1 /*
2 * Copyright (C) 2002-2012 by Ryan Beasley <ryanb@goddamnbastard.org>
3 *
4 * See the IPFILTER.LICENCE file for details on licencing.
5 */
6 /*
7 * Overview:
8 * This is an in-kernel application proxy for Sun's RPCBIND (nee portmap)
9 * protocol as defined in RFC1833. It is far from complete, mostly
10 * lacking in less-likely corner cases, but it's definitely functional.
11 *
12 * Invocation:
13 * rdr <int> <e_ip>/32 port <e_p> -> <i_ip> port <i_p> udp proxy rpcbu
14 *
15 * If the host running IP Filter is the same as the RPC server, it's
16 * perfectly legal for both the internal and external addresses and ports
17 * to match.
18 *
19 * When triggered by appropriate IP NAT rules, this proxy works by
20 * examining data contained in received packets. Requests and replies are
21 * modified, NAT and state table entries created, etc., as necessary.
22 */
23 /*
24 * TODO / NOTES
25 *
26 * o Must implement locking to protect proxy session data.
27 * o Fragmentation isn't supported.
28 * o Only supports UDP.
29 * o Doesn't support multiple RPC records in a single request.
30 * o Errors should be more fine-grained. (e.g., malloc failure vs.
31 * illegal RPCB request / reply)
32 * o Even with the limit on the total amount of recorded transactions,
33 * should there be a timeout on transaction removal?
34 * o There is a potential collision between cloning, wildcard NAT and
35 * state entries. There should be an appr_getport routine for
36 * to avoid this.
37 * o The enclosed hack of STREAMS support is pretty sick and most likely
38 * broken.
39 *
40 * $Id$
41 */
42 #define IPF_RPCB_PROXY
43
44 /*
45 * Function prototypes
46 */
47 void ipf_p_rpcb_main_load(void);
48 void ipf_p_rpcb_main_unload(void);
49 int ipf_p_rpcb_new(void *, fr_info_t *, ap_session_t *, nat_t *);
50 void ipf_p_rpcb_del(ipf_main_softc_t *, ap_session_t *);
51 int ipf_p_rpcb_in(void *, fr_info_t *, ap_session_t *, nat_t *);
52 int ipf_p_rpcb_out(void *, fr_info_t *, ap_session_t *, nat_t *);
53
54 static void ipf_p_rpcb_flush(rpcb_session_t *);
55 static int ipf_p_rpcb_decodereq(fr_info_t *, nat_t *,
56 rpcb_session_t *, rpc_msg_t *);
57 static int ipf_p_rpcb_skipauth(rpc_msg_t *, xdr_auth_t *, u_32_t **);
58 static int ipf_p_rpcb_insert(rpcb_session_t *, rpcb_xact_t *);
59 static int ipf_p_rpcb_xdrrpcb(rpc_msg_t *, u_32_t *, rpcb_args_t *);
60 static int ipf_p_rpcb_getuaddr(rpc_msg_t *, xdr_uaddr_t *,
61 u_32_t **);
62 static u_int ipf_p_rpcb_atoi(char *);
63 static int ipf_p_rpcb_modreq(fr_info_t *, nat_t *, rpc_msg_t *,
64 mb_t *, u_int);
65 static int ipf_p_rpcb_decoderep(fr_info_t *, nat_t *,
66 rpcb_session_t *, rpc_msg_t *, rpcb_xact_t **);
67 static rpcb_xact_t * ipf_p_rpcb_lookup(rpcb_session_t *, u_32_t);
68 static void ipf_p_rpcb_deref(rpcb_session_t *, rpcb_xact_t *);
69 static int ipf_p_rpcb_getproto(rpc_msg_t *, xdr_proto_t *,
70 u_32_t **);
71 static int ipf_p_rpcb_getnat(fr_info_t *, nat_t *, u_int, u_int);
72 static int ipf_p_rpcb_modv3(fr_info_t *, nat_t *, rpc_msg_t *,
73 mb_t *, u_int);
74 static int ipf_p_rpcb_modv4(fr_info_t *, nat_t *, rpc_msg_t *,
75 mb_t *, u_int);
76 static void ipf_p_rpcb_fixlen(fr_info_t *, int);
77
78 /*
79 * Global variables
80 */
81 static frentry_t rpcbfr; /* Skeleton rule for reference by entities
82 this proxy creates. */
83 VNET_DEFINE_STATIC(int, rpcbcnt);
84 #define V_rpcbcnt VNET(rpcbcnt)
85 /* Upper bound of allocated RPCB sessions. */
86 /* XXX rpcbcnt still requires locking. */
87
88 static int rpcb_proxy_init = 0;
89
90
91 /*
92 * Since rpc_msg contains only pointers, one should use this macro as a
93 * handy way to get to the goods. (In case you're wondering about the name,
94 * this started as BYTEREF -> BREF -> B.)
95 */
96 #define B(r) (u_32_t)ntohl(*(r))
97
98 /*
99 * Public subroutines
100 */
101
102 /* -------------------------------------------------------------------- */
103 /* Function: ipf_p_rpcb_main_load */
104 /* Returns: void */
105 /* Parameters: (void) */
106 /* */
107 /* Initialize the filter rule entry and session limiter. */
108 /* -------------------------------------------------------------------- */
109 void
ipf_p_rpcb_main_load(void)110 ipf_p_rpcb_main_load(void)
111 {
112 V_rpcbcnt = 0;
113
114 bzero((char *)&rpcbfr, sizeof(rpcbfr));
115 rpcbfr.fr_ref = 1;
116 rpcbfr.fr_flags = FR_PASS|FR_QUICK|FR_KEEPSTATE;
117 MUTEX_INIT(&rpcbfr.fr_lock, "ipf Sun RPCB proxy rule lock");
118 rpcb_proxy_init = 1;
119 }
120
121 /* -------------------------------------------------------------------- */
122 /* Function: ipf_p_rpcb_main_unload */
123 /* Returns: void */
124 /* Parameters: (void) */
125 /* */
126 /* Destroy rpcbfr's mutex to avoid a lock leak. */
127 /* -------------------------------------------------------------------- */
128 void
ipf_p_rpcb_main_unload(void)129 ipf_p_rpcb_main_unload(void)
130 {
131 if (rpcb_proxy_init == 1) {
132 MUTEX_DESTROY(&rpcbfr.fr_lock);
133 rpcb_proxy_init = 0;
134 }
135 }
136
137 /* -------------------------------------------------------------------- */
138 /* Function: ipf_p_rpcb_new */
139 /* Returns: int - -1 == failure, 0 == success */
140 /* Parameters: fin(I) - pointer to packet information */
141 /* aps(I) - pointer to proxy session structure */
142 /* nat(I) - pointer to NAT session structure */
143 /* */
144 /* Allocate resources for per-session proxy structures. */
145 /* -------------------------------------------------------------------- */
146 int
ipf_p_rpcb_new(void * arg,fr_info_t * fin,ap_session_t * aps,nat_t * nat __unused)147 ipf_p_rpcb_new(void *arg, fr_info_t *fin, ap_session_t *aps, nat_t *nat __unused)
148 {
149 rpcb_session_t *rs;
150
151 if (fin->fin_v != 4)
152 return (-1);
153
154 KMALLOC(rs, rpcb_session_t *);
155 if (rs == NULL)
156 return (-1);
157
158 bzero((char *)rs, sizeof(*rs));
159 MUTEX_INIT(&rs->rs_rxlock, "ipf Sun RPCB proxy session lock");
160
161 aps->aps_data = rs;
162
163 return (0);
164 }
165
166 /* -------------------------------------------------------------------- */
167 /* Function: ipf_p_rpcb_del */
168 /* Returns: void */
169 /* Parameters: aps(I) - pointer to proxy session structure */
170 /* */
171 /* Free up a session's list of RPCB requests. */
172 /* -------------------------------------------------------------------- */
173 void
ipf_p_rpcb_del(ipf_main_softc_t * softc,ap_session_t * aps)174 ipf_p_rpcb_del(ipf_main_softc_t *softc, ap_session_t *aps)
175 {
176 rpcb_session_t *rs;
177 rs = (rpcb_session_t *)aps->aps_data;
178
179 MUTEX_ENTER(&rs->rs_rxlock);
180 ipf_p_rpcb_flush(rs);
181 MUTEX_EXIT(&rs->rs_rxlock);
182 MUTEX_DESTROY(&rs->rs_rxlock);
183 }
184
185 /* -------------------------------------------------------------------- */
186 /* Function: ipf_p_rpcb_in */
187 /* Returns: int - APR_ERR(1) == drop the packet, */
188 /* APR_ERR(2) == kill the proxy session, */
189 /* else change in packet length (in bytes) */
190 /* Parameters: fin(I) - pointer to packet information */
191 /* ip(I) - pointer to packet header */
192 /* aps(I) - pointer to proxy session structure */
193 /* nat(I) - pointer to NAT session structure */
194 /* */
195 /* Given a presumed RPCB request, perform some minor tests and pass off */
196 /* for decoding. Also pass packet off for a rewrite if necessary. */
197 /* -------------------------------------------------------------------- */
198 int
ipf_p_rpcb_in(void * arg,fr_info_t * fin,ap_session_t * aps,nat_t * nat)199 ipf_p_rpcb_in(void *arg, fr_info_t *fin, ap_session_t *aps, nat_t *nat)
200 {
201 rpc_msg_t rpcmsg, *rm;
202 rpcb_session_t *rs;
203 u_int off, dlen;
204 mb_t *m;
205 int rv;
206
207 /* Disallow fragmented or illegally short packets. */
208 if ((fin->fin_flx & (FI_FRAG|FI_SHORT)) != 0)
209 return (APR_ERR(1));
210
211 /* Perform basic variable initialization. */
212 rs = (rpcb_session_t *)aps->aps_data;
213
214 m = fin->fin_m;
215 off = (char *)fin->fin_dp - (char *)fin->fin_ip;
216 off += sizeof(udphdr_t) + fin->fin_ipoff;
217 dlen = fin->fin_dlen - sizeof(udphdr_t);
218
219 /* Disallow packets outside legal range for supported requests. */
220 if ((dlen < RPCB_REQMIN) || (dlen > RPCB_REQMAX))
221 return (APR_ERR(1));
222
223 /* Copy packet over to convenience buffer. */
224 rm = &rpcmsg;
225 bzero((char *)rm, sizeof(*rm));
226 COPYDATA(m, off, dlen, (caddr_t)&rm->rm_msgbuf);
227 rm->rm_buflen = dlen;
228
229 /* Send off to decode request. */
230 rv = ipf_p_rpcb_decodereq(fin, nat, rs, rm);
231
232 switch(rv)
233 {
234 case -1:
235 return (APR_ERR(1));
236 /*NOTREACHED*/
237 break;
238 case 0:
239 break;
240 case 1:
241 rv = ipf_p_rpcb_modreq(fin, nat, rm, m, off);
242 break;
243 default:
244 /*CONSTANTCONDITION*/
245 IPF_PANIC(1, ("illegal rv %d (ipf_p_rpcb_req)", rv));
246 }
247
248 return (rv);
249 }
250
251 /* -------------------------------------------------------------------- */
252 /* Function: ipf_p_rpcb_out */
253 /* Returns: int - APR_ERR(1) == drop the packet, */
254 /* APR_ERR(2) == kill the proxy session, */
255 /* else change in packet length (in bytes) */
256 /* Parameters: fin(I) - pointer to packet information */
257 /* ip(I) - pointer to packet header */
258 /* aps(I) - pointer to proxy session structure */
259 /* nat(I) - pointer to NAT session structure */
260 /* */
261 /* Given a presumed RPCB reply, perform some minor tests and pass off */
262 /* for decoding. If the message indicates a successful request with */
263 /* valid addressing information, create NAT and state structures to */
264 /* allow direct communication between RPC client and server. */
265 /* -------------------------------------------------------------------- */
266 int
ipf_p_rpcb_out(void * arg,fr_info_t * fin,ap_session_t * aps,nat_t * nat)267 ipf_p_rpcb_out(void *arg, fr_info_t *fin, ap_session_t *aps, nat_t *nat)
268 {
269 rpc_msg_t rpcmsg, *rm;
270 rpcb_session_t *rs;
271 rpcb_xact_t *rx;
272 u_int off, dlen;
273 int rv, diff;
274 mb_t *m;
275
276 /* Disallow fragmented or illegally short packets. */
277 if ((fin->fin_flx & (FI_FRAG|FI_SHORT)) != 0)
278 return (APR_ERR(1));
279
280 /* Perform basic variable initialization. */
281 rs = (rpcb_session_t *)aps->aps_data;
282 rx = NULL;
283
284 m = fin->fin_m;
285 off = (char *)fin->fin_dp - (char *)fin->fin_ip;
286 off += sizeof(udphdr_t) + fin->fin_ipoff;
287 dlen = fin->fin_dlen - sizeof(udphdr_t);
288 diff = 0;
289
290 /* Disallow packets outside legal range for supported requests. */
291 if ((dlen < RPCB_REPMIN) || (dlen > RPCB_REPMAX))
292 return (APR_ERR(1));
293
294 /* Copy packet over to convenience buffer. */
295 rm = &rpcmsg;
296 bzero((char *)rm, sizeof(*rm));
297 COPYDATA(m, off, dlen, (caddr_t)&rm->rm_msgbuf);
298 rm->rm_buflen = dlen;
299
300 rx = NULL; /* XXX gcc */
301
302 /* Send off to decode reply. */
303 rv = ipf_p_rpcb_decoderep(fin, nat, rs, rm, &rx);
304
305 switch(rv)
306 {
307 case -1: /* Bad packet */
308 if (rx != NULL) {
309 MUTEX_ENTER(&rs->rs_rxlock);
310 ipf_p_rpcb_deref(rs, rx);
311 MUTEX_EXIT(&rs->rs_rxlock);
312 }
313 return (APR_ERR(1));
314 /*NOTREACHED*/
315 break;
316 case 0: /* Negative reply / request rejected */
317 break;
318 case 1: /* Positive reply */
319 /*
320 * With the IP address embedded in a GETADDR(LIST) reply,
321 * we'll need to rewrite the packet in the very possible
322 * event that the internal & external addresses aren't the
323 * same. (i.e., this box is either a router or rpcbind
324 * only listens on loopback.)
325 */
326 if (nat->nat_odstaddr != nat->nat_ndstaddr) {
327 if (rx->rx_type == RPCB_RES_STRING)
328 diff = ipf_p_rpcb_modv3(fin, nat, rm, m, off);
329 else if (rx->rx_type == RPCB_RES_LIST)
330 diff = ipf_p_rpcb_modv4(fin, nat, rm, m, off);
331 }
332 break;
333 default:
334 /*CONSTANTCONDITION*/
335 IPF_PANIC(1, ("illegal rv %d (ipf_p_rpcb_decoderep)", rv));
336 }
337
338 if (rx != NULL) {
339 MUTEX_ENTER(&rs->rs_rxlock);
340 /* XXX Gross hack - I'm overloading the reference
341 * counter to deal with both threads and retransmitted
342 * requests. One deref signals that this thread is
343 * finished with rx, and the other signals that we've
344 * processed its reply.
345 */
346 ipf_p_rpcb_deref(rs, rx);
347 ipf_p_rpcb_deref(rs, rx);
348 MUTEX_EXIT(&rs->rs_rxlock);
349 }
350
351 return (diff);
352 }
353
354 /*
355 * Private support subroutines
356 */
357
358 /* -------------------------------------------------------------------- */
359 /* Function: ipf_p_rpcb_flush */
360 /* Returns: void */
361 /* Parameters: rs(I) - pointer to RPCB session structure */
362 /* */
363 /* Simply flushes the list of outstanding transactions, if any. */
364 /* -------------------------------------------------------------------- */
365 static void
ipf_p_rpcb_flush(rpcb_session_t * rs)366 ipf_p_rpcb_flush(rpcb_session_t *rs)
367 {
368 rpcb_xact_t *r1, *r2;
369
370 r1 = rs->rs_rxlist;
371 if (r1 == NULL)
372 return;
373
374 while (r1 != NULL) {
375 r2 = r1;
376 r1 = r1->rx_next;
377 KFREE(r2);
378 }
379 }
380
381 /* -------------------------------------------------------------------- */
382 /* Function: ipf_p_rpcb_decodereq */
383 /* Returns: int - -1 == bad request or critical failure, */
384 /* 0 == request successfully decoded, */
385 /* 1 == request successfully decoded; requires */
386 /* address rewrite/modification */
387 /* Parameters: fin(I) - pointer to packet information */
388 /* nat(I) - pointer to NAT session structure */
389 /* rs(I) - pointer to RPCB session structure */
390 /* rm(I) - pointer to RPC message structure */
391 /* */
392 /* Take a presumed RPCB request, decode it, and store the results in */
393 /* the transaction list. If the internal target address needs to be */
394 /* modified, store its location in ptr. */
395 /* WARNING: It's the responsibility of the caller to make sure there */
396 /* is enough room in rs_buf for the basic RPC message "preamble". */
397 /* -------------------------------------------------------------------- */
398 static int
ipf_p_rpcb_decodereq(fr_info_t * fin,nat_t * nat,rpcb_session_t * rs,rpc_msg_t * rm)399 ipf_p_rpcb_decodereq(fr_info_t *fin, nat_t *nat, rpcb_session_t *rs,
400 rpc_msg_t *rm)
401 {
402 rpcb_args_t *ra;
403 u_32_t xdr, *p;
404 rpc_call_t *rc;
405 rpcb_xact_t rx;
406 int mod;
407
408 p = (u_32_t *)rm->rm_msgbuf;
409 mod = 0;
410
411 bzero((char *)&rx, sizeof(rx));
412 rc = &rm->rm_call;
413
414 rm->rm_xid = p;
415 rx.rx_xid = B(p++); /* Record this message's XID. */
416
417 /* Parse out and test the RPC header. */
418 if ((B(p++) != RPCB_CALL) ||
419 (B(p++) != RPCB_MSG_VERSION) ||
420 (B(p++) != RPCB_PROG))
421 return (-1);
422
423 /* Record the RPCB version and procedure. */
424 rc->rc_vers = p++;
425 rc->rc_proc = p++;
426
427 /* Bypass RPC authentication stuff. */
428 if (ipf_p_rpcb_skipauth(rm, &rc->rc_authcred, &p) != 0)
429 return (-1);
430 if (ipf_p_rpcb_skipauth(rm, &rc->rc_authverf, &p) != 0)
431 return (-1);
432
433 /* Compare RPCB version and procedure numbers. */
434 switch(B(rc->rc_vers))
435 {
436 case 2:
437 /* This proxy only supports PMAP_GETPORT. */
438 if (B(rc->rc_proc) != RPCB_GETPORT)
439 return (-1);
440
441 /* Portmap requests contain four 4 byte parameters. */
442 if (RPCB_BUF_EQ(rm, p, 16) == 0)
443 return (-1);
444
445 p += 2; /* Skip requested program and version numbers. */
446
447 /* Sanity check the requested protocol. */
448 xdr = B(p);
449 if (!(xdr == IPPROTO_UDP || xdr == IPPROTO_TCP))
450 return (-1);
451
452 rx.rx_type = RPCB_RES_PMAP;
453 rx.rx_proto = xdr;
454 break;
455 case 3:
456 case 4:
457 /* GETADDRLIST is exclusive to v4; GETADDR for v3 & v4 */
458 switch(B(rc->rc_proc))
459 {
460 case RPCB_GETADDR:
461 rx.rx_type = RPCB_RES_STRING;
462 rx.rx_proto = (u_int)fin->fin_p;
463 break;
464 case RPCB_GETADDRLIST:
465 if (B(rc->rc_vers) != 4)
466 return (-1);
467 rx.rx_type = RPCB_RES_LIST;
468 break;
469 default:
470 return (-1);
471 }
472
473 ra = &rc->rc_rpcbargs;
474
475 /* Decode the 'struct rpcb' request. */
476 if (ipf_p_rpcb_xdrrpcb(rm, p, ra) != 0)
477 return (-1);
478
479 /* Are the target address & port valid? */
480 if ((ra->ra_maddr.xu_ip != nat->nat_ndstaddr) ||
481 (ra->ra_maddr.xu_port != nat->nat_ndport))
482 return (-1);
483
484 /* Do we need to rewrite this packet? */
485 if ((nat->nat_ndstaddr != nat->nat_odstaddr) ||
486 (nat->nat_ndport != nat->nat_odport))
487 mod = 1;
488 break;
489 default:
490 return (-1);
491 }
492
493 MUTEX_ENTER(&rs->rs_rxlock);
494 if (ipf_p_rpcb_insert(rs, &rx) != 0) {
495 MUTEX_EXIT(&rs->rs_rxlock);
496 return (-1);
497 }
498 MUTEX_EXIT(&rs->rs_rxlock);
499
500 return (mod);
501 }
502
503 /* -------------------------------------------------------------------- */
504 /* Function: ipf_p_rpcb_skipauth */
505 /* Returns: int -- -1 == illegal auth parameters (lengths) */
506 /* 0 == valid parameters, pointer advanced */
507 /* Parameters: rm(I) - pointer to RPC message structure */
508 /* auth(I) - pointer to RPC auth structure */
509 /* buf(IO) - pointer to location within convenience buffer */
510 /* */
511 /* Record auth data length & location of auth data, then advance past */
512 /* it. */
513 /* -------------------------------------------------------------------- */
514 static int
ipf_p_rpcb_skipauth(rpc_msg_t * rm,xdr_auth_t * auth,u_32_t ** buf)515 ipf_p_rpcb_skipauth(rpc_msg_t *rm, xdr_auth_t *auth, u_32_t **buf)
516 {
517 u_32_t *p, xdr;
518
519 p = *buf;
520
521 /* Make sure we have enough space for expected fixed auth parms. */
522 if (RPCB_BUF_GEQ(rm, p, 8) == 0)
523 return (-1);
524
525 p++; /* We don't care about auth_flavor. */
526
527 auth->xa_string.xs_len = p;
528 xdr = B(p++); /* Length of auth_data */
529
530 /* Test for absurdity / illegality of auth_data length. */
531 if ((XDRALIGN(xdr) < xdr) || (RPCB_BUF_GEQ(rm, p, XDRALIGN(xdr)) == 0))
532 return (-1);
533
534 auth->xa_string.xs_str = (char *)p;
535
536 p += XDRALIGN(xdr); /* Advance our location. */
537
538 *buf = (u_32_t *)p;
539
540 return (0);
541 }
542
543 /* -------------------------------------------------------------------- */
544 /* Function: ipf_p_rpcb_insert */
545 /* Returns: int -- -1 == list insertion failed, */
546 /* 0 == item successfully added */
547 /* Parameters: rs(I) - pointer to RPCB session structure */
548 /* rx(I) - pointer to RPCB transaction structure */
549 /* -------------------------------------------------------------------- */
550 static int
ipf_p_rpcb_insert(rpcb_session_t * rs,rpcb_xact_t * rx)551 ipf_p_rpcb_insert(rpcb_session_t *rs, rpcb_xact_t *rx)
552 {
553 rpcb_xact_t *rxp;
554
555 rxp = ipf_p_rpcb_lookup(rs, rx->rx_xid);
556 if (rxp != NULL) {
557 ++rxp->rx_ref;
558 return (0);
559 }
560
561 if (V_rpcbcnt == RPCB_MAXREQS)
562 return (-1);
563
564 KMALLOC(rxp, rpcb_xact_t *);
565 if (rxp == NULL)
566 return (-1);
567
568 bcopy((char *)rx, (char *)rxp, sizeof(*rx));
569
570 if (rs->rs_rxlist != NULL)
571 rs->rs_rxlist->rx_pnext = &rxp->rx_next;
572
573 rxp->rx_pnext = &rs->rs_rxlist;
574 rxp->rx_next = rs->rs_rxlist;
575 rs->rs_rxlist = rxp;
576
577 rxp->rx_ref = 1;
578
579 ++V_rpcbcnt;
580
581 return (0);
582 }
583
584 /* -------------------------------------------------------------------- */
585 /* Function: ipf_p_rpcb_xdrrpcb */
586 /* Returns: int -- -1 == failure to properly decode the request */
587 /* 0 == rpcb successfully decoded */
588 /* Parameters: rs(I) - pointer to RPCB session structure */
589 /* p(I) - pointer to location within session buffer */
590 /* rpcb(O) - pointer to rpcb (xdr type) structure */
591 /* */
592 /* Decode a XDR encoded rpcb structure and record its contents in rpcb */
593 /* within only the context of TCP/UDP over IP networks. */
594 /* -------------------------------------------------------------------- */
595 static int
ipf_p_rpcb_xdrrpcb(rpc_msg_t * rm,u_32_t * p,rpcb_args_t * ra)596 ipf_p_rpcb_xdrrpcb(rpc_msg_t *rm, u_32_t *p, rpcb_args_t *ra)
597 {
598 if (!RPCB_BUF_GEQ(rm, p, 20))
599 return (-1);
600
601 /* Bypass target program & version. */
602 p += 2;
603
604 /* Decode r_netid. Must be "tcp" or "udp". */
605 if (ipf_p_rpcb_getproto(rm, &ra->ra_netid, &p) != 0)
606 return (-1);
607
608 /* Decode r_maddr. */
609 if (ipf_p_rpcb_getuaddr(rm, &ra->ra_maddr, &p) != 0)
610 return (-1);
611
612 /* Advance to r_owner and make sure it's empty. */
613 if (!RPCB_BUF_EQ(rm, p, 4) || (B(p) != 0))
614 return (-1);
615
616 return (0);
617 }
618
619 /* -------------------------------------------------------------------- */
620 /* Function: ipf_p_rpcb_getuaddr */
621 /* Returns: int -- -1 == illegal string, */
622 /* 0 == string parsed; contents recorded */
623 /* Parameters: rm(I) - pointer to RPC message structure */
624 /* xu(I) - pointer to universal address structure */
625 /* p(IO) - pointer to location within message buffer */
626 /* */
627 /* Decode the IP address / port at p and record them in xu. */
628 /* -------------------------------------------------------------------- */
629 static int
ipf_p_rpcb_getuaddr(rpc_msg_t * rm,xdr_uaddr_t * xu,u_32_t ** p)630 ipf_p_rpcb_getuaddr(rpc_msg_t *rm, xdr_uaddr_t *xu, u_32_t **p)
631 {
632 char *c, *i, *b, *pp;
633 u_int d, dd, l, t;
634 char uastr[24];
635
636 /* Test for string length. */
637 if (!RPCB_BUF_GEQ(rm, *p, 4))
638 return (-1);
639
640 xu->xu_xslen = (*p)++;
641 xu->xu_xsstr = (char *)*p;
642
643 /* Length check */
644 l = B(xu->xu_xslen);
645 if (l < 11 || l > 23 || !RPCB_BUF_GEQ(rm, *p, XDRALIGN(l)))
646 return (-1);
647
648 /* Advance p */
649 *(char **)p += XDRALIGN(l);
650
651 /* Copy string to local buffer & terminate C style */
652 bcopy(xu->xu_xsstr, uastr, l);
653 uastr[l] = '\0';
654
655 i = (char *)&xu->xu_ip;
656 pp = (char *)&xu->xu_port;
657
658 /*
659 * Expected format: a.b.c.d.e.f where [a-d] correspond to bytes of
660 * an IP address and [ef] are the bytes of a L4 port.
661 */
662 if (!(ISDIGIT(uastr[0]) && ISDIGIT(uastr[l-1])))
663 return (-1);
664 b = uastr;
665 for (c = &uastr[1], d = 0, dd = 0; c < &uastr[l-1]; c++) {
666 if (ISDIGIT(*c)) {
667 dd = 0;
668 continue;
669 }
670 if (*c == '.') {
671 if (dd != 0)
672 return (-1);
673
674 /* Check for ASCII byte. */
675 *c = '\0';
676 t = ipf_p_rpcb_atoi(b);
677 if (t > 255)
678 return (-1);
679
680 /* Aim b at beginning of the next byte. */
681 b = c + 1;
682
683 /* Switch off IP addr vs port parsing. */
684 if (d < 4)
685 i[d++] = t & 0xff;
686 else
687 pp[d++ - 4] = t & 0xff;
688
689 dd = 1;
690 continue;
691 }
692 return (-1);
693 }
694 if (d != 5) /* String must contain exactly 5 periods. */
695 return (-1);
696
697 /* Handle the last byte (port low byte) */
698 t = ipf_p_rpcb_atoi(b);
699 if (t > 255)
700 return (-1);
701 pp[d - 4] = t & 0xff;
702
703 return (0);
704 }
705
706 /* -------------------------------------------------------------------- */
707 /* Function: ipf_p_rpcb_atoi (XXX should be generic for all proxies) */
708 /* Returns: int -- integer representation of supplied string */
709 /* Parameters: ptr(I) - input string */
710 /* */
711 /* Simple version of atoi(3) ripped from ip_rcmd_pxy.c. */
712 /* -------------------------------------------------------------------- */
713 static u_int
ipf_p_rpcb_atoi(char * ptr)714 ipf_p_rpcb_atoi(char *ptr)
715 {
716 register char *s = ptr, c;
717 register u_int i = 0;
718
719 while (((c = *s++) != '\0') && ISDIGIT(c)) {
720 i *= 10;
721 i += c - '0';
722 }
723 return (i);
724 }
725
726 /* -------------------------------------------------------------------- */
727 /* Function: ipf_p_rpcb_modreq */
728 /* Returns: int -- change in datagram length */
729 /* APR_ERR(2) - critical failure */
730 /* Parameters: fin(I) - pointer to packet information */
731 /* nat(I) - pointer to NAT session */
732 /* rm(I) - pointer to RPC message structure */
733 /* m(I) - pointer to mbuf chain */
734 /* off(I) - current offset within mbuf chain */
735 /* */
736 /* When external and internal addresses differ, we rewrite the former */
737 /* with the latter. (This is exclusive to protocol versions 3 & 4). */
738 /* -------------------------------------------------------------------- */
739 static int
ipf_p_rpcb_modreq(fr_info_t * fin,nat_t * nat,rpc_msg_t * rm,mb_t * m,u_int off)740 ipf_p_rpcb_modreq(fr_info_t *fin, nat_t *nat, rpc_msg_t *rm, mb_t *m,
741 u_int off)
742 {
743 u_int len, xlen, pos, bogo;
744 rpcb_args_t *ra;
745 char uaddr[24];
746 udphdr_t *udp;
747 char *i, *p;
748 int diff;
749
750 ra = &rm->rm_call.rc_rpcbargs;
751 i = (char *)&nat->nat_odstaddr;
752 p = (char *)&nat->nat_odport;
753
754 /* Form new string. */
755 bzero(uaddr, sizeof(uaddr)); /* Just in case we need padding. */
756 (void) snprintf(uaddr, sizeof(uaddr),
757 "%u.%u.%u.%u.%u.%u", i[0] & 0xff, i[1] & 0xff,
758 i[2] & 0xff, i[3] & 0xff, p[0] & 0xff, p[1] & 0xff);
759 len = strlen(uaddr);
760 xlen = XDRALIGN(len);
761
762 /* Determine mbuf offset to start writing to. */
763 pos = (char *)ra->ra_maddr.xu_xslen - rm->rm_msgbuf;
764 off += pos;
765
766 /* Write new string length. */
767 bogo = htonl(len);
768 COPYBACK(m, off, 4, (caddr_t)&bogo);
769 off += 4;
770
771 /* Write new string. */
772 COPYBACK(m, off, xlen, uaddr);
773 off += xlen;
774
775 /* Write in zero r_owner. */
776 bogo = 0;
777 COPYBACK(m, off, 4, (caddr_t)&bogo);
778
779 /* Determine difference in data lengths. */
780 diff = xlen - XDRALIGN(B(ra->ra_maddr.xu_xslen));
781
782 /*
783 * If our new string has a different length, make necessary
784 * adjustments.
785 */
786 if (diff != 0) {
787 udp = fin->fin_dp;
788 udp->uh_ulen = htons(ntohs(udp->uh_ulen) + diff);
789 fin->fin_plen += diff;
790 fin->fin_ip->ip_len = htons(fin->fin_plen);
791 fin->fin_dlen += diff;
792 /* XXX Storage lengths. */
793 }
794
795 return (diff);
796 }
797
798 /* -------------------------------------------------------------------- */
799 /* Function: ipf_p_rpcb_decoderep */
800 /* Returns: int - -1 == bad request or critical failure, */
801 /* 0 == valid, negative reply */
802 /* 1 == vaddlid, positive reply; needs no changes */
803 /* Parameters: fin(I) - pointer to packet information */
804 /* nat(I) - pointer to NAT session structure */
805 /* rs(I) - pointer to RPCB session structure */
806 /* rm(I) - pointer to RPC message structure */
807 /* rxp(O) - pointer to RPCB transaction structure */
808 /* */
809 /* Take a presumed RPCB reply, extract the XID, search for the original */
810 /* request information, and determine whether the request was accepted */
811 /* or rejected. With a valid accepted reply, go ahead and create NAT */
812 /* and state entries, and finish up by rewriting the packet as */
813 /* required. */
814 /* */
815 /* WARNING: It's the responsibility of the caller to make sure there */
816 /* is enough room in rs_buf for the basic RPC message "preamble". */
817 /* -------------------------------------------------------------------- */
818 static int
ipf_p_rpcb_decoderep(fr_info_t * fin,nat_t * nat,rpcb_session_t * rs,rpc_msg_t * rm,rpcb_xact_t ** rxp)819 ipf_p_rpcb_decoderep(fr_info_t *fin, nat_t *nat, rpcb_session_t *rs,
820 rpc_msg_t *rm, rpcb_xact_t **rxp)
821 {
822 rpcb_listp_t *rl;
823 rpcb_entry_t *re;
824 rpcb_xact_t *rx;
825 u_32_t xdr, *p;
826 rpc_resp_t *rr;
827 int rv, cnt;
828
829 p = (u_32_t *)rm->rm_msgbuf;
830
831 bzero((char *)&rx, sizeof(rx));
832 rr = &rm->rm_resp;
833
834 rm->rm_xid = p;
835 xdr = B(p++); /* Record this message's XID. */
836
837 /* Lookup XID */
838 MUTEX_ENTER(&rs->rs_rxlock);
839 if ((rx = ipf_p_rpcb_lookup(rs, xdr)) == NULL) {
840 MUTEX_EXIT(&rs->rs_rxlock);
841 return (-1);
842 }
843 ++rx->rx_ref; /* per thread reference */
844 MUTEX_EXIT(&rs->rs_rxlock);
845
846 *rxp = rx;
847
848 /* Test call vs reply */
849 if (B(p++) != RPCB_REPLY)
850 return (-1);
851
852 /* Test reply_stat */
853 switch(B(p++))
854 {
855 case RPCB_MSG_DENIED:
856 return (0);
857 case RPCB_MSG_ACCEPTED:
858 break;
859 default:
860 return (-1);
861 }
862
863 /* Bypass RPC authentication stuff. */
864 if (ipf_p_rpcb_skipauth(rm, &rr->rr_authverf, &p) != 0)
865 return (-1);
866
867 /* Test accept status */
868 if (!RPCB_BUF_GEQ(rm, p, 4))
869 return (-1);
870 if (B(p++) != 0)
871 return (0);
872
873 /* Parse out the expected reply */
874 switch(rx->rx_type)
875 {
876 case RPCB_RES_PMAP:
877 /* There must be only one 4 byte argument. */
878 if (!RPCB_BUF_EQ(rm, p, 4))
879 return (-1);
880
881 rr->rr_v2 = p;
882 xdr = B(rr->rr_v2);
883
884 /* Reply w/ a 0 port indicates service isn't registered */
885 if (xdr == 0)
886 return (0);
887
888 /* Is the value sane? */
889 if (xdr > 65535)
890 return (-1);
891
892 /* Create NAT & state table entries. */
893 if (ipf_p_rpcb_getnat(fin, nat, rx->rx_proto, (u_int)xdr) != 0)
894 return (-1);
895 break;
896 case RPCB_RES_STRING:
897 /* Expecting a XDR string; need 4 bytes for length */
898 if (!RPCB_BUF_GEQ(rm, p, 4))
899 return (-1);
900
901 rr->rr_v3.xu_str.xs_len = p++;
902 rr->rr_v3.xu_str.xs_str = (char *)p;
903
904 xdr = B(rr->rr_v3.xu_xslen);
905
906 /* A null string indicates an unregistered service */
907 if ((xdr == 0) && RPCB_BUF_EQ(rm, p, 0))
908 return (0);
909
910 /* Decode the target IP address / port. */
911 if (ipf_p_rpcb_getuaddr(rm, &rr->rr_v3, &p) != 0)
912 return (-1);
913
914 /* Validate the IP address and port contained. */
915 if (nat->nat_odstaddr != rr->rr_v3.xu_ip)
916 return (-1);
917
918 /* Create NAT & state table entries. */
919 if (ipf_p_rpcb_getnat(fin, nat, rx->rx_proto,
920 (u_int)rr->rr_v3.xu_port) != 0)
921 return (-1);
922 break;
923 case RPCB_RES_LIST:
924 if (!RPCB_BUF_GEQ(rm, p, 4))
925 return (-1);
926 /* rpcb_entry_list_ptr */
927 switch(B(p))
928 {
929 case 0:
930 return (0);
931 /*NOTREACHED*/
932 break;
933 case 1:
934 break;
935 default:
936 return (-1);
937 }
938 rl = &rr->rr_v4;
939 rl->rl_list = p++;
940 cnt = 0;
941
942 for(;;) {
943 re = &rl->rl_entries[rl->rl_cnt];
944 if (ipf_p_rpcb_getuaddr(rm, &re->re_maddr, &p) != 0)
945 return (-1);
946 if (ipf_p_rpcb_getproto(rm, &re->re_netid, &p) != 0)
947 return (-1);
948 /* re_semantics & re_pfamily length */
949 if (!RPCB_BUF_GEQ(rm, p, 12))
950 return (-1);
951 p++; /* Skipping re_semantics. */
952 xdr = B(p++);
953 if ((xdr != 4) || strncmp((char *)p, "inet", 4))
954 return (-1);
955 p++;
956 if (ipf_p_rpcb_getproto(rm, &re->re_proto, &p) != 0)
957 return (-1);
958 if (!RPCB_BUF_GEQ(rm, p, 4))
959 return (-1);
960 re->re_more = p;
961 if (B(re->re_more) > 1) /* 0,1 only legal values */
962 return (-1);
963 ++rl->rl_cnt;
964 ++cnt;
965 if (B(re->re_more) == 0)
966 break;
967 /* Replies in max out at 2; TCP and/or UDP */
968 if (cnt > 2)
969 return (-1);
970 p++;
971 }
972
973 for(rl->rl_cnt = 0; rl->rl_cnt < cnt; rl->rl_cnt++) {
974 re = &rl->rl_entries[rl->rl_cnt];
975 rv = ipf_p_rpcb_getnat(fin, nat,
976 re->re_proto.xp_proto,
977 (u_int)re->re_maddr.xu_port);
978 if (rv != 0)
979 return (-1);
980 }
981 break;
982 default:
983 /*CONSTANTCONDITION*/
984 IPF_PANIC(1, ("illegal rx_type %d", rx->rx_type));
985 }
986
987 return (1);
988 }
989
990 /* -------------------------------------------------------------------- */
991 /* Function: ipf_p_rpcb_lookup */
992 /* Returns: rpcb_xact_t * - NULL == no matching record, */
993 /* else pointer to relevant entry */
994 /* Parameters: rs(I) - pointer to RPCB session */
995 /* xid(I) - XID to look for */
996 /* -------------------------------------------------------------------- */
997 static rpcb_xact_t *
ipf_p_rpcb_lookup(rpcb_session_t * rs,u_32_t xid)998 ipf_p_rpcb_lookup(rpcb_session_t *rs, u_32_t xid)
999 {
1000 rpcb_xact_t *rx;
1001
1002 if (rs->rs_rxlist == NULL)
1003 return (NULL);
1004
1005 for (rx = rs->rs_rxlist; rx != NULL; rx = rx->rx_next)
1006 if (rx->rx_xid == xid)
1007 break;
1008
1009 return (rx);
1010 }
1011
1012 /* -------------------------------------------------------------------- */
1013 /* Function: ipf_p_rpcb_deref */
1014 /* Returns: (void) */
1015 /* Parameters: rs(I) - pointer to RPCB session */
1016 /* rx(I) - pointer to RPC transaction struct to remove */
1017 /* force(I) - indicates to delete entry regardless of */
1018 /* reference count */
1019 /* Locking: rs->rs_rxlock must be held write only */
1020 /* */
1021 /* Free the RPCB transaction record rx from the chain of entries. */
1022 /* -------------------------------------------------------------------- */
1023 static void
ipf_p_rpcb_deref(rpcb_session_t * rs __unused,rpcb_xact_t * rx)1024 ipf_p_rpcb_deref(rpcb_session_t *rs __unused, rpcb_xact_t *rx)
1025 {
1026 if (rx == NULL)
1027 return;
1028
1029 if (--rx->rx_ref != 0)
1030 return;
1031
1032 if (rx->rx_next != NULL)
1033 rx->rx_next->rx_pnext = rx->rx_pnext;
1034
1035 *rx->rx_pnext = rx->rx_next;
1036
1037 KFREE(rx);
1038
1039 --V_rpcbcnt;
1040 }
1041
1042 /* -------------------------------------------------------------------- */
1043 /* Function: ipf_p_rpcb_getproto */
1044 /* Returns: int - -1 == illegal protocol/netid, */
1045 /* 0 == legal protocol/netid */
1046 /* Parameters: rm(I) - pointer to RPC message structure */
1047 /* xp(I) - pointer to netid structure */
1048 /* p(IO) - pointer to location within packet buffer */
1049 /* */
1050 /* Decode netid/proto stored at p and record its numeric value. */
1051 /* -------------------------------------------------------------------- */
1052 static int
ipf_p_rpcb_getproto(rpc_msg_t * rm,xdr_proto_t * xp,u_32_t ** p)1053 ipf_p_rpcb_getproto(rpc_msg_t *rm, xdr_proto_t *xp, u_32_t **p)
1054 {
1055 u_int len;
1056
1057 /* Must have 4 bytes for length & 4 bytes for "tcp" or "udp". */
1058 if (!RPCB_BUF_GEQ(rm, p, 8))
1059 return (-1);
1060
1061 xp->xp_xslen = (*p)++;
1062 xp->xp_xsstr = (char *)*p;
1063
1064 /* Test the string length. */
1065 len = B(xp->xp_xslen);
1066 if (len != 3)
1067 return (-1);
1068
1069 /* Test the actual string & record the protocol accordingly. */
1070 if (!strncmp((char *)xp->xp_xsstr, "tcp\0", 4))
1071 xp->xp_proto = IPPROTO_TCP;
1072 else if (!strncmp((char *)xp->xp_xsstr, "udp\0", 4))
1073 xp->xp_proto = IPPROTO_UDP;
1074 else {
1075 return (-1);
1076 }
1077
1078 /* Advance past the string. */
1079 (*p)++;
1080
1081 return (0);
1082 }
1083
1084 /* -------------------------------------------------------------------- */
1085 /* Function: ipf_p_rpcb_getnat */
1086 /* Returns: int -- -1 == failed to create table entries, */
1087 /* 0 == success */
1088 /* Parameters: fin(I) - pointer to packet information */
1089 /* nat(I) - pointer to NAT table entry */
1090 /* proto(I) - transport protocol for new entries */
1091 /* port(I) - new port to use w/ wildcard table entries */
1092 /* */
1093 /* Create state and NAT entries to handle an anticipated connection */
1094 /* attempt between RPC client and server. */
1095 /* -------------------------------------------------------------------- */
1096 static int
ipf_p_rpcb_getnat(fr_info_t * fin,nat_t * nat,u_int proto,u_int port)1097 ipf_p_rpcb_getnat(fr_info_t *fin, nat_t *nat, u_int proto, u_int port)
1098 {
1099 ipf_main_softc_t *softc = fin->fin_main_soft;
1100 ipnat_t *ipn, ipnat;
1101 tcphdr_t tcp;
1102 ipstate_t *is;
1103 fr_info_t fi;
1104 nat_t *natl;
1105 int nflags;
1106
1107 ipn = nat->nat_ptr;
1108
1109 /* Generate dummy fr_info */
1110 bcopy((char *)fin, (char *)&fi, sizeof(fi));
1111 fi.fin_out = 0;
1112 fi.fin_p = proto;
1113 fi.fin_sport = 0;
1114 fi.fin_dport = port & 0xffff;
1115 fi.fin_flx |= FI_IGNORE;
1116 fi.fin_saddr = nat->nat_osrcaddr;
1117 fi.fin_daddr = nat->nat_odstaddr;
1118
1119 bzero((char *)&tcp, sizeof(tcp));
1120 tcp.th_dport = htons(port);
1121
1122 if (proto == IPPROTO_TCP) {
1123 tcp.th_win = htons(8192);
1124 TCP_OFF_A(&tcp, sizeof(tcphdr_t) >> 2);
1125 fi.fin_dlen = sizeof(tcphdr_t);
1126 tcp_set_flags(&tcp, TH_SYN);
1127 nflags = NAT_TCP;
1128 } else {
1129 fi.fin_dlen = sizeof(udphdr_t);
1130 nflags = NAT_UDP;
1131 }
1132
1133 nflags |= SI_W_SPORT|NAT_SEARCH;
1134 fi.fin_dp = &tcp;
1135 fi.fin_plen = fi.fin_hlen + fi.fin_dlen;
1136
1137 /*
1138 * Search for existing NAT & state entries. Pay close attention to
1139 * mutexes / locks grabbed from lookup routines, as not doing so could
1140 * lead to bad things.
1141 *
1142 * If successful, fr_stlookup returns with ipf_state locked. We have
1143 * no use for this lock, so simply unlock it if necessary.
1144 */
1145 is = ipf_state_lookup(&fi, &tcp, NULL);
1146 if (is != NULL) {
1147 RWLOCK_EXIT(&softc->ipf_state);
1148 }
1149
1150 RWLOCK_EXIT(&softc->ipf_nat);
1151
1152 WRITE_ENTER(&softc->ipf_nat);
1153 natl = ipf_nat_inlookup(&fi, nflags, proto, fi.fin_src, fi.fin_dst);
1154
1155 if ((natl != NULL) && (is != NULL)) {
1156 MUTEX_DOWNGRADE(&softc->ipf_nat);
1157 return (0);
1158 }
1159
1160 /* Slightly modify the following structures for actual use in creating
1161 * NAT and/or state entries. We're primarily concerned with stripping
1162 * flags that may be detrimental to the creation process or simply
1163 * shouldn't be associated with a table entry.
1164 */
1165 fi.fin_fr = &rpcbfr;
1166 fi.fin_flx &= ~FI_IGNORE;
1167 nflags &= ~NAT_SEARCH;
1168
1169 if (natl == NULL) {
1170 #ifdef USE_MUTEXES
1171 ipf_nat_softc_t *softn = softc->ipf_nat_soft;
1172 #endif
1173
1174 /* XXX Since we're just copying the original ipn contents
1175 * back, would we be better off just sending a pointer to
1176 * the 'temp' copy off to nat_new instead?
1177 */
1178 /* Generate template/bogus NAT rule. */
1179 bcopy((char *)ipn, (char *)&ipnat, sizeof(ipnat));
1180 ipn->in_flags = nflags & IPN_TCPUDP;
1181 ipn->in_apr = NULL;
1182 ipn->in_pr[0] = proto;
1183 ipn->in_pr[1] = proto;
1184 ipn->in_dpmin = fi.fin_dport;
1185 ipn->in_dpmax = fi.fin_dport;
1186 ipn->in_dpnext = fi.fin_dport;
1187 ipn->in_space = 1;
1188 ipn->in_ippip = 1;
1189 if (ipn->in_flags & IPN_FILTER) {
1190 ipn->in_scmp = 0;
1191 ipn->in_dcmp = 0;
1192 }
1193 ipn->in_plabel = -1;
1194
1195 /* Create NAT entry. return NULL if this fails. */
1196 MUTEX_ENTER(&softn->ipf_nat_new);
1197 natl = ipf_nat_add(&fi, ipn, NULL, nflags|SI_CLONE|NAT_SLAVE,
1198 NAT_INBOUND);
1199 MUTEX_EXIT(&softn->ipf_nat_new);
1200
1201 bcopy((char *)&ipnat, (char *)ipn, sizeof(ipnat));
1202
1203 if (natl == NULL) {
1204 MUTEX_DOWNGRADE(&softc->ipf_nat);
1205 return (-1);
1206 }
1207
1208 natl->nat_ptr = ipn;
1209 fi.fin_saddr = natl->nat_nsrcaddr;
1210 fi.fin_daddr = natl->nat_ndstaddr;
1211 ipn->in_use++;
1212 (void) ipf_nat_proto(&fi, natl, nflags);
1213 MUTEX_ENTER(&natl->nat_lock);
1214 ipf_nat_update(&fi, natl);
1215 MUTEX_EXIT(&natl->nat_lock);
1216 }
1217 MUTEX_DOWNGRADE(&softc->ipf_nat);
1218
1219 if (is == NULL) {
1220 /* Create state entry. Return NULL if this fails. */
1221 fi.fin_flx |= FI_NATED;
1222 fi.fin_flx &= ~FI_STATE;
1223 nflags &= NAT_TCPUDP;
1224 nflags |= SI_W_SPORT|SI_CLONE;
1225
1226 if (ipf_state_add(softc, &fi, NULL, nflags) != 0) {
1227 /*
1228 * XXX nat_delete is private to ip_nat.c. Should
1229 * check w/ Darren about this one.
1230 *
1231 * nat_delete(natl, NL_EXPIRE);
1232 */
1233 return (-1);
1234 }
1235 }
1236
1237 return (0);
1238 }
1239
1240 /* -------------------------------------------------------------------- */
1241 /* Function: ipf_p_rpcb_modv3 */
1242 /* Returns: int -- change in packet length */
1243 /* Parameters: fin(I) - pointer to packet information */
1244 /* nat(I) - pointer to NAT session */
1245 /* rm(I) - pointer to RPC message structure */
1246 /* m(I) - pointer to mbuf chain */
1247 /* off(I) - offset within mbuf chain */
1248 /* */
1249 /* Write a new universal address string to this packet, adjusting */
1250 /* lengths as necessary. */
1251 /* -------------------------------------------------------------------- */
1252 static int
ipf_p_rpcb_modv3(fr_info_t * fin,nat_t * nat,rpc_msg_t * rm,mb_t * m,u_int off)1253 ipf_p_rpcb_modv3(fr_info_t *fin, nat_t *nat, rpc_msg_t *rm, mb_t *m,
1254 u_int off)
1255 {
1256 u_int len, xlen, pos, bogo;
1257 rpc_resp_t *rr;
1258 char uaddr[24];
1259 char *i, *p;
1260 int diff;
1261
1262 rr = &rm->rm_resp;
1263 i = (char *)&nat->nat_ndstaddr;
1264 p = (char *)&rr->rr_v3.xu_port;
1265
1266 /* Form new string. */
1267 bzero(uaddr, sizeof(uaddr)); /* Just in case we need padding. */
1268 (void) snprintf(uaddr, sizeof(uaddr),
1269 "%u.%u.%u.%u.%u.%u", i[0] & 0xff, i[1] & 0xff,
1270 i[2] & 0xff, i[3] & 0xff, p[0] & 0xff, p[1] & 0xff);
1271 len = strlen(uaddr);
1272 xlen = XDRALIGN(len);
1273
1274 /* Determine mbuf offset to write to. */
1275 pos = (char *)rr->rr_v3.xu_xslen - rm->rm_msgbuf;
1276 off += pos;
1277
1278 /* Write new string length. */
1279 bogo = htonl(len);
1280 COPYBACK(m, off, 4, (caddr_t)&bogo);
1281 off += 4;
1282
1283 /* Write new string. */
1284 COPYBACK(m, off, xlen, uaddr);
1285
1286 /* Determine difference in data lengths. */
1287 diff = xlen - XDRALIGN(B(rr->rr_v3.xu_xslen));
1288
1289 /*
1290 * If our new string has a different length, make necessary
1291 * adjustments.
1292 */
1293 if (diff != 0)
1294 ipf_p_rpcb_fixlen(fin, diff);
1295
1296 return (diff);
1297 }
1298
1299 /* -------------------------------------------------------------------- */
1300 /* Function: ipf_p_rpcb_modv4 */
1301 /* Returns: int -- change in packet length */
1302 /* Parameters: fin(I) - pointer to packet information */
1303 /* nat(I) - pointer to NAT session */
1304 /* rm(I) - pointer to RPC message structure */
1305 /* m(I) - pointer to mbuf chain */
1306 /* off(I) - offset within mbuf chain */
1307 /* */
1308 /* Write new rpcb_entry list, adjusting lengths as necessary. */
1309 /* -------------------------------------------------------------------- */
1310 static int
ipf_p_rpcb_modv4(fr_info_t * fin,nat_t * nat,rpc_msg_t * rm,mb_t * m,u_int off)1311 ipf_p_rpcb_modv4(fr_info_t *fin, nat_t *nat, rpc_msg_t *rm, mb_t *m,
1312 u_int off)
1313 {
1314 u_int len, xlen, pos, bogo;
1315 rpcb_listp_t *rl;
1316 rpcb_entry_t *re;
1317 rpc_resp_t *rr;
1318 char uaddr[24];
1319 int diff, cnt;
1320 char *i, *p;
1321
1322 diff = 0;
1323 rr = &rm->rm_resp;
1324 rl = &rr->rr_v4;
1325
1326 i = (char *)&nat->nat_ndstaddr;
1327
1328 /* Determine mbuf offset to write to. */
1329 re = &rl->rl_entries[0];
1330 pos = (char *)re->re_maddr.xu_xslen - rm->rm_msgbuf;
1331 off += pos;
1332
1333 for (cnt = 0; cnt < rl->rl_cnt; cnt++) {
1334 re = &rl->rl_entries[cnt];
1335 p = (char *)&re->re_maddr.xu_port;
1336
1337 /* Form new string. */
1338 bzero(uaddr, sizeof(uaddr)); /* Just in case we need
1339 padding. */
1340 (void) snprintf(uaddr, sizeof(uaddr),
1341 "%u.%u.%u.%u.%u.%u", i[0] & 0xff,
1342 i[1] & 0xff, i[2] & 0xff, i[3] & 0xff,
1343 p[0] & 0xff, p[1] & 0xff);
1344 len = strlen(uaddr);
1345 xlen = XDRALIGN(len);
1346
1347 /* Write new string length. */
1348 bogo = htonl(len);
1349 COPYBACK(m, off, 4, (caddr_t)&bogo);
1350 off += 4;
1351
1352 /* Write new string. */
1353 COPYBACK(m, off, xlen, uaddr);
1354 off += xlen;
1355
1356 /* Record any change in length. */
1357 diff += xlen - XDRALIGN(B(re->re_maddr.xu_xslen));
1358
1359 /* If the length changed, copy back the rest of this entry. */
1360 len = ((char *)re->re_more + 4) -
1361 (char *)re->re_netid.xp_xslen;
1362 if (diff != 0) {
1363 COPYBACK(m, off, len, (caddr_t)re->re_netid.xp_xslen);
1364 }
1365 off += len;
1366 }
1367
1368 /*
1369 * If our new string has a different length, make necessary
1370 * adjustments.
1371 */
1372 if (diff != 0)
1373 ipf_p_rpcb_fixlen(fin, diff);
1374
1375 return (diff);
1376 }
1377
1378
1379 /* -------------------------------------------------------------------- */
1380 /* Function: ipf_p_rpcb_fixlen */
1381 /* Returns: (void) */
1382 /* Parameters: fin(I) - pointer to packet information */
1383 /* len(I) - change in packet length */
1384 /* */
1385 /* Adjust various packet related lengths held in structure and packet */
1386 /* header fields. */
1387 /* -------------------------------------------------------------------- */
1388 static void
ipf_p_rpcb_fixlen(fr_info_t * fin,int len)1389 ipf_p_rpcb_fixlen(fr_info_t *fin, int len)
1390 {
1391 udphdr_t *udp;
1392
1393 udp = fin->fin_dp;
1394 udp->uh_ulen = htons(ntohs(udp->uh_ulen) + len);
1395 fin->fin_plen += len;
1396 fin->fin_ip->ip_len = htons(fin->fin_plen);
1397 fin->fin_dlen += len;
1398 }
1399
1400 #undef B
1401