Merge pull request #286 from Castaglia/proxy-unroutable-passive-addr-issue285

Issue #285: Implement an `IgnoreForeignAddress` ProxyOption, such tha…

Author: Castaglia

lib/proxy/ftp/xfer.c

@@ -1,6 +1,6 @@
 /*
  * ProFTPD - mod_proxy FTP data transfer routines
- * Copyright (c) 2013-2024 TJ Saunders
+ * Copyright (c) 2013-2025 TJ Saunders
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -550,25 +550,43 @@ const pr_netaddr_t *proxy_ftp_xfer_prepare_passive(int policy_id, cmd_rec *cmd,
 
  remote_port = ntohs(pr_netaddr_get_port(remote_addr));
 
- if (!(proxy_opts & PROXY_OPT_ALLOW_FOREIGN_ADDRESS)) {
- /* Make sure that the given address matches the address to which we
- * originally connected.
- */
+ /* See if the given address matches the address to which we originally
+ * connected.
+ */
+ if (pr_netaddr_cmp(remote_addr,
+ proxy_sess->backend_ctrl_conn->remote_addr) != 0) {
+
+ pr_trace_msg(trace_channel, 2,
+ "backend passive transfer address %s does not match backend control "
+ "connection address %s", pr_netaddr_get_ipstr(remote_addr),
+ pr_netaddr_get_ipstr(proxy_sess->backend_ctrl_conn->remote_addr));
 
- if (pr_netaddr_cmp(remote_addr,
- proxy_sess->backend_ctrl_conn->remote_addr) != 0) {
+ if (proxy_opts & PROXY_OPT_IGNORE_FOREIGN_ADDRESS) {
  (void) pr_log_writefile(proxy_logfd, MOD_PROXY_VERSION,
- "Refused %s address %s (address mismatch with %s)",
- (char *) pasv_cmd->argv[0], pr_netaddr_get_ipstr(remote_addr),
+ "Ignoring %s address %s per IgnoreForeignAddress ProxyOption, using %s "
+ "instead", (char *) pasv_cmd->argv[0],
+ pr_netaddr_get_ipstr(remote_addr),
  pr_netaddr_get_ipstr(proxy_sess->backend_ctrl_conn->remote_addr));
- xerrno = EPERM;
 
- pr_response_add_err(error_code, "%s: %s", (char *) cmd->argv[0],
- strerror(xerrno));
- pr_response_flush(&resp_err_list);
+ remote_addr = pr_netaddr_dup(proxy_sess->dataxfer_pool,
+ proxy_sess->backend_ctrl_conn->remote_addr);
+ pr_netaddr_set_port2(remote_addr, remote_port);
+
+ } else {
+ if (!(proxy_opts & PROXY_OPT_ALLOW_FOREIGN_ADDRESS)) {
+ (void) pr_log_writefile(proxy_logfd, MOD_PROXY_VERSION,
+ "Refused %s address %s (address mismatch with %s)",
+ (char *) pasv_cmd->argv[0], pr_netaddr_get_ipstr(remote_addr),
+ pr_netaddr_get_ipstr(proxy_sess->backend_ctrl_conn->remote_addr));
+ xerrno = EPERM;
 
- errno = xerrno;
- return NULL;
+ pr_response_add_err(error_code, "%s: %s", (char *) cmd->argv[0],
+ strerror(xerrno));
+ pr_response_flush(&resp_err_list);
+
+ errno = xerrno;
+ return NULL;
+ }
  }
  }
 

mod_proxy.c

@@ -816,6 +816,9 @@ MODRET set_proxyoptions(cmd_rec *cmd) {
  } else if (strcmp(cmd->argv[i], "AllowForeignAddress") == 0) {
  opts |= PROXY_OPT_ALLOW_FOREIGN_ADDRESS;
 
+ } else if (strcmp(cmd->argv[i], "IgnoreForeignAddress") == 0) {
+ opts |= PROXY_OPT_IGNORE_FOREIGN_ADDRESS;
+
  } else {
  CONF_ERROR(cmd, pstrcat(cmd->tmp_pool, ": unknown ProxyOption '",
  (char *) cmd->argv[i], "'", NULL));

mod_proxy.h.in

@@ -1,6 +1,6 @@
 /*
  * ProFTPD - mod_proxy
- * Copyright (c) 2012-2024 TJ Saunders
+ * Copyright (c) 2012-2025 TJ Saunders
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -104,6 +104,7 @@
 #define PROXY_OPT_USE_PROXY_PROTOCOL_V20x0020
 #define PROXY_OPT_USE_PROXY_PROTOCOL_V2_TLVS0x0040
 #define PROXY_OPT_ALLOW_FOREIGN_ADDRESS0x0080
+#define PROXY_OPT_IGNORE_FOREIGN_ADDRESS0x0100
 
 /* mod_proxy datastores */
 #define PROXY_DATASTORE_SQLITE1

mod_proxy.html

@@ -504,6 +504,37 @@ <h3><a name="ProxyOptions">ProxyOptions</a></h3>
  # address for data transfers than the IP address to which mod_proxy connected.
  ProxyOptions AllowForeignAddress
  </pre>
+
+ <p>
+ Note that the <code>IgnoreForeignAddress</code> option takes precedence
+ over this option.
+ </li>
+
+ <p>
+ <li><code>IgnoreForeignAddress</code><br>
+ <p>
+ Use this option to tell the <code>mod_proxy</code> module to <i>always</i>
+ use the same IP address for passive data transfers to the backend server as
+ used for the control connection, ignoring any different IP address that
+ the backend server may provide in its <code>PASV</code> response.
+
+ <p>
+ This option may be needed in cases where you see backend data transfers fail with errors logged such as:
+ <pre>
+ unable to connect to 172.16.1.2#8200: Network unreachable
+ unable to connect to 172.16.2.2#8200: Connection refused
+ </pre>
+ Example:
+ <pre>
+ # When the backend server tells us to use a different IP address for data
+ # transfers than the IP address to which mod_proxy connected, ignore that
+ # different IP address and use the original initial IP address.
+ ProxyOptions IgnoreForeignAddress
+ </pre>
+
+ <p>
+ Note that this option takes precedence over the
+ <code>AllowForeignAddress</code> option.
  </li>
 
  <p>
@@ -2561,7 +2592,7 @@ <h2><a name="Installation">Installation</a></h2>
 <hr>
 
 <font size=2><b><i>
-&copy; Copyright 2015-2024 TJ Saunders<br>
+&copy; Copyright 2015-2025 TJ Saunders<br>
  All Rights Reserved<br>
 </i></b></font>