From 87f2fc9711a1dfe6f1f355cb9c06c719451fa673 Mon Sep 17 00:00:00 2001
From: Franco Fichtner
Date: Wed, 29 Apr 2015 11:23:00 +0200
Subject: [PATCH] system: do a little thing called ftp-proxy(8) for clients #155

While there, clean up a little and remove the dysfunct tftp-proxy. Server part is a little harder, but can be done, too.
---
 src/etc/inc/filter.inc | 62 ++++++++++++----------
 src/etc/inc/interfaces.inc | 2 +-
 src/www/system_advanced_firewall.php | 32 +++++---------
 3 files changed, 39 insertions(+), 57 deletions(-)
diff --git a/src/etc/inc/filter.inc b/src/etc/inc/filter.inc
index bcb0f448c..ee93d2391 100644
--- a/src/etc/inc/filter.inc
+++ b/src/etc/inc/filter.inc
@@ -1738,20 +1738,15 @@ function filter_nat_rules_generate() {
 unset($tonathosts, $tonathosts_array, $numberofnathosts);
 }
 
- /* load balancer anchor */
- $natrules .= "\n# Load balancing anchor\n";
+ $natrules .= "\n# Load balancing\n";
 $natrules .= "rdr-anchor \"relayd/*\"\n";
 
- update_filter_reload_status(gettext("Setting up TFTP helper"));
- $natrules .= "# TFTP proxy\n";
- $natrules .= "rdr-anchor \"tftp-proxy/*\"\n";
-
- if (!empty($config['system']['tftpinterface'])) {
- $tftpifs = explode(",", $config['system']['tftpinterface']);
- foreach($tftpifs as $tftpif) {
- if ($FilterIflist[$tftpif])
- $natrules .= "rdr pass on {$FilterIflist[$tftpif]['if']} proto udp from any to any port tftp -> 127.0.0.1 port 6969\n";
- }
+ if (isset($config['system']['ftp-proxy']['client'])) {
+ $natrules .= "\n# FTP proxy\n";
+ $natrules .= "nat-anchor \"ftp-proxy/*\"\n";
+ $natrules .= "rdr-anchor \"ftp-proxy/*\"\n";
+ $natrules .= "rdr pass proto tcp to port ftp -> 127.0.0.1 port 8021\n";
+ mwexec('service ftp-proxy onerestart');
 }
 
 /* DIAG: add ipv6 NAT, if requested */
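Review bot: The new redirect `rdr pass proto tcp to port ftp -> 127.0.0.1 port 8021` carries neither an `on <interface>` nor a source qualifier, whereas the TFTP rule it replaces was bound to the selected interfaces through `{$FilterIflist[$tftpif]['if']}`; unless something later in the ruleset narrows it, any TCP/21 packet arriving on any interface, WAN included, is redirected to the local ftp-proxy and passed without traversing the filter rules, which makes the proxy an externally reachable FTP relay. Bind the rule to the interfaces the client proxy is meant to serve, as the removed code did, e.g. for each chosen interface `$ifname`: `rdr pass on {$FilterIflist[$ifname]['if']} proto tcp from {$FilterIflist[$ifname]['if']}:network to port ftp -> 127.0.0.1 port 8021\n` (constructed example). The disabled path is also incomplete: when the option is unset nothing runs `service ftp-proxy onestop`, so a previously started proxy keeps listening after its anchor rules are gone. `filter_nat_rules_generate()` begins before and continues after this hunk.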
@@ -1762,13 +1757,7 @@ function filter_nat_rules_generate() {
 $natrules .= "rdr on \${$FilterIflist['wan']['descr']} proto ipv6 from any to any -> {$config['diag']['ipv6nat']['ipaddr']}\n";
 }
 
- if(file_exists("/var/etc/inetd.conf"))
- @unlink("/var/etc/inetd.conf");
- // Open inetd.conf write handle
- $inetd_fd = fopen("/var/etc/inetd.conf","w");
- /* add tftp protocol helper */
- // TODO triggers "inetd[28893]: tftp-proxy/udp: unknown service"
- //fwrite($inetd_fd, "tftp-proxy\tdgram\tudp\twait\t\troot\t/usr/libexec/tftp-proxy\ttftp-proxy -v\n");
+ $inetd_fd = fopen('/var/etc/inetd.conf', 'w');
 
 if(isset($config['nat']['rule'])) {
 /* start reflection redirects on port 19000 of localhost */
@@ -1928,8 +1917,9 @@ function filter_nat_rules_generate() {
 if($reflection_type == "proxy" && !isset($rule['nordr'])) {
 $natrules .= filter_generate_reflection_proxy($rule, $nordr, $nat_if_list, $srcaddr, $dstaddr, $starting_localhost_port, $reflection_rules);
 $nat_if_list = array($natif);
- foreach ($reflection_rules as $txtline)
+ foreach ($reflection_rules as $txtline) {
 fwrite($inetd_fd, $txtline);
+ }
 } else if($reflection_type == "purenat" || isset($rule['nordr'])) {
 $rdr_if_list = implode(" ", $nat_if_list);
 if(count($nat_if_list) > 1)
@@ -1949,7 +1939,8 @@ function filter_nat_rules_generate() {
 }
 }
 }
- fclose($inetd_fd); // Close file handle
+
+ fclose($inetd_fd);
 
 if (isset($config['pptpd']['mode']) && ($config['pptpd']['mode'] != "off")) {
 if ($config['pptpd']['mode'] == "redir") {
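Review bot: `$inetd_fd = fopen('/var/etc/inetd.conf', 'w');` is still used without checking for `false`; the `fwrite($inetd_fd, $txtline)` in the following hunk and the `fclose($inetd_fd)` after it would then only emit warnings, and inetd would later be started against whatever file is left on disk. The replaced code had the same gap, but since the line is rewritten anyway, guard it, `if (($inetd_fd = fopen('/var/etc/inetd.conf', 'w')) === false) { /* report and skip the reflection inetd entries */ }`, or gather the entries in an array and write them once with `file_put_contents()`, whose single return value is easy to check. The enclosing `filter_nat_rules_generate()` starts before this hunk.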
@@ -1961,20 +1952,17 @@ function filter_nat_rules_generate() {
 }
 
- $natrules .= "# UPnPd rdr anchor\n";
+ $natrules .= "\n# UPnP\n";
 $natrules .= "rdr-anchor \"miniupnpd\"\n";
 
- if(!empty($reflection_txt))
+ if (!empty($reflection_txt)) {
 $natrules .= "\n# Reflection redirects and NAT for 1:1 mappings\n" . $reflection_txt;
+ }
 
- // Check if inetd is running, if not start it. If so, restart it gracefully.
- $helpers = is_process_running('inetd');
- if (file_exists('/var/etc/inetd.conf')) {
- if (!$helpers) {
- mwexec("/usr/sbin/inetd -wW -R 0 -a 127.0.0.1 /var/etc/inetd.conf");
- } else {
- killbypid('/var/run/inetd.pid', 'HUP');
- }
+ if (!isvalidpid('/var/run/inetd.pid')) {
+ mwexec("/usr/sbin/inetd -wW -R 0 -a 127.0.0.1 /var/etc/inetd.conf");
+ } else {
+ killbypid('/var/run/inetd.pid', 'HUP');
 }
 
 return $natrules;
@@ -2585,6 +2573,12 @@ function filter_rules_generate()
 $ipfrules .= "anchor \"openvpn/*\"\n";
 /* IPsec user rules from radius */
 $ipfrules .= "anchor \"ipsec/*\"\n";
+
+ if (isset($config['system']['ftp-proxy']['client'])) {
+ $ipfrules .= "\nanchor \"ftp-proxy/*\"\n";
+ $ipfrules .= "pass out quick proto tcp from 127.0.0.1 to port ftp\n";
+ }
+
 # BEGIN OF firewall rules
 /* default block logging? */
 $log = array();
@@ -2595,13 +2589,13 @@ function filter_rules_generate()
 if(!isset($config['system']['ipv6allow'])) {
- $ipfrules .= "# Block all IPv6\n";
+ $ipfrules .= "\n# Block all IPv6\n";
 $ipfrules .= "block in {$log['block']} quick inet6 all label \"Block all IPv6\"\n";
 $ipfrules .= "block out {$log['block']} quick inet6 all label \"Block all IPv6\"\n";
 }
- $ipfrules .= << - + - - + /> + +
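Review bot: `if (!isvalidpid('/var/run/inetd.pid'))` decides from the pidfile alone, so after an unclean exit where the recorded pid has been reused by another process the `killbypid('/var/run/inetd.pid', 'HUP')` branch presumably signals that unrelated process and no inetd gets started; the dropped `is_process_running('inetd')` check covered exactly that case. Keeping the name check next to the pidfile test, `if (!isvalidpid('/var/run/inetd.pid') || !is_process_running('inetd')) {`, restores the old behaviour while still preferring the pidfile. The enclosing `filter_nat_rules_generate()` starts before this hunk.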
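Review bot: In the `@@ -2585,6 +2573,12 @@` hunk the `isset($config['system']['ftp-proxy']['client'])` test is duplicated with the NAT generator in the first hunk, and each side emits only half of the proxy setup (the filter anchor and pass rule here, the nat/rdr anchors and redirect there), so a later change to the config key would have to be made twice; a single predicate such as `function ftp_proxy_client_enabled() { global $config; return isset($config['system']['ftp-proxy']['client']); }` (constructed name) keeps both in step. The `pass out quick proto tcp from 127.0.0.1 to port ftp` line also deserves a one-line comment stating that it admits the proxy's own control connection ahead of the user rules, since `quick` makes it final. `filter_rules_generate()` begins before and continues after the hunk.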
+