diff options
Diffstat (limited to 'libexec/tftp-proxy')
-rw-r--r-- | libexec/tftp-proxy/Makefile | 7 | ||||
-rw-r--r-- | libexec/tftp-proxy/filter.c | 397 | ||||
-rw-r--r-- | libexec/tftp-proxy/filter.h | 32 | ||||
-rw-r--r-- | libexec/tftp-proxy/tftp-proxy.8 | 140 | ||||
-rw-r--r-- | libexec/tftp-proxy/tftp-proxy.c | 386 |
5 files changed, 962 insertions, 0 deletions
diff --git a/libexec/tftp-proxy/Makefile b/libexec/tftp-proxy/Makefile new file mode 100644 index 00000000000..b5f4eefc089 --- /dev/null +++ b/libexec/tftp-proxy/Makefile @@ -0,0 +1,7 @@ +# $OpenBSD: Makefile,v 1.1 2005/12/28 19:07:07 jcs Exp $ + +PROG= tftp-proxy +SRCS= tftp-proxy.c filter.c +MAN= tftp-proxy.8 + +.include <bsd.prog.mk> diff --git a/libexec/tftp-proxy/filter.c b/libexec/tftp-proxy/filter.c new file mode 100644 index 00000000000..cd6ce3cd1e7 --- /dev/null +++ b/libexec/tftp-proxy/filter.c @@ -0,0 +1,397 @@ +/* $OpenBSD: filter.c,v 1.1 2005/12/28 19:07:07 jcs Exp $ */ + +/* + * Copyright (c) 2004, 2005 Camiel Dobbelaar, <cd@sentia.nl> + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ + +#include <syslog.h> + +#include <sys/ioctl.h> +#include <sys/types.h> +#include <sys/socket.h> + +#include <net/if.h> +#include <net/pfvar.h> +#include <netinet/in.h> +#include <netinet/tcp.h> +#include <arpa/inet.h> + +#include <err.h> +#include <errno.h> +#include <fcntl.h> +#include <stdio.h> +#include <stdlib.h> +#include <string.h> +#include <unistd.h> + +#include "filter.h" + +/* From netinet/in.h, but only _KERNEL_ gets them. */ +#define satosin(sa) ((struct sockaddr_in *)(sa)) +#define satosin6(sa) ((struct sockaddr_in6 *)(sa)) + +enum { TRANS_FILTER = 0, TRANS_NAT, TRANS_RDR, TRANS_SIZE }; + +int prepare_rule(u_int32_t, int, struct sockaddr *, struct sockaddr *, + u_int16_t, u_int8_t); +int server_lookup4(struct sockaddr_in *, struct sockaddr_in *, + struct sockaddr_in *, u_int8_t); +int server_lookup6(struct sockaddr_in6 *, struct sockaddr_in6 *, + struct sockaddr_in6 *, u_int8_t); + +static struct pfioc_pooladdr pfp; +static struct pfioc_rule pfr; +static struct pfioc_trans pft; +static struct pfioc_trans_e pfte[TRANS_SIZE]; +static int dev, rule_log; +static char *qname; + +int +add_filter(u_int32_t id, u_int8_t dir, struct sockaddr *src, + struct sockaddr *dst, u_int16_t d_port, u_int8_t proto) +{ + if (!src || !dst || !d_port || !proto) { + errno = EINVAL; + return (-1); + } + + if (prepare_rule(id, PF_RULESET_FILTER, src, dst, d_port, proto) == -1) + return (-1); + + pfr.rule.direction = dir; + if (ioctl(dev, DIOCADDRULE, &pfr) == -1) + return (-1); + + return (0); +} + +int +add_nat(u_int32_t id, struct sockaddr *src, struct sockaddr *dst, + u_int16_t d_port, struct sockaddr *nat, u_int16_t nat_range_low, + u_int16_t nat_range_high, u_int8_t proto) +{ + if (!src || !dst || !d_port || !nat || !nat_range_low || !proto || + (src->sa_family != nat->sa_family)) { + errno = EINVAL; + return (-1); + } + + if (prepare_rule(id, PF_RULESET_NAT, src, dst, d_port, proto) == -1) + return (-1); + + if (nat->sa_family == AF_INET) { + memcpy(&pfp.addr.addr.v.a.addr.v4, + &satosin(nat)->sin_addr.s_addr, 4); + memset(&pfp.addr.addr.v.a.mask.addr8, 255, 4); + } else { + memcpy(&pfp.addr.addr.v.a.addr.v6, + &satosin6(nat)->sin6_addr.s6_addr, 16); + memset(&pfp.addr.addr.v.a.mask.addr8, 255, 16); + } + if (ioctl(dev, DIOCADDADDR, &pfp) == -1) + return (-1); + + pfr.rule.rpool.proxy_port[0] = nat_range_low; + pfr.rule.rpool.proxy_port[1] = nat_range_high; + if (ioctl(dev, DIOCADDRULE, &pfr) == -1) + return (-1); + + return (0); +} + +int +add_rdr(u_int32_t id, struct sockaddr *src, struct sockaddr *dst, + u_int16_t d_port, struct sockaddr *rdr, u_int16_t rdr_port, u_int8_t proto) +{ + if (!src || !dst || !d_port || !rdr || !rdr_port || !proto || + (src->sa_family != rdr->sa_family)) { + errno = EINVAL; + return (-1); + } + + if (prepare_rule(id, PF_RULESET_RDR, src, dst, d_port, proto) == -1) + return (-1); + + if (rdr->sa_family == AF_INET) { + memcpy(&pfp.addr.addr.v.a.addr.v4, + &satosin(rdr)->sin_addr.s_addr, 4); + memset(&pfp.addr.addr.v.a.mask.addr8, 255, 4); + } else { + memcpy(&pfp.addr.addr.v.a.addr.v6, + &satosin6(rdr)->sin6_addr.s6_addr, 16); + memset(&pfp.addr.addr.v.a.mask.addr8, 255, 16); + } + if (ioctl(dev, DIOCADDADDR, &pfp) == -1) + return (-1); + + pfr.rule.rpool.proxy_port[0] = rdr_port; + if (ioctl(dev, DIOCADDRULE, &pfr) == -1) + return (-1); + + return (0); +} + +int +do_commit(void) +{ + if (ioctl(dev, DIOCXCOMMIT, &pft) == -1) + return (-1); + + return (0); +} + +int +do_rollback(void) +{ + if (ioctl(dev, DIOCXROLLBACK, &pft) == -1) + return (-1); + + return (0); +} + +void +init_filter(char *opt_qname, int opt_verbose) +{ + struct pf_status status; + + qname = opt_qname; + + if (opt_verbose == 1) + rule_log = PF_LOG; + else if (opt_verbose == 2) + rule_log = PF_LOG_ALL; + + dev = open("/dev/pf", O_RDWR); + if (dev == -1) { + syslog(LOG_ERR, "can't open /dev/pf"); + exit(1); + } + if (ioctl(dev, DIOCGETSTATUS, &status) == -1) { + syslog(LOG_ERR, "DIOCGETSTATUS"); + exit(1); + } + if (!status.running) { + syslog(LOG_ERR, "pf is disabled"); + exit(1); + } +} + +int +prepare_commit(u_int32_t id) +{ + char an[PF_ANCHOR_NAME_SIZE]; + int i; + + memset(&pft, 0, sizeof pft); + pft.size = TRANS_SIZE; + pft.esize = sizeof pfte[0]; + pft.array = pfte; + + snprintf(an, PF_ANCHOR_NAME_SIZE, "%s/%d.%d", FTP_PROXY_ANCHOR, + getpid(), id); + for (i = 0; i < TRANS_SIZE; i++) { + memset(&pfte[i], 0, sizeof pfte[0]); + strlcpy(pfte[i].anchor, an, PF_ANCHOR_NAME_SIZE); + switch (i) { + case TRANS_FILTER: + pfte[i].rs_num = PF_RULESET_FILTER; + break; + case TRANS_NAT: + pfte[i].rs_num = PF_RULESET_NAT; + break; + case TRANS_RDR: + pfte[i].rs_num = PF_RULESET_RDR; + break; + default: + errno = EINVAL; + return (-1); + } + } + + if (ioctl(dev, DIOCXBEGIN, &pft) == -1) + return (-1); + + return (0); +} + +int +prepare_rule(u_int32_t id, int rs_num, struct sockaddr *src, + struct sockaddr *dst, u_int16_t d_port, u_int8_t proto) +{ + char an[PF_ANCHOR_NAME_SIZE]; + + if ((src->sa_family != AF_INET && src->sa_family != AF_INET6) || + (src->sa_family != dst->sa_family)) { + errno = EPROTONOSUPPORT; + return (-1); + } + + memset(&pfp, 0, sizeof pfp); + memset(&pfr, 0, sizeof pfr); + snprintf(an, PF_ANCHOR_NAME_SIZE, "%s/%d.%d", FTP_PROXY_ANCHOR, + getpid(), id); + strlcpy(pfp.anchor, an, PF_ANCHOR_NAME_SIZE); + strlcpy(pfr.anchor, an, PF_ANCHOR_NAME_SIZE); + + switch (rs_num) { + case PF_RULESET_FILTER: + pfr.ticket = pfte[TRANS_FILTER].ticket; + break; + case PF_RULESET_NAT: + pfr.ticket = pfte[TRANS_NAT].ticket; + break; + case PF_RULESET_RDR: + pfr.ticket = pfte[TRANS_RDR].ticket; + break; + default: + errno = EINVAL; + return (-1); + } + if (ioctl(dev, DIOCBEGINADDRS, &pfp) == -1) + return (-1); + pfr.pool_ticket = pfp.ticket; + + /* Generic for all rule types. */ + pfr.rule.af = src->sa_family; + pfr.rule.proto = proto; + pfr.rule.src.addr.type = PF_ADDR_ADDRMASK; + pfr.rule.dst.addr.type = PF_ADDR_ADDRMASK; + if (src->sa_family == AF_INET) { + memcpy(&pfr.rule.src.addr.v.a.addr.v4, + &satosin(src)->sin_addr.s_addr, 4); + memset(&pfr.rule.src.addr.v.a.mask.addr8, 255, 4); + memcpy(&pfr.rule.dst.addr.v.a.addr.v4, + &satosin(dst)->sin_addr.s_addr, 4); + memset(&pfr.rule.dst.addr.v.a.mask.addr8, 255, 4); + } else { + memcpy(&pfr.rule.src.addr.v.a.addr.v6, + &satosin6(src)->sin6_addr.s6_addr, 16); + memset(&pfr.rule.src.addr.v.a.mask.addr8, 255, 16); + memcpy(&pfr.rule.dst.addr.v.a.addr.v6, + &satosin6(dst)->sin6_addr.s6_addr, 16); + memset(&pfr.rule.dst.addr.v.a.mask.addr8, 255, 16); + } + pfr.rule.dst.port_op = PF_OP_EQ; + pfr.rule.dst.port[0] = htons(d_port); + + switch (rs_num) { + case PF_RULESET_FILTER: + /* + * pass quick [log] inet[6] proto tcp \ + * from $src to $dst port = $d_port flags S/SAFR keep state + * (max 1) [queue qname] + */ + pfr.rule.action = PF_PASS; + pfr.rule.quick = 1; + pfr.rule.log = rule_log; + pfr.rule.keep_state = 1; + pfr.rule.flags = (proto == IPPROTO_TCP ? TH_SYN : NULL); + pfr.rule.flagset = (proto == IPPROTO_TCP ? + (TH_SYN|TH_ACK|TH_FIN|TH_RST) : NULL); + pfr.rule.max_states = 1; + if (qname != NULL) + strlcpy(pfr.rule.qname, qname, sizeof pfr.rule.qname); + break; + case PF_RULESET_NAT: + /* + * nat inet[6] proto tcp from $src to $dst port $d_port -> $nat + */ + pfr.rule.action = PF_NAT; + break; + case PF_RULESET_RDR: + /* + * rdr inet[6] proto tcp from $src to $dst port $d_port -> $rdr + */ + pfr.rule.action = PF_RDR; + break; + default: + errno = EINVAL; + return (-1); + } + + return (0); +} + +int +server_lookup(struct sockaddr *client, struct sockaddr *proxy, + struct sockaddr *server, u_int8_t proto) +{ + if (client->sa_family == AF_INET) + return (server_lookup4(satosin(client), satosin(proxy), + satosin(server), proto)); + + if (client->sa_family == AF_INET6) + return (server_lookup6(satosin6(client), satosin6(proxy), + satosin6(server), proto)); + + errno = EPROTONOSUPPORT; + return (-1); +} + +int +server_lookup4(struct sockaddr_in *client, struct sockaddr_in *proxy, + struct sockaddr_in *server, u_int8_t proto) +{ + struct pfioc_natlook pnl; + + memset(&pnl, 0, sizeof pnl); + pnl.direction = PF_OUT; + pnl.af = AF_INET; + pnl.proto = proto; + memcpy(&pnl.saddr.v4, &client->sin_addr.s_addr, sizeof pnl.saddr.v4); + memcpy(&pnl.daddr.v4, &proxy->sin_addr.s_addr, sizeof pnl.daddr.v4); + pnl.sport = client->sin_port; + pnl.dport = proxy->sin_port; + + if (ioctl(dev, DIOCNATLOOK, &pnl) == -1) + return (-1); + + memset(server, 0, sizeof(struct sockaddr_in)); + server->sin_len = sizeof(struct sockaddr_in); + server->sin_family = AF_INET; + memcpy(&server->sin_addr.s_addr, &pnl.rdaddr.v4, + sizeof server->sin_addr.s_addr); + server->sin_port = pnl.rdport; + + return (0); +} + +int +server_lookup6(struct sockaddr_in6 *client, struct sockaddr_in6 *proxy, + struct sockaddr_in6 *server, u_int8_t proto) +{ + struct pfioc_natlook pnl; + + memset(&pnl, 0, sizeof pnl); + pnl.direction = PF_OUT; + pnl.af = AF_INET6; + pnl.proto = proto; + memcpy(&pnl.saddr.v6, &client->sin6_addr.s6_addr, sizeof pnl.saddr.v6); + memcpy(&pnl.daddr.v6, &proxy->sin6_addr.s6_addr, sizeof pnl.daddr.v6); + pnl.sport = client->sin6_port; + pnl.dport = proxy->sin6_port; + + if (ioctl(dev, DIOCNATLOOK, &pnl) == -1) + return (-1); + + memset(server, 0, sizeof(struct sockaddr_in6)); + server->sin6_len = sizeof(struct sockaddr_in6); + server->sin6_family = AF_INET6; + memcpy(&server->sin6_addr.s6_addr, &pnl.rdaddr.v6, + sizeof server->sin6_addr); + server->sin6_port = pnl.rdport; + + return (0); +} diff --git a/libexec/tftp-proxy/filter.h b/libexec/tftp-proxy/filter.h new file mode 100644 index 00000000000..04d43f737cb --- /dev/null +++ b/libexec/tftp-proxy/filter.h @@ -0,0 +1,32 @@ +/* $OpenBSD: filter.h,v 1.1 2005/12/28 19:07:07 jcs Exp $ */ + +/* + * Copyright (c) 2004, 2005 Camiel Dobbelaar, <cd@sentia.nl> + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ + +#define FTP_PROXY_ANCHOR "tftp-proxy" + +int add_filter(u_int32_t, u_int8_t, struct sockaddr *, struct sockaddr *, + u_int16_t, u_int8_t); +int add_nat(u_int32_t, struct sockaddr *, struct sockaddr *, u_int16_t, + struct sockaddr *, u_int16_t, u_int16_t, u_int8_t); +int add_rdr(u_int32_t, struct sockaddr *, struct sockaddr *, u_int16_t, + struct sockaddr *, u_int16_t, u_int8_t); +int do_commit(void); +int do_rollback(void); +void init_filter(char *, int); +int prepare_commit(u_int32_t); +int server_lookup(struct sockaddr *, struct sockaddr *, struct sockaddr *, + u_int8_t); diff --git a/libexec/tftp-proxy/tftp-proxy.8 b/libexec/tftp-proxy/tftp-proxy.8 new file mode 100644 index 00000000000..b9098ef4d17 --- /dev/null +++ b/libexec/tftp-proxy/tftp-proxy.8 @@ -0,0 +1,140 @@ +.\" $OpenBSD: tftp-proxy.8,v 1.1 2005/12/28 19:07:07 jcs Exp $ +.\" +.\" Copyright (c) 2005 joshua stein <jcs@openbsd.org> +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" 3. The name of the author may not be used to endorse or promote products +.\" derived from this software without specific prior written permission. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR +.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES +.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. +.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, +.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT +.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, +.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY +.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT +.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF +.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. +.\" +.Dd November 28, 2005 +.Dt TFTP-PROXY 8 +.Os +.Sh NAME +.Nm tftp-proxy +.Nd Internet Trivial File Transfer Protocol proxy +.Sh SYNOPSIS +.Nm tftp-proxy +.Op Fl v +.Op Fl w Ar transwait +.Sh DESCRIPTION +.Nm +is a proxy for the Internet Trivial File Transfer Protocol invoked by +the +.Xr inetd 8 +internet server. +TFTP connections should be redirected to the proxy using the +.Xr pf 4 +.Ar rdr +command, after which the proxy connects to the server on behalf of +the client. +.Pp +The proxy establishes a +.Xr pf 4 +.Ar rdr +rule using the +.Ar anchor +facility to rewrite packets between the client and the server. +Once the rule is established, +.Nm +forwards the initial request from the client to the server to begin the +transfer. +After +.Ar transwait +seconds, the +.Xr pf 4 +NAT state is assumed to have been established and the +.Ar rdr +rule is deleted and the program exits. +Once the transfer between the client and the server is completed, the +NAT state will naturally expire. +.Pp +Assuming the TFTP command request is from $client to $server, the +proxy connected to the server using the $proxy source address, and +$port is negotiated, +.Nm +adds the following rule to the anchor: +.Bd -literal -offset indent +rdr proto udp from $server to $proxy port $port -\*(Gt $client +.Ed +.Pp +The options are as follows: +.Bl -tag -width Ds +.It Fl v +Log the connection and request information to +.Xr syslogd 8 . +.It Fl w Ar transwait +Number of seconds to wait for the data transmission to begin before +removing the +.Xr pf 4 +.Ar rdr +rule. +The default is 2 seconds. +.El +.Sh CONFIGURATION +To make use of the proxy, +.Xr pf.conf 5 +needs the following rules. +The anchors are mandatory. +Adjust the rules as needed for your configuration. +.Pp +In the NAT section: +.Bd -literal -offset indent +nat on $ext_if from $int_if -\*(Gt ($ext_if:0) + +no nat on $ext_if to port tftp + +rdr-anchor "tftp-proxy/*" +rdr on $int_if proto udp from $lan to any port tftp -\*(Gt \e + 127.0.0.1 port 6969 +.Ed +.Pp +In the filter section, an anchor must be added to hold the pass rules: +.Bd -literal -offset indent +anchor "tftp-proxy/*" +.Ed +.Pp +.Xr inetd 8 +must be configured to spawn the proxy on the port that packets are +being forwarded to by +.Xr pf 4 . +An example +.Xr inetd.conf 5 +entry follows: +.Bd -literal -offset indent +127.0.0.1:6969 dgram udp wait root \e + /usr/libexec/tftp-proxy tftp-proxy +.Ed +.Sh SEE ALSO +.Xr tftp 1 , +.Xr pf 4 , +.Xr pf.conf 5 , +.Xr ftp-proxy 8 , +.Xr inetd 8 , +.Xr syslogd 8 , +.Xr tftpd 8 +.Sh CAVEATS +.Nm +chroots to +.Pa /var/empty +and changes to user +.Dq proxy +to drop privileges. diff --git a/libexec/tftp-proxy/tftp-proxy.c b/libexec/tftp-proxy/tftp-proxy.c new file mode 100644 index 00000000000..4bded2a8c2b --- /dev/null +++ b/libexec/tftp-proxy/tftp-proxy.c @@ -0,0 +1,386 @@ +/* $OpenBSD: tftp-proxy.c,v 1.1 2005/12/28 19:07:07 jcs Exp $ + * + * Copyright (c) 2005 DLS Internet Services + * Copyright (c) 2004, 2005 Camiel Dobbelaar, <cd@sentia.nl> + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. The name of the author may not be used to endorse or promote products + * derived from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +#include <sys/types.h> +#include <sys/ioctl.h> +#include <sys/uio.h> +#include <unistd.h> + +#include <netinet/in.h> +#include <arpa/inet.h> +#include <arpa/tftp.h> +#include <sys/socket.h> +#include <net/if.h> +#include <net/pfvar.h> + +#include <errno.h> +#include <pwd.h> +#include <stdio.h> +#include <syslog.h> +#include <string.h> +#include <stdlib.h> + +#include "filter.h" + +#define CHROOT_DIR "/var/empty" +#define NOPRIV_USER "proxy" + +#define PF_NAT_PROXY_PORT_LOW 50001 +#define PF_NAT_PROXY_PORT_HIGH 65535 + +#define DEFTRANSWAIT 2 +#define NTOP_BUFS 4 +#define PKTSIZE SEGSIZE+4 + +const char *opcode(int); +const char *sock_ntop(struct sockaddr *); +u_int16_t pick_proxy_port(void); +static void usage(void); + +extern char *__progname; +char ntop_buf[NTOP_BUFS][INET6_ADDRSTRLEN]; +int verbose = 0; + +int +main(int argc, char *argv[]) +{ + int c, fd = 0, on = 1, out_fd = 0, peer, reqsize = 0; + int transwait = DEFTRANSWAIT; + char *p; + struct tftphdr *tp; + struct passwd *pw; + + char cbuf[CMSG_SPACE(sizeof(struct sockaddr_storage))]; + char req[PKTSIZE]; + struct cmsghdr *cmsg; + struct msghdr msg; + struct iovec iov; + + struct sockaddr_storage from, proxy, server, proxy_to_server, s_in; + struct sockaddr_in sock_out; + socklen_t j; + in_port_t bindport; + + openlog(__progname, LOG_PID | LOG_NDELAY, LOG_DAEMON); + + while ((c = getopt(argc, argv, "vw:")) != -1) + switch (c) { + case 'v': + verbose++; + break; + case 'w': + transwait = strtoll(optarg, &p, 10); + if (transwait < 1) { + syslog(LOG_ERR, "invalid -w value"); + exit(1); + } + break; + default: + usage(); + break; + } + + /* open /dev/pf */ + init_filter(NULL, verbose); + + tzset(); + + pw = getpwnam(NOPRIV_USER); + if (!pw) { + syslog(LOG_ERR, "no such user %s: %m", NOPRIV_USER); + exit(1); + } + if (chroot(CHROOT_DIR) || chdir("/")) { + syslog(LOG_ERR, "chroot %s: %m", CHROOT_DIR); + exit(1); + } + if (setgroups(1, &pw->pw_gid) || + setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) || + setresuid(pw->pw_uid, pw->pw_uid, pw->pw_uid)) { + syslog(LOG_ERR, "can't revoke privs: %m"); + exit(1); + } + + /* non-blocking io */ + if (ioctl(fd, FIONBIO, &on) < 0) { + syslog(LOG_ERR, "ioctl(FIONBIO): %m"); + exit(1); + } + + if (setsockopt(fd, IPPROTO_IP, IP_RECVDSTADDR, &on, sizeof(on)) == -1) { + syslog(LOG_ERR, "setsockopt(IP_RECVDSTADDR): %m"); + exit(1); + } + + j = sizeof(s_in); + if (getsockname(fd, (struct sockaddr *)&s_in, &j) == -1) { + syslog(LOG_ERR, "getsockname: %m"); + exit(1); + } + + bindport = ((struct sockaddr_in *)&s_in)->sin_port; + + /* req will be pushed back out at the end, unchanged */ + j = sizeof(from); + if ((reqsize = recvfrom(fd, req, sizeof(req), MSG_PEEK, + (struct sockaddr *)&from, &j)) < 0) { + syslog(LOG_ERR, "recvfrom: %m"); + exit(1); + } + + bzero(&msg, sizeof(msg)); + iov.iov_base = req; + iov.iov_len = sizeof(req); + msg.msg_name = &from; + msg.msg_namelen = sizeof(from); + msg.msg_iov = &iov; + msg.msg_iovlen = 1; + msg.msg_control = cbuf; + msg.msg_controllen = CMSG_LEN(sizeof(struct sockaddr_storage)); + + if (recvmsg(fd, &msg, 0) < 0) { + syslog(LOG_ERR, "recvmsg: %m"); + exit(1); + } + + close(fd); + close(1); + + peer = socket(from.ss_family, SOCK_DGRAM, 0); + if (peer < 0) { + syslog(LOG_ERR, "socket: %m"); + exit(1); + } + memset(&s_in, 0, sizeof(s_in)); + s_in.ss_family = from.ss_family; + s_in.ss_len = from.ss_len; + + /* get local address if possible */ + for (cmsg = CMSG_FIRSTHDR(&msg); cmsg != NULL; + cmsg = CMSG_NXTHDR(&msg, cmsg)) { + if (cmsg->cmsg_level == IPPROTO_IP && + cmsg->cmsg_type == IP_RECVDSTADDR) { + memcpy(&((struct sockaddr_in *)&s_in)->sin_addr, + CMSG_DATA(cmsg), sizeof(struct in_addr)); + break; + } + } + + if (bind(peer, (struct sockaddr *)&s_in, s_in.ss_len) < 0) { + syslog(LOG_ERR, "bind: %m"); + exit(1); + } + if (connect(peer, (struct sockaddr *)&from, from.ss_len) < 0) { + syslog(LOG_ERR, "connect: %m"); + exit(1); + } + + tp = (struct tftphdr *)req; + if (!(ntohs(tp->th_opcode) == RRQ || ntohs(tp->th_opcode) == WRQ)) { + /* not a tftp request, bail */ + if (verbose) { + syslog(LOG_WARNING, "not a valid tftp request"); + exit(1); + } else + /* exit 0 so inetd doesn't log anything */ + exit(0); + } + + j = sizeof(struct sockaddr_storage); + if (getsockname(fd, (struct sockaddr *)&proxy, &j) == -1) { + syslog(LOG_ERR, "getsockname: %m"); + exit(1); + } + + ((struct sockaddr_in *)&proxy)->sin_port = bindport; + + /* find the un-rdr'd server and port the client wanted */ + if (server_lookup((struct sockaddr *)&from, + (struct sockaddr *)&proxy, (struct sockaddr *)&server, + IPPROTO_UDP) != 0) { + syslog(LOG_ERR, "pf connection lookup failed (no rdr?)"); + exit(1); + } + + /* establish a new outbound connection to the remote server */ + if ((out_fd = socket(((struct sockaddr *)&from)->sa_family, + SOCK_DGRAM, IPPROTO_UDP)) < 0) { + syslog(LOG_ERR, "couldn't create new socket"); + exit(1); + } + + bzero((char *)&sock_out, sizeof(sock_out)); + sock_out.sin_family = from.ss_family; + sock_out.sin_port = htons(pick_proxy_port()); + if (bind(out_fd, (struct sockaddr *)&sock_out, sizeof(sock_out)) < 0) { + syslog(LOG_ERR, "couldn't bind to new socket: %m"); + exit(1); + } + + if (connect(out_fd, (struct sockaddr *)&server, + ((struct sockaddr *)&server)->sa_len) < 0 && errno != EINPROGRESS) { + syslog(LOG_ERR, "couldn't connect to remote server: %m"); + exit(1); + } + + j = sizeof(struct sockaddr_storage); + if ((getsockname(out_fd, (struct sockaddr *)&proxy_to_server, + &j)) < 0) { + syslog(LOG_ERR, "getsockname: %m"); + exit(1); + } + + if (verbose) + syslog(LOG_INFO, "%s:%d -> %s:%d/%s:%d -> %s:%d \"%s %s\"", + sock_ntop((struct sockaddr *)&from), + ntohs(((struct sockaddr_in *)&from)->sin_port), + sock_ntop((struct sockaddr *)&proxy), + ntohs(((struct sockaddr_in *)&proxy)->sin_port), + sock_ntop((struct sockaddr *)&proxy_to_server), + ntohs(((struct sockaddr_in *)&proxy_to_server)->sin_port), + sock_ntop((struct sockaddr *)&server), + ntohs(((struct sockaddr_in *)&server)->sin_port), + opcode(ntohs(tp->th_opcode)), + tp->th_stuff); + + /* get ready to add rdr and pass rules */ + if (prepare_commit(1) == -1) { + syslog(LOG_ERR, "couldn't prepare pf commit"); + exit(1); + } + + /* rdr from server to us on our random port -> client on its port */ + if (add_rdr(1, (struct sockaddr *)&server, + (struct sockaddr *)&proxy_to_server, ntohs(sock_out.sin_port), + (struct sockaddr *)&from, + ntohs(((struct sockaddr_in *)&from)->sin_port), + IPPROTO_UDP) == -1) { + syslog(LOG_ERR, "couldn't add rdr"); + exit(1); + } + + /* explicitly allow the packets to return back to the client (which pf + * will see post-rdr) */ + if (add_filter(1, PF_IN, (struct sockaddr *)&server, + (struct sockaddr *)&from, + ntohs(((struct sockaddr_in *)&from)->sin_port), + IPPROTO_UDP) == -1) { + syslog(LOG_ERR, "couldn't add pass in"); + exit(1); + } + + /* and just in case, to pass out from us to the server */ + if (add_filter(1, PF_OUT, (struct sockaddr *)&proxy_to_server, + (struct sockaddr *)&server, + ntohs(((struct sockaddr_in *)&server)->sin_port), + IPPROTO_UDP) == -1) { + syslog(LOG_ERR, "couldn't add pass out"); + exit(1); + } + + if (do_commit() == -1) { + syslog(LOG_ERR, "couldn't commit pf rules"); + exit(1); + } + + /* forward the initial tftp request and start the insanity */ + if (send(out_fd, tp, reqsize, 0) < 0) { + syslog(LOG_ERR, "couldn't forward tftp packet: %m"); + exit(1); + } + + /* allow the transfer to start to establish a state */ + sleep(transwait); + + /* delete our rdr rule and clean up */ + prepare_commit(1); + do_commit(); + + return(0); +} + +const char * +opcode(int code) +{ + static char str[6]; + + switch (code) { + case 1: + (void)snprintf(str, sizeof(str), "RRQ"); + break; + case 2: + (void)snprintf(str, sizeof(str), "WRQ"); + break; + default: + (void)snprintf(str, sizeof(str), "(%d)", code); + break; + } + + return (str); +} + +const char * +sock_ntop(struct sockaddr *sa) +{ + static int n = 0; + + /* Cycle to next buffer. */ + n = (n + 1) % NTOP_BUFS; + ntop_buf[n][0] = '\0'; + + if (sa->sa_family == AF_INET) { + struct sockaddr_in *sin = (struct sockaddr_in *)sa; + + return (inet_ntop(AF_INET, &sin->sin_addr, ntop_buf[n], + sizeof ntop_buf[0])); + } + + if (sa->sa_family == AF_INET6) { + struct sockaddr_in6 *sin6 = (struct sockaddr_in6 *)sa; + + return (inet_ntop(AF_INET6, &sin6->sin6_addr, ntop_buf[n], + sizeof ntop_buf[0])); + } + + return (NULL); +} + +u_int16_t +pick_proxy_port(void) +{ + return (IPPORT_HIFIRSTAUTO + (arc4random() % + (IPPORT_HILASTAUTO - IPPORT_HIFIRSTAUTO))); +} + +static void +usage(void) +{ + syslog(LOG_ERR, "usage: %s [-v] [-w transwait]", __progname); + exit(1); +} |