1 /* $OpenBSD: ftp-proxy.c,v 1.13 2006/12/30 13:24:00 camield Exp $ */
4 * Copyright (c) 2004, 2005 Camiel Dobbelaar, <cd@sentia.nl>
6 * Permission to use, copy, modify, and distribute this software for any
7 * purpose with or without fee is hereby granted, provided that the above
8 * copyright notice and this permission notice appear in all copies.
10 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
11 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
12 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
13 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
14 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
15 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
16 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
19 #include <sys/queue.h>
20 #include <sys/types.h>
22 #include <sys/resource.h>
23 #include <sys/socket.h>
26 #include <net/pf/pfvar.h>
27 #include <netinet/in.h>
28 #include <arpa/inet.h>
47 #define CONNECT_TIMEOUT 30
50 #define MAX_LOGLINE 300
52 #define TCP_BACKLOG 10
54 #define CHROOT_DIR "/var/empty"
55 #define NOPRIV_USER "proxy"
57 /* pfctl standard NAT range. */
58 #define PF_NAT_PROXY_PORT_LOW 50001
59 #define PF_NAT_PROXY_PORT_HIGH 65535
61 #define sstosa(ss) ((struct sockaddr *)(ss))
63 enum { CMD_NONE = 0, CMD_PORT, CMD_EPRT, CMD_PASV, CMD_EPSV };
67 struct sockaddr_storage client_ss;
68 struct sockaddr_storage proxy_ss;
69 struct sockaddr_storage server_ss;
70 struct sockaddr_storage orig_server_ss;
71 struct bufferevent *client_bufev;
72 struct bufferevent *server_bufev;
82 LIST_ENTRY(session) entry;
85 LIST_HEAD(, session) sessions = LIST_HEAD_INITIALIZER(sessions);
87 void client_error(struct bufferevent *, short, void *);
88 int client_parse(struct session *s);
89 int client_parse_anon(struct session *s);
90 int client_parse_cmd(struct session *s);
91 void client_read(struct bufferevent *, void *);
93 void end_session(struct session *);
94 int exit_daemon(void);
95 int getline(char *, size_t *);
96 void handle_connection(const int, short, void *);
97 void handle_signal(int, short, void *);
98 struct session * init_session(void);
99 void logmsg(int, const char *, ...);
100 u_int16_t parse_port(int);
101 u_int16_t pick_proxy_port(void);
102 void proxy_reply(int, struct sockaddr *, u_int16_t);
103 void server_error(struct bufferevent *, short, void *);
104 int server_parse(struct session *s);
105 void server_read(struct bufferevent *, void *);
106 const char *sock_ntop(struct sockaddr *);
109 char linebuf[MAX_LINE + 1];
112 char ntop_buf[NTOP_BUFS][INET6_ADDRSTRLEN];
114 struct sockaddr_storage fixed_server_ss, fixed_proxy_ss;
115 char *fixed_server, *fixed_server_port, *fixed_proxy, *listen_ip, *listen_port,
117 int anonymous_only, daemonize, id_count, ipv6_mode, loglevel, max_sessions,
118 rfc_mode, session_count, timeout, verbose;
119 extern char *__progname;
122 client_error(struct bufferevent *bufev, short what, void *arg)
124 struct session *s = arg;
126 if (what & EVBUFFER_EOF)
127 logmsg(LOG_INFO, "#%d client close", s->id);
128 else if (what == (EVBUFFER_ERROR | EVBUFFER_READ))
129 logmsg(LOG_ERR, "#%d client reset connection", s->id);
130 else if (what & EVBUFFER_TIMEOUT)
131 logmsg(LOG_ERR, "#%d client timeout", s->id);
132 else if (what & EVBUFFER_WRITE)
133 logmsg(LOG_ERR, "#%d client write error: %d", s->id, what);
135 logmsg(LOG_ERR, "#%d abnormal client error: %d", s->id, what);
141 client_parse(struct session *s)
143 /* Reset any previous command. */
147 /* Commands we are looking for are at least 4 chars long. */
151 if (linebuf[0] == 'P' || linebuf[0] == 'p' ||
152 linebuf[0] == 'E' || linebuf[0] == 'e')
153 return (client_parse_cmd(s));
155 if (anonymous_only && (linebuf[0] == 'U' || linebuf[0] == 'u'))
156 return (client_parse_anon(s));
162 client_parse_anon(struct session *s)
164 if (strcasecmp("USER ftp\r\n", linebuf) != 0 &&
165 strcasecmp("USER anonymous\r\n", linebuf) != 0) {
166 snprintf(linebuf, sizeof linebuf,
167 "500 Only anonymous FTP allowed\r\n");
168 logmsg(LOG_DEBUG, "#%d proxy: %s", s->id, linebuf);
170 /* Talk back to the client ourself. */
171 linelen = strlen(linebuf);
172 bufferevent_write(s->client_bufev, linebuf, linelen);
174 /* Clear buffer so it's not sent to the server. */
183 client_parse_cmd(struct session *s)
185 if (strncasecmp("PASV", linebuf, 4) == 0)
187 else if (strncasecmp("PORT ", linebuf, 5) == 0)
189 else if (strncasecmp("EPSV", linebuf, 4) == 0)
191 else if (strncasecmp("EPRT ", linebuf, 5) == 0)
196 if (ipv6_mode && (s->cmd == CMD_PASV || s->cmd == CMD_PORT)) {
197 logmsg(LOG_CRIT, "PASV and PORT not allowed with IPv6");
201 if (s->cmd == CMD_PORT || s->cmd == CMD_EPRT) {
202 s->port = parse_port(s->cmd);
203 if (s->port < MIN_PORT) {
204 logmsg(LOG_CRIT, "#%d bad port in '%s'", s->id,
208 s->proxy_port = pick_proxy_port();
209 proxy_reply(s->cmd, sstosa(&s->proxy_ss), s->proxy_port);
210 logmsg(LOG_DEBUG, "#%d proxy: %s", s->id, linebuf);
217 client_read(struct bufferevent *bufev, void *arg)
219 struct session *s = arg;
220 size_t buf_avail, read;
224 buf_avail = sizeof s->cbuf - s->cbuf_valid;
225 read = bufferevent_read(bufev, s->cbuf + s->cbuf_valid,
227 s->cbuf_valid += read;
229 while ((n = getline(s->cbuf, &s->cbuf_valid)) > 0) {
230 logmsg(LOG_DEBUG, "#%d client: %s", s->id, linebuf);
231 if (!client_parse(s)) {
235 bufferevent_write(s->server_bufev, linebuf, linelen);
239 logmsg(LOG_ERR, "#%d client command too long or not"
244 } while (read == buf_avail);
252 pw = getpwnam(NOPRIV_USER);
257 if (chroot(CHROOT_DIR) != 0 || chdir("/") != 0 ||
258 setgroups(1, &pw->pw_gid) != 0 ||
259 setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) != 0 ||
260 setresuid(pw->pw_uid, pw->pw_uid, pw->pw_uid) != 0)
267 end_session(struct session *s)
271 logmsg(LOG_INFO, "#%d ending session", s->id);
273 if (s->client_fd != -1)
275 if (s->server_fd != -1)
279 bufferevent_free(s->client_bufev);
281 bufferevent_free(s->server_bufev);
283 /* Remove rulesets by commiting empty ones. */
285 if (prepare_commit(s->id) == -1)
287 else if (do_commit() == -1) {
292 logmsg(LOG_ERR, "#%d pf rule removal failed: %s", s->id,
295 LIST_REMOVE(s, entry);
303 struct session *s, *tmp;
305 LIST_FOREACH_MUTABLE(s, &sessions, entry, tmp) {
319 getline(char *buf, size_t *valid)
323 if (*valid > MAX_LINE)
326 /* Copy to linebuf while searching for a newline. */
327 for (i = 0; i < *valid; i++) {
336 /* No newline found. */
345 linebuf[linelen] = '\0';
348 /* Move leftovers to the start. */
350 bcopy(buf + linelen, buf, *valid);
352 return ((int)linelen);
356 handle_connection(const int listen_fd, short event, void *ev)
358 struct sockaddr_storage tmp_ss;
359 struct sockaddr *client_sa, *server_sa, *fixed_server_sa;
360 struct sockaddr *client_to_proxy_sa, *proxy_to_server_sa;
363 int client_fd, fc, on;
366 * We _must_ accept the connection, otherwise libevent will keep
367 * coming back, and we will chew up all CPU.
369 client_sa = sstosa(&tmp_ss);
370 len = sizeof(struct sockaddr_storage);
371 if ((client_fd = accept(listen_fd, client_sa, &len)) < 0) {
372 logmsg(LOG_CRIT, "accept failed: %s", strerror(errno));
376 /* Refuse connection if the maximum is reached. */
377 if (session_count >= max_sessions) {
378 logmsg(LOG_ERR, "client limit (%d) reached, refusing "
379 "connection from %s", max_sessions, sock_ntop(client_sa));
384 /* Allocate session and copy back the info from the accept(). */
387 logmsg(LOG_CRIT, "init_session failed");
391 s->client_fd = client_fd;
392 memcpy(sstosa(&s->client_ss), client_sa, client_sa->sa_len);
394 /* Cast it once, and be done with it. */
395 client_sa = sstosa(&s->client_ss);
396 server_sa = sstosa(&s->server_ss);
397 client_to_proxy_sa = sstosa(&tmp_ss);
398 proxy_to_server_sa = sstosa(&s->proxy_ss);
399 fixed_server_sa = sstosa(&fixed_server_ss);
401 /* Log id/client early to ease debugging. */
402 logmsg(LOG_DEBUG, "#%d accepted connection from %s", s->id,
403 sock_ntop(client_sa));
406 * Find out the real server and port that the client wanted.
408 len = sizeof(struct sockaddr_storage);
409 if ((getsockname(s->client_fd, client_to_proxy_sa, &len)) < 0) {
410 logmsg(LOG_CRIT, "#%d getsockname failed: %s", s->id,
414 if (server_lookup(client_sa, client_to_proxy_sa, server_sa) != 0) {
415 logmsg(LOG_CRIT, "#%d server lookup failed (no rdr?)", s->id);
419 memcpy(sstosa(&s->orig_server_ss), server_sa,
421 memcpy(server_sa, fixed_server_sa, fixed_server_sa->sa_len);
424 /* XXX: check we are not connecting to ourself. */
427 * Setup socket and connect to server.
429 if ((s->server_fd = socket(server_sa->sa_family, SOCK_STREAM,
431 logmsg(LOG_CRIT, "#%d server socket failed: %s", s->id,
435 if (fixed_proxy && bind(s->server_fd, sstosa(&fixed_proxy_ss),
436 fixed_proxy_ss.ss_len) != 0) {
437 logmsg(LOG_CRIT, "#%d cannot bind fixed proxy address: %s",
438 s->id, strerror(errno));
442 /* Use non-blocking connect(), see CONNECT_TIMEOUT below. */
443 if ((fc = fcntl(s->server_fd, F_GETFL)) == -1 ||
444 fcntl(s->server_fd, F_SETFL, fc | O_NONBLOCK) == -1) {
445 logmsg(LOG_CRIT, "#%d cannot mark socket non-blocking: %s",
446 s->id, strerror(errno));
449 if (connect(s->server_fd, server_sa, server_sa->sa_len) < 0 &&
450 errno != EINPROGRESS) {
451 logmsg(LOG_CRIT, "#%d proxy cannot connect to server %s: %s",
452 s->id, sock_ntop(server_sa), strerror(errno));
456 len = sizeof(struct sockaddr_storage);
457 if ((getsockname(s->server_fd, proxy_to_server_sa, &len)) < 0) {
458 logmsg(LOG_CRIT, "#%d getsockname failed: %s", s->id,
463 logmsg(LOG_INFO, "#%d FTP session %d/%d started: client %s to server "
464 "%s via proxy %s ", s->id, session_count, max_sessions,
465 sock_ntop(client_sa), sock_ntop(server_sa),
466 sock_ntop(proxy_to_server_sa));
468 /* Keepalive is nice, but don't care if it fails. */
470 setsockopt(s->client_fd, SOL_SOCKET, SO_KEEPALIVE, (void *)&on,
472 setsockopt(s->server_fd, SOL_SOCKET, SO_KEEPALIVE, (void *)&on,
476 * Setup buffered events.
478 s->client_bufev = bufferevent_new(s->client_fd, &client_read, NULL,
480 if (s->client_bufev == NULL) {
481 logmsg(LOG_CRIT, "#%d bufferevent_new client failed", s->id);
484 bufferevent_settimeout(s->client_bufev, timeout, 0);
485 bufferevent_enable(s->client_bufev, EV_READ | EV_TIMEOUT);
487 s->server_bufev = bufferevent_new(s->server_fd, &server_read, NULL,
489 if (s->server_bufev == NULL) {
490 logmsg(LOG_CRIT, "#%d bufferevent_new server failed", s->id);
493 bufferevent_settimeout(s->server_bufev, CONNECT_TIMEOUT, 0);
494 bufferevent_enable(s->server_bufev, EV_READ | EV_TIMEOUT);
503 handle_signal(int sig, short event, void *arg)
506 * Signal handler rules don't apply, libevent decouples for us.
509 logmsg(LOG_ERR, "%s exiting on signal %d", __progname, sig);
520 s = calloc(1, sizeof(struct session));
531 s->client_bufev = NULL;
532 s->server_bufev = NULL;
536 LIST_INSERT_HEAD(&sessions, s, entry);
543 logmsg(int pri, const char *message, ...)
550 va_start(ap, message);
553 /* syslog does its own vissing. */
554 vsyslog(pri, message, ap);
556 char buf[MAX_LOGLINE];
557 char visbuf[2 * MAX_LOGLINE];
559 /* We don't care about truncation. */
560 vsnprintf(buf, sizeof buf, message, ap);
561 strnvis(visbuf, buf, sizeof visbuf, VIS_CSTYLE | VIS_NL);
562 fprintf(stderr, "%s\n", visbuf);
569 main(int argc, char *argv[])
572 struct addrinfo hints, *res;
573 struct event ev, ev_sighup, ev_sigint, ev_sigterm;
574 int ch, error, listenfd, on;
582 fixed_server_port = "21";
585 listen_port = "8021";
586 loglevel = LOG_NOTICE;
593 /* Other initialization. */
597 while ((ch = getopt(argc, argv, "6Aa:b:D:dm:P:p:q:R:rt:v")) != -1) {
606 fixed_proxy = optarg;
612 loglevel = strtonum(optarg, LOG_EMERG, LOG_DEBUG,
615 errx(1, "loglevel %s", errstr);
621 max_sessions = strtonum(optarg, 1, 500, &errstr);
623 errx(1, "max sessions %s", errstr);
626 fixed_server_port = optarg;
629 listen_port = optarg;
632 if (strlen(optarg) >= PF_QNAME_SIZE)
633 errx(1, "queuename too long");
637 fixed_server = optarg;
643 timeout = strtonum(optarg, 0, 86400, &errstr);
645 errx(1, "timeout %s", errstr);
657 if (listen_ip == NULL)
658 listen_ip = ipv6_mode ? "::1" : "127.0.0.1";
660 /* Check for root to save the user from cryptic failure messages. */
662 errx(1, "needs to start as root");
664 /* Raise max. open files limit to satisfy max. sessions. */
665 rlp.rlim_cur = rlp.rlim_max = (2 * max_sessions) + 10;
666 if (setrlimit(RLIMIT_NOFILE, &rlp) == -1)
670 memset(&hints, 0, sizeof hints);
671 hints.ai_flags = AI_NUMERICHOST;
672 hints.ai_family = ipv6_mode ? AF_INET6 : AF_INET;
673 hints.ai_socktype = SOCK_STREAM;
674 error = getaddrinfo(fixed_proxy, NULL, &hints, &res);
676 errx(1, "getaddrinfo fixed proxy address failed: %s",
677 gai_strerror(error));
678 memcpy(&fixed_proxy_ss, res->ai_addr, res->ai_addrlen);
679 logmsg(LOG_INFO, "using %s to connect to servers",
680 sock_ntop(sstosa(&fixed_proxy_ss)));
685 memset(&hints, 0, sizeof hints);
686 hints.ai_family = ipv6_mode ? AF_INET6 : AF_INET;
687 hints.ai_socktype = SOCK_STREAM;
688 error = getaddrinfo(fixed_server, fixed_server_port, &hints,
691 errx(1, "getaddrinfo fixed server address failed: %s",
692 gai_strerror(error));
693 memcpy(&fixed_server_ss, res->ai_addr, res->ai_addrlen);
694 logmsg(LOG_INFO, "using fixed server %s",
695 sock_ntop(sstosa(&fixed_server_ss)));
699 /* Setup listener. */
700 memset(&hints, 0, sizeof hints);
701 hints.ai_flags = AI_NUMERICHOST | AI_PASSIVE;
702 hints.ai_family = ipv6_mode ? AF_INET6 : AF_INET;
703 hints.ai_socktype = SOCK_STREAM;
704 error = getaddrinfo(listen_ip, listen_port, &hints, &res);
706 errx(1, "getaddrinfo listen address failed: %s",
707 gai_strerror(error));
708 if ((listenfd = socket(res->ai_family, SOCK_STREAM, IPPROTO_TCP)) == -1)
709 errx(1, "socket failed");
711 if (setsockopt(listenfd, SOL_SOCKET, SO_REUSEADDR, (void *)&on,
713 err(1, "setsockopt failed");
714 if (bind(listenfd, (struct sockaddr *)res->ai_addr,
715 (socklen_t)res->ai_addrlen) != 0)
716 err(1, "bind failed");
717 if (listen(listenfd, TCP_BACKLOG) != 0)
718 err(1, "listen failed");
722 init_filter(qname, verbose);
725 if (daemon(0, 0) == -1)
726 err(1, "cannot daemonize");
727 openlog(__progname, LOG_PID | LOG_NDELAY, LOG_DAEMON);
730 /* Use logmsg for output from here on. */
733 logmsg(LOG_ERR, "cannot drop privileges: %s", strerror(errno));
739 /* Setup signal handler. */
740 signal(SIGPIPE, SIG_IGN);
741 signal_set(&ev_sighup, SIGHUP, handle_signal, NULL);
742 signal_set(&ev_sigint, SIGINT, handle_signal, NULL);
743 signal_set(&ev_sigterm, SIGTERM, handle_signal, NULL);
744 signal_add(&ev_sighup, NULL);
745 signal_add(&ev_sigint, NULL);
746 signal_add(&ev_sigterm, NULL);
748 event_set(&ev, listenfd, EV_READ | EV_PERSIST, handle_connection, &ev);
749 event_add(&ev, NULL);
751 logmsg(LOG_NOTICE, "listening on %s port %s", listen_ip, listen_port);
756 logmsg(LOG_ERR, "event_dispatch error: %s", strerror(errno));
766 unsigned int port, v[6];
770 /* Find the last space or left-parenthesis. */
771 for (p = linebuf + linelen; p > linebuf; p--)
772 if (*p == ' ' || *p == '(')
779 n = sscanf(p, " %u,%u,%u,%u,%u,%u", &v[0], &v[1], &v[2],
780 &v[3], &v[4], &v[5]);
781 if (n == 6 && v[0] < 256 && v[1] < 256 && v[2] < 256 &&
782 v[3] < 256 && v[4] < 256 && v[5] < 256)
783 return ((v[4] << 8) | v[5]);
786 n = sscanf(p, "(%u,%u,%u,%u,%u,%u)", &v[0], &v[1], &v[2],
787 &v[3], &v[4], &v[5]);
788 if (n == 6 && v[0] < 256 && v[1] < 256 && v[2] < 256 &&
789 v[3] < 256 && v[4] < 256 && v[5] < 256)
790 return ((v[4] << 8) | v[5]);
793 n = sscanf(p, "(|||%u|)", &port);
794 if (n == 1 && port < 65536)
798 n = sscanf(p, " |1|%u.%u.%u.%u|%u|", &v[0], &v[1], &v[2],
800 if (n == 5 && v[0] < 256 && v[1] < 256 && v[2] < 256 &&
801 v[3] < 256 && port < 65536)
803 n = sscanf(p, " |2|%*[a-fA-F0-9:]|%u|", &port);
804 if (n == 1 && port < 65536)
815 pick_proxy_port(void)
817 /* Random should be good enough for avoiding port collisions. */
818 return (IPPORT_HIFIRSTAUTO + (arc4random() %
819 (IPPORT_HILASTAUTO - IPPORT_HIFIRSTAUTO)));
823 proxy_reply(int cmd, struct sockaddr *sa, u_int16_t port)
829 r = snprintf(linebuf, sizeof linebuf,
830 "PORT %s,%u,%u\r\n", sock_ntop(sa), port / 256,
834 r = snprintf(linebuf, sizeof linebuf,
835 "227 Entering Passive Mode (%s,%u,%u)\r\n", sock_ntop(sa),
836 port / 256, port % 256);
839 if (sa->sa_family == AF_INET)
840 r = snprintf(linebuf, sizeof linebuf,
841 "EPRT |1|%s|%u|\r\n", sock_ntop(sa), port);
842 else if (sa->sa_family == AF_INET6)
843 r = snprintf(linebuf, sizeof linebuf,
844 "EPRT |2|%s|%u|\r\n", sock_ntop(sa), port);
847 r = snprintf(linebuf, sizeof linebuf,
848 "229 Entering Extended Passive Mode (|||%u|)\r\n", port);
852 if (r < 0 || r >= sizeof linebuf) {
853 logmsg(LOG_ERR, "proxy_reply failed: %d", r);
860 if (cmd == CMD_PORT || cmd == CMD_PASV) {
861 /* Replace dots in IP address with commas. */
862 for (i = 0; i < linelen; i++)
863 if (linebuf[i] == '.')
869 server_error(struct bufferevent *bufev, short what, void *arg)
871 struct session *s = arg;
873 if (what & EVBUFFER_EOF)
874 logmsg(LOG_INFO, "#%d server close", s->id);
875 else if (what == (EVBUFFER_ERROR | EVBUFFER_READ))
876 logmsg(LOG_ERR, "#%d server refused connection", s->id);
877 else if (what & EVBUFFER_WRITE)
878 logmsg(LOG_ERR, "#%d server write error: %d", s->id, what);
879 else if (what & EVBUFFER_TIMEOUT)
880 logmsg(LOG_NOTICE, "#%d server timeout", s->id);
882 logmsg(LOG_ERR, "#%d abnormal server error: %d", s->id, what);
888 server_parse(struct session *s)
890 struct sockaddr *client_sa, *orig_sa, *proxy_sa, *server_sa;
893 if (s->cmd == CMD_NONE || linelen < 4 || linebuf[0] != '2')
897 * The pf rules below do quite some NAT rewriting, to keep up
898 * appearances. Points to keep in mind:
899 * 1) The client must think it's talking to the real server,
900 * for both control and data connections. Transparently.
901 * 2) The server must think that the proxy is the client.
902 * 3) Source and destination ports are rewritten to minimize
903 * port collisions, to aid security (some systems pick weak
904 * ports) or to satisfy RFC requirements (source port 20).
907 /* Cast this once, to make code below it more readable. */
908 client_sa = sstosa(&s->client_ss);
909 server_sa = sstosa(&s->server_ss);
910 proxy_sa = sstosa(&s->proxy_ss);
912 /* Fixed server: data connections must appear to come
913 from / go to the original server, not the fixed one. */
914 orig_sa = sstosa(&s->orig_server_ss);
916 /* Server not fixed: orig_server == server. */
917 orig_sa = sstosa(&s->server_ss);
920 if ((s->cmd == CMD_PASV && strncmp("227 ", linebuf, 4) == 0) ||
921 (s->cmd == CMD_EPSV && strncmp("229 ", linebuf, 4) == 0)) {
922 s->port = parse_port(s->cmd);
923 if (s->port < MIN_PORT) {
924 logmsg(LOG_CRIT, "#%d bad port in '%s'", s->id,
928 s->proxy_port = pick_proxy_port();
929 logmsg(LOG_INFO, "#%d passive: client to server port %d"
930 " via port %d", s->id, s->port, s->proxy_port);
932 if (prepare_commit(s->id) == -1)
936 proxy_reply(s->cmd, orig_sa, s->proxy_port);
937 logmsg(LOG_DEBUG, "#%d proxy: %s", s->id, linebuf);
939 /* rdr from $client to $orig_server port $proxy_port -> $server
941 if (add_rdr(s->id, client_sa, orig_sa, s->proxy_port,
942 server_sa, s->port) == -1)
945 /* nat from $client to $server port $port -> $proxy */
946 if (add_nat(s->id, client_sa, server_sa, s->port, proxy_sa,
947 PF_NAT_PROXY_PORT_LOW, PF_NAT_PROXY_PORT_HIGH) == -1)
950 /* pass in from $client to $server port $port */
951 if (add_filter(s->id, PF_IN, client_sa, server_sa,
955 /* pass out from $proxy to $server port $port */
956 if (add_filter(s->id, PF_OUT, proxy_sa, server_sa,
962 if ((s->cmd == CMD_PORT || s->cmd == CMD_EPRT) &&
963 strncmp("200 ", linebuf, 4) == 0) {
964 logmsg(LOG_INFO, "#%d active: server to client port %d"
965 " via port %d", s->id, s->port, s->proxy_port);
967 if (prepare_commit(s->id) == -1)
971 /* rdr from $server to $proxy port $proxy_port -> $client port
973 if (add_rdr(s->id, server_sa, proxy_sa, s->proxy_port,
974 client_sa, s->port) == -1)
977 /* nat from $server to $client port $port -> $orig_server port
979 if (rfc_mode && s->cmd == CMD_PORT) {
980 /* Rewrite sourceport to RFC mandated 20. */
981 if (add_nat(s->id, server_sa, client_sa, s->port,
982 orig_sa, 20, 20) == -1)
985 /* Let pf pick a source port from the standard range. */
986 if (add_nat(s->id, server_sa, client_sa, s->port,
987 orig_sa, PF_NAT_PROXY_PORT_LOW,
988 PF_NAT_PROXY_PORT_HIGH) == -1)
992 /* pass in from $server to $client port $port */
993 if (add_filter(s->id, PF_IN, server_sa, client_sa, s->port) ==
997 /* pass out from $orig_server to $client port $port */
998 if (add_filter(s->id, PF_OUT, orig_sa, client_sa, s->port) ==
1003 /* Commit rules if they were prepared. */
1004 if (prepared && (do_commit() == -1)) {
1007 /* One more try if busy. */
1009 if (do_commit() == -1)
1020 logmsg(LOG_CRIT, "#%d pf operation failed: %s", s->id, strerror(errno));
1027 server_read(struct bufferevent *bufev, void *arg)
1029 struct session *s = arg;
1030 size_t buf_avail, read;
1033 bufferevent_settimeout(bufev, timeout, 0);
1036 buf_avail = sizeof s->sbuf - s->sbuf_valid;
1037 read = bufferevent_read(bufev, s->sbuf + s->sbuf_valid,
1039 s->sbuf_valid += read;
1041 while ((n = getline(s->sbuf, &s->sbuf_valid)) > 0) {
1042 logmsg(LOG_DEBUG, "#%d server: %s", s->id, linebuf);
1043 if (!server_parse(s)) {
1047 bufferevent_write(s->client_bufev, linebuf, linelen);
1051 logmsg(LOG_ERR, "#%d server reply too long or not"
1056 } while (read == buf_avail);
1060 sock_ntop(struct sockaddr *sa)
1064 /* Cycle to next buffer. */
1065 n = (n + 1) % NTOP_BUFS;
1066 ntop_buf[n][0] = '\0';
1068 if (sa->sa_family == AF_INET) {
1069 struct sockaddr_in *sin = (struct sockaddr_in *)sa;
1071 return (inet_ntop(AF_INET, &sin->sin_addr, ntop_buf[n],
1072 sizeof ntop_buf[0]));
1075 if (sa->sa_family == AF_INET6) {
1076 struct sockaddr_in6 *sin6 = (struct sockaddr_in6 *)sa;
1078 return (inet_ntop(AF_INET6, &sin6->sin6_addr, ntop_buf[n],
1079 sizeof ntop_buf[0]));
1088 fprintf(stderr, "usage: %s [-6Adrv] [-a address] [-b address]"
1089 " [-D level] [-m maxsessions]\n [-P port]"
1090 " [-p port] [-q queue] [-R address] [-t timeout]\n", __progname);