ip_rpcb_pxy.c revision 1.1
1 /* $NetBSD: ip_rpcb_pxy.c,v 1.1 2012/03/23 20:37:02 christos Exp $ */ 2 3 /* 4 * Copyright (C) 2002-2003 by Ryan Beasley <ryanb (at) goddamnbastard.org> 5 * 6 * See the IPFILTER.LICENCE file for details on licencing. 7 */ 8 /* 9 * Overview: 10 * This is an in-kernel application proxy for Sun's RPCBIND (nee portmap) 11 * protocol as defined in RFC1833. It is far from complete, mostly 12 * lacking in less-likely corner cases, but it's definitely functional. 13 * 14 * Invocation: 15 * rdr <int> <e_ip>/32 port <e_p> -> <i_ip> port <i_p> udp proxy rpcbu 16 * 17 * If the host running IP Filter is the same as the RPC server, it's 18 * perfectly legal for both the internal and external addresses and ports 19 * to match. 20 * 21 * When triggered by appropriate IP NAT rules, this proxy works by 22 * examining data contained in received packets. Requests and replies are 23 * modified, NAT and state table entries created, etc., as necessary. 24 */ 25 /* 26 * TODO / NOTES 27 * 28 * o Must implement locking to protect proxy session data. 29 * o Fragmentation isn't supported. 30 * o Only supports UDP. 31 * o Doesn't support multiple RPC records in a single request. 32 * o Errors should be more fine-grained. (e.g., malloc failure vs. 33 * illegal RPCB request / reply) 34 * o Even with the limit on the total amount of recorded transactions, 35 * should there be a timeout on transaction removal? 36 * o There is a potential collision between cloning, wildcard NAT and 37 * state entries. There should be an appr_getport routine for 38 * to avoid this. 39 * o The enclosed hack of STREAMS support is pretty sick and most likely 40 * broken. 41 * 42 * Id 43 */ 44 #define IPF_RPCB_PROXY 45 46 /* 47 * Function prototypes 48 */ 49 void ipf_p_rpcb_main_load __P((void)); 50 void ipf_p_rpcb_main_unload __P((void)); 51 int ipf_p_rpcb_new __P((void *, fr_info_t *, ap_session_t *, nat_t *)); 52 void ipf_p_rpcb_del __P((ipf_main_softc_t *, ap_session_t *)); 53 int ipf_p_rpcb_in __P((void *, fr_info_t *, ap_session_t *, nat_t *)); 54 int ipf_p_rpcb_out __P((void *, fr_info_t *, ap_session_t *, nat_t *)); 55 56 static void ipf_p_rpcb_flush __P((rpcb_session_t *)); 57 static int ipf_p_rpcb_decodereq __P((fr_info_t *, nat_t *, 58 rpcb_session_t *, rpc_msg_t *)); 59 static int ipf_p_rpcb_skipauth __P((rpc_msg_t *, xdr_auth_t *, u_32_t **)); 60 static int ipf_p_rpcb_insert __P((rpcb_session_t *, rpcb_xact_t *)); 61 static int ipf_p_rpcb_xdrrpcb __P((rpc_msg_t *, u_32_t *, rpcb_args_t *)); 62 static int ipf_p_rpcb_getuaddr __P((rpc_msg_t *, xdr_uaddr_t *, 63 u_32_t **)); 64 static u_int ipf_p_rpcb_atoi __P((char *)); 65 static int ipf_p_rpcb_modreq __P((fr_info_t *, nat_t *, rpc_msg_t *, 66 mb_t *, u_int)); 67 static int ipf_p_rpcb_decoderep __P((fr_info_t *, nat_t *, 68 rpcb_session_t *, rpc_msg_t *, rpcb_xact_t **)); 69 static rpcb_xact_t * ipf_p_rpcb_lookup __P((rpcb_session_t *, u_32_t)); 70 static void ipf_p_rpcb_deref __P((rpcb_session_t *, rpcb_xact_t *)); 71 static int ipf_p_rpcb_getproto __P((rpc_msg_t *, xdr_proto_t *, 72 u_32_t **)); 73 static int ipf_p_rpcb_getnat __P((fr_info_t *, nat_t *, u_int, u_int)); 74 static int ipf_p_rpcb_modv3 __P((fr_info_t *, nat_t *, rpc_msg_t *, 75 mb_t *, u_int)); 76 static int ipf_p_rpcb_modv4 __P((fr_info_t *, nat_t *, rpc_msg_t *, 77 mb_t *, u_int)); 78 static void ipf_p_rpcb_fixlen __P((fr_info_t *, int)); 79 80 /* 81 * Global variables 82 */ 83 static frentry_t rpcbfr; /* Skeleton rule for reference by entities 84 this proxy creates. */ 85 static int rpcbcnt; /* Upper bound of allocated RPCB sessions. */ 86 /* XXX rpcbcnt still requires locking. */ 87 88 static int rpcb_proxy_init = 0; 89 90 91 /* 92 * Since rpc_msg contains only pointers, one should use this macro as a 93 * handy way to get to the goods. (In case you're wondering about the name, 94 * this started as BYTEREF -> BREF -> B.) 95 */ 96 #define B(r) (u_32_t)ntohl(*(r)) 97 98 /* 99 * Public subroutines 100 */ 101 102 /* -------------------------------------------------------------------- */ 103 /* Function: ipf_p_rpcb_main_load */ 104 /* Returns: void */ 105 /* Parameters: (void) */ 106 /* */ 107 /* Initialize the filter rule entry and session limiter. */ 108 /* -------------------------------------------------------------------- */ 109 void 110 ipf_p_rpcb_main_load() 111 { 112 rpcbcnt = 0; 113 114 bzero((char *)&rpcbfr, sizeof(rpcbfr)); 115 rpcbfr.fr_ref = 1; 116 rpcbfr.fr_flags = FR_PASS|FR_QUICK|FR_KEEPSTATE; 117 MUTEX_INIT(&rpcbfr.fr_lock, "ipf Sun RPCB proxy rule lock"); 118 rpcb_proxy_init = 1; 119 } 120 121 /* -------------------------------------------------------------------- */ 122 /* Function: ipf_p_rpcb_main_unload */ 123 /* Returns: void */ 124 /* Parameters: (void) */ 125 /* */ 126 /* Destroy rpcbfr's mutex to avoid a lock leak. */ 127 /* -------------------------------------------------------------------- */ 128 void 129 ipf_p_rpcb_main_unload() 130 { 131 if (rpcb_proxy_init == 1) { 132 MUTEX_DESTROY(&rpcbfr.fr_lock); 133 rpcb_proxy_init = 0; 134 } 135 } 136 137 /* -------------------------------------------------------------------- */ 138 /* Function: ipf_p_rpcb_new */ 139 /* Returns: int - -1 == failure, 0 == success */ 140 /* Parameters: fin(I) - pointer to packet information */ 141 /* aps(I) - pointer to proxy session structure */ 142 /* nat(I) - pointer to NAT session structure */ 143 /* */ 144 /* Allocate resources for per-session proxy structures. */ 145 /* -------------------------------------------------------------------- */ 146 int 147 ipf_p_rpcb_new(arg, fin, aps, nat) 148 void *arg; 149 fr_info_t *fin; 150 ap_session_t *aps; 151 nat_t *nat; 152 { 153 rpcb_session_t *rs; 154 155 fin = fin; /* LINT */ 156 nat = nat; /* LINT */ 157 158 KMALLOC(rs, rpcb_session_t *); 159 if (rs == NULL) 160 return(-1); 161 162 bzero((char *)rs, sizeof(*rs)); 163 MUTEX_INIT(&rs->rs_rxlock, "ipf Sun RPCB proxy session lock"); 164 165 aps->aps_data = rs; 166 167 return(0); 168 } 169 170 /* -------------------------------------------------------------------- */ 171 /* Function: ipf_p_rpcb_del */ 172 /* Returns: void */ 173 /* Parameters: aps(I) - pointer to proxy session structure */ 174 /* */ 175 /* Free up a session's list of RPCB requests. */ 176 /* -------------------------------------------------------------------- */ 177 void 178 ipf_p_rpcb_del(softc, aps) 179 ipf_main_softc_t *softc; 180 ap_session_t *aps; 181 { 182 rpcb_session_t *rs; 183 rs = (rpcb_session_t *)aps->aps_data; 184 185 MUTEX_ENTER(&rs->rs_rxlock); 186 ipf_p_rpcb_flush(rs); 187 MUTEX_EXIT(&rs->rs_rxlock); 188 MUTEX_DESTROY(&rs->rs_rxlock); 189 } 190 191 /* -------------------------------------------------------------------- */ 192 /* Function: ipf_p_rpcb_in */ 193 /* Returns: int - APR_ERR(1) == drop the packet, */ 194 /* APR_ERR(2) == kill the proxy session, */ 195 /* else change in packet length (in bytes) */ 196 /* Parameters: fin(I) - pointer to packet information */ 197 /* ip(I) - pointer to packet header */ 198 /* aps(I) - pointer to proxy session structure */ 199 /* nat(I) - pointer to NAT session structure */ 200 /* */ 201 /* Given a presumed RPCB request, perform some minor tests and pass off */ 202 /* for decoding. Also pass packet off for a rewrite if necessary. */ 203 /* -------------------------------------------------------------------- */ 204 int 205 ipf_p_rpcb_in(arg, fin, aps, nat) 206 void *arg; 207 fr_info_t *fin; 208 ap_session_t *aps; 209 nat_t *nat; 210 { 211 rpc_msg_t rpcmsg, *rm; 212 rpcb_session_t *rs; 213 u_int off, dlen; 214 mb_t *m; 215 int rv; 216 217 /* Disallow fragmented or illegally short packets. */ 218 if ((fin->fin_flx & (FI_FRAG|FI_SHORT)) != 0) 219 return(APR_ERR(1)); 220 221 /* Perform basic variable initialization. */ 222 rs = (rpcb_session_t *)aps->aps_data; 223 224 m = fin->fin_m; 225 off = (char *)fin->fin_dp - (char *)fin->fin_ip; 226 off += sizeof(udphdr_t) + fin->fin_ipoff; 227 dlen = fin->fin_dlen - sizeof(udphdr_t); 228 229 /* Disallow packets outside legal range for supported requests. */ 230 if ((dlen < RPCB_REQMIN) || (dlen > RPCB_REQMAX)) 231 return(APR_ERR(1)); 232 233 /* Copy packet over to convenience buffer. */ 234 rm = &rpcmsg; 235 bzero((char *)rm, sizeof(*rm)); 236 COPYDATA(m, off, dlen, (caddr_t)&rm->rm_msgbuf); 237 rm->rm_buflen = dlen; 238 239 /* Send off to decode request. */ 240 rv = ipf_p_rpcb_decodereq(fin, nat, rs, rm); 241 242 switch(rv) 243 { 244 case -1: 245 return(APR_ERR(1)); 246 /*NOTREACHED*/ 247 break; 248 case 0: 249 break; 250 case 1: 251 rv = ipf_p_rpcb_modreq(fin, nat, rm, m, off); 252 break; 253 default: 254 /*CONSTANTCONDITION*/ 255 IPF_PANIC(1, ("illegal rv %d (ipf_p_rpcb_req)", rv)); 256 } 257 258 return(rv); 259 } 260 261 /* -------------------------------------------------------------------- */ 262 /* Function: ipf_p_rpcb_out */ 263 /* Returns: int - APR_ERR(1) == drop the packet, */ 264 /* APR_ERR(2) == kill the proxy session, */ 265 /* else change in packet length (in bytes) */ 266 /* Parameters: fin(I) - pointer to packet information */ 267 /* ip(I) - pointer to packet header */ 268 /* aps(I) - pointer to proxy session structure */ 269 /* nat(I) - pointer to NAT session structure */ 270 /* */ 271 /* Given a presumed RPCB reply, perform some minor tests and pass off */ 272 /* for decoding. If the message indicates a successful request with */ 273 /* valid addressing information, create NAT and state structures to */ 274 /* allow direct communication between RPC client and server. */ 275 /* -------------------------------------------------------------------- */ 276 int 277 ipf_p_rpcb_out(arg, fin, aps, nat) 278 void *arg; 279 fr_info_t *fin; 280 ap_session_t *aps; 281 nat_t *nat; 282 { 283 rpc_msg_t rpcmsg, *rm; 284 rpcb_session_t *rs; 285 rpcb_xact_t *rx; 286 u_int off, dlen; 287 int rv, diff; 288 mb_t *m; 289 290 /* Disallow fragmented or illegally short packets. */ 291 if ((fin->fin_flx & (FI_FRAG|FI_SHORT)) != 0) 292 return(APR_ERR(1)); 293 294 /* Perform basic variable initialization. */ 295 rs = (rpcb_session_t *)aps->aps_data; 296 rx = NULL; 297 298 m = fin->fin_m; 299 off = (char *)fin->fin_dp - (char *)fin->fin_ip; 300 off += sizeof(udphdr_t) + fin->fin_ipoff; 301 dlen = fin->fin_dlen - sizeof(udphdr_t); 302 diff = 0; 303 304 /* Disallow packets outside legal range for supported requests. */ 305 if ((dlen < RPCB_REPMIN) || (dlen > RPCB_REPMAX)) 306 return(APR_ERR(1)); 307 308 /* Copy packet over to convenience buffer. */ 309 rm = &rpcmsg; 310 bzero((char *)rm, sizeof(*rm)); 311 COPYDATA(m, off, dlen, (caddr_t)&rm->rm_msgbuf); 312 rm->rm_buflen = dlen; 313 314 rx = NULL; /* XXX gcc */ 315 316 /* Send off to decode reply. */ 317 rv = ipf_p_rpcb_decoderep(fin, nat, rs, rm, &rx); 318 319 switch(rv) 320 { 321 case -1: /* Bad packet */ 322 if (rx != NULL) { 323 MUTEX_ENTER(&rs->rs_rxlock); 324 ipf_p_rpcb_deref(rs, rx); 325 MUTEX_EXIT(&rs->rs_rxlock); 326 } 327 return(APR_ERR(1)); 328 /*NOTREACHED*/ 329 break; 330 case 0: /* Negative reply / request rejected */ 331 break; 332 case 1: /* Positive reply */ 333 /* 334 * With the IP address embedded in a GETADDR(LIST) reply, 335 * we'll need to rewrite the packet in the very possible 336 * event that the internal & external addresses aren't the 337 * same. (i.e., this box is either a router or rpcbind 338 * only listens on loopback.) 339 */ 340 if (nat->nat_odstaddr != nat->nat_ndstaddr) { 341 if (rx->rx_type == RPCB_RES_STRING) 342 diff = ipf_p_rpcb_modv3(fin, nat, rm, m, off); 343 else if (rx->rx_type == RPCB_RES_LIST) 344 diff = ipf_p_rpcb_modv4(fin, nat, rm, m, off); 345 } 346 break; 347 default: 348 /*CONSTANTCONDITION*/ 349 IPF_PANIC(1, ("illegal rv %d (ipf_p_rpcb_decoderep)", rv)); 350 } 351 352 if (rx != NULL) { 353 MUTEX_ENTER(&rs->rs_rxlock); 354 /* XXX Gross hack - I'm overloading the reference 355 * counter to deal with both threads and retransmitted 356 * requests. One deref signals that this thread is 357 * finished with rx, and the other signals that we've 358 * processed its reply. 359 */ 360 ipf_p_rpcb_deref(rs, rx); 361 ipf_p_rpcb_deref(rs, rx); 362 MUTEX_EXIT(&rs->rs_rxlock); 363 } 364 365 return(diff); 366 } 367 368 /* 369 * Private support subroutines 370 */ 371 372 /* -------------------------------------------------------------------- */ 373 /* Function: ipf_p_rpcb_flush */ 374 /* Returns: void */ 375 /* Parameters: rs(I) - pointer to RPCB session structure */ 376 /* */ 377 /* Simply flushes the list of outstanding transactions, if any. */ 378 /* -------------------------------------------------------------------- */ 379 static void 380 ipf_p_rpcb_flush(rs) 381 rpcb_session_t *rs; 382 { 383 rpcb_xact_t *r1, *r2; 384 385 r1 = rs->rs_rxlist; 386 if (r1 == NULL) 387 return; 388 389 while (r1 != NULL) { 390 r2 = r1; 391 r1 = r1->rx_next; 392 KFREE(r2); 393 } 394 } 395 396 /* -------------------------------------------------------------------- */ 397 /* Function: ipf_p_rpcb_decodereq */ 398 /* Returns: int - -1 == bad request or critical failure, */ 399 /* 0 == request successfully decoded, */ 400 /* 1 == request successfully decoded; requires */ 401 /* address rewrite/modification */ 402 /* Parameters: fin(I) - pointer to packet information */ 403 /* nat(I) - pointer to NAT session structure */ 404 /* rs(I) - pointer to RPCB session structure */ 405 /* rm(I) - pointer to RPC message structure */ 406 /* */ 407 /* Take a presumed RPCB request, decode it, and store the results in */ 408 /* the transaction list. If the internal target address needs to be */ 409 /* modified, store its location in ptr. */ 410 /* WARNING: It's the responsibility of the caller to make sure there */ 411 /* is enough room in rs_buf for the basic RPC message "preamble". */ 412 /* -------------------------------------------------------------------- */ 413 static int 414 ipf_p_rpcb_decodereq(fin, nat, rs, rm) 415 fr_info_t *fin; 416 nat_t *nat; 417 rpcb_session_t *rs; 418 rpc_msg_t *rm; 419 { 420 rpcb_args_t *ra; 421 u_32_t xdr, *p; 422 rpc_call_t *rc; 423 rpcb_xact_t rx; 424 int mod; 425 426 p = (u_32_t *)rm->rm_msgbuf; 427 mod = 0; 428 429 bzero((char *)&rx, sizeof(rx)); 430 rc = &rm->rm_call; 431 432 rm->rm_xid = p; 433 rx.rx_xid = B(p++); /* Record this message's XID. */ 434 435 /* Parse out and test the RPC header. */ 436 if ((B(p++) != RPCB_CALL) || 437 (B(p++) != RPCB_MSG_VERSION) || 438 (B(p++) != RPCB_PROG)) 439 return(-1); 440 441 /* Record the RPCB version and procedure. */ 442 rc->rc_vers = p++; 443 rc->rc_proc = p++; 444 445 /* Bypass RPC authentication stuff. */ 446 if (ipf_p_rpcb_skipauth(rm, &rc->rc_authcred, &p) != 0) 447 return(-1); 448 if (ipf_p_rpcb_skipauth(rm, &rc->rc_authverf, &p) != 0) 449 return(-1); 450 451 /* Compare RPCB version and procedure numbers. */ 452 switch(B(rc->rc_vers)) 453 { 454 case 2: 455 /* This proxy only supports PMAP_GETPORT. */ 456 if (B(rc->rc_proc) != RPCB_GETPORT) 457 return(-1); 458 459 /* Portmap requests contain four 4 byte parameters. */ 460 if (RPCB_BUF_EQ(rm, p, 16) == 0) 461 return(-1); 462 463 p += 2; /* Skip requested program and version numbers. */ 464 465 /* Sanity check the requested protocol. */ 466 xdr = B(p); 467 if (!(xdr == IPPROTO_UDP || xdr == IPPROTO_TCP)) 468 return(-1); 469 470 rx.rx_type = RPCB_RES_PMAP; 471 rx.rx_proto = xdr; 472 break; 473 case 3: 474 case 4: 475 /* GETADDRLIST is exclusive to v4; GETADDR for v3 & v4 */ 476 switch(B(rc->rc_proc)) 477 { 478 case RPCB_GETADDR: 479 rx.rx_type = RPCB_RES_STRING; 480 rx.rx_proto = (u_int)fin->fin_p; 481 break; 482 case RPCB_GETADDRLIST: 483 if (B(rc->rc_vers) != 4) 484 return(-1); 485 rx.rx_type = RPCB_RES_LIST; 486 break; 487 default: 488 return(-1); 489 } 490 491 ra = &rc->rc_rpcbargs; 492 493 /* Decode the 'struct rpcb' request. */ 494 if (ipf_p_rpcb_xdrrpcb(rm, p, ra) != 0) 495 return(-1); 496 497 /* Are the target address & port valid? */ 498 if ((ra->ra_maddr.xu_ip != nat->nat_ndstaddr) || 499 (ra->ra_maddr.xu_port != nat->nat_ndport)) 500 return(-1); 501 502 /* Do we need to rewrite this packet? */ 503 if ((nat->nat_ndstaddr != nat->nat_odstaddr) || 504 (nat->nat_ndport != nat->nat_odport)) 505 mod = 1; 506 break; 507 default: 508 return(-1); 509 } 510 511 MUTEX_ENTER(&rs->rs_rxlock); 512 if (ipf_p_rpcb_insert(rs, &rx) != 0) { 513 MUTEX_EXIT(&rs->rs_rxlock); 514 return(-1); 515 } 516 MUTEX_EXIT(&rs->rs_rxlock); 517 518 return(mod); 519 } 520 521 /* -------------------------------------------------------------------- */ 522 /* Function: ipf_p_rpcb_skipauth */ 523 /* Returns: int -- -1 == illegal auth parameters (lengths) */ 524 /* 0 == valid parameters, pointer advanced */ 525 /* Parameters: rm(I) - pointer to RPC message structure */ 526 /* auth(I) - pointer to RPC auth structure */ 527 /* buf(IO) - pointer to location within convenience buffer */ 528 /* */ 529 /* Record auth data length & location of auth data, then advance past */ 530 /* it. */ 531 /* -------------------------------------------------------------------- */ 532 static int 533 ipf_p_rpcb_skipauth(rm, auth, buf) 534 rpc_msg_t *rm; 535 xdr_auth_t *auth; 536 u_32_t **buf; 537 { 538 u_32_t *p, xdr; 539 540 p = *buf; 541 542 /* Make sure we have enough space for expected fixed auth parms. */ 543 if (RPCB_BUF_GEQ(rm, p, 8) == 0) 544 return(-1); 545 546 p++; /* We don't care about auth_flavor. */ 547 548 auth->xa_string.xs_len = p; 549 xdr = B(p++); /* Length of auth_data */ 550 551 /* Test for absurdity / illegality of auth_data length. */ 552 if ((XDRALIGN(xdr) < xdr) || (RPCB_BUF_GEQ(rm, p, XDRALIGN(xdr)) == 0)) 553 return(-1); 554 555 auth->xa_string.xs_str = (char *)p; 556 557 p += XDRALIGN(xdr); /* Advance our location. */ 558 559 *buf = (u_32_t *)p; 560 561 return(0); 562 } 563 564 /* -------------------------------------------------------------------- */ 565 /* Function: ipf_p_rpcb_insert */ 566 /* Returns: int -- -1 == list insertion failed, */ 567 /* 0 == item successfully added */ 568 /* Parameters: rs(I) - pointer to RPCB session structure */ 569 /* rx(I) - pointer to RPCB transaction structure */ 570 /* -------------------------------------------------------------------- */ 571 static int 572 ipf_p_rpcb_insert(rs, rx) 573 rpcb_session_t *rs; 574 rpcb_xact_t *rx; 575 { 576 rpcb_xact_t *rxp; 577 578 rxp = ipf_p_rpcb_lookup(rs, rx->rx_xid); 579 if (rxp != NULL) { 580 ++rxp->rx_ref; 581 return(0); 582 } 583 584 if (rpcbcnt == RPCB_MAXREQS) 585 return(-1); 586 587 KMALLOC(rxp, rpcb_xact_t *); 588 if (rxp == NULL) 589 return(-1); 590 591 bcopy((char *)rx, (char *)rxp, sizeof(*rx)); 592 593 if (rs->rs_rxlist != NULL) 594 rs->rs_rxlist->rx_pnext = &rxp->rx_next; 595 596 rxp->rx_pnext = &rs->rs_rxlist; 597 rxp->rx_next = rs->rs_rxlist; 598 rs->rs_rxlist = rxp; 599 600 rxp->rx_ref = 1; 601 602 ++rpcbcnt; 603 604 return(0); 605 } 606 607 /* -------------------------------------------------------------------- */ 608 /* Function: ipf_p_rpcb_xdrrpcb */ 609 /* Returns: int -- -1 == failure to properly decode the request */ 610 /* 0 == rpcb successfully decoded */ 611 /* Parameters: rs(I) - pointer to RPCB session structure */ 612 /* p(I) - pointer to location within session buffer */ 613 /* rpcb(O) - pointer to rpcb (xdr type) structure */ 614 /* */ 615 /* Decode a XDR encoded rpcb structure and record its contents in rpcb */ 616 /* within only the context of TCP/UDP over IP networks. */ 617 /* -------------------------------------------------------------------- */ 618 static int 619 ipf_p_rpcb_xdrrpcb(rm, p, ra) 620 rpc_msg_t *rm; 621 u_32_t *p; 622 rpcb_args_t *ra; 623 { 624 if (!RPCB_BUF_GEQ(rm, p, 20)) 625 return(-1); 626 627 /* Bypass target program & version. */ 628 p += 2; 629 630 /* Decode r_netid. Must be "tcp" or "udp". */ 631 if (ipf_p_rpcb_getproto(rm, &ra->ra_netid, &p) != 0) 632 return(-1); 633 634 /* Decode r_maddr. */ 635 if (ipf_p_rpcb_getuaddr(rm, &ra->ra_maddr, &p) != 0) 636 return(-1); 637 638 /* Advance to r_owner and make sure it's empty. */ 639 if (!RPCB_BUF_EQ(rm, p, 4) || (B(p) != 0)) 640 return(-1); 641 642 return(0); 643 } 644 645 /* -------------------------------------------------------------------- */ 646 /* Function: ipf_p_rpcb_getuaddr */ 647 /* Returns: int -- -1 == illegal string, */ 648 /* 0 == string parsed; contents recorded */ 649 /* Parameters: rm(I) - pointer to RPC message structure */ 650 /* xu(I) - pointer to universal address structure */ 651 /* p(IO) - pointer to location within message buffer */ 652 /* */ 653 /* Decode the IP address / port at p and record them in xu. */ 654 /* -------------------------------------------------------------------- */ 655 static int 656 ipf_p_rpcb_getuaddr(rm, xu, p) 657 rpc_msg_t *rm; 658 xdr_uaddr_t *xu; 659 u_32_t **p; 660 { 661 char *c, *i, *b, *pp; 662 u_int d, dd, l, t; 663 char uastr[24]; 664 665 /* Test for string length. */ 666 if (!RPCB_BUF_GEQ(rm, *p, 4)) 667 return(-1); 668 669 xu->xu_xslen = (*p)++; 670 xu->xu_xsstr = (char *)*p; 671 672 /* Length check */ 673 l = B(xu->xu_xslen); 674 if (l < 11 || l > 23 || !RPCB_BUF_GEQ(rm, *p, XDRALIGN(l))) 675 return(-1); 676 677 /* Advance p */ 678 *(char **)p += XDRALIGN(l); 679 680 /* Copy string to local buffer & terminate C style */ 681 bcopy(xu->xu_xsstr, uastr, l); 682 uastr[l] = '\0'; 683 684 i = (char *)&xu->xu_ip; 685 pp = (char *)&xu->xu_port; 686 687 /* 688 * Expected format: a.b.c.d.e.f where [a-d] correspond to bytes of 689 * an IP address and [ef] are the bytes of a L4 port. 690 */ 691 if (!(ISDIGIT(uastr[0]) && ISDIGIT(uastr[l-1]))) 692 return(-1); 693 b = uastr; 694 for (c = &uastr[1], d = 0, dd = 0; c < &uastr[l-1]; c++) { 695 if (ISDIGIT(*c)) { 696 dd = 0; 697 continue; 698 } 699 if (*c == '.') { 700 if (dd != 0) 701 return(-1); 702 703 /* Check for ASCII byte. */ 704 *c = '\0'; 705 t = ipf_p_rpcb_atoi(b); 706 if (t > 255) 707 return(-1); 708 709 /* Aim b at beginning of the next byte. */ 710 b = c + 1; 711 712 /* Switch off IP addr vs port parsing. */ 713 if (d < 4) 714 i[d++] = t & 0xff; 715 else 716 pp[d++ - 4] = t & 0xff; 717 718 dd = 1; 719 continue; 720 } 721 return(-1); 722 } 723 if (d != 5) /* String must contain exactly 5 periods. */ 724 return(-1); 725 726 /* Handle the last byte (port low byte) */ 727 t = ipf_p_rpcb_atoi(b); 728 if (t > 255) 729 return(-1); 730 pp[d - 4] = t & 0xff; 731 732 return(0); 733 } 734 735 /* -------------------------------------------------------------------- */ 736 /* Function: ipf_p_rpcb_atoi (XXX should be generic for all proxies) */ 737 /* Returns: int -- integer representation of supplied string */ 738 /* Parameters: ptr(I) - input string */ 739 /* */ 740 /* Simple version of atoi(3) ripped from ip_rcmd_pxy.c. */ 741 /* -------------------------------------------------------------------- */ 742 static u_int 743 ipf_p_rpcb_atoi(ptr) 744 char *ptr; 745 { 746 register char *s = ptr, c; 747 register u_int i = 0; 748 749 while (((c = *s++) != '\0') && ISDIGIT(c)) { 750 i *= 10; 751 i += c - '0'; 752 } 753 return i; 754 } 755 756 /* -------------------------------------------------------------------- */ 757 /* Function: ipf_p_rpcb_modreq */ 758 /* Returns: int -- change in datagram length */ 759 /* APR_ERR(2) - critical failure */ 760 /* Parameters: fin(I) - pointer to packet information */ 761 /* nat(I) - pointer to NAT session */ 762 /* rm(I) - pointer to RPC message structure */ 763 /* m(I) - pointer to mbuf chain */ 764 /* off(I) - current offset within mbuf chain */ 765 /* */ 766 /* When external and internal addresses differ, we rewrite the former */ 767 /* with the latter. (This is exclusive to protocol versions 3 & 4). */ 768 /* -------------------------------------------------------------------- */ 769 static int 770 ipf_p_rpcb_modreq(fin, nat, rm, m, off) 771 fr_info_t *fin; 772 nat_t *nat; 773 rpc_msg_t *rm; 774 mb_t *m; 775 u_int off; 776 { 777 u_int len, xlen, pos, bogo; 778 rpcb_args_t *ra; 779 char uaddr[24]; 780 udphdr_t *udp; 781 char *i, *p; 782 int diff; 783 784 ra = &rm->rm_call.rc_rpcbargs; 785 i = (char *)&nat->nat_odstaddr; 786 p = (char *)&nat->nat_odport; 787 788 /* Form new string. */ 789 bzero(uaddr, sizeof(uaddr)); /* Just in case we need padding. */ 790 #if defined(SNPRINTF) && defined(_KERNEL) 791 SNPRINTF(uaddr, sizeof(uaddr), 792 #else 793 (void) sprintf(uaddr, 794 #endif 795 "%u.%u.%u.%u.%u.%u", i[0] & 0xff, i[1] & 0xff, 796 i[2] & 0xff, i[3] & 0xff, p[0] & 0xff, p[1] & 0xff); 797 len = strlen(uaddr); 798 xlen = XDRALIGN(len); 799 800 /* Determine mbuf offset to start writing to. */ 801 pos = (char *)ra->ra_maddr.xu_xslen - rm->rm_msgbuf; 802 off += pos; 803 804 /* Write new string length. */ 805 bogo = htonl(len); 806 COPYBACK(m, off, 4, (caddr_t)&bogo); 807 off += 4; 808 809 /* Write new string. */ 810 COPYBACK(m, off, xlen, uaddr); 811 off += xlen; 812 813 /* Write in zero r_owner. */ 814 bogo = 0; 815 COPYBACK(m, off, 4, (caddr_t)&bogo); 816 817 /* Determine difference in data lengths. */ 818 diff = xlen - XDRALIGN(B(ra->ra_maddr.xu_xslen)); 819 820 /* 821 * If our new string has a different length, make necessary 822 * adjustments. 823 */ 824 if (diff != 0) { 825 udp = fin->fin_dp; 826 udp->uh_ulen = htons(ntohs(udp->uh_ulen) + diff); 827 fin->fin_plen += diff; 828 fin->fin_ip->ip_len = htons(fin->fin_plen); 829 fin->fin_dlen += diff; 830 /* XXX Storage lengths. */ 831 } 832 833 return(diff); 834 } 835 836 /* -------------------------------------------------------------------- */ 837 /* Function: ipf_p_rpcb_decoderep */ 838 /* Returns: int - -1 == bad request or critical failure, */ 839 /* 0 == valid, negative reply */ 840 /* 1 == vaddlid, positive reply; needs no changes */ 841 /* Parameters: fin(I) - pointer to packet information */ 842 /* nat(I) - pointer to NAT session structure */ 843 /* rs(I) - pointer to RPCB session structure */ 844 /* rm(I) - pointer to RPC message structure */ 845 /* rxp(O) - pointer to RPCB transaction structure */ 846 /* */ 847 /* Take a presumed RPCB reply, extract the XID, search for the original */ 848 /* request information, and determine whether the request was accepted */ 849 /* or rejected. With a valid accepted reply, go ahead and create NAT */ 850 /* and state entries, and finish up by rewriting the packet as */ 851 /* required. */ 852 /* */ 853 /* WARNING: It's the responsibility of the caller to make sure there */ 854 /* is enough room in rs_buf for the basic RPC message "preamble". */ 855 /* -------------------------------------------------------------------- */ 856 static int 857 ipf_p_rpcb_decoderep(fin, nat, rs, rm, rxp) 858 fr_info_t *fin; 859 nat_t *nat; 860 rpcb_session_t *rs; 861 rpc_msg_t *rm; 862 rpcb_xact_t **rxp; 863 { 864 rpcb_listp_t *rl; 865 rpcb_entry_t *re; 866 rpcb_xact_t *rx; 867 u_32_t xdr, *p; 868 rpc_resp_t *rr; 869 int rv, cnt; 870 871 p = (u_32_t *)rm->rm_msgbuf; 872 873 bzero((char *)&rx, sizeof(rx)); 874 rr = &rm->rm_resp; 875 876 rm->rm_xid = p; 877 xdr = B(p++); /* Record this message's XID. */ 878 879 /* Lookup XID */ 880 MUTEX_ENTER(&rs->rs_rxlock); 881 if ((rx = ipf_p_rpcb_lookup(rs, xdr)) == NULL) { 882 MUTEX_EXIT(&rs->rs_rxlock); 883 return(-1); 884 } 885 ++rx->rx_ref; /* per thread reference */ 886 MUTEX_EXIT(&rs->rs_rxlock); 887 888 *rxp = rx; 889 890 /* Test call vs reply */ 891 if (B(p++) != RPCB_REPLY) 892 return(-1); 893 894 /* Test reply_stat */ 895 switch(B(p++)) 896 { 897 case RPCB_MSG_DENIED: 898 return(0); 899 case RPCB_MSG_ACCEPTED: 900 break; 901 default: 902 return(-1); 903 } 904 905 /* Bypass RPC authentication stuff. */ 906 if (ipf_p_rpcb_skipauth(rm, &rr->rr_authverf, &p) != 0) 907 return(-1); 908 909 /* Test accept status */ 910 if (!RPCB_BUF_GEQ(rm, p, 4)) 911 return(-1); 912 if (B(p++) != 0) 913 return(0); 914 915 /* Parse out the expected reply */ 916 switch(rx->rx_type) 917 { 918 case RPCB_RES_PMAP: 919 /* There must be only one 4 byte argument. */ 920 if (!RPCB_BUF_EQ(rm, p, 4)) 921 return(-1); 922 923 rr->rr_v2 = p; 924 xdr = B(rr->rr_v2); 925 926 /* Reply w/ a 0 port indicates service isn't registered */ 927 if (xdr == 0) 928 return(0); 929 930 /* Is the value sane? */ 931 if (xdr > 65535) 932 return(-1); 933 934 /* Create NAT & state table entries. */ 935 if (ipf_p_rpcb_getnat(fin, nat, rx->rx_proto, (u_int)xdr) != 0) 936 return(-1); 937 break; 938 case RPCB_RES_STRING: 939 /* Expecting a XDR string; need 4 bytes for length */ 940 if (!RPCB_BUF_GEQ(rm, p, 4)) 941 return(-1); 942 943 rr->rr_v3.xu_str.xs_len = p++; 944 rr->rr_v3.xu_str.xs_str = (char *)p; 945 946 xdr = B(rr->rr_v3.xu_xslen); 947 948 /* A null string indicates an unregistered service */ 949 if ((xdr == 0) && RPCB_BUF_EQ(rm, p, 0)) 950 return(0); 951 952 /* Decode the target IP address / port. */ 953 if (ipf_p_rpcb_getuaddr(rm, &rr->rr_v3, &p) != 0) 954 return(-1); 955 956 /* Validate the IP address and port contained. */ 957 if (nat->nat_odstaddr != rr->rr_v3.xu_ip) 958 return(-1); 959 960 /* Create NAT & state table entries. */ 961 if (ipf_p_rpcb_getnat(fin, nat, rx->rx_proto, 962 (u_int)rr->rr_v3.xu_port) != 0) 963 return(-1); 964 break; 965 case RPCB_RES_LIST: 966 if (!RPCB_BUF_GEQ(rm, p, 4)) 967 return(-1); 968 /* rpcb_entry_list_ptr */ 969 switch(B(p)) 970 { 971 case 0: 972 return(0); 973 /*NOTREACHED*/ 974 break; 975 case 1: 976 break; 977 default: 978 return(-1); 979 } 980 rl = &rr->rr_v4; 981 rl->rl_list = p++; 982 cnt = 0; 983 984 for(;;) { 985 re = &rl->rl_entries[rl->rl_cnt]; 986 if (ipf_p_rpcb_getuaddr(rm, &re->re_maddr, &p) != 0) 987 return(-1); 988 if (ipf_p_rpcb_getproto(rm, &re->re_netid, &p) != 0) 989 return(-1); 990 /* re_semantics & re_pfamily length */ 991 if (!RPCB_BUF_GEQ(rm, p, 12)) 992 return(-1); 993 p++; /* Skipping re_semantics. */ 994 xdr = B(p++); 995 if ((xdr != 4) || strncmp((char *)p, "inet", 4)) 996 return(-1); 997 p++; 998 if (ipf_p_rpcb_getproto(rm, &re->re_proto, &p) != 0) 999 return(-1); 1000 if (!RPCB_BUF_GEQ(rm, p, 4)) 1001 return(-1); 1002 re->re_more = p; 1003 if (B(re->re_more) > 1) /* 0,1 only legal values */ 1004 return(-1); 1005 ++rl->rl_cnt; 1006 ++cnt; 1007 if (B(re->re_more) == 0) 1008 break; 1009 /* Replies in max out at 2; TCP and/or UDP */ 1010 if (cnt > 2) 1011 return(-1); 1012 p++; 1013 } 1014 1015 for(rl->rl_cnt = 0; rl->rl_cnt < cnt; rl->rl_cnt++) { 1016 re = &rl->rl_entries[rl->rl_cnt]; 1017 rv = ipf_p_rpcb_getnat(fin, nat, 1018 re->re_proto.xp_proto, 1019 (u_int)re->re_maddr.xu_port); 1020 if (rv != 0) 1021 return(-1); 1022 } 1023 break; 1024 default: 1025 /*CONSTANTCONDITION*/ 1026 IPF_PANIC(1, ("illegal rx_type %d", rx->rx_type)); 1027 } 1028 1029 return(1); 1030 } 1031 1032 /* -------------------------------------------------------------------- */ 1033 /* Function: ipf_p_rpcb_lookup */ 1034 /* Returns: rpcb_xact_t * - NULL == no matching record, */ 1035 /* else pointer to relevant entry */ 1036 /* Parameters: rs(I) - pointer to RPCB session */ 1037 /* xid(I) - XID to look for */ 1038 /* -------------------------------------------------------------------- */ 1039 static rpcb_xact_t * 1040 ipf_p_rpcb_lookup(rs, xid) 1041 rpcb_session_t *rs; 1042 u_32_t xid; 1043 { 1044 rpcb_xact_t *rx; 1045 1046 if (rs->rs_rxlist == NULL) 1047 return(NULL); 1048 1049 for (rx = rs->rs_rxlist; rx != NULL; rx = rx->rx_next) 1050 if (rx->rx_xid == xid) 1051 break; 1052 1053 return(rx); 1054 } 1055 1056 /* -------------------------------------------------------------------- */ 1057 /* Function: ipf_p_rpcb_deref */ 1058 /* Returns: (void) */ 1059 /* Parameters: rs(I) - pointer to RPCB session */ 1060 /* rx(I) - pointer to RPC transaction struct to remove */ 1061 /* force(I) - indicates to delete entry regardless of */ 1062 /* reference count */ 1063 /* Locking: rs->rs_rxlock must be held write only */ 1064 /* */ 1065 /* Free the RPCB transaction record rx from the chain of entries. */ 1066 /* -------------------------------------------------------------------- */ 1067 static void 1068 ipf_p_rpcb_deref(rs, rx) 1069 rpcb_session_t *rs; 1070 rpcb_xact_t *rx; 1071 { 1072 rs = rs; /* LINT */ 1073 1074 if (rx == NULL) 1075 return; 1076 1077 if (--rx->rx_ref != 0) 1078 return; 1079 1080 if (rx->rx_next != NULL) 1081 rx->rx_next->rx_pnext = rx->rx_pnext; 1082 1083 *rx->rx_pnext = rx->rx_next; 1084 1085 KFREE(rx); 1086 1087 --rpcbcnt; 1088 } 1089 1090 /* -------------------------------------------------------------------- */ 1091 /* Function: ipf_p_rpcb_getproto */ 1092 /* Returns: int - -1 == illegal protocol/netid, */ 1093 /* 0 == legal protocol/netid */ 1094 /* Parameters: rm(I) - pointer to RPC message structure */ 1095 /* xp(I) - pointer to netid structure */ 1096 /* p(IO) - pointer to location within packet buffer */ 1097 /* */ 1098 /* Decode netid/proto stored at p and record its numeric value. */ 1099 /* -------------------------------------------------------------------- */ 1100 static int 1101 ipf_p_rpcb_getproto(rm, xp, p) 1102 rpc_msg_t *rm; 1103 xdr_proto_t *xp; 1104 u_32_t **p; 1105 { 1106 u_int len; 1107 1108 /* Must have 4 bytes for length & 4 bytes for "tcp" or "udp". */ 1109 if (!RPCB_BUF_GEQ(rm, p, 8)) 1110 return(-1); 1111 1112 xp->xp_xslen = (*p)++; 1113 xp->xp_xsstr = (char *)*p; 1114 1115 /* Test the string length. */ 1116 len = B(xp->xp_xslen); 1117 if (len != 3) 1118 return(-1); 1119 1120 /* Test the actual string & record the protocol accordingly. */ 1121 if (!strncmp((char *)xp->xp_xsstr, "tcp\0", 4)) 1122 xp->xp_proto = IPPROTO_TCP; 1123 else if (!strncmp((char *)xp->xp_xsstr, "udp\0", 4)) 1124 xp->xp_proto = IPPROTO_UDP; 1125 else { 1126 return(-1); 1127 } 1128 1129 /* Advance past the string. */ 1130 (*p)++; 1131 1132 return(0); 1133 } 1134 1135 /* -------------------------------------------------------------------- */ 1136 /* Function: ipf_p_rpcb_getnat */ 1137 /* Returns: int -- -1 == failed to create table entries, */ 1138 /* 0 == success */ 1139 /* Parameters: fin(I) - pointer to packet information */ 1140 /* nat(I) - pointer to NAT table entry */ 1141 /* proto(I) - transport protocol for new entries */ 1142 /* port(I) - new port to use w/ wildcard table entries */ 1143 /* */ 1144 /* Create state and NAT entries to handle an anticipated connection */ 1145 /* attempt between RPC client and server. */ 1146 /* -------------------------------------------------------------------- */ 1147 static int 1148 ipf_p_rpcb_getnat(fin, nat, proto, port) 1149 fr_info_t *fin; 1150 nat_t *nat; 1151 u_int proto; 1152 u_int port; 1153 { 1154 ipf_main_softc_t *softc = fin->fin_main_soft; 1155 ipnat_t *ipn, ipnat; 1156 tcphdr_t tcp; 1157 ipstate_t *is; 1158 fr_info_t fi; 1159 nat_t *natl; 1160 int nflags; 1161 1162 ipn = nat->nat_ptr; 1163 1164 /* Generate dummy fr_info */ 1165 bcopy((char *)fin, (char *)&fi, sizeof(fi)); 1166 fi.fin_out = 0; 1167 fi.fin_p = proto; 1168 fi.fin_sport = 0; 1169 fi.fin_dport = port & 0xffff; 1170 fi.fin_flx |= FI_IGNORE; 1171 fi.fin_saddr = nat->nat_osrcaddr; 1172 fi.fin_daddr = nat->nat_odstaddr; 1173 1174 bzero((char *)&tcp, sizeof(tcp)); 1175 tcp.th_dport = htons(port); 1176 1177 if (proto == IPPROTO_TCP) { 1178 tcp.th_win = htons(8192); 1179 TCP_OFF_A(&tcp, sizeof(tcphdr_t) >> 2); 1180 fi.fin_dlen = sizeof(tcphdr_t); 1181 tcp.th_flags = TH_SYN; 1182 nflags = NAT_TCP; 1183 } else { 1184 fi.fin_dlen = sizeof(udphdr_t); 1185 nflags = NAT_UDP; 1186 } 1187 1188 nflags |= SI_W_SPORT|NAT_SEARCH; 1189 fi.fin_dp = &tcp; 1190 fi.fin_plen = fi.fin_hlen + fi.fin_dlen; 1191 1192 /* 1193 * Search for existing NAT & state entries. Pay close attention to 1194 * mutexes / locks grabbed from lookup routines, as not doing so could 1195 * lead to bad things. 1196 * 1197 * If successful, fr_stlookup returns with ipf_state locked. We have 1198 * no use for this lock, so simply unlock it if necessary. 1199 */ 1200 is = ipf_state_lookup(&fi, &tcp, NULL); 1201 if (is != NULL) { 1202 RWLOCK_EXIT(&softc->ipf_state); 1203 } 1204 1205 RWLOCK_EXIT(&softc->ipf_nat); 1206 1207 WRITE_ENTER(&softc->ipf_nat); 1208 natl = ipf_nat_inlookup(&fi, nflags, proto, fi.fin_src, fi.fin_dst); 1209 1210 if ((natl != NULL) && (is != NULL)) { 1211 MUTEX_DOWNGRADE(&softc->ipf_nat); 1212 return(0); 1213 } 1214 1215 /* Slightly modify the following structures for actual use in creating 1216 * NAT and/or state entries. We're primarily concerned with stripping 1217 * flags that may be detrimental to the creation process or simply 1218 * shouldn't be associated with a table entry. 1219 */ 1220 fi.fin_fr = &rpcbfr; 1221 fi.fin_flx &= ~FI_IGNORE; 1222 nflags &= ~NAT_SEARCH; 1223 1224 if (natl == NULL) { 1225 #ifdef USE_MUTEXES 1226 ipf_nat_softc_t *softn = softc->ipf_nat_soft; 1227 #endif 1228 1229 /* XXX Since we're just copying the original ipn contents 1230 * back, would we be better off just sending a pointer to 1231 * the 'temp' copy off to nat_new instead? 1232 */ 1233 /* Generate template/bogus NAT rule. */ 1234 bcopy((char *)ipn, (char *)&ipnat, sizeof(ipnat)); 1235 ipn->in_flags = nflags & IPN_TCPUDP; 1236 ipn->in_apr = NULL; 1237 ipn->in_pr[0] = proto; 1238 ipn->in_pr[1] = proto; 1239 ipn->in_dpmin = fi.fin_dport; 1240 ipn->in_dpmax = fi.fin_dport; 1241 ipn->in_dpnext = fi.fin_dport; 1242 ipn->in_space = 1; 1243 ipn->in_ippip = 1; 1244 if (ipn->in_flags & IPN_FILTER) { 1245 ipn->in_scmp = 0; 1246 ipn->in_dcmp = 0; 1247 } 1248 ipn->in_plabel = -1; 1249 1250 /* Create NAT entry. return NULL if this fails. */ 1251 MUTEX_ENTER(&softn->ipf_nat_new); 1252 natl = ipf_nat_add(&fi, ipn, NULL, nflags|SI_CLONE|NAT_SLAVE, 1253 NAT_INBOUND); 1254 MUTEX_EXIT(&softn->ipf_nat_new); 1255 1256 bcopy((char *)&ipnat, (char *)ipn, sizeof(ipnat)); 1257 1258 if (natl == NULL) { 1259 MUTEX_DOWNGRADE(&softc->ipf_nat); 1260 return(-1); 1261 } 1262 1263 fi.fin_saddr = natl->nat_nsrcaddr; 1264 fi.fin_daddr = natl->nat_ndstaddr; 1265 ipn->in_use++; 1266 (void) ipf_nat_proto(&fi, natl, nflags); 1267 MUTEX_ENTER(&natl->nat_lock); 1268 ipf_nat_update(&fi, natl); 1269 MUTEX_EXIT(&natl->nat_lock); 1270 } 1271 MUTEX_DOWNGRADE(&softc->ipf_nat); 1272 1273 if (is == NULL) { 1274 /* Create state entry. Return NULL if this fails. */ 1275 fi.fin_flx |= FI_NATED; 1276 fi.fin_flx &= ~FI_STATE; 1277 nflags &= NAT_TCPUDP; 1278 nflags |= SI_W_SPORT|SI_CLONE; 1279 1280 if (ipf_state_add(softc, &fi, NULL, nflags) != 0) { 1281 /* 1282 * XXX nat_delete is private to ip_nat.c. Should 1283 * check w/ Darren about this one. 1284 * 1285 * nat_delete(natl, NL_EXPIRE); 1286 */ 1287 return(-1); 1288 } 1289 } 1290 1291 return(0); 1292 } 1293 1294 /* -------------------------------------------------------------------- */ 1295 /* Function: ipf_p_rpcb_modv3 */ 1296 /* Returns: int -- change in packet length */ 1297 /* Parameters: fin(I) - pointer to packet information */ 1298 /* nat(I) - pointer to NAT session */ 1299 /* rm(I) - pointer to RPC message structure */ 1300 /* m(I) - pointer to mbuf chain */ 1301 /* off(I) - offset within mbuf chain */ 1302 /* */ 1303 /* Write a new universal address string to this packet, adjusting */ 1304 /* lengths as necessary. */ 1305 /* -------------------------------------------------------------------- */ 1306 static int 1307 ipf_p_rpcb_modv3(fin, nat, rm, m, off) 1308 fr_info_t *fin; 1309 nat_t *nat; 1310 rpc_msg_t *rm; 1311 mb_t *m; 1312 u_int off; 1313 { 1314 u_int len, xlen, pos, bogo; 1315 rpc_resp_t *rr; 1316 char uaddr[24]; 1317 char *i, *p; 1318 int diff; 1319 1320 rr = &rm->rm_resp; 1321 i = (char *)&nat->nat_ndstaddr; 1322 p = (char *)&rr->rr_v3.xu_port; 1323 1324 /* Form new string. */ 1325 bzero(uaddr, sizeof(uaddr)); /* Just in case we need padding. */ 1326 #if defined(SNPRINTF) && defined(_KERNEL) 1327 SNPRINTF(uaddr, sizeof(uaddr), 1328 #else 1329 (void) sprintf(uaddr, 1330 #endif 1331 "%u.%u.%u.%u.%u.%u", i[0] & 0xff, i[1] & 0xff, 1332 i[2] & 0xff, i[3] & 0xff, p[0] & 0xff, p[1] & 0xff); 1333 len = strlen(uaddr); 1334 xlen = XDRALIGN(len); 1335 1336 /* Determine mbuf offset to write to. */ 1337 pos = (char *)rr->rr_v3.xu_xslen - rm->rm_msgbuf; 1338 off += pos; 1339 1340 /* Write new string length. */ 1341 bogo = htonl(len); 1342 COPYBACK(m, off, 4, (caddr_t)&bogo); 1343 off += 4; 1344 1345 /* Write new string. */ 1346 COPYBACK(m, off, xlen, uaddr); 1347 1348 /* Determine difference in data lengths. */ 1349 diff = xlen - XDRALIGN(B(rr->rr_v3.xu_xslen)); 1350 1351 /* 1352 * If our new string has a different length, make necessary 1353 * adjustments. 1354 */ 1355 if (diff != 0) 1356 ipf_p_rpcb_fixlen(fin, diff); 1357 1358 return(diff); 1359 } 1360 1361 /* -------------------------------------------------------------------- */ 1362 /* Function: ipf_p_rpcb_modv4 */ 1363 /* Returns: int -- change in packet length */ 1364 /* Parameters: fin(I) - pointer to packet information */ 1365 /* nat(I) - pointer to NAT session */ 1366 /* rm(I) - pointer to RPC message structure */ 1367 /* m(I) - pointer to mbuf chain */ 1368 /* off(I) - offset within mbuf chain */ 1369 /* */ 1370 /* Write new rpcb_entry list, adjusting lengths as necessary. */ 1371 /* -------------------------------------------------------------------- */ 1372 static int 1373 ipf_p_rpcb_modv4(fin, nat, rm, m, off) 1374 fr_info_t *fin; 1375 nat_t *nat; 1376 rpc_msg_t *rm; 1377 mb_t *m; 1378 u_int off; 1379 { 1380 u_int len, xlen, pos, bogo; 1381 rpcb_listp_t *rl; 1382 rpcb_entry_t *re; 1383 rpc_resp_t *rr; 1384 char uaddr[24]; 1385 int diff, cnt; 1386 char *i, *p; 1387 1388 diff = 0; 1389 rr = &rm->rm_resp; 1390 rl = &rr->rr_v4; 1391 1392 i = (char *)&nat->nat_ndstaddr; 1393 1394 /* Determine mbuf offset to write to. */ 1395 re = &rl->rl_entries[0]; 1396 pos = (char *)re->re_maddr.xu_xslen - rm->rm_msgbuf; 1397 off += pos; 1398 1399 for (cnt = 0; cnt < rl->rl_cnt; cnt++) { 1400 re = &rl->rl_entries[cnt]; 1401 p = (char *)&re->re_maddr.xu_port; 1402 1403 /* Form new string. */ 1404 bzero(uaddr, sizeof(uaddr)); /* Just in case we need 1405 padding. */ 1406 #if defined(SNPRINTF) && defined(_KERNEL) 1407 SNPRINTF(uaddr, sizeof(uaddr), 1408 #else 1409 (void) sprintf(uaddr, 1410 #endif 1411 "%u.%u.%u.%u.%u.%u", i[0] & 0xff, 1412 i[1] & 0xff, i[2] & 0xff, i[3] & 0xff, 1413 p[0] & 0xff, p[1] & 0xff); 1414 len = strlen(uaddr); 1415 xlen = XDRALIGN(len); 1416 1417 /* Write new string length. */ 1418 bogo = htonl(len); 1419 COPYBACK(m, off, 4, (caddr_t)&bogo); 1420 off += 4; 1421 1422 /* Write new string. */ 1423 COPYBACK(m, off, xlen, uaddr); 1424 off += xlen; 1425 1426 /* Record any change in length. */ 1427 diff += xlen - XDRALIGN(B(re->re_maddr.xu_xslen)); 1428 1429 /* If the length changed, copy back the rest of this entry. */ 1430 len = ((char *)re->re_more + 4) - 1431 (char *)re->re_netid.xp_xslen; 1432 if (diff != 0) { 1433 COPYBACK(m, off, len, (caddr_t)re->re_netid.xp_xslen); 1434 } 1435 off += len; 1436 } 1437 1438 /* 1439 * If our new string has a different length, make necessary 1440 * adjustments. 1441 */ 1442 if (diff != 0) 1443 ipf_p_rpcb_fixlen(fin, diff); 1444 1445 return(diff); 1446 } 1447 1448 1449 /* -------------------------------------------------------------------- */ 1450 /* Function: ipf_p_rpcb_fixlen */ 1451 /* Returns: (void) */ 1452 /* Parameters: fin(I) - pointer to packet information */ 1453 /* len(I) - change in packet length */ 1454 /* */ 1455 /* Adjust various packet related lengths held in structure and packet */ 1456 /* header fields. */ 1457 /* -------------------------------------------------------------------- */ 1458 static void 1459 ipf_p_rpcb_fixlen(fin, len) 1460 fr_info_t *fin; 1461 int len; 1462 { 1463 udphdr_t *udp; 1464 1465 udp = fin->fin_dp; 1466 udp->uh_ulen = htons(ntohs(udp->uh_ulen) + len); 1467 fin->fin_plen += len; 1468 fin->fin_ip->ip_len = htons(fin->fin_plen); 1469 fin->fin_dlen += len; 1470 } 1471 1472 #undef B 1473
Indexes created Thu Sep 25 16:09:42 GMT 2025