1 /*
2 * Copyright (C) 2002-2012 by Ryan Beasley <ryanb@goddamnbastard.org>
3 *
4 * See the IPFILTER.LICENCE file for details on licencing.
5 */
6 /*
7 * Overview:
8 * This is an in-kernel application proxy for Sun's RPCBIND (nee portmap)
9 * protocol as defined in RFC1833. It is far from complete, mostly
10 * lacking in less-likely corner cases, but it's definitely functional.
11 *
12 * Invocation:
13 * rdr <int> <e_ip>/32 port <e_p> -> <i_ip> port <i_p> udp proxy rpcbu
14 *
15 * If the host running IP Filter is the same as the RPC server, it's
16 * perfectly legal for both the internal and external addresses and ports
17 * to match.
18 *
19 * When triggered by appropriate IP NAT rules, this proxy works by
20 * examining data contained in received packets. Requests and replies are
21 * modified, NAT and state table entries created, etc., as necessary.
22 */
23 /*
24 * TODO / NOTES
25 *
26 * o Must implement locking to protect proxy session data.
27 * o Fragmentation isn't supported.
28 * o Only supports UDP.
29 * o Doesn't support multiple RPC records in a single request.
30 * o Errors should be more fine-grained. (e.g., malloc failure vs.
31 * illegal RPCB request / reply)
32 * o Even with the limit on the total amount of recorded transactions,
33 * should there be a timeout on transaction removal?
34 * o There is a potential collision between cloning, wildcard NAT and
35 * state entries. There should be an appr_getport routine for
36 * to avoid this.
37 * o The enclosed hack of STREAMS support is pretty sick and most likely
38 * broken.
39 *
40 * $Id$
41 */
42 #define IPF_RPCB_PROXY
43
44 /*
45 * Function prototypes
46 */
47 void ipf_p_rpcb_main_load(void);
48 void ipf_p_rpcb_main_unload(void);
49 int ipf_p_rpcb_new(void *, fr_info_t *, ap_session_t *, nat_t *);
50 void ipf_p_rpcb_del(ipf_main_softc_t *, ap_session_t *);
51 int ipf_p_rpcb_in(void *, fr_info_t *, ap_session_t *, nat_t *);
52 int ipf_p_rpcb_out(void *, fr_info_t *, ap_session_t *, nat_t *);
53
54 static void ipf_p_rpcb_flush(rpcb_session_t *);
55 static int ipf_p_rpcb_decodereq(fr_info_t *, nat_t *,
56 rpcb_session_t *, rpc_msg_t *);
57 static int ipf_p_rpcb_skipauth(rpc_msg_t *, xdr_auth_t *, u_32_t **);
58 static int ipf_p_rpcb_insert(rpcb_session_t *, rpcb_xact_t *);
59 static int ipf_p_rpcb_xdrrpcb(rpc_msg_t *, u_32_t *, rpcb_args_t *);
60 static int ipf_p_rpcb_getuaddr(rpc_msg_t *, xdr_uaddr_t *,
61 u_32_t **);
62 static u_int ipf_p_rpcb_atoi(char *);
63 static int ipf_p_rpcb_modreq(fr_info_t *, nat_t *, rpc_msg_t *,
64 mb_t *, u_int);
65 static int ipf_p_rpcb_decoderep(fr_info_t *, nat_t *,
66 rpcb_session_t *, rpc_msg_t *, rpcb_xact_t **);
67 static rpcb_xact_t * ipf_p_rpcb_lookup(rpcb_session_t *, u_32_t);
68 static void ipf_p_rpcb_deref(rpcb_session_t *, rpcb_xact_t *);
69 static int ipf_p_rpcb_getproto(rpc_msg_t *, xdr_proto_t *,
70 u_32_t **);
71 static int ipf_p_rpcb_getnat(fr_info_t *, nat_t *, u_int, u_int);
72 static int ipf_p_rpcb_modv3(fr_info_t *, nat_t *, rpc_msg_t *,
73 mb_t *, u_int);
74 static int ipf_p_rpcb_modv4(fr_info_t *, nat_t *, rpc_msg_t *,
75 mb_t *, u_int);
76 static void ipf_p_rpcb_fixlen(fr_info_t *, int);
77
78 /*
79 * Global variables
80 */
81 static frentry_t rpcbfr; /* Skeleton rule for reference by entities
82 this proxy creates. */
83 VNET_DEFINE_STATIC(int, rpcbcnt);
84 #define V_rpcbcnt VNET(rpcbcnt)
85 /* Upper bound of allocated RPCB sessions. */
86 /* XXX rpcbcnt still requires locking. */
87
88 static int rpcb_proxy_init = 0;
89
90
91 /*
92 * Since rpc_msg contains only pointers, one should use this macro as a
93 * handy way to get to the goods. (In case you're wondering about the name,
94 * this started as BYTEREF -> BREF -> B.)
95 */
96 #define B(r) (u_32_t)ntohl(*(r))
97
98 /*
99 * Public subroutines
100 */
101
102 /* -------------------------------------------------------------------- */
103 /* Function: ipf_p_rpcb_main_load */
104 /* Returns: void */
105 /* Parameters: (void) */
106 /* */
107 /* Initialize the filter rule entry and session limiter. */
108 /* -------------------------------------------------------------------- */
109 void
ipf_p_rpcb_main_load(void)110 ipf_p_rpcb_main_load(void)
111 {
112 V_rpcbcnt = 0;
113
114 bzero((char *)&rpcbfr, sizeof(rpcbfr));
115 rpcbfr.fr_ref = 1;
116 rpcbfr.fr_flags = FR_PASS|FR_QUICK|FR_KEEPSTATE;
117 MUTEX_INIT(&rpcbfr.fr_lock, "ipf Sun RPCB proxy rule lock");
118 rpcb_proxy_init = 1;
119 }
120
121 /* -------------------------------------------------------------------- */
122 /* Function: ipf_p_rpcb_main_unload */
123 /* Returns: void */
124 /* Parameters: (void) */
125 /* */
126 /* Destroy rpcbfr's mutex to avoid a lock leak. */
127 /* -------------------------------------------------------------------- */
128 void
ipf_p_rpcb_main_unload(void)129 ipf_p_rpcb_main_unload(void)
130 {
131 if (rpcb_proxy_init == 1) {
132 MUTEX_DESTROY(&rpcbfr.fr_lock);
133 rpcb_proxy_init = 0;
134 }
135 }
136
137 /* -------------------------------------------------------------------- */
138 /* Function: ipf_p_rpcb_new */
139 /* Returns: int - -1 == failure, 0 == success */
140 /* Parameters: fin(I) - pointer to packet information */
141 /* aps(I) - pointer to proxy session structure */
142 /* nat(I) - pointer to NAT session structure */
143 /* */
144 /* Allocate resources for per-session proxy structures. */
145 /* -------------------------------------------------------------------- */
146 int
ipf_p_rpcb_new(void * arg,fr_info_t * fin,ap_session_t * aps,nat_t * nat)147 ipf_p_rpcb_new(void *arg, fr_info_t *fin, ap_session_t *aps, nat_t *nat)
148 {
149 rpcb_session_t *rs;
150
151 nat = nat; /* LINT */
152
153 if (fin->fin_v != 4)
154 return (-1);
155
156 KMALLOC(rs, rpcb_session_t *);
157 if (rs == NULL)
158 return (-1);
159
160 bzero((char *)rs, sizeof(*rs));
161 MUTEX_INIT(&rs->rs_rxlock, "ipf Sun RPCB proxy session lock");
162
163 aps->aps_data = rs;
164
165 return (0);
166 }
167
168 /* -------------------------------------------------------------------- */
169 /* Function: ipf_p_rpcb_del */
170 /* Returns: void */
171 /* Parameters: aps(I) - pointer to proxy session structure */
172 /* */
173 /* Free up a session's list of RPCB requests. */
174 /* -------------------------------------------------------------------- */
175 void
ipf_p_rpcb_del(ipf_main_softc_t * softc,ap_session_t * aps)176 ipf_p_rpcb_del(ipf_main_softc_t *softc, ap_session_t *aps)
177 {
178 rpcb_session_t *rs;
179 rs = (rpcb_session_t *)aps->aps_data;
180
181 MUTEX_ENTER(&rs->rs_rxlock);
182 ipf_p_rpcb_flush(rs);
183 MUTEX_EXIT(&rs->rs_rxlock);
184 MUTEX_DESTROY(&rs->rs_rxlock);
185 }
186
187 /* -------------------------------------------------------------------- */
188 /* Function: ipf_p_rpcb_in */
189 /* Returns: int - APR_ERR(1) == drop the packet, */
190 /* APR_ERR(2) == kill the proxy session, */
191 /* else change in packet length (in bytes) */
192 /* Parameters: fin(I) - pointer to packet information */
193 /* ip(I) - pointer to packet header */
194 /* aps(I) - pointer to proxy session structure */
195 /* nat(I) - pointer to NAT session structure */
196 /* */
197 /* Given a presumed RPCB request, perform some minor tests and pass off */
198 /* for decoding. Also pass packet off for a rewrite if necessary. */
199 /* -------------------------------------------------------------------- */
200 int
ipf_p_rpcb_in(void * arg,fr_info_t * fin,ap_session_t * aps,nat_t * nat)201 ipf_p_rpcb_in(void *arg, fr_info_t *fin, ap_session_t *aps, nat_t *nat)
202 {
203 rpc_msg_t rpcmsg, *rm;
204 rpcb_session_t *rs;
205 u_int off, dlen;
206 mb_t *m;
207 int rv;
208
209 /* Disallow fragmented or illegally short packets. */
210 if ((fin->fin_flx & (FI_FRAG|FI_SHORT)) != 0)
211 return (APR_ERR(1));
212
213 /* Perform basic variable initialization. */
214 rs = (rpcb_session_t *)aps->aps_data;
215
216 m = fin->fin_m;
217 off = (char *)fin->fin_dp - (char *)fin->fin_ip;
218 off += sizeof(udphdr_t) + fin->fin_ipoff;
219 dlen = fin->fin_dlen - sizeof(udphdr_t);
220
221 /* Disallow packets outside legal range for supported requests. */
222 if ((dlen < RPCB_REQMIN) || (dlen > RPCB_REQMAX))
223 return (APR_ERR(1));
224
225 /* Copy packet over to convenience buffer. */
226 rm = &rpcmsg;
227 bzero((char *)rm, sizeof(*rm));
228 COPYDATA(m, off, dlen, (caddr_t)&rm->rm_msgbuf);
229 rm->rm_buflen = dlen;
230
231 /* Send off to decode request. */
232 rv = ipf_p_rpcb_decodereq(fin, nat, rs, rm);
233
234 switch(rv)
235 {
236 case -1:
237 return (APR_ERR(1));
238 /*NOTREACHED*/
239 break;
240 case 0:
241 break;
242 case 1:
243 rv = ipf_p_rpcb_modreq(fin, nat, rm, m, off);
244 break;
245 default:
246 /*CONSTANTCONDITION*/
247 IPF_PANIC(1, ("illegal rv %d (ipf_p_rpcb_req)", rv));
248 }
249
250 return (rv);
251 }
252
253 /* -------------------------------------------------------------------- */
254 /* Function: ipf_p_rpcb_out */
255 /* Returns: int - APR_ERR(1) == drop the packet, */
256 /* APR_ERR(2) == kill the proxy session, */
257 /* else change in packet length (in bytes) */
258 /* Parameters: fin(I) - pointer to packet information */
259 /* ip(I) - pointer to packet header */
260 /* aps(I) - pointer to proxy session structure */
261 /* nat(I) - pointer to NAT session structure */
262 /* */
263 /* Given a presumed RPCB reply, perform some minor tests and pass off */
264 /* for decoding. If the message indicates a successful request with */
265 /* valid addressing information, create NAT and state structures to */
266 /* allow direct communication between RPC client and server. */
267 /* -------------------------------------------------------------------- */
268 int
ipf_p_rpcb_out(void * arg,fr_info_t * fin,ap_session_t * aps,nat_t * nat)269 ipf_p_rpcb_out(void *arg, fr_info_t *fin, ap_session_t *aps, nat_t *nat)
270 {
271 rpc_msg_t rpcmsg, *rm;
272 rpcb_session_t *rs;
273 rpcb_xact_t *rx;
274 u_int off, dlen;
275 int rv, diff;
276 mb_t *m;
277
278 /* Disallow fragmented or illegally short packets. */
279 if ((fin->fin_flx & (FI_FRAG|FI_SHORT)) != 0)
280 return (APR_ERR(1));
281
282 /* Perform basic variable initialization. */
283 rs = (rpcb_session_t *)aps->aps_data;
284 rx = NULL;
285
286 m = fin->fin_m;
287 off = (char *)fin->fin_dp - (char *)fin->fin_ip;
288 off += sizeof(udphdr_t) + fin->fin_ipoff;
289 dlen = fin->fin_dlen - sizeof(udphdr_t);
290 diff = 0;
291
292 /* Disallow packets outside legal range for supported requests. */
293 if ((dlen < RPCB_REPMIN) || (dlen > RPCB_REPMAX))
294 return (APR_ERR(1));
295
296 /* Copy packet over to convenience buffer. */
297 rm = &rpcmsg;
298 bzero((char *)rm, sizeof(*rm));
299 COPYDATA(m, off, dlen, (caddr_t)&rm->rm_msgbuf);
300 rm->rm_buflen = dlen;
301
302 rx = NULL; /* XXX gcc */
303
304 /* Send off to decode reply. */
305 rv = ipf_p_rpcb_decoderep(fin, nat, rs, rm, &rx);
306
307 switch(rv)
308 {
309 case -1: /* Bad packet */
310 if (rx != NULL) {
311 MUTEX_ENTER(&rs->rs_rxlock);
312 ipf_p_rpcb_deref(rs, rx);
313 MUTEX_EXIT(&rs->rs_rxlock);
314 }
315 return (APR_ERR(1));
316 /*NOTREACHED*/
317 break;
318 case 0: /* Negative reply / request rejected */
319 break;
320 case 1: /* Positive reply */
321 /*
322 * With the IP address embedded in a GETADDR(LIST) reply,
323 * we'll need to rewrite the packet in the very possible
324 * event that the internal & external addresses aren't the
325 * same. (i.e., this box is either a router or rpcbind
326 * only listens on loopback.)
327 */
328 if (nat->nat_odstaddr != nat->nat_ndstaddr) {
329 if (rx->rx_type == RPCB_RES_STRING)
330 diff = ipf_p_rpcb_modv3(fin, nat, rm, m, off);
331 else if (rx->rx_type == RPCB_RES_LIST)
332 diff = ipf_p_rpcb_modv4(fin, nat, rm, m, off);
333 }
334 break;
335 default:
336 /*CONSTANTCONDITION*/
337 IPF_PANIC(1, ("illegal rv %d (ipf_p_rpcb_decoderep)", rv));
338 }
339
340 if (rx != NULL) {
341 MUTEX_ENTER(&rs->rs_rxlock);
342 /* XXX Gross hack - I'm overloading the reference
343 * counter to deal with both threads and retransmitted
344 * requests. One deref signals that this thread is
345 * finished with rx, and the other signals that we've
346 * processed its reply.
347 */
348 ipf_p_rpcb_deref(rs, rx);
349 ipf_p_rpcb_deref(rs, rx);
350 MUTEX_EXIT(&rs->rs_rxlock);
351 }
352
353 return (diff);
354 }
355
356 /*
357 * Private support subroutines
358 */
359
360 /* -------------------------------------------------------------------- */
361 /* Function: ipf_p_rpcb_flush */
362 /* Returns: void */
363 /* Parameters: rs(I) - pointer to RPCB session structure */
364 /* */
365 /* Simply flushes the list of outstanding transactions, if any. */
366 /* -------------------------------------------------------------------- */
367 static void
ipf_p_rpcb_flush(rpcb_session_t * rs)368 ipf_p_rpcb_flush(rpcb_session_t *rs)
369 {
370 rpcb_xact_t *r1, *r2;
371
372 r1 = rs->rs_rxlist;
373 if (r1 == NULL)
374 return;
375
376 while (r1 != NULL) {
377 r2 = r1;
378 r1 = r1->rx_next;
379 KFREE(r2);
380 }
381 }
382
383 /* -------------------------------------------------------------------- */
384 /* Function: ipf_p_rpcb_decodereq */
385 /* Returns: int - -1 == bad request or critical failure, */
386 /* 0 == request successfully decoded, */
387 /* 1 == request successfully decoded; requires */
388 /* address rewrite/modification */
389 /* Parameters: fin(I) - pointer to packet information */
390 /* nat(I) - pointer to NAT session structure */
391 /* rs(I) - pointer to RPCB session structure */
392 /* rm(I) - pointer to RPC message structure */
393 /* */
394 /* Take a presumed RPCB request, decode it, and store the results in */
395 /* the transaction list. If the internal target address needs to be */
396 /* modified, store its location in ptr. */
397 /* WARNING: It's the responsibility of the caller to make sure there */
398 /* is enough room in rs_buf for the basic RPC message "preamble". */
399 /* -------------------------------------------------------------------- */
400 static int
ipf_p_rpcb_decodereq(fr_info_t * fin,nat_t * nat,rpcb_session_t * rs,rpc_msg_t * rm)401 ipf_p_rpcb_decodereq(fr_info_t *fin, nat_t *nat, rpcb_session_t *rs,
402 rpc_msg_t *rm)
403 {
404 rpcb_args_t *ra;
405 u_32_t xdr, *p;
406 rpc_call_t *rc;
407 rpcb_xact_t rx;
408 int mod;
409
410 p = (u_32_t *)rm->rm_msgbuf;
411 mod = 0;
412
413 bzero((char *)&rx, sizeof(rx));
414 rc = &rm->rm_call;
415
416 rm->rm_xid = p;
417 rx.rx_xid = B(p++); /* Record this message's XID. */
418
419 /* Parse out and test the RPC header. */
420 if ((B(p++) != RPCB_CALL) ||
421 (B(p++) != RPCB_MSG_VERSION) ||
422 (B(p++) != RPCB_PROG))
423 return (-1);
424
425 /* Record the RPCB version and procedure. */
426 rc->rc_vers = p++;
427 rc->rc_proc = p++;
428
429 /* Bypass RPC authentication stuff. */
430 if (ipf_p_rpcb_skipauth(rm, &rc->rc_authcred, &p) != 0)
431 return (-1);
432 if (ipf_p_rpcb_skipauth(rm, &rc->rc_authverf, &p) != 0)
433 return (-1);
434
435 /* Compare RPCB version and procedure numbers. */
436 switch(B(rc->rc_vers))
437 {
438 case 2:
439 /* This proxy only supports PMAP_GETPORT. */
440 if (B(rc->rc_proc) != RPCB_GETPORT)
441 return (-1);
442
443 /* Portmap requests contain four 4 byte parameters. */
444 if (RPCB_BUF_EQ(rm, p, 16) == 0)
445 return (-1);
446
447 p += 2; /* Skip requested program and version numbers. */
448
449 /* Sanity check the requested protocol. */
450 xdr = B(p);
451 if (!(xdr == IPPROTO_UDP || xdr == IPPROTO_TCP))
452 return (-1);
453
454 rx.rx_type = RPCB_RES_PMAP;
455 rx.rx_proto = xdr;
456 break;
457 case 3:
458 case 4:
459 /* GETADDRLIST is exclusive to v4; GETADDR for v3 & v4 */
460 switch(B(rc->rc_proc))
461 {
462 case RPCB_GETADDR:
463 rx.rx_type = RPCB_RES_STRING;
464 rx.rx_proto = (u_int)fin->fin_p;
465 break;
466 case RPCB_GETADDRLIST:
467 if (B(rc->rc_vers) != 4)
468 return (-1);
469 rx.rx_type = RPCB_RES_LIST;
470 break;
471 default:
472 return (-1);
473 }
474
475 ra = &rc->rc_rpcbargs;
476
477 /* Decode the 'struct rpcb' request. */
478 if (ipf_p_rpcb_xdrrpcb(rm, p, ra) != 0)
479 return (-1);
480
481 /* Are the target address & port valid? */
482 if ((ra->ra_maddr.xu_ip != nat->nat_ndstaddr) ||
483 (ra->ra_maddr.xu_port != nat->nat_ndport))
484 return (-1);
485
486 /* Do we need to rewrite this packet? */
487 if ((nat->nat_ndstaddr != nat->nat_odstaddr) ||
488 (nat->nat_ndport != nat->nat_odport))
489 mod = 1;
490 break;
491 default:
492 return (-1);
493 }
494
495 MUTEX_ENTER(&rs->rs_rxlock);
496 if (ipf_p_rpcb_insert(rs, &rx) != 0) {
497 MUTEX_EXIT(&rs->rs_rxlock);
498 return (-1);
499 }
500 MUTEX_EXIT(&rs->rs_rxlock);
501
502 return (mod);
503 }
504
505 /* -------------------------------------------------------------------- */
506 /* Function: ipf_p_rpcb_skipauth */
507 /* Returns: int -- -1 == illegal auth parameters (lengths) */
508 /* 0 == valid parameters, pointer advanced */
509 /* Parameters: rm(I) - pointer to RPC message structure */
510 /* auth(I) - pointer to RPC auth structure */
511 /* buf(IO) - pointer to location within convenience buffer */
512 /* */
513 /* Record auth data length & location of auth data, then advance past */
514 /* it. */
515 /* -------------------------------------------------------------------- */
516 static int
ipf_p_rpcb_skipauth(rpc_msg_t * rm,xdr_auth_t * auth,u_32_t ** buf)517 ipf_p_rpcb_skipauth(rpc_msg_t *rm, xdr_auth_t *auth, u_32_t **buf)
518 {
519 u_32_t *p, xdr;
520
521 p = *buf;
522
523 /* Make sure we have enough space for expected fixed auth parms. */
524 if (RPCB_BUF_GEQ(rm, p, 8) == 0)
525 return (-1);
526
527 p++; /* We don't care about auth_flavor. */
528
529 auth->xa_string.xs_len = p;
530 xdr = B(p++); /* Length of auth_data */
531
532 /* Test for absurdity / illegality of auth_data length. */
533 if ((XDRALIGN(xdr) < xdr) || (RPCB_BUF_GEQ(rm, p, XDRALIGN(xdr)) == 0))
534 return (-1);
535
536 auth->xa_string.xs_str = (char *)p;
537
538 p += XDRALIGN(xdr); /* Advance our location. */
539
540 *buf = (u_32_t *)p;
541
542 return (0);
543 }
544
545 /* -------------------------------------------------------------------- */
546 /* Function: ipf_p_rpcb_insert */
547 /* Returns: int -- -1 == list insertion failed, */
548 /* 0 == item successfully added */
549 /* Parameters: rs(I) - pointer to RPCB session structure */
550 /* rx(I) - pointer to RPCB transaction structure */
551 /* -------------------------------------------------------------------- */
552 static int
ipf_p_rpcb_insert(rpcb_session_t * rs,rpcb_xact_t * rx)553 ipf_p_rpcb_insert(rpcb_session_t *rs, rpcb_xact_t *rx)
554 {
555 rpcb_xact_t *rxp;
556
557 rxp = ipf_p_rpcb_lookup(rs, rx->rx_xid);
558 if (rxp != NULL) {
559 ++rxp->rx_ref;
560 return (0);
561 }
562
563 if (V_rpcbcnt == RPCB_MAXREQS)
564 return (-1);
565
566 KMALLOC(rxp, rpcb_xact_t *);
567 if (rxp == NULL)
568 return (-1);
569
570 bcopy((char *)rx, (char *)rxp, sizeof(*rx));
571
572 if (rs->rs_rxlist != NULL)
573 rs->rs_rxlist->rx_pnext = &rxp->rx_next;
574
575 rxp->rx_pnext = &rs->rs_rxlist;
576 rxp->rx_next = rs->rs_rxlist;
577 rs->rs_rxlist = rxp;
578
579 rxp->rx_ref = 1;
580
581 ++V_rpcbcnt;
582
583 return (0);
584 }
585
586 /* -------------------------------------------------------------------- */
587 /* Function: ipf_p_rpcb_xdrrpcb */
588 /* Returns: int -- -1 == failure to properly decode the request */
589 /* 0 == rpcb successfully decoded */
590 /* Parameters: rs(I) - pointer to RPCB session structure */
591 /* p(I) - pointer to location within session buffer */
592 /* rpcb(O) - pointer to rpcb (xdr type) structure */
593 /* */
594 /* Decode a XDR encoded rpcb structure and record its contents in rpcb */
595 /* within only the context of TCP/UDP over IP networks. */
596 /* -------------------------------------------------------------------- */
597 static int
ipf_p_rpcb_xdrrpcb(rpc_msg_t * rm,u_32_t * p,rpcb_args_t * ra)598 ipf_p_rpcb_xdrrpcb(rpc_msg_t *rm, u_32_t *p, rpcb_args_t *ra)
599 {
600 if (!RPCB_BUF_GEQ(rm, p, 20))
601 return (-1);
602
603 /* Bypass target program & version. */
604 p += 2;
605
606 /* Decode r_netid. Must be "tcp" or "udp". */
607 if (ipf_p_rpcb_getproto(rm, &ra->ra_netid, &p) != 0)
608 return (-1);
609
610 /* Decode r_maddr. */
611 if (ipf_p_rpcb_getuaddr(rm, &ra->ra_maddr, &p) != 0)
612 return (-1);
613
614 /* Advance to r_owner and make sure it's empty. */
615 if (!RPCB_BUF_EQ(rm, p, 4) || (B(p) != 0))
616 return (-1);
617
618 return (0);
619 }
620
621 /* -------------------------------------------------------------------- */
622 /* Function: ipf_p_rpcb_getuaddr */
623 /* Returns: int -- -1 == illegal string, */
624 /* 0 == string parsed; contents recorded */
625 /* Parameters: rm(I) - pointer to RPC message structure */
626 /* xu(I) - pointer to universal address structure */
627 /* p(IO) - pointer to location within message buffer */
628 /* */
629 /* Decode the IP address / port at p and record them in xu. */
630 /* -------------------------------------------------------------------- */
631 static int
ipf_p_rpcb_getuaddr(rpc_msg_t * rm,xdr_uaddr_t * xu,u_32_t ** p)632 ipf_p_rpcb_getuaddr(rpc_msg_t *rm, xdr_uaddr_t *xu, u_32_t **p)
633 {
634 char *c, *i, *b, *pp;
635 u_int d, dd, l, t;
636 char uastr[24];
637
638 /* Test for string length. */
639 if (!RPCB_BUF_GEQ(rm, *p, 4))
640 return (-1);
641
642 xu->xu_xslen = (*p)++;
643 xu->xu_xsstr = (char *)*p;
644
645 /* Length check */
646 l = B(xu->xu_xslen);
647 if (l < 11 || l > 23 || !RPCB_BUF_GEQ(rm, *p, XDRALIGN(l)))
648 return (-1);
649
650 /* Advance p */
651 *(char **)p += XDRALIGN(l);
652
653 /* Copy string to local buffer & terminate C style */
654 bcopy(xu->xu_xsstr, uastr, l);
655 uastr[l] = '\0';
656
657 i = (char *)&xu->xu_ip;
658 pp = (char *)&xu->xu_port;
659
660 /*
661 * Expected format: a.b.c.d.e.f where [a-d] correspond to bytes of
662 * an IP address and [ef] are the bytes of a L4 port.
663 */
664 if (!(ISDIGIT(uastr[0]) && ISDIGIT(uastr[l-1])))
665 return (-1);
666 b = uastr;
667 for (c = &uastr[1], d = 0, dd = 0; c < &uastr[l-1]; c++) {
668 if (ISDIGIT(*c)) {
669 dd = 0;
670 continue;
671 }
672 if (*c == '.') {
673 if (dd != 0)
674 return (-1);
675
676 /* Check for ASCII byte. */
677 *c = '\0';
678 t = ipf_p_rpcb_atoi(b);
679 if (t > 255)
680 return (-1);
681
682 /* Aim b at beginning of the next byte. */
683 b = c + 1;
684
685 /* Switch off IP addr vs port parsing. */
686 if (d < 4)
687 i[d++] = t & 0xff;
688 else
689 pp[d++ - 4] = t & 0xff;
690
691 dd = 1;
692 continue;
693 }
694 return (-1);
695 }
696 if (d != 5) /* String must contain exactly 5 periods. */
697 return (-1);
698
699 /* Handle the last byte (port low byte) */
700 t = ipf_p_rpcb_atoi(b);
701 if (t > 255)
702 return (-1);
703 pp[d - 4] = t & 0xff;
704
705 return (0);
706 }
707
708 /* -------------------------------------------------------------------- */
709 /* Function: ipf_p_rpcb_atoi (XXX should be generic for all proxies) */
710 /* Returns: int -- integer representation of supplied string */
711 /* Parameters: ptr(I) - input string */
712 /* */
713 /* Simple version of atoi(3) ripped from ip_rcmd_pxy.c. */
714 /* -------------------------------------------------------------------- */
715 static u_int
ipf_p_rpcb_atoi(char * ptr)716 ipf_p_rpcb_atoi(char *ptr)
717 {
718 register char *s = ptr, c;
719 register u_int i = 0;
720
721 while (((c = *s++) != '\0') && ISDIGIT(c)) {
722 i *= 10;
723 i += c - '0';
724 }
725 return (i);
726 }
727
728 /* -------------------------------------------------------------------- */
729 /* Function: ipf_p_rpcb_modreq */
730 /* Returns: int -- change in datagram length */
731 /* APR_ERR(2) - critical failure */
732 /* Parameters: fin(I) - pointer to packet information */
733 /* nat(I) - pointer to NAT session */
734 /* rm(I) - pointer to RPC message structure */
735 /* m(I) - pointer to mbuf chain */
736 /* off(I) - current offset within mbuf chain */
737 /* */
738 /* When external and internal addresses differ, we rewrite the former */
739 /* with the latter. (This is exclusive to protocol versions 3 & 4). */
740 /* -------------------------------------------------------------------- */
741 static int
ipf_p_rpcb_modreq(fr_info_t * fin,nat_t * nat,rpc_msg_t * rm,mb_t * m,u_int off)742 ipf_p_rpcb_modreq(fr_info_t *fin, nat_t *nat, rpc_msg_t *rm, mb_t *m,
743 u_int off)
744 {
745 u_int len, xlen, pos, bogo;
746 rpcb_args_t *ra;
747 char uaddr[24];
748 udphdr_t *udp;
749 char *i, *p;
750 int diff;
751
752 ra = &rm->rm_call.rc_rpcbargs;
753 i = (char *)&nat->nat_odstaddr;
754 p = (char *)&nat->nat_odport;
755
756 /* Form new string. */
757 bzero(uaddr, sizeof(uaddr)); /* Just in case we need padding. */
758 (void) snprintf(uaddr, sizeof(uaddr),
759 "%u.%u.%u.%u.%u.%u", i[0] & 0xff, i[1] & 0xff,
760 i[2] & 0xff, i[3] & 0xff, p[0] & 0xff, p[1] & 0xff);
761 len = strlen(uaddr);
762 xlen = XDRALIGN(len);
763
764 /* Determine mbuf offset to start writing to. */
765 pos = (char *)ra->ra_maddr.xu_xslen - rm->rm_msgbuf;
766 off += pos;
767
768 /* Write new string length. */
769 bogo = htonl(len);
770 COPYBACK(m, off, 4, (caddr_t)&bogo);
771 off += 4;
772
773 /* Write new string. */
774 COPYBACK(m, off, xlen, uaddr);
775 off += xlen;
776
777 /* Write in zero r_owner. */
778 bogo = 0;
779 COPYBACK(m, off, 4, (caddr_t)&bogo);
780
781 /* Determine difference in data lengths. */
782 diff = xlen - XDRALIGN(B(ra->ra_maddr.xu_xslen));
783
784 /*
785 * If our new string has a different length, make necessary
786 * adjustments.
787 */
788 if (diff != 0) {
789 udp = fin->fin_dp;
790 udp->uh_ulen = htons(ntohs(udp->uh_ulen) + diff);
791 fin->fin_plen += diff;
792 fin->fin_ip->ip_len = htons(fin->fin_plen);
793 fin->fin_dlen += diff;
794 /* XXX Storage lengths. */
795 }
796
797 return (diff);
798 }
799
800 /* -------------------------------------------------------------------- */
801 /* Function: ipf_p_rpcb_decoderep */
802 /* Returns: int - -1 == bad request or critical failure, */
803 /* 0 == valid, negative reply */
804 /* 1 == vaddlid, positive reply; needs no changes */
805 /* Parameters: fin(I) - pointer to packet information */
806 /* nat(I) - pointer to NAT session structure */
807 /* rs(I) - pointer to RPCB session structure */
808 /* rm(I) - pointer to RPC message structure */
809 /* rxp(O) - pointer to RPCB transaction structure */
810 /* */
811 /* Take a presumed RPCB reply, extract the XID, search for the original */
812 /* request information, and determine whether the request was accepted */
813 /* or rejected. With a valid accepted reply, go ahead and create NAT */
814 /* and state entries, and finish up by rewriting the packet as */
815 /* required. */
816 /* */
817 /* WARNING: It's the responsibility of the caller to make sure there */
818 /* is enough room in rs_buf for the basic RPC message "preamble". */
819 /* -------------------------------------------------------------------- */
820 static int
ipf_p_rpcb_decoderep(fr_info_t * fin,nat_t * nat,rpcb_session_t * rs,rpc_msg_t * rm,rpcb_xact_t ** rxp)821 ipf_p_rpcb_decoderep(fr_info_t *fin, nat_t *nat, rpcb_session_t *rs,
822 rpc_msg_t *rm, rpcb_xact_t **rxp)
823 {
824 rpcb_listp_t *rl;
825 rpcb_entry_t *re;
826 rpcb_xact_t *rx;
827 u_32_t xdr, *p;
828 rpc_resp_t *rr;
829 int rv, cnt;
830
831 p = (u_32_t *)rm->rm_msgbuf;
832
833 bzero((char *)&rx, sizeof(rx));
834 rr = &rm->rm_resp;
835
836 rm->rm_xid = p;
837 xdr = B(p++); /* Record this message's XID. */
838
839 /* Lookup XID */
840 MUTEX_ENTER(&rs->rs_rxlock);
841 if ((rx = ipf_p_rpcb_lookup(rs, xdr)) == NULL) {
842 MUTEX_EXIT(&rs->rs_rxlock);
843 return (-1);
844 }
845 ++rx->rx_ref; /* per thread reference */
846 MUTEX_EXIT(&rs->rs_rxlock);
847
848 *rxp = rx;
849
850 /* Test call vs reply */
851 if (B(p++) != RPCB_REPLY)
852 return (-1);
853
854 /* Test reply_stat */
855 switch(B(p++))
856 {
857 case RPCB_MSG_DENIED:
858 return (0);
859 case RPCB_MSG_ACCEPTED:
860 break;
861 default:
862 return (-1);
863 }
864
865 /* Bypass RPC authentication stuff. */
866 if (ipf_p_rpcb_skipauth(rm, &rr->rr_authverf, &p) != 0)
867 return (-1);
868
869 /* Test accept status */
870 if (!RPCB_BUF_GEQ(rm, p, 4))
871 return (-1);
872 if (B(p++) != 0)
873 return (0);
874
875 /* Parse out the expected reply */
876 switch(rx->rx_type)
877 {
878 case RPCB_RES_PMAP:
879 /* There must be only one 4 byte argument. */
880 if (!RPCB_BUF_EQ(rm, p, 4))
881 return (-1);
882
883 rr->rr_v2 = p;
884 xdr = B(rr->rr_v2);
885
886 /* Reply w/ a 0 port indicates service isn't registered */
887 if (xdr == 0)
888 return (0);
889
890 /* Is the value sane? */
891 if (xdr > 65535)
892 return (-1);
893
894 /* Create NAT & state table entries. */
895 if (ipf_p_rpcb_getnat(fin, nat, rx->rx_proto, (u_int)xdr) != 0)
896 return (-1);
897 break;
898 case RPCB_RES_STRING:
899 /* Expecting a XDR string; need 4 bytes for length */
900 if (!RPCB_BUF_GEQ(rm, p, 4))
901 return (-1);
902
903 rr->rr_v3.xu_str.xs_len = p++;
904 rr->rr_v3.xu_str.xs_str = (char *)p;
905
906 xdr = B(rr->rr_v3.xu_xslen);
907
908 /* A null string indicates an unregistered service */
909 if ((xdr == 0) && RPCB_BUF_EQ(rm, p, 0))
910 return (0);
911
912 /* Decode the target IP address / port. */
913 if (ipf_p_rpcb_getuaddr(rm, &rr->rr_v3, &p) != 0)
914 return (-1);
915
916 /* Validate the IP address and port contained. */
917 if (nat->nat_odstaddr != rr->rr_v3.xu_ip)
918 return (-1);
919
920 /* Create NAT & state table entries. */
921 if (ipf_p_rpcb_getnat(fin, nat, rx->rx_proto,
922 (u_int)rr->rr_v3.xu_port) != 0)
923 return (-1);
924 break;
925 case RPCB_RES_LIST:
926 if (!RPCB_BUF_GEQ(rm, p, 4))
927 return (-1);
928 /* rpcb_entry_list_ptr */
929 switch(B(p))
930 {
931 case 0:
932 return (0);
933 /*NOTREACHED*/
934 break;
935 case 1:
936 break;
937 default:
938 return (-1);
939 }
940 rl = &rr->rr_v4;
941 rl->rl_list = p++;
942 cnt = 0;
943
944 for(;;) {
945 re = &rl->rl_entries[rl->rl_cnt];
946 if (ipf_p_rpcb_getuaddr(rm, &re->re_maddr, &p) != 0)
947 return (-1);
948 if (ipf_p_rpcb_getproto(rm, &re->re_netid, &p) != 0)
949 return (-1);
950 /* re_semantics & re_pfamily length */
951 if (!RPCB_BUF_GEQ(rm, p, 12))
952 return (-1);
953 p++; /* Skipping re_semantics. */
954 xdr = B(p++);
955 if ((xdr != 4) || strncmp((char *)p, "inet", 4))
956 return (-1);
957 p++;
958 if (ipf_p_rpcb_getproto(rm, &re->re_proto, &p) != 0)
959 return (-1);
960 if (!RPCB_BUF_GEQ(rm, p, 4))
961 return (-1);
962 re->re_more = p;
963 if (B(re->re_more) > 1) /* 0,1 only legal values */
964 return (-1);
965 ++rl->rl_cnt;
966 ++cnt;
967 if (B(re->re_more) == 0)
968 break;
969 /* Replies in max out at 2; TCP and/or UDP */
970 if (cnt > 2)
971 return (-1);
972 p++;
973 }
974
975 for(rl->rl_cnt = 0; rl->rl_cnt < cnt; rl->rl_cnt++) {
976 re = &rl->rl_entries[rl->rl_cnt];
977 rv = ipf_p_rpcb_getnat(fin, nat,
978 re->re_proto.xp_proto,
979 (u_int)re->re_maddr.xu_port);
980 if (rv != 0)
981 return (-1);
982 }
983 break;
984 default:
985 /*CONSTANTCONDITION*/
986 IPF_PANIC(1, ("illegal rx_type %d", rx->rx_type));
987 }
988
989 return (1);
990 }
991
992 /* -------------------------------------------------------------------- */
993 /* Function: ipf_p_rpcb_lookup */
994 /* Returns: rpcb_xact_t * - NULL == no matching record, */
995 /* else pointer to relevant entry */
996 /* Parameters: rs(I) - pointer to RPCB session */
997 /* xid(I) - XID to look for */
998 /* -------------------------------------------------------------------- */
999 static rpcb_xact_t *
ipf_p_rpcb_lookup(rpcb_session_t * rs,u_32_t xid)1000 ipf_p_rpcb_lookup(rpcb_session_t *rs, u_32_t xid)
1001 {
1002 rpcb_xact_t *rx;
1003
1004 if (rs->rs_rxlist == NULL)
1005 return (NULL);
1006
1007 for (rx = rs->rs_rxlist; rx != NULL; rx = rx->rx_next)
1008 if (rx->rx_xid == xid)
1009 break;
1010
1011 return (rx);
1012 }
1013
1014 /* -------------------------------------------------------------------- */
1015 /* Function: ipf_p_rpcb_deref */
1016 /* Returns: (void) */
1017 /* Parameters: rs(I) - pointer to RPCB session */
1018 /* rx(I) - pointer to RPC transaction struct to remove */
1019 /* force(I) - indicates to delete entry regardless of */
1020 /* reference count */
1021 /* Locking: rs->rs_rxlock must be held write only */
1022 /* */
1023 /* Free the RPCB transaction record rx from the chain of entries. */
1024 /* -------------------------------------------------------------------- */
1025 static void
ipf_p_rpcb_deref(rpcb_session_t * rs,rpcb_xact_t * rx)1026 ipf_p_rpcb_deref(rpcb_session_t *rs, rpcb_xact_t *rx)
1027 {
1028 rs = rs; /* LINT */
1029
1030 if (rx == NULL)
1031 return;
1032
1033 if (--rx->rx_ref != 0)
1034 return;
1035
1036 if (rx->rx_next != NULL)
1037 rx->rx_next->rx_pnext = rx->rx_pnext;
1038
1039 *rx->rx_pnext = rx->rx_next;
1040
1041 KFREE(rx);
1042
1043 --V_rpcbcnt;
1044 }
1045
1046 /* -------------------------------------------------------------------- */
1047 /* Function: ipf_p_rpcb_getproto */
1048 /* Returns: int - -1 == illegal protocol/netid, */
1049 /* 0 == legal protocol/netid */
1050 /* Parameters: rm(I) - pointer to RPC message structure */
1051 /* xp(I) - pointer to netid structure */
1052 /* p(IO) - pointer to location within packet buffer */
1053 /* */
1054 /* Decode netid/proto stored at p and record its numeric value. */
1055 /* -------------------------------------------------------------------- */
1056 static int
ipf_p_rpcb_getproto(rpc_msg_t * rm,xdr_proto_t * xp,u_32_t ** p)1057 ipf_p_rpcb_getproto(rpc_msg_t *rm, xdr_proto_t *xp, u_32_t **p)
1058 {
1059 u_int len;
1060
1061 /* Must have 4 bytes for length & 4 bytes for "tcp" or "udp". */
1062 if (!RPCB_BUF_GEQ(rm, p, 8))
1063 return (-1);
1064
1065 xp->xp_xslen = (*p)++;
1066 xp->xp_xsstr = (char *)*p;
1067
1068 /* Test the string length. */
1069 len = B(xp->xp_xslen);
1070 if (len != 3)
1071 return (-1);
1072
1073 /* Test the actual string & record the protocol accordingly. */
1074 if (!strncmp((char *)xp->xp_xsstr, "tcp\0", 4))
1075 xp->xp_proto = IPPROTO_TCP;
1076 else if (!strncmp((char *)xp->xp_xsstr, "udp\0", 4))
1077 xp->xp_proto = IPPROTO_UDP;
1078 else {
1079 return (-1);
1080 }
1081
1082 /* Advance past the string. */
1083 (*p)++;
1084
1085 return (0);
1086 }
1087
1088 /* -------------------------------------------------------------------- */
1089 /* Function: ipf_p_rpcb_getnat */
1090 /* Returns: int -- -1 == failed to create table entries, */
1091 /* 0 == success */
1092 /* Parameters: fin(I) - pointer to packet information */
1093 /* nat(I) - pointer to NAT table entry */
1094 /* proto(I) - transport protocol for new entries */
1095 /* port(I) - new port to use w/ wildcard table entries */
1096 /* */
1097 /* Create state and NAT entries to handle an anticipated connection */
1098 /* attempt between RPC client and server. */
1099 /* -------------------------------------------------------------------- */
1100 static int
ipf_p_rpcb_getnat(fr_info_t * fin,nat_t * nat,u_int proto,u_int port)1101 ipf_p_rpcb_getnat(fr_info_t *fin, nat_t *nat, u_int proto, u_int port)
1102 {
1103 ipf_main_softc_t *softc = fin->fin_main_soft;
1104 ipnat_t *ipn, ipnat;
1105 tcphdr_t tcp;
1106 ipstate_t *is;
1107 fr_info_t fi;
1108 nat_t *natl;
1109 int nflags;
1110
1111 ipn = nat->nat_ptr;
1112
1113 /* Generate dummy fr_info */
1114 bcopy((char *)fin, (char *)&fi, sizeof(fi));
1115 fi.fin_out = 0;
1116 fi.fin_p = proto;
1117 fi.fin_sport = 0;
1118 fi.fin_dport = port & 0xffff;
1119 fi.fin_flx |= FI_IGNORE;
1120 fi.fin_saddr = nat->nat_osrcaddr;
1121 fi.fin_daddr = nat->nat_odstaddr;
1122
1123 bzero((char *)&tcp, sizeof(tcp));
1124 tcp.th_dport = htons(port);
1125
1126 if (proto == IPPROTO_TCP) {
1127 tcp.th_win = htons(8192);
1128 TCP_OFF_A(&tcp, sizeof(tcphdr_t) >> 2);
1129 fi.fin_dlen = sizeof(tcphdr_t);
1130 tcp_set_flags(&tcp, TH_SYN);
1131 nflags = NAT_TCP;
1132 } else {
1133 fi.fin_dlen = sizeof(udphdr_t);
1134 nflags = NAT_UDP;
1135 }
1136
1137 nflags |= SI_W_SPORT|NAT_SEARCH;
1138 fi.fin_dp = &tcp;
1139 fi.fin_plen = fi.fin_hlen + fi.fin_dlen;
1140
1141 /*
1142 * Search for existing NAT & state entries. Pay close attention to
1143 * mutexes / locks grabbed from lookup routines, as not doing so could
1144 * lead to bad things.
1145 *
1146 * If successful, fr_stlookup returns with ipf_state locked. We have
1147 * no use for this lock, so simply unlock it if necessary.
1148 */
1149 is = ipf_state_lookup(&fi, &tcp, NULL);
1150 if (is != NULL) {
1151 RWLOCK_EXIT(&softc->ipf_state);
1152 }
1153
1154 RWLOCK_EXIT(&softc->ipf_nat);
1155
1156 WRITE_ENTER(&softc->ipf_nat);
1157 natl = ipf_nat_inlookup(&fi, nflags, proto, fi.fin_src, fi.fin_dst);
1158
1159 if ((natl != NULL) && (is != NULL)) {
1160 MUTEX_DOWNGRADE(&softc->ipf_nat);
1161 return (0);
1162 }
1163
1164 /* Slightly modify the following structures for actual use in creating
1165 * NAT and/or state entries. We're primarily concerned with stripping
1166 * flags that may be detrimental to the creation process or simply
1167 * shouldn't be associated with a table entry.
1168 */
1169 fi.fin_fr = &rpcbfr;
1170 fi.fin_flx &= ~FI_IGNORE;
1171 nflags &= ~NAT_SEARCH;
1172
1173 if (natl == NULL) {
1174 #ifdef USE_MUTEXES
1175 ipf_nat_softc_t *softn = softc->ipf_nat_soft;
1176 #endif
1177
1178 /* XXX Since we're just copying the original ipn contents
1179 * back, would we be better off just sending a pointer to
1180 * the 'temp' copy off to nat_new instead?
1181 */
1182 /* Generate template/bogus NAT rule. */
1183 bcopy((char *)ipn, (char *)&ipnat, sizeof(ipnat));
1184 ipn->in_flags = nflags & IPN_TCPUDP;
1185 ipn->in_apr = NULL;
1186 ipn->in_pr[0] = proto;
1187 ipn->in_pr[1] = proto;
1188 ipn->in_dpmin = fi.fin_dport;
1189 ipn->in_dpmax = fi.fin_dport;
1190 ipn->in_dpnext = fi.fin_dport;
1191 ipn->in_space = 1;
1192 ipn->in_ippip = 1;
1193 if (ipn->in_flags & IPN_FILTER) {
1194 ipn->in_scmp = 0;
1195 ipn->in_dcmp = 0;
1196 }
1197 ipn->in_plabel = -1;
1198
1199 /* Create NAT entry. return NULL if this fails. */
1200 MUTEX_ENTER(&softn->ipf_nat_new);
1201 natl = ipf_nat_add(&fi, ipn, NULL, nflags|SI_CLONE|NAT_SLAVE,
1202 NAT_INBOUND);
1203 MUTEX_EXIT(&softn->ipf_nat_new);
1204
1205 bcopy((char *)&ipnat, (char *)ipn, sizeof(ipnat));
1206
1207 if (natl == NULL) {
1208 MUTEX_DOWNGRADE(&softc->ipf_nat);
1209 return (-1);
1210 }
1211
1212 natl->nat_ptr = ipn;
1213 fi.fin_saddr = natl->nat_nsrcaddr;
1214 fi.fin_daddr = natl->nat_ndstaddr;
1215 ipn->in_use++;
1216 (void) ipf_nat_proto(&fi, natl, nflags);
1217 MUTEX_ENTER(&natl->nat_lock);
1218 ipf_nat_update(&fi, natl);
1219 MUTEX_EXIT(&natl->nat_lock);
1220 }
1221 MUTEX_DOWNGRADE(&softc->ipf_nat);
1222
1223 if (is == NULL) {
1224 /* Create state entry. Return NULL if this fails. */
1225 fi.fin_flx |= FI_NATED;
1226 fi.fin_flx &= ~FI_STATE;
1227 nflags &= NAT_TCPUDP;
1228 nflags |= SI_W_SPORT|SI_CLONE;
1229
1230 if (ipf_state_add(softc, &fi, NULL, nflags) != 0) {
1231 /*
1232 * XXX nat_delete is private to ip_nat.c. Should
1233 * check w/ Darren about this one.
1234 *
1235 * nat_delete(natl, NL_EXPIRE);
1236 */
1237 return (-1);
1238 }
1239 }
1240
1241 return (0);
1242 }
1243
1244 /* -------------------------------------------------------------------- */
1245 /* Function: ipf_p_rpcb_modv3 */
1246 /* Returns: int -- change in packet length */
1247 /* Parameters: fin(I) - pointer to packet information */
1248 /* nat(I) - pointer to NAT session */
1249 /* rm(I) - pointer to RPC message structure */
1250 /* m(I) - pointer to mbuf chain */
1251 /* off(I) - offset within mbuf chain */
1252 /* */
1253 /* Write a new universal address string to this packet, adjusting */
1254 /* lengths as necessary. */
1255 /* -------------------------------------------------------------------- */
1256 static int
ipf_p_rpcb_modv3(fr_info_t * fin,nat_t * nat,rpc_msg_t * rm,mb_t * m,u_int off)1257 ipf_p_rpcb_modv3(fr_info_t *fin, nat_t *nat, rpc_msg_t *rm, mb_t *m,
1258 u_int off)
1259 {
1260 u_int len, xlen, pos, bogo;
1261 rpc_resp_t *rr;
1262 char uaddr[24];
1263 char *i, *p;
1264 int diff;
1265
1266 rr = &rm->rm_resp;
1267 i = (char *)&nat->nat_ndstaddr;
1268 p = (char *)&rr->rr_v3.xu_port;
1269
1270 /* Form new string. */
1271 bzero(uaddr, sizeof(uaddr)); /* Just in case we need padding. */
1272 (void) snprintf(uaddr, sizeof(uaddr),
1273 "%u.%u.%u.%u.%u.%u", i[0] & 0xff, i[1] & 0xff,
1274 i[2] & 0xff, i[3] & 0xff, p[0] & 0xff, p[1] & 0xff);
1275 len = strlen(uaddr);
1276 xlen = XDRALIGN(len);
1277
1278 /* Determine mbuf offset to write to. */
1279 pos = (char *)rr->rr_v3.xu_xslen - rm->rm_msgbuf;
1280 off += pos;
1281
1282 /* Write new string length. */
1283 bogo = htonl(len);
1284 COPYBACK(m, off, 4, (caddr_t)&bogo);
1285 off += 4;
1286
1287 /* Write new string. */
1288 COPYBACK(m, off, xlen, uaddr);
1289
1290 /* Determine difference in data lengths. */
1291 diff = xlen - XDRALIGN(B(rr->rr_v3.xu_xslen));
1292
1293 /*
1294 * If our new string has a different length, make necessary
1295 * adjustments.
1296 */
1297 if (diff != 0)
1298 ipf_p_rpcb_fixlen(fin, diff);
1299
1300 return (diff);
1301 }
1302
1303 /* -------------------------------------------------------------------- */
1304 /* Function: ipf_p_rpcb_modv4 */
1305 /* Returns: int -- change in packet length */
1306 /* Parameters: fin(I) - pointer to packet information */
1307 /* nat(I) - pointer to NAT session */
1308 /* rm(I) - pointer to RPC message structure */
1309 /* m(I) - pointer to mbuf chain */
1310 /* off(I) - offset within mbuf chain */
1311 /* */
1312 /* Write new rpcb_entry list, adjusting lengths as necessary. */
1313 /* -------------------------------------------------------------------- */
1314 static int
ipf_p_rpcb_modv4(fr_info_t * fin,nat_t * nat,rpc_msg_t * rm,mb_t * m,u_int off)1315 ipf_p_rpcb_modv4(fr_info_t *fin, nat_t *nat, rpc_msg_t *rm, mb_t *m,
1316 u_int off)
1317 {
1318 u_int len, xlen, pos, bogo;
1319 rpcb_listp_t *rl;
1320 rpcb_entry_t *re;
1321 rpc_resp_t *rr;
1322 char uaddr[24];
1323 int diff, cnt;
1324 char *i, *p;
1325
1326 diff = 0;
1327 rr = &rm->rm_resp;
1328 rl = &rr->rr_v4;
1329
1330 i = (char *)&nat->nat_ndstaddr;
1331
1332 /* Determine mbuf offset to write to. */
1333 re = &rl->rl_entries[0];
1334 pos = (char *)re->re_maddr.xu_xslen - rm->rm_msgbuf;
1335 off += pos;
1336
1337 for (cnt = 0; cnt < rl->rl_cnt; cnt++) {
1338 re = &rl->rl_entries[cnt];
1339 p = (char *)&re->re_maddr.xu_port;
1340
1341 /* Form new string. */
1342 bzero(uaddr, sizeof(uaddr)); /* Just in case we need
1343 padding. */
1344 (void) snprintf(uaddr, sizeof(uaddr),
1345 "%u.%u.%u.%u.%u.%u", i[0] & 0xff,
1346 i[1] & 0xff, i[2] & 0xff, i[3] & 0xff,
1347 p[0] & 0xff, p[1] & 0xff);
1348 len = strlen(uaddr);
1349 xlen = XDRALIGN(len);
1350
1351 /* Write new string length. */
1352 bogo = htonl(len);
1353 COPYBACK(m, off, 4, (caddr_t)&bogo);
1354 off += 4;
1355
1356 /* Write new string. */
1357 COPYBACK(m, off, xlen, uaddr);
1358 off += xlen;
1359
1360 /* Record any change in length. */
1361 diff += xlen - XDRALIGN(B(re->re_maddr.xu_xslen));
1362
1363 /* If the length changed, copy back the rest of this entry. */
1364 len = ((char *)re->re_more + 4) -
1365 (char *)re->re_netid.xp_xslen;
1366 if (diff != 0) {
1367 COPYBACK(m, off, len, (caddr_t)re->re_netid.xp_xslen);
1368 }
1369 off += len;
1370 }
1371
1372 /*
1373 * If our new string has a different length, make necessary
1374 * adjustments.
1375 */
1376 if (diff != 0)
1377 ipf_p_rpcb_fixlen(fin, diff);
1378
1379 return (diff);
1380 }
1381
1382
1383 /* -------------------------------------------------------------------- */
1384 /* Function: ipf_p_rpcb_fixlen */
1385 /* Returns: (void) */
1386 /* Parameters: fin(I) - pointer to packet information */
1387 /* len(I) - change in packet length */
1388 /* */
1389 /* Adjust various packet related lengths held in structure and packet */
1390 /* header fields. */
1391 /* -------------------------------------------------------------------- */
1392 static void
ipf_p_rpcb_fixlen(fr_info_t * fin,int len)1393 ipf_p_rpcb_fixlen(fr_info_t *fin, int len)
1394 {
1395 udphdr_t *udp;
1396
1397 udp = fin->fin_dp;
1398 udp->uh_ulen = htons(ntohs(udp->uh_ulen) + len);
1399 fin->fin_plen += len;
1400 fin->fin_ip->ip_len = htons(fin->fin_plen);
1401 fin->fin_dlen += len;
1402 }
1403
1404 #undef B
1405