
Commit 55a73324 authored by Jozsef Kadlecsik's avatar Jozsef Kadlecsik Committed by David S. Miller

[NETFILTER]: nf_nat: add FTP NAT helper port



Add FTP NAT helper.

Split out from Jozsef's big nf_nat patch with a few small fixes by myself.

Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
parent 5b1158e9
+10 −10
@@ -3,16 +3,16 @@
/* FTP tracking. */

/* This enum is exposed to userspace */
enum ip_ct_ftp_type
enum nf_ct_ftp_type
{
	/* PORT command from client */
	IP_CT_FTP_PORT,
	NF_CT_FTP_PORT,
	/* PASV response from server */
	IP_CT_FTP_PASV,
	NF_CT_FTP_PASV,
	/* EPRT command from client */
	IP_CT_FTP_EPRT,
	NF_CT_FTP_EPRT,
	/* EPSV response from server */
	IP_CT_FTP_EPSV,
	NF_CT_FTP_EPSV,
};

#ifdef __KERNEL__
@@ -21,23 +21,23 @@ enum ip_ct_ftp_type

#define NUM_SEQ_TO_REMEMBER 2
/* This structure exists only once per master */
struct ip_ct_ftp_master {
struct nf_ct_ftp_master {
	/* Valid seq positions for cmd matching after newline */
	u_int32_t seq_aft_nl[IP_CT_DIR_MAX][NUM_SEQ_TO_REMEMBER];
	/* 0 means seq_match_aft_nl not set */
	int seq_aft_nl_num[IP_CT_DIR_MAX];
};

struct ip_conntrack_expect;
struct nf_conntrack_expect;

/* For NAT to hook in when we find a packet which describes what other
 * connection we should expect. */
extern unsigned int (*ip_nat_ftp_hook)(struct sk_buff **pskb,
extern unsigned int (*nf_nat_ftp_hook)(struct sk_buff **pskb,
				       enum ip_conntrack_info ctinfo,
				       enum ip_ct_ftp_type type,
				       enum nf_ct_ftp_type type,
				       unsigned int matchoff,
				       unsigned int matchlen,
				       struct ip_conntrack_expect *exp,
				       struct nf_conntrack_expect *exp,
				       u32 *seq);
#endif /* __KERNEL__ */

+39 −1
#ifndef _IP_CONNTRACK_FTP_H
#define _IP_CONNTRACK_FTP_H
/* FTP tracking. */

#include <linux/netfilter/nf_conntrack_ftp.h>
/* This enum is exposed to userspace */
enum ip_ct_ftp_type
{
	/* PORT command from client */
	IP_CT_FTP_PORT,
	/* PASV response from server */
	IP_CT_FTP_PASV,
	/* EPRT command from client */
	IP_CT_FTP_EPRT,
	/* EPSV response from server */
	IP_CT_FTP_EPSV,
};

#ifdef __KERNEL__

#define FTP_PORT	21

#define NUM_SEQ_TO_REMEMBER 2
/* This structure exists only once per master */
struct ip_ct_ftp_master {
	/* Valid seq positions for cmd matching after newline */
	u_int32_t seq_aft_nl[IP_CT_DIR_MAX][NUM_SEQ_TO_REMEMBER];
	/* 0 means seq_match_aft_nl not set */
	int seq_aft_nl_num[IP_CT_DIR_MAX];
};

struct ip_conntrack_expect;

/* For NAT to hook in when we find a packet which describes what other
 * connection we should expect. */
extern unsigned int (*ip_nat_ftp_hook)(struct sk_buff **pskb,
				       enum ip_conntrack_info ctinfo,
				       enum ip_ct_ftp_type type,
				       unsigned int matchoff,
				       unsigned int matchlen,
				       struct ip_conntrack_expect *exp,
				       u32 *seq);
#endif /* __KERNEL__ */

#endif /* _IP_CONNTRACK_FTP_H */
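Review bot: The definitions restored in this header appear to be a second copy of what `<linux/netfilter/nf_conntrack_ftp.h>` now declares under the `nf_ct_` names, and nothing in this file says the two copies must stay aligned. `enum ip_ct_ftp_type` is marked as exposed to userspace, so its enumerator order is effectively ABI, and `NUM_SEQ_TO_REMEMBER` carries the same name in both headers, so a later edit to one copy becomes a macro redefinition for any file that ends up including both. I would add a comment above the enum such as `/* Duplicate of enum nf_ct_ftp_type in <linux/netfilter/nf_conntrack_ftp.h>; keep the values identical. */`. Giving the enumerators explicit values (`IP_CT_FTP_PORT = 0,` and likewise for the other three) would also stop a reordering from silently changing what userspace sees.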
+1 −1
@@ -45,7 +45,7 @@ union nf_conntrack_expect_proto {
/* per conntrack: application helper private data */
union nf_conntrack_help {
	/* insert conntrack helper private data (master) here */
	struct ip_ct_ftp_master ct_ftp_info;
	struct nf_ct_ftp_master ct_ftp_info;
};

#include <linux/types.h>
+17 −8
@@ -477,20 +477,29 @@ config IP_NF_NAT_SNMP_BASIC

	  To compile it as a module, choose M here.  If unsure, say N.

# If they want FTP, set to $CONFIG_IP_NF_NAT (m or y),
# or $CONFIG_IP_NF_FTP (m or y), whichever is weaker.
# From kconfig-language.txt:
#
#           <expr> '&&' <expr>                   (6)
#
# (6) Returns the result of min(/expr/, /expr/).
config IP_NF_NAT_FTP
	tristate
	depends on IP_NF_IPTABLES && IP_NF_CONNTRACK && IP_NF_NAT
	default IP_NF_NAT && IP_NF_FTP

config NF_NAT_FTP
	tristate
	depends on IP_NF_IPTABLES && NF_CONNTRACK && NF_NAT
	default NF_NAT && NF_CONNTRACK_FTP

config IP_NF_NAT_IRC
	tristate
	depends on IP_NF_IPTABLES!=n && IP_NF_CONNTRACK!=n && IP_NF_NAT!=n
	default IP_NF_NAT if IP_NF_IRC=y
	default m if IP_NF_IRC=m

# If they want FTP, set to $CONFIG_IP_NF_NAT (m or y), 
# or $CONFIG_IP_NF_FTP (m or y), whichever is weaker.  Argh.
config IP_NF_NAT_FTP
	tristate
	depends on IP_NF_IPTABLES!=n && IP_NF_CONNTRACK!=n && IP_NF_NAT!=n
	default IP_NF_NAT if IP_NF_FTP=y
	default m if IP_NF_FTP=m

config IP_NF_NAT_TFTP
	tristate
	depends on IP_NF_IPTABLES!=n && IP_NF_CONNTRACK!=n && IP_NF_NAT!=n
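Review bot: The new `config NF_NAT_FTP` entry has no comment of its own, and the explanatory block above `IP_NF_NAT_FTP` names only `$CONFIG_IP_NF_NAT` and `$CONFIG_IP_NF_FTP`. Because the symbol is a promptless tristate with `default NF_NAT && NF_CONNTRACK_FTP`, the FTP NAT helper is built implicitly whenever those two are set and cannot be switched off on its own. That is worth stating for anyone auditing which protocol helpers a NAT gateway build carries. A line above the entry such as `# nf_conntrack port: NF_NAT_FTP = min(NF_NAT, NF_CONNTRACK_FTP); no prompt, follows those two.` would cover it.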
+4 −1
@@ -40,7 +40,7 @@ obj-$(CONFIG_IP_NF_IRC) += ip_conntrack_irc.o
obj-$(CONFIG_IP_NF_SIP) += ip_conntrack_sip.o
obj-$(CONFIG_IP_NF_NETBIOS_NS) += ip_conntrack_netbios_ns.o

# NAT helpers 
# NAT helpers (ip_conntrack)
obj-$(CONFIG_IP_NF_NAT_H323) += ip_nat_h323.o
obj-$(CONFIG_IP_NF_NAT_PPTP) += ip_nat_pptp.o
obj-$(CONFIG_IP_NF_NAT_AMANDA) += ip_nat_amanda.o
@@ -49,6 +49,9 @@ obj-$(CONFIG_IP_NF_NAT_FTP) += ip_nat_ftp.o
obj-$(CONFIG_IP_NF_NAT_IRC) += ip_nat_irc.o
obj-$(CONFIG_IP_NF_NAT_SIP) += ip_nat_sip.o

# NAT helpers (nf_conntrack)
obj-$(CONFIG_NF_NAT_FTP) += nf_nat_ftp.o

# generic IP tables 
obj-$(CONFIG_IP_NF_IPTABLES) += ip_tables.o
