Some firewalls are known to be severely broken with EPSV requests.
This enables Admin to turn it off if they need to.
follow_x_forwarded_for allow my_other_proxy
</verb>
+ <tag>ftp_epsv</tag>
+ <verb>
+ FTP Protocol extensions permit the use of a special "EPSV" command.
+
+ NATs may be able to put the connection on a "fast path" through the
+ translator using EPSV, as the EPRT command will never be used and therefore,
+ translation of the data portion of the segments will never be needed.
+
+ Turning this OFF will prevent EPSV being attempted.
+
+ WARNING: Doing so will convert Squid back to the old behavior with all
+ the related problems with external NAT devices/layers.
+
+ Requires ftp_passive to be ON (default) for any effect.
+ </verb>
+
<tag>ftp_epsv_all</tag>
<verb>
FTP Protocol extensions permit the use of a special "EPSV ALL" command.
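Review bot: The WARNING paragraph in the new ftp_epsv entry refers to "the old behavior" without naming it, and the entry never says why an admin would turn the option off. Suggest stating that with ftp_epsv off Squid sends PASV for passive connections, and adding a sentence on the case the commit message gives (firewalls that break on EPSV requests), so the release notes can be read on their own.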
If you have any doubts about this option do not use it.
Squid will nicely attempt all other connection methods.
- Requires ftp_passive to be ON (default)
+ Requires ftp_passive to be ON (default) for any effect.
+DOC_END
+
+NAME: ftp_epsv
+TYPE: onoff
+DEFAULT: on
+LOC: Config.Ftp.epsv
+DOC_START
+ FTP Protocol extensions permit the use of a special "EPSV" command.
+
+ NATs may be able to put the connection on a "fast path" through the
+ translator using EPSV, as the EPRT command will never be used and therefore,
+ translation of the data portion of the segments will never be needed.
+
+ Turning this OFF will prevent EPSV being attempted.
+ WARNING: Doing so will convert Squid back to the old behavior with all
+ the related problems with external NAT devices/layers.
+
+ Requires ftp_passive to be ON (default) for any effect.
DOC_END
NAME: ftp_sanitycheck
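Review bot: In the ftp_epsv DOC_START text the WARNING line follows "Turning this OFF will prevent EPSV being attempted." with no blank line, while the release notes copy of the same text separates the two; add the blank line so both copies match. The ftp_epsv_all entry touched at the top of this hunk should also say that it has no effect when ftp_epsv is off, since the ftp.cc change tests !Config.Ftp.epsv before Config.Ftp.epsv_all.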
break;
default:
- if (Config.Ftp.epsv_all) {
+ if (!Config.Ftp.epsv) {
+ snprintf(cbuf, 1024, "PASV\r\n");
+ ftpState->state = SENT_PASV;
+ } else if (Config.Ftp.epsv_all) {
snprintf(cbuf, 1024, "EPSV ALL\r\n");
ftpState->state = SENT_EPSV_ALL;
/* block other non-EPSV connections being attempted */
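Review bot: The new `if (!Config.Ftp.epsv)` test runs before the `Config.Ftp.epsv_all` test, so a configuration with ftp_epsv off and ftp_epsv_all on silently sends PASV, which is the kind of non-EPSV attempt the existing comment on the EPSV ALL branch says that setting is meant to block. Suggest warning about that combination (when the configuration is read, or here), and giving the PASV branch a short comment saying that EPSV was disabled by the admin.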
char *anon_user;
int passive;
int epsv_all;
+ int epsv;
int sanitycheck;
int telnet;
} Ftp;