From 5e4671e5863a73c958842cabf6cadbef794c9cf7 Mon Sep 17 00:00:00 2001 From: Amos Jeffries Date: Mon, 31 Jan 2011 18:37:14 -0700 Subject: [PATCH] ftp_eprt directive to disable EPRT extensions in FTP This allows admin to resolve compatibility problems with old devices which encounter a range of problems when FTP extensions are used by selectively disabling any of the extensions individually. The other EPSV extensions already have enable/disable directives. --- doc/release-notes/release-3.1.sgml | 38 +++++++----------------------- src/cf.data.pre | 23 ++++++++++++++++++ src/ftp.cc | 17 +++++++++---- src/structs.h | 1 + 4 files changed, 44 insertions(+), 35 deletions(-) diff --git a/doc/release-notes/release-3.1.sgml b/doc/release-notes/release-3.1.sgml index 91d0b9165d..1e8ec8a87d 100644 --- a/doc/release-notes/release-3.1.sgml +++ b/doc/release-notes/release-3.1.sgml @@ -685,39 +685,17 @@ This section gives a thorough account of those changes in three categories: follow_x_forwarded_for allow my_other_proxy - ftp_epsv - - FTP Protocol extensions permit the use of a special "EPSV" command. - - NATs may be able to put the connection on a "fast path" through the - translator using EPSV, as the EPRT command will never be used and therefore, - translation of the data portion of the segments will never be needed. - - Turning this OFF will prevent EPSV being attempted. + ftp_eprt +

New directive to control whether Squid uses EPRT extension for + efficient NAT handling and IPv6 protocol support in FTP. - WARNING: Doing so will convert Squid back to the old behavior with all - the related problems with external NAT devices/layers. - - Requires ftp_passive to be ON (default) for any effect. - + ftp_epsv +

New directive to control whether Squid uses EPSV extension for + efficient NAT handling and IPv6 protocol support in FTP. ftp_epsv_all - - FTP Protocol extensions permit the use of a special "EPSV ALL" command. - - NATs may be able to put the connection on a "fast path" through the - translator, as the EPRT command will never be used and therefore, - translation of the data portion of the segments will never be needed. - - When a client only expects to do two-way FTP transfers this may be useful. - If Squid finds that it must do a three-way FTP transfer after issuing - an EPSV ALL command, the FTP session will fail. - - If you have any doubts about this option do not use it. - Squid will nicely attempt all other connection methods. - - Requires ftp_passive to be ON (default) - +

New directive to control whether Squid uses "EPSV ALL" extension for + efficient NAT handling and IPv6 protocol support in FTP. forward_max_tries

Controls how many different forward paths Squid will try diff --git a/src/cf.data.pre b/src/cf.data.pre index 7ebd859bc7..aea13905a8 100644 --- a/src/cf.data.pre +++ b/src/cf.data.pre @@ -3067,6 +3067,29 @@ DOC_START Requires ftp_passive to be ON (default) for any effect. DOC_END +NAME: ftp_eprt +TYPE: onoff +DEFAULT: on +LOC: Config.Ftp.eprt +DOC_START + FTP Protocol extensions permit the use of a special "EPRT" command. + + This extension provides a protocol neutral alternative to the + IPv4-only PORT command. When supported it enables active FTP data + channels over IPv6 and efficient NAT handling. + + Turning this OFF will prevent EPRT being attempted and will skip + straight to using PORT for IPv4 servers. + + Some devices are known to not handle this extension correctly and + may result in crashes. Devices which suport EPRT enough to fail + cleanly will result in Squid attempting PORT anyway. This directive + should only be disabled when EPRT results in device failures. + + WARNING: Doing so will convert Squid back to the old behavior with all + the related problems with external NAT devices/layers and IPv4-only FTP. +DOC_END + NAME: ftp_sanitycheck TYPE: onoff DEFAULT: on diff --git a/src/ftp.cc b/src/ftp.cc index edddc796aa..64f883a080 100644 --- a/src/ftp.cc +++ b/src/ftp.cc 
@@ -3000,16 +3000,23 @@ ftpReadPORT(FtpStateData * ftpState) static void ftpSendEPRT(FtpStateData * ftpState) { - int fd; - IpAddress addr; - struct addrinfo *AI = NULL; - char buf[MAX_IPSTRLEN]; - if (Config.Ftp.epsv_all && ftpState->flags.epsv_all_sent) { debugs(9, DBG_IMPORTANT, "FTP does not allow EPRT method after 'EPSV ALL' has been sent."); return; } + if (!Config.Ftp.eprt) { + /* Disabled. Switch immediately to attempting old PORT command. */ + debugs(9, 3, "EPRT disabled by local administrator"); + ftpSendPORT(ftpState); + return; + } + + int fd; + IpAddress addr; + struct addrinfo *AI = NULL; + char buf[MAX_IPSTRLEN]; + debugs(9, 3, HERE); ftpState->flags.pasv_supported = 0; fd = ftpOpenListenSocket(ftpState, 0); diff --git a/src/structs.h b/src/structs.h index 593c753782..b979712932 100644 --- a/src/structs.h +++ b/src/structs.h @@ -503,6 +503,7 @@ struct SquidConfig { int passive; int epsv_all; int epsv; + int eprt; int sanitycheck; int telnet; } Ftp; -- 2.47.2
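Review bot: in the doc/release-notes/release-3.1.sgml hunk, the rewritten entries drop the operational guidance that previously accompanied ftp_epsv and ftp_epsv_all, in particular the "Requires ftp_passive to be ON (default)" dependency and the warning that a three-way transfer after "EPSV ALL" makes the FTP session fail; if that text is now meant to live only in the cf.data.pre directive documentation, the release notes should say so, otherwise at least the ftp_passive dependency should stay here. The three new one-line summaries also read "uses EPRT extension", "uses EPSV extension" and "uses "EPSV ALL" extension"; insert "the" before each.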
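Review bot: typo in the new ftp_eprt DOC_START block of the src/cf.data.pre hunk: "Devices which suport EPRT" should read "support". The sentence "Some devices are known to not handle this extension correctly and may result in crashes" is also awkward; suggest "Some devices are known to mishandle this extension and may crash when it is used." Note that this block promises the fallback "will skip straight to using PORT for IPv4 servers", so the behaviour of the disabled branch in ftp.cc should match that wording.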
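Review bot: the new `if (!Config.Ftp.eprt)` branch in the src/ftp.cc hunk calls `ftpSendPORT(ftpState)` unconditionally, but PORT carries an IPv4 address only (the directive documentation in the same patch calls it "the IPv4-only PORT command"), while that documentation says disabling ftp_eprt skips "straight to using PORT for IPv4 servers". Either the branch should check the address family of the control connection before falling back, and log at DBG_IMPORTANT that no active-mode data channel is available over IPv6 with EPRT disabled, or the cf.data.pre text should state that on IPv6 connections disabling ftp_eprt leaves no active-mode fallback. Placing the check after the `epsv_all_sent` test is the right order, since PORT is equally forbidden once "EPSV ALL" has been sent; a short comment saying so would help the next reader. Moving the `int fd;`, `IpAddress addr;`, `struct addrinfo *AI = NULL;` and `char buf[MAX_IPSTRLEN];` declarations below the early returns is fine.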