenr				t->ftps_seq[0] = thack - ackoff;
102520Sdarrenr				ok = 1;
102520Sdarrenr			}
102520Sdarrenr		}
102520Sdarrenr	}
102520Sdarrenr
145522Sdarrenr	if (ippr_ftp_debug > 2) {
145522Sdarrenr		if (!ok)
145522Sdarrenr			printf("%s ok\n", "not");
145522Sdarrenr	}
102520Sdarrenr
102520Sdarrenr	if (!mlen) {
110916Sdarrenr		if (t->ftps_seq[0] + ackoff != thack) {
145522Sdarrenr			if (ippr_ftp_debug > 1) {
145522Sdarrenr				printf("%s:seq[0](%x) + (%x) != (%x)\n",
145522Sdarrenr				       "ippr_ftp_process", t->ftps_seq[0],
145522Sdarrenr				       ackoff, thack);
145522Sdarrenr			}
95563Sdarrenr			return APR_ERR(1);
110916Sdarrenr		}
102520Sdarrenr
145522Sdarrenr		if (ippr_ftp_debug > 2) {
145522Sdarrenr			printf("ippr_ftp_process:f:seq[0] %x seq[1] %x\n",
145522Sdarrenr				f->ftps_seq[0], f->ftps_seq[1]);
145522Sdarrenr		}
145522Sdarrenr
102520Sdarrenr		if (tcp->th_flags & TH_FIN) {
110916Sdarrenr			if (thseq == f->ftps_seq[1]) {
110916Sdarrenr				f->ftps_seq[0] = f->ftps_seq[1] - seqoff;
110916Sdarrenr				f->ftps_seq[1] = thseq + 1 - seqoff;
110916Sdarrenr			} else {
145522Sdarrenr				if (ippr_ftp_debug > 1) {
145522Sdarrenr					printf("FIN: thseq %x seqoff %d ftps_seq %x\n",
145522Sdarrenr					       thseq, seqoff, f->ftps_seq[0]);
145522Sdarrenr				}
102520Sdarrenr				return APR_ERR(1);
102520Sdarrenr			}
95563Sdarrenr		}
102520Sdarrenr		f->ftps_len = 0;
102520Sdarrenr		return 0;
60857Sdarrenr	}
102520Sdarrenr
102520Sdarrenr	ok = 0;
110916Sdarrenr	if ((thseq == f->ftps_seq[0]) || (thseq == f->ftps_seq[1])) {
102520Sdarrenr		ok = 1;
102520Sdarrenr	/*
102520Sdarrenr	 * Retransmitted data packet.
102520Sdarrenr	 */
110916Sdarrenr	} else if ((thseq + mlen == f->ftps_seq[0]) ||
110916Sdarrenr		   (thseq + mlen == f->ftps_seq[1])) {
102520Sdarrenr		ok = 1;
110916Sdarrenr	}
110916Sdarrenr
102520Sdarrenr	if (ok == 0) {
102520Sdarrenr		inc = thseq - f->ftps_seq[0];
145522Sdarrenr		if (ippr_ftp_debug > 1) {
145522Sdarrenr			printf("inc %d sel %d rv %d\n", inc, sel, rv);
145522Sdarrenr			printf("th_seq %x ftps_seq %x/%x\n",
145522Sdarrenr			       thseq, f->ftps_seq[0], f->ftps_seq[1]);
145522Sdarrenr			printf("ackmin %x ackoff %d\n", aps->aps_ackmin[sel],
145522Sdarrenr			       aps->aps_ackoff[sel]);
145522Sdarrenr			printf("seqmin %x seqoff %d\n", aps->aps_seqmin[sel],
145522Sdarrenr			       aps->aps_seqoff[sel]);
145522Sdarrenr		}
102520Sdarrenr
102520Sdarrenr		return APR_ERR(1);
102520Sdarrenr	}
102520Sdarrenr
95563Sdarrenr	inc = 0;
102520Sdarrenr	rptr = f->ftps_rptr;
102520Sdarrenr	wptr = f->ftps_wptr;
102520Sdarrenr	f->ftps_seq[0] = thseq;
102520Sdarrenr	f->ftps_seq[1] = f->ftps_seq[0] + mlen;
72006Sdarrenr	f->ftps_len = mlen;
60857Sdarrenr
60857Sdarrenr	while (mlen > 0) {
145522Sdarrenr		len = MIN(mlen, sizeof(f->ftps_buf) - (wptr - rptr));
145522Sdarrenr		COPYDATA(m, off, len, wptr);
60857Sdarrenr		mlen -= len;
60857Sdarrenr		off += len;
60857Sdarrenr		wptr += len;
145522Sdarrenr
145522Sdarrenr		if (ippr_ftp_debug > 3)
145522Sdarrenr			printf("%s:len %d/%d off %d wptr %lx junk %d [%*.*s]\n",
145522Sdarrenr			       "ippr_ftp_process",
145522Sdarrenr			       len, mlen, off, (u_long)wptr, f->ftps_junk,
145522Sdarrenr			       len, len, rptr);
145522Sdarrenr
60857Sdarrenr		f->ftps_wptr = wptr;
145522Sdarrenr		if (f->ftps_junk != 0) {
145522Sdarrenr			i = f->ftps_junk;
110916Sdarrenr			f->ftps_junk = ippr_ftp_valid(ftp, rv, rptr,
110916Sdarrenr						      wptr - rptr);
60857Sdarrenr
145522Sdarrenr			if (ippr_ftp_debug > 5)
145522Sdarrenr				printf("%s:junk %d -> %d\n",
145522Sdarrenr				       "ippr_ftp_process", i, f->ftps_junk);
145522Sdarrenr
145522Sdarrenr			if (f->ftps_junk != 0) {
145522Sdarrenr				if (wptr - rptr == sizeof(f->ftps_buf)) {
145522Sdarrenr					if (ippr_ftp_debug > 4)
145522Sdarrenr						printf("%s:full buffer\n",
145522Sdarrenr						       "ippr_ftp_process");
145522Sdarrenr					f->ftps_rptr = f->ftps_buf;
145522Sdarrenr					f->ftps_wptr = f->ftps_buf;
145522Sdarrenr					rptr = f->ftps_rptr;
145522Sdarrenr					wptr = f->ftps_wptr;
145522Sdarrenr					/*
145522Sdarrenr					 * Because we throw away data here that
145522Sdarrenr					 * we would otherwise parse, set the
145522Sdarrenr					 * junk flag to indicate just ignore
145522Sdarrenr					 * any data upto the next CRLF.
145522Sdarrenr					 */
145522Sdarrenr					f->ftps_junk = 1;
145522Sdarrenr					continue;
145522Sdarrenr				}
145522Sdarrenr			}
145522Sdarrenr		}
145522Sdarrenr
60857Sdarrenr		while ((f->ftps_junk == 0) && (wptr > rptr)) {
145522Sdarrenr			len = wptr - rptr;
145522Sdarrenr			f->ftps_junk = ippr_ftp_valid(ftp, rv, rptr, len);
145522Sdarrenr
145522Sdarrenr			if (ippr_ftp_debug > 3) {
145522Sdarrenr				printf("%s=%d len %d rv %d ptr %lx/%lx ",
145522Sdarrenr				       "ippr_ftp_valid",
145522Sdarrenr				       f->ftps_junk, len, rv, (u_long)rptr,
145522Sdarrenr				       (u_long)wptr);
145522Sdarrenr				printf("buf [%*.*s]\n", len, len, rptr);
145522Sdarrenr			}
145522Sdarrenr
60857Sdarrenr			if (f->ftps_junk == 0) {
60857Sdarrenr				f->ftps_rptr = rptr;
60857Sdarrenr				if (rv)
60857Sdarrenr					inc += ippr_ftp_server(fin, ip, nat,
60857Sdarrenr							       ftp, len);
60857Sdarrenr				else
60857Sdarrenr					inc += ippr_ftp_client(fin, ip, nat,
60857Sdarrenr							       ftp, len);
60857Sdarrenr				rptr = f->ftps_rptr;
92685Sdarrenr				wptr = f->ftps_wptr;
60857Sdarrenr			}
60857Sdarrenr		}
60857Sdarrenr
92685Sdarrenr		/*
92685Sdarrenr		 * Off to a bad start so lets just forget about using the
92685Sdarrenr		 * ftp proxy for this connection.
92685Sdarrenr		 */
95563Sdarrenr		if ((f->ftps_cmds == 0) && (f->ftps_junk == 1)) {
102520Sdarrenr			/* f->ftps_seq[1] += inc; */
145522Sdarrenr
145522Sdarrenr			if (ippr_ftp_debug > 1)
145522Sdarrenr				printf("%s:cmds == 0 junk == 1\n",
145522Sdarrenr				       "ippr_ftp_process");
92685Sdarrenr			return APR_ERR(2);
95563Sdarrenr		}
92685Sdarrenr
145522Sdarrenr		if ((f->ftps_junk != 0) && (rptr < wptr)) {
145522Sdarrenr			for (s = rptr; s < wptr; s++) {
145522Sdarrenr				if ((*s == '\r') && (s + 1 < wptr) &&
145522Sdarrenr				    (*(s + 1) == '\n')) {
145522Sdarrenr					rptr = s + 2;
145522Sdarrenr					f->ftps_junk = 0;
67614Sdarrenr					break;
145522Sdarrenr				}
60857Sdarrenr			}
60857Sdarrenr		}
60857Sdarrenr
60857Sdarrenr		if (rptr == wptr) {
60857Sdarrenr			rptr = wptr = f->ftps_buf;
60857Sdarrenr		} else {
145522Sdarrenr			/*
145522Sdarrenr			 * Compact the buffer back to the start.  The junk
145522Sdarrenr			 * flag should already be set and because we're not
145522Sdarrenr			 * throwing away any data, it is preserved from its
145522Sdarrenr			 * current state.
145522Sdarrenr			 */
145522Sdarrenr			if (rptr > f->ftps_buf) {
145522Sdarrenr				bcopy(rptr, f->ftps_buf, len);
145522Sdarrenr				wptr -= rptr - f->ftps_buf;
145522Sdarrenr				rptr = f->ftps_buf;
60857Sdarrenr			}
60857Sdarrenr		}
145522Sdarrenr		f->ftps_rptr = rptr;
145522Sdarrenr		f->ftps_wptr = wptr;
60857Sdarrenr	}
60857Sdarrenr
102520Sdarrenr	/* f->ftps_seq[1] += inc; */
102520Sdarrenr	if (tcp->th_flags & TH_FIN)
102520Sdarrenr		f->ftps_seq[1]++;
145522Sdarrenr	if (ippr_ftp_debug > 3) {
145522Sdarrenr#ifdef __sgi
145522Sdarrenr		mlen = fin->fin_plen;
145522Sdarrenr#else
145522Sdarrenr		mlen = MSGDSIZE(m);
102520Sdarrenr#endif
145522Sdarrenr		mlen -= off;
145522Sdarrenr		printf("ftps_seq[1] = %x inc %d len %d\n",
145522Sdarrenr		       f->ftps_seq[1], inc, mlen);
145522Sdarrenr	}
102520Sdarrenr
60857Sdarrenr	f->ftps_rptr = rptr;
60857Sdarrenr	f->ftps_wptr = wptr;
64580Sdarrenr	return APR_INC(inc);
60857Sdarrenr}
60857Sdarrenr
60857Sdarrenr
145522Sdarrenrint ippr_ftp_out(fin, aps, nat)
60857Sdarrenrfr_info_t *fin;
60857Sdarrenrap_session_t *aps;
60857Sdarrenrnat_t *nat;
60857Sdarrenr{
60857Sdarrenr	ftpinfo_t *ftp;
145522Sdarrenr	int rev;
60857Sdarrenr
60857Sdarrenr	ftp = aps->aps_data;
60857Sdarrenr	if (ftp == NULL)
60857Sdarrenr		return 0;
145522Sdarrenr
145522Sdarrenr	rev = (nat->nat_dir == NAT_OUTBOUND) ? 0 : 1;
145522Sdarrenr	if (ftp->ftp_side[1 - rev].ftps_ifp == NULL)
145522Sdarrenr		ftp->ftp_side[1 - rev].ftps_ifp = fin->fin_ifp;
145522Sdarrenr
145522Sdarrenr	return ippr_ftp_process(fin, nat, ftp, rev);
60857Sdarrenr}
60857Sdarrenr
60857Sdarrenr
145522Sdarrenrint ippr_ftp_in(fin, aps, nat)
53642Sguidofr_info_t *fin;
53642Sguidoap_session_t *aps;
53642Sguidonat_t *nat;
53642Sguido{
60857Sdarrenr	ftpinfo_t *ftp;
145522Sdarrenr	int rev;
53642Sguido
60857Sdarrenr	ftp = aps->aps_data;
60857Sdarrenr	if (ftp == NULL)
60857Sdarrenr		return 0;
145522Sdarrenr
145522Sdarrenr	rev = (nat->nat_dir == NAT_OUTBOUND) ? 0 : 1;
145522Sdarrenr	if (ftp->ftp_side[rev].ftps_ifp == NULL)
145522Sdarrenr		ftp->ftp_side[rev].ftps_ifp = fin->fin_ifp;
145522Sdarrenr
145522Sdarrenr	return ippr_ftp_process(fin, nat, ftp, 1 - rev);
53642Sguido}
60857Sdarrenr
60857Sdarrenr
60857Sdarrenr/*
60857Sdarrenr * ippr_ftp_atoi - implement a version of atoi which processes numbers in
60857Sdarrenr * pairs separated by commas (which are expected to be in the range 0 - 255),
60857Sdarrenr * returning a 16 bit number combining either side of the , as the MSB and
60857Sdarrenr * LSB.
60857Sdarrenr */
60857Sdarrenru_short ippr_ftp_atoi(ptr)
60857Sdarrenrchar **ptr;
60857Sdarrenr{
60857Sdarrenr	register char *s = *ptr, c;
60857Sdarrenr	register u_char i = 0, j = 0;
60857Sdarrenr
145522Sdarrenr	while (((c = *s++) != '\0') && ISDIGIT(c)) {
60857Sdarrenr		i *= 10;
60857Sdarrenr		i += c - '0';
60857Sdarrenr	}
60857Sdarrenr	if (c != ',') {
60857Sdarrenr		*ptr = NULL;
60857Sdarrenr		return 0;
60857Sdarrenr	}
145522Sdarrenr	while (((c = *s++) != '\0') && ISDIGIT(c)) {
60857Sdarrenr		j *= 10;
60857Sdarrenr		j += c - '0';
60857Sdarrenr	}
60857Sdarrenr	*ptr = s;
67614Sdarrenr	i &= 0xff;
67614Sdarrenr	j &= 0xff;
60857Sdarrenr	return (i << 8) | j;
60857Sdarrenr}
145522Sdarrenr
145522Sdarrenr
145522Sdarrenrint ippr_ftp_epsv(fin, ip, nat, f, dlen)
145522Sdarrenrfr_info_t *fin;
145522Sdarrenrip_t *ip;
145522Sdarrenrnat_t *nat;
145522Sdarrenrftpside_t *f;
145522Sdarrenrint dlen;
145522Sdarrenr{
145522Sdarrenr	char newbuf[IPF_FTPBUFSZ];
145522Sdarrenr	char *s;
145522Sdarrenr	u_short ap = 0;
145522Sdarrenr
145522Sdarrenr#define EPSV_REPLEN	33
145522Sdarrenr	/*
145522Sdarrenr	 * Check for EPSV reply message.
145522Sdarrenr	 */
145522Sdarrenr	if (dlen < IPF_MIN229LEN)
145522Sdarrenr		return (0);
145522Sdarrenr	else if (strncmp(f->ftps_rptr,
145522Sdarrenr			 "229 Entering Extended Passive Mode", EPSV_REPLEN))
145522Sdarrenr		return (0);
145522Sdarrenr
145522Sdarrenr	/*
145522Sdarrenr	 * Skip the EPSV command + space
145522Sdarrenr	 */
145522Sdarrenr	s = f->ftps_rptr + 33;
145522Sdarrenr	while (*s && !ISDIGIT(*s))
145522Sdarrenr		s++;
145522Sdarrenr
145522Sdarrenr	/*
145522Sdarrenr	 * As per RFC 2428, there are no addres components in the EPSV
145522Sdarrenr	 * response.  So we'll go straight to getting the port.
145522Sdarrenr	 */
145522Sdarrenr	while (*s && ISDIGIT(*s)) {
145522Sdarrenr		ap *= 10;
145522Sdarrenr		ap += *s++ - '0';
145522Sdarrenr	}
145522Sdarrenr
145522Sdarrenr	if (!s)
145522Sdarrenr		return 0;
145522Sdarrenr
145522Sdarrenr	if (*s == '|')
145522Sdarrenr		s++;
145522Sdarrenr	if (*s == ')')
145522Sdarrenr		s++;
145522Sdarrenr	if (*s == '\n')
145522Sdarrenr		s--;
145522Sdarrenr	/*
145522Sdarrenr	 * check for CR-LF at the end.
145522Sdarrenr	 */
145522Sdarrenr	if ((*s == '\r') && (*(s + 1) == '\n')) {
145522Sdarrenr		s += 2;
145522Sdarrenr	} else
145522Sdarrenr		return 0;
145522Sdarrenr
145522Sdarrenr#if defined(SNPRINTF) && defined(_KERNEL)
145522Sdarrenr	SNPRINTF(newbuf, sizeof(newbuf), "%s (|||%u|)\r\n",
145522Sdarrenr		 "229 Entering Extended Passive Mode", ap);
145522Sdarrenr#else
145522Sdarrenr	(void) sprintf(newbuf, "%s (|||%u|)\r\n",
145522Sdarrenr		       "229 Entering Extended Passive Mode", ap);
145522Sdarrenr#endif
145522Sdarrenr
145522Sdarrenr	return ippr_ftp_pasvreply(fin, ip, nat, f, (u_int)ap, newbuf, s,
145522Sdarrenr				  ip->ip_src.s_addr);
145522Sdarrenr}