squid 3.5.24: latest patches (14144-14148)
1 ------------------------------------------------------------
2 revno: 14148
3 revision-id: squid3@treenet.co.nz-20170226110942-90rcwhx3fwa2l7is
4 parent: squid3@treenet.co.nz-20170226085617-89jfjndt62i83qtn
5 author: Alexander Gozman <a.gozman@securitycode.ru>
6 committer: Amos Jeffries <squid3@treenet.co.nz>
7 branch nick: 3.5
8 timestamp: Mon 2017-02-27 00:09:42 +1300
9 message:
10 Native FTP relay: NAT and TPROXY interception fixes
11 ------------------------------------------------------------
12 # Bazaar merge directive format 2 (Bazaar 0.90)
13 # revision_id: squid3@treenet.co.nz-20170226110942-90rcwhx3fwa2l7is
14 # target_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
15 # testament_sha1: 63f57f0ddddf0f231c3ef88a12728a707828c6ad
16 # timestamp: 2017-02-26 11:51:04 +0000
17 # source_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
18 # base_revision_id: squid3@treenet.co.nz-20170226085617-\
19 # 89jfjndt62i83qtn
20 #
21 # Begin patch
22 === modified file 'src/servers/FtpServer.cc'
23 --- src/servers/FtpServer.cc 2017-01-01 00:16:45 +0000
24 +++ src/servers/FtpServer.cc 2017-02-26 11:09:42 +0000
25 @@ -1454,9 +1454,33 @@
26 Comm::ConnectionPointer conn = new Comm::Connection();
27 conn->flags |= COMM_DOBIND;
28
29 - // Use local IP address of the control connection as the source address
30 - // of the active data connection, or some clients will refuse to accept.
31 - conn->setAddrs(clientConnection->local, cltAddr);
32 + if (clientConnection->flags & COMM_INTERCEPTION) {
33 + // In the case of NAT interception conn->local value is not set
34 + // because the TCP stack will automatically pick correct source
35 + // address for the data connection. We must only ensure that IP
36 + // version matches client's address.
37 + conn->local.setAnyAddr();
38 +
39 + if (cltAddr.isIPv4())
40 + conn->local.setIPv4();
41 +
42 + conn->remote = cltAddr;
43 + } else {
44 + // In the case of explicit-proxy the local IP of the control connection
45 + // is the Squid IP the client is knowingly talking to.
46 + //
47 + // In the case of TPROXY the IP address of the control connection is
48 + // server IP the client is connecting to, it can be spoofed by Squid.
49 + //
50 + // In both cases some clients may refuse to accept data connections if
51 + // these control connectin local-IP's are not used.
52 + conn->setAddrs(clientConnection->local, cltAddr);
53 +
54 + // Using non-local addresses in TPROXY mode requires appropriate socket option.
55 + if (clientConnection->flags & COMM_TRANSPARENT)
56 + conn->flags |= COMM_TRANSPARENT;
57 + }
58 +
59 // RFC 959 requires active FTP connections to originate from port 20
60 // but that would preclude us from supporting concurrent transfers! (XXX?)
61 conn->local.port(0);
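Review bot: The comment opening the interception branch says "conn->local value is not set", but the two statements right under it do set it — `setAnyAddr()` and then `setIPv4()` when the client is IPv4 — so a later reader will wonder which is true; I would reword it to `// In the NAT interception case conn->local is left as the wildcard (any) address so the TCP stack picks the correct source address for the data connection; we only force the IP version to match the client's.`. The else-branch comment has a typo, `these control connectin local-IP's` should read `these control connection local-IPs`. The branch choice keys only on COMM_INTERCEPTION, and the TPROXY handling (COMM_TRANSPARENT) lives in the else branch; if a connection could ever carry both flags it would skip the TPROXY socket option, which this hunk alone cannot rule out, so a one-line comment stating that the two flags are mutually exclusive (if that is the case) would make the intent explicit. The enclosing function starts and ends outside the hunk.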
62