From: Amos Jeffries Date: Thu, 25 Jun 2009 13:32:03 +0000 (+1200) Subject: Add ftp_epsv control to disable EPSV support. X-Git-Tag: SQUID_3_2_0_1~932 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=51ee534d52fb0f9f4e95f72c0f1e092e098f8423;p=thirdparty%2Fsquid.git Add ftp_epsv control to disable EPSV support. Some firewalls are known to be severely broken with EPSV requests. This enables Admin to turn it off if they need to. --- diff --git a/doc/release-notes/release-3.1.sgml b/doc/release-notes/release-3.1.sgml index bbabbc4757..5fba020a4c 100644 --- a/doc/release-notes/release-3.1.sgml +++ b/doc/release-notes/release-3.1.sgml @@ -630,6 +630,22 @@ This section gives a thorough account of those changes in three categories: follow_x_forwarded_for allow my_other_proxy + ftp_epsv + + FTP Protocol extensions permit the use of a special "EPSV" command. + + NATs may be able to put the connection on a "fast path" through the + translator using EPSV, as the EPRT command will never be used and therefore, + translation of the data portion of the segments will never be needed. + + Turning this OFF will prevent EPSV being attempted. + + WARNING: Doing so will convert Squid back to the old behavior with all + the related problems with external NAT devices/layers. + + Requires ftp_passive to be ON (default) for any effect. + + ftp_epsv_all FTP Protocol extensions permit the use of a special "EPSV ALL" command. diff --git a/src/cf.data.pre b/src/cf.data.pre index 7620c08e16..e4fc7be80a 100644 --- a/src/cf.data.pre +++ b/src/cf.data.pre 
@@ -2728,7 +2728,25 @@ DOC_START If you have any doubts about this option do not use it. Squid will nicely attempt all other connection methods. - Requires ftp_passive to be ON (default) + Requires ftp_passive to be ON (default) for any effect. +DOC_END + +NAME: ftp_epsv +TYPE: onoff +DEFAULT: on +LOC: Config.Ftp.epsv +DOC_START + FTP Protocol extensions permit the use of a special "EPSV" command. + + NATs may be able to put the connection on a "fast path" through the + translator using EPSV, as the EPRT command will never be used and therefore, + translation of the data portion of the segments will never be needed. + + Turning this OFF will prevent EPSV being attempted. + WARNING: Doing so will convert Squid back to the old behavior with all + the related problems with external NAT devices/layers. + + Requires ftp_passive to be ON (default) for any effect. DOC_END NAME: ftp_sanitycheck diff --git a/src/ftp.cc b/src/ftp.cc index dc232e50ed..9c3a09954b 100644 --- a/src/ftp.cc +++ b/src/ftp.cc @@ -2617,7 +2617,10 @@ ftpSendPassive(FtpStateData * ftpState) break; default: - if (Config.Ftp.epsv_all) { + if (!Config.Ftp.epsv) { + snprintf(cbuf, 1024, "PASV\r\n"); + ftpState->state = SENT_PASV; + } else if (Config.Ftp.epsv_all) { snprintf(cbuf, 1024, "EPSV ALL\r\n"); ftpState->state = SENT_EPSV_ALL; /* block other non-EPSV connections being attempted */ diff --git a/src/structs.h b/src/structs.h index 23bf0c36f7..27ffee5c97 100644 --- a/src/structs.h +++ b/src/structs.h @@ -489,6 +489,7 @@ struct SquidConfig { char *anon_user; int passive; int epsv_all; + int epsv; int sanitycheck; int telnet; } Ftp;
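Review bot: in the release-3.1.sgml hunk, the new ftp_epsv entry describes only the EPSV/PASV trade-off and does not say that switching it off also silences ftp_epsv_all, yet the ftp.cc hunk tests Config.Ftp.epsv before Config.Ftp.epsv_all, so an admin with ftp_epsv off and ftp_epsv_all on gets no hint that the second option is ignored. Suggest a line next to "Requires ftp_passive to be ON (default) for any effect." along the lines of "Turning this OFF also disables ftp_epsv_all." Separately, the notes file touched is release-3.1.sgml while the commit is tagged under SQUID_3_2_0_1; confirm that is the intended release-notes file for this change.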
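Review bot: the cf.data.pre DOC_START block for ftp_epsv loses the blank line between "Turning this OFF will prevent EPSV being attempted." and the "WARNING:" paragraph that the release-notes copy keeps; the two texts should be identical so the generated squid.conf.documented matches the notes. The block should also state the fallback behaviour visible in ftp.cc: with ftp_epsv off Squid sends plain PASV, which carries an IPv4 address, so a passive data connection to an IPv6 FTP server is not possible in that configuration, and ftp_epsv_all has no effect. Both consequences are what an admin disabling the option to work around a firewall needs to know before doing so.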
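Review bot: in ftpSendPassive the new `if (!Config.Ftp.epsv)` branch lives only in the `default:` arm of the switch, so any earlier `case` arms that issue EPSV (they are outside the hunk's context) would still send it when the option is off; confirm those arms either reach this `default:` or test Config.Ftp.epsv themselves, otherwise the option does not fully "prevent EPSV being attempted" as the documentation hunks promise. Ordering the new check ahead of `else if (Config.Ftp.epsv_all)` is correct for the intended override, but it makes ftp_epsv_all a silent no-op when ftp_epsv is off, so either log that combination or document it. The `snprintf(cbuf, 1024, "PASV\r\n")` line copies the hard-coded 1024 from the surrounding code; that is existing style, but if cbuf is a fixed array then `sizeof(cbuf)` would keep the three new and old snprintf calls in step if the buffer is ever resized.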