Issue #285: Implement an IgnoreForeignAddress ProxyOption, such that backend passive data transfers always use the same IP address as used for the control connection, regardless of the address provided in the backend server's PASV response.

Author: Castaglia

lib/proxy/ftp/xfer.c

@@ -1,6 +1,6 @@
 /*
  * ProFTPD - mod_proxy FTP data transfer routines
- * Copyright (c) 2013-2024 TJ Saunders
+ * Copyright (c) 2013-2025 TJ Saunders
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -550,25 +550,43 @@ const pr_netaddr_t *proxy_ftp_xfer_prepare_passive(int policy_id, cmd_rec *cmd,
 
  remote_port = ntohs(pr_netaddr_get_port(remote_addr));
 
- if (!(proxy_opts & PROXY_OPT_ALLOW_FOREIGN_ADDRESS)) {
- /* Make sure that the given address matches the address to which we
- * originally connected.
- */
+ /* See if the given address matches the address to which we originally
+ * connected.
+ */
+ if (pr_netaddr_cmp(remote_addr,
+ proxy_sess->backend_ctrl_conn->remote_addr) != 0) {
+
+ pr_trace_msg(trace_channel, 2,
+ "backend passive transfer address %s does not match backend control "
+ "connection address %s", pr_netaddr_get_ipstr(remote_addr),
+ pr_netaddr_get_ipstr(proxy_sess->backend_ctrl_conn->remote_addr));
 
- if (pr_netaddr_cmp(remote_addr,
- proxy_sess->backend_ctrl_conn->remote_addr) != 0) {
+ if (proxy_opts & PROXY_OPT_IGNORE_FOREIGN_ADDRESS) {
  (void) pr_log_writefile(proxy_logfd, MOD_PROXY_VERSION,
- "Refused %s address %s (address mismatch with %s)",
- (char *) pasv_cmd->argv[0], pr_netaddr_get_ipstr(remote_addr),
+ "Ignoring %s address %s per IgnoreForeignAddress ProxyOption, using %s "
+ "instead", (char *) pasv_cmd->argv[0],
+ pr_netaddr_get_ipstr(remote_addr),
  pr_netaddr_get_ipstr(proxy_sess->backend_ctrl_conn->remote_addr));
- xerrno = EPERM;
 
- pr_response_add_err(error_code, "%s: %s", (char *) cmd->argv[0],
- strerror(xerrno));
- pr_response_flush(&resp_err_list);
+ remote_addr = pr_netaddr_dup(proxy_sess->dataxfer_pool,
+ proxy_sess->backend_ctrl_conn->remote_addr);
+ pr_netaddr_set_port2(remote_addr, remote_port);
+
+ } else {
+ if (!(proxy_opts & PROXY_OPT_ALLOW_FOREIGN_ADDRESS)) {
+ (void) pr_log_writefile(proxy_logfd, MOD_PROXY_VERSION,
+ "Refused %s address %s (address mismatch with %s)",
+ (char *) pasv_cmd->argv[0], pr_netaddr_get_ipstr(remote_addr),
+ pr_netaddr_get_ipstr(proxy_sess->backend_ctrl_conn->remote_addr));
+ xerrno = EPERM;
 
- errno = xerrno;
- return NULL;
+ pr_response_add_err(error_code, "%s: %s", (char *) cmd->argv[0],
+ strerror(xerrno));
+ pr_response_flush(&resp_err_list);
+
+ errno = xerrno;
+ return NULL;
+ }
  }
  }
 

mod_proxy.c

@@ -816,6 +816,9 @@ MODRET set_proxyoptions(cmd_rec *cmd) {
  } else if (strcmp(cmd->argv[i], "AllowForeignAddress") == 0) {
  opts |= PROXY_OPT_ALLOW_FOREIGN_ADDRESS;
 
+ } else if (strcmp(cmd->argv[i], "IgnoreForeignAddress") == 0) {
+ opts |= PROXY_OPT_IGNORE_FOREIGN_ADDRESS;
+
  } else {
  CONF_ERROR(cmd, pstrcat(cmd->tmp_pool, ": unknown ProxyOption '",
  (char *) cmd->argv[i], "'", NULL));

mod_proxy.h.in

@@ -1,6 +1,6 @@
 /*
  * ProFTPD - mod_proxy
- * Copyright (c) 2012-2024 TJ Saunders
+ * Copyright (c) 2012-2025 TJ Saunders
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -104,6 +104,7 @@
 #define PROXY_OPT_USE_PROXY_PROTOCOL_V20x0020
 #define PROXY_OPT_USE_PROXY_PROTOCOL_V2_TLVS0x0040
 #define PROXY_OPT_ALLOW_FOREIGN_ADDRESS0x0080
+#define PROXY_OPT_IGNORE_FOREIGN_ADDRESS0x0100
 
 /* mod_proxy datastores */
 #define PROXY_DATASTORE_SQLITE1

mod_proxy.html

@@ -504,6 +504,37 @@ <h3><a name="ProxyOptions">ProxyOptions</a></h3>
  # address for data transfers than the IP address to which mod_proxy connected.
  ProxyOptions AllowForeignAddress
  </pre>
+
+ <p>
+ Note that the <code>IgnoreForeignAddress</code> option takes precedence
+ over this option.
+ </li>
+
+ <p>
+ <li><code>IgnoreForeignAddress</code><br>
+ <p>
+ Use this option to tell the <code>mod_proxy</code> module to <i>always</i>
+ use the same IP address for passive data transfers to the backend server as
+ used for the control connection, ignoring any different IP address that
+ the backend server may provide in its <code>PASV</code> response.
+
+ <p>
+ This option may be needed in cases where you see backend data transfers fail with errors logged such as:
+ <pre>
+ unable to connect to 172.16.1.2#8200: Network unreachable
+ unable to connect to 172.16.2.2#8200: Connection refused
+ </pre>
+ Example:
+ <pre>
+ # When the backend server tells us to use a different IP address for data
+ # transfers than the IP address to which mod_proxy connected, ignore that
+ # different IP address and use the original initial IP address.
+ ProxyOptions IgnoreForeignAddress
+ </pre>
+
+ <p>
+ Note that this option takes precedence over the
+ <code>AllowForeignAddress</code> option.
  </li>
 
  <p>
@@ -2561,7 +2592,7 @@ <h2><a name="Installation">Installation</a></h2>
 <hr>
 
 <font size=2><b><i>
-&copy; Copyright 2015-2024 TJ Saunders<br>
+&copy; Copyright 2015-2025 TJ Saunders<br>
  All Rights Reserved<br>
 </i></b></font>