FT_FTP
FTP (File Transfer Protocol) protocol filter. Used RFCs: 959, 2428, 2228.
- Allows filtering FTP commands, responses and transmitted data.
- Filters active and passive mode data channels.
- Decodes SSL protected command and data channels.
- Supports packet level filtering of data channel.
- Supports IPv6 extensions.
Category: Protocol filter
Supported flags:
FF_READ_ONLY_IN
FF_READ_ONLY_OUT
FF_SSL_TLS
FF_SSL_SELF_SIGNED_CERTIFICATE
Object types:
OT_FTP_COMMAND - FTP command from client to server
OT_FTP_RESPONSE - server response to FTP command
OT_FTP_DATA_OUTGOING - read-only outgoing data (full stream)
OT_FTP_DATA_INCOMING - read-only incoming data (full stream)
OT_FTP_DATA_PART_OUTGOING - outgoing data packet
OT_FTP_DATA_PART_INCOMING - incoming data packet
Indicates object parts: no
The filters starts indicating FTP commands and responses after initial client-server
handshake classified according to FTP specification. The objects of types OT_FTP_COMMAND and OT_FTP_RESPONSE contain one stream with raw FTP command and response.
For transmitting large data buffers FTP uses secondary data connections. In active
mode it is incoming connection from server to client, established after PORT or
EPRT command with specified local address as a parameter. In passive mode FTP client
sends PASV or EPSV command to server, and establishes outgoing connection to the
address specified in server response. After transmitting full data object, the data
connection closes, and the server sends to client a response explaining results.
Note: The filtering of all incoming connections must be
enabled for filtering FTP data connections in active mode!
ProtocolFilters automatically associates data connections with FTP control connection
and adds FT_FTP_DATA filter for a data connection:
- FTP client sends PORT, EPRT, PASV or EPSV command to server to negotiate data
connection direction and addresses.
- ProtocolFilters indicates tcpConnected event for incoming or outgoing data connection.
It is possible to add preprocessors FT_PROXY and FT_SSL in event handler.
- ProtocolFilters searches for a control FTP connection by real local or remote
address (the real address can be different when FTP client uses SOCKS or HTTPS proxy).
- If an appropriate FTP control connection is found, ProtocolFilters deletes all
protocol filters from chain (preprocessors are not deleted), and adds FT_FTP_DATA
filter instead. Also FT_SSL filter is added if necessary when FF_SSL_TLS flag is
specified for the control connection. FT_FTP_DATA is added with the same FF_* flags
as for control connection. I.e. if a control connection is filtered in read only
mode, the appropriate data connection is filtered in read only mode too.
FT_FTP_DATA filter indicates the transmitted data using OT_FTP_DATA_* objects. Each
OT_FTP_DATA_* object contains two streams:
- Content stream (index 0) contains a data buffer.
- Control channel metadata stream (index 1) contains a string, formatted as list
of <name>: <value> strings, delimited with \r\n sequences.
The metadata stream is informational, i.e. ProtocolFilters ignores it when client
application posts OT_FTP_DATA_* object to destination. It contains FTP command with
parameters that describes the content stream, control connection identifier and
transmission parameters.
The field names of metadata header:
SESSIONID - ENDPOINT_ID of FTP control connection. This field is added always.
COMMAND - FTP command sent via control channel immediately after opening data connection,
e.g. STOR or RETR with a file name. This field is added always.
REST - optional field, contains a parameter of REST command specified by FTP client
(see RFC 959 for details).
TYPE - optional field, contains a parameter of TYPE command specified by FTP client
(see RFC 959 for details).
The optional fields are added when FTP client sends appropriate commands via control
connection.
The current version blocks STRU command and MODE (B|Z), i.e. allows only default
stream transfer mode for FTP data. FTP client receives error response when it tries
to select an unsupported mode.
By default FT_FTP_DATA filter indicates the packets transmitted via data connection
as OT_FTP_DATA_PART_* objects, containing a single packet in content stream. The
filtering application can change the packet contents and post it back to destination.
When FF_READ_ONLY_(IN|OUT) flag is specified for control connection, FT_FTP_DATA
filter buffers the packets and indicates full transmitted content as OT_FTP_DATA_(INCOMING|OUTGOING)
object.
The data connection closes after transmitting the full content. Also FTP client
can abort the data transfer and close data connection before the transmission completes.
It is possible to monitor the control connection for ABORT command and bad response
codes to make sure that the content is transmitted in full.
References:
RFCs related to FTP protocol specification:
http://www.faqs.org/rfcs/rfc959.html
http://www.faqs.org/rfcs/rfc2428.html
http://www.faqs.org/rfcs/rfc2228.html
http://www.faqs.org/rfcs/rfc2640.html