xref: /titanic_41/usr/src/uts/common/inet/ipf/netinet/ip_rpcb_pxy.c (revision 33f2fefd46350ca5992567761c46a5b70f864340)
1 /*
2  * Copyright (C) 2002-2003 by Ryan Beasley <ryanb@goddamnbastard.org>
3  *
4  * See the IPFILTER.LICENCE file for details on licencing.
5  *
6  * Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
7  * Use is subject to license terms.
8  */
9 /*
10  * Overview:
11  *   This is an in-kernel application proxy for Sun's RPCBIND (nee portmap)
12  *   protocol as defined in RFC1833.  It is far from complete, mostly
13  *   lacking in less-likely corner cases, but it's definitely functional.
14  *
15  *   Invocation:
16  *     rdr <int> <e_ip>/32 port <e_p> -> <i_ip> port <i_p> udp proxy rpcbu
17  *
18  *   If the host running IP Filter is the same as the RPC server, it's
19  *   perfectly legal for both the internal and external addresses and ports
20  *   to match.
21  *
22  *   When triggered by appropriate IP NAT rules, this proxy works by
23  *   examining data contained in received packets.  Requests and replies are
24  *   modified, NAT and state table entries created, etc., as necessary.
25  */
26 /*
27  * TODO / NOTES
28  *
29  *   o Must implement locking to protect proxy session data.
30  *   o Fragmentation isn't supported.
31  *   o Only supports UDP.
32  *   o Doesn't support multiple RPC records in a single request.
33  *   o Errors should be more fine-grained.  (e.g., malloc failure vs.
34  *     illegal RPCB request / reply)
35  *   o Even with the limit on the total amount of recorded transactions,
36  *     should there be a timeout on transaction removal?
37  *   o There is a potential collision between cloning, wildcard NAT and
38  *     state entries.  There should be an appr_getport routine for
39  *     to avoid this.
40  *   o The enclosed hack of STREAMS support is pretty sick and most likely
41  *     broken.
42  *
43  *	$Id: ip_rpcb_pxy.c,v 2.25.2.3 2005/02/04 10:22:56 darrenr Exp $
44  */
45 
46 #define	IPF_RPCB_PROXY
47 
48 typedef struct ifs_rpcbpxy {
49 	frentry_t	rpcbfr;	/* Skeleton rule for reference by entities
50 				   this proxy creates. */
51 	int		rpcbcnt;/* Upper bound of allocated RPCB sessions. */
52 				/* XXX rpcbcnt still requires locking. */
53 	int		rpcb_proxy_init;
54 } ifs_rpcbpxy_t;
55 
56 /*
57  * Function prototypes
58  */
59 int	ippr_rpcb_init __P((void **, ipf_stack_t *));
60 void	ippr_rpcb_fini __P((void **, ipf_stack_t *));
61 int	ippr_rpcb_new __P((fr_info_t *, ap_session_t *, nat_t *, void *));
62 void	ippr_rpcb_del __P((ap_session_t *, void *, ipf_stack_t *));
63 int	ippr_rpcb_in __P((fr_info_t *, ap_session_t *, nat_t *, void *));
64 int	ippr_rpcb_out __P((fr_info_t *, ap_session_t *, nat_t *, void *));
65 
66 static void	ippr_rpcb_flush __P((rpcb_session_t *));
67 static int	ippr_rpcb_decodereq __P((fr_info_t *, nat_t *,
68 	rpcb_session_t *, rpc_msg_t *, ifs_rpcbpxy_t *));
69 static int	ippr_rpcb_skipauth __P((rpc_msg_t *, xdr_auth_t *, u_32_t **));
70 static int	ippr_rpcb_insert __P((rpcb_session_t *, rpcb_xact_t *,
71 				      ifs_rpcbpxy_t *));
72 static int	ippr_rpcb_xdrrpcb __P((rpc_msg_t *, u_32_t *, rpcb_args_t *));
73 static int	ippr_rpcb_getuaddr __P((rpc_msg_t *, xdr_uaddr_t *,
74 	u_32_t **));
75 static u_int	ippr_rpcb_atoi __P((char *));
76 static int	ippr_rpcb_modreq __P((fr_info_t *, nat_t *, rpc_msg_t *,
77 	mb_t *, u_int));
78 static int	ippr_rpcb_decoderep __P((fr_info_t *, nat_t *,
79 	rpcb_session_t *, rpc_msg_t *, rpcb_xact_t **, ifs_rpcbpxy_t *));
80 static rpcb_xact_t *	ippr_rpcb_lookup __P((rpcb_session_t *, u_32_t));
81 static void	ippr_rpcb_deref __P((rpcb_session_t *, rpcb_xact_t *,
82 				     ifs_rpcbpxy_t *));
83 static int	ippr_rpcb_getproto __P((rpc_msg_t *, xdr_proto_t *,
84 	u_32_t **));
85 static int	ippr_rpcb_getnat __P((fr_info_t *, nat_t *, u_int, u_int, ifs_rpcbpxy_t *));
86 static int	ippr_rpcb_modv3 __P((fr_info_t *, nat_t *, rpc_msg_t *,
87 	mb_t *, u_int));
88 static int	ippr_rpcb_modv4 __P((fr_info_t *, nat_t *, rpc_msg_t *,
89 	mb_t *, u_int));
90 static void     ippr_rpcb_fixlen __P((fr_info_t *, int));
91 
92 /*
93  * Since rpc_msg contains only pointers, one should use this macro as a
94  * handy way to get to the goods.  (In case you're wondering about the name,
95  * this started as BYTEREF -> BREF -> B.)
96  */
97 #define	B(r)	(u_32_t)ntohl(*(r))
98 
99 /*
100  * Public subroutines
101  */
102 
103 /* --------------------------------------------------------------------	*/
104 /* Function:	ippr_rpcb_init						*/
105 /* Returns:	int - 0 == success					*/
106 /* Parameters:	(void)							*/
107 /*									*/
108 /* Initialize the filter rule entry and session limiter.		*/
109 /* --------------------------------------------------------------------	*/
110 /*ARGSUSED*/
111 int
ippr_rpcb_init(private,ifs)112 ippr_rpcb_init(private, ifs)
113 void **private;
114 ipf_stack_t *ifs;
115 {
116 	ifs_rpcbpxy_t *ifsrpcb;
117 
118 	KMALLOC(ifsrpcb, ifs_rpcbpxy_t *);
119 	if (ifsrpcb == NULL)
120 		return -1;
121 
122 	ifsrpcb->rpcbcnt = 0;
123 
124 	bzero((char *)&ifsrpcb->rpcbfr, sizeof(ifsrpcb->rpcbfr));
125 	ifsrpcb->rpcbfr.fr_ref = 1;
126 	ifsrpcb->rpcbfr.fr_flags = FR_PASS|FR_QUICK|FR_KEEPSTATE;
127 	MUTEX_INIT(&ifsrpcb->rpcbfr.fr_lock, "ipf Sun RPCB proxy rule lock");
128 	ifsrpcb->rpcb_proxy_init = 1;
129 
130 	*private = (void *)ifsrpcb;
131 
132 	return(0);
133 }
134 
135 /* --------------------------------------------------------------------	*/
136 /* Function:	ippr_rpcb_fini						*/
137 /* Returns:	void							*/
138 /* Parameters:	(void)							*/
139 /*									*/
140 /* Destroy rpcbfr's mutex to avoid a lock leak.				*/
141 /* --------------------------------------------------------------------	*/
142 /*ARGSUSED*/
143 void
ippr_rpcb_fini(private,ifs)144 ippr_rpcb_fini(private, ifs)
145 void **private;
146 ipf_stack_t *ifs;
147 {
148 	ifs_rpcbpxy_t *ifsrpcb = *((ifs_rpcbpxy_t **)private);
149 
150 	if (ifsrpcb->rpcb_proxy_init == 1) {
151 		MUTEX_DESTROY(&ifsrpcb->rpcbfr.fr_lock);
152 		ifsrpcb->rpcb_proxy_init = 0;
153 	}
154 
155 	KFREE(ifsrpcb);
156 	*private = NULL;
157 }
158 
159 /* --------------------------------------------------------------------	*/
160 /* Function:	ippr_rpcb_new						*/
161 /* Returns:	int - -1 == failure, 0 == success			*/
162 /* Parameters:	fin(I)	- pointer to packet information			*/
163 /*		aps(I)	- pointer to proxy session structure		*/
164 /*		nat(I)	- pointer to NAT session structure		*/
165 /*									*/
166 /* Allocate resources for per-session proxy structures.			*/
167 /* --------------------------------------------------------------------	*/
168 /*ARGSUSED*/
169 int
ippr_rpcb_new(fin,aps,nat,private)170 ippr_rpcb_new(fin, aps, nat, private)
171 	fr_info_t *fin;
172 	ap_session_t *aps;
173 	nat_t *nat;
174 	void *private;
175 {
176 	rpcb_session_t *rs;
177 
178 	fin = fin;	/* LINT */
179 	nat = nat;	/* LINT */
180 
181 	KMALLOC(rs, rpcb_session_t *);
182 	if (rs == NULL)
183 		return(-1);
184 
185 	bzero((char *)rs, sizeof(*rs));
186 	MUTEX_INIT(&rs->rs_rxlock, "ipf Sun RPCB proxy session lock");
187 
188 	aps->aps_data = rs;
189 
190 	return(0);
191 }
192 
193 /* --------------------------------------------------------------------	*/
194 /* Function:	ippr_rpcb_del						*/
195 /* Returns:	void							*/
196 /* Parameters:	aps(I)	- pointer to proxy session structure		*/
197 /*									*/
198 /* Free up a session's list of RPCB requests.				*/
199 /* --------------------------------------------------------------------	*/
200 /*ARGSUSED*/
201 void
ippr_rpcb_del(aps,private,ifs)202 ippr_rpcb_del(aps, private, ifs)
203 	ap_session_t *aps;
204 	void *private;
205 	ipf_stack_t *ifs;
206 {
207 	rpcb_session_t *rs;
208 	rs = (rpcb_session_t *)aps->aps_data;
209 
210 	ifs = ifs;	/* LINT */
211 
212 	MUTEX_ENTER(&rs->rs_rxlock);
213 	ippr_rpcb_flush(rs);
214 	MUTEX_EXIT(&rs->rs_rxlock);
215 	MUTEX_DESTROY(&rs->rs_rxlock);
216 }
217 
218 /* --------------------------------------------------------------------	*/
219 /* Function:	ippr_rpcb_in						*/
220 /* Returns:	int - APR_ERR(1) == drop the packet, 			*/
221 /*		      APR_ERR(2) == kill the proxy session,		*/
222 /*		      else change in packet length (in bytes)		*/
223 /* Parameters:	fin(I)	- pointer to packet information			*/
224 /*		ip(I)	- pointer to packet header			*/
225 /*		aps(I)	- pointer to proxy session structure		*/
226 /*		nat(I)	- pointer to NAT session structure		*/
227 /*									*/
228 /* Given a presumed RPCB request, perform some minor tests and pass off */
229 /* for decoding.  Also pass packet off for a rewrite if necessary.	*/
230 /* --------------------------------------------------------------------	*/
231 int
ippr_rpcb_in(fin,aps,nat,private)232 ippr_rpcb_in(fin, aps, nat, private)
233 	fr_info_t *fin;
234 	ap_session_t *aps;
235 	nat_t *nat;
236 	void *private;
237 {
238 	rpc_msg_t rpcmsg, *rm;
239 	rpcb_session_t *rs;
240 	u_int off, dlen;
241 	mb_t *m;
242 	int rv;
243 
244 	/* Disallow fragmented or illegally short packets. */
245 	if ((fin->fin_flx & (FI_FRAG|FI_SHORT)) != 0)
246 		return(APR_ERR(1));
247 
248 	/* Perform basic variable initialization. */
249 	rs = (rpcb_session_t *)aps->aps_data;
250 
251 	m = fin->fin_m;
252 	off = (char *)fin->fin_dp - (char *)fin->fin_ip;
253 	off += sizeof(udphdr_t) + fin->fin_ipoff;
254 	dlen = fin->fin_dlen - sizeof(udphdr_t);
255 
256 	/* Disallow packets outside legal range for supported requests. */
257 	if ((dlen < RPCB_REQMIN) || (dlen > RPCB_REQMAX))
258 		return(APR_ERR(1));
259 
260 	/* Copy packet over to convenience buffer. */
261 	rm = &rpcmsg;
262 	bzero((char *)rm, sizeof(*rm));
263 	COPYDATA(m, off, dlen, (caddr_t)&rm->rm_msgbuf);
264 	rm->rm_buflen = dlen;
265 
266 	/* Send off to decode request. */
267 	rv = ippr_rpcb_decodereq(fin, nat, rs, rm, (ifs_rpcbpxy_t *)private);
268 
269 	switch(rv)
270 	{
271 	case -1:
272 		return(APR_ERR(1));
273 	case 0:
274 		break;
275 	case 1:
276 		rv = ippr_rpcb_modreq(fin, nat, rm, m, off);
277 		break;
278 	default:
279 		/*CONSTANTCONDITION*/
280 		IPF_PANIC(1, ("illegal rv %d (ippr_rpcb_req)", rv));
281 	}
282 
283 	return(rv);
284 }
285 
286 /* --------------------------------------------------------------------	*/
287 /* Function:	ippr_rpcb_out						*/
288 /* Returns:	int - APR_ERR(1) == drop the packet, 			*/
289 /*		      APR_ERR(2) == kill the proxy session,		*/
290 /*		      else change in packet length (in bytes)		*/
291 /* Parameters:	fin(I)	- pointer to packet information			*/
292 /*		ip(I)	- pointer to packet header			*/
293 /*		aps(I)	- pointer to proxy session structure		*/
294 /*		nat(I)	- pointer to NAT session structure		*/
295 /*									*/
296 /* Given a presumed RPCB reply, perform some minor tests and pass off	*/
297 /* for decoding.  If the message indicates a successful request with	*/
298 /* valid addressing information, create NAT and state structures to	*/
299 /* allow direct communication between RPC client and server.		*/
300 /* --------------------------------------------------------------------	*/
301 int
ippr_rpcb_out(fin,aps,nat,private)302 ippr_rpcb_out(fin, aps, nat, private)
303 	fr_info_t *fin;
304 	ap_session_t *aps;
305 	nat_t *nat;
306 	void *private;
307 {
308 	rpc_msg_t rpcmsg, *rm;
309 	rpcb_session_t *rs;
310 	rpcb_xact_t *rx;
311 	u_int off, dlen;
312 	int rv, diff;
313 	mb_t *m;
314 	ifs_rpcbpxy_t *ifsrpcb = (ifs_rpcbpxy_t *)private;
315 
316 	/* Disallow fragmented or illegally short packets. */
317 	if ((fin->fin_flx & (FI_FRAG|FI_SHORT)) != 0)
318 		return(APR_ERR(1));
319 
320 	/* Perform basic variable initialization. */
321 	rs = (rpcb_session_t *)aps->aps_data;
322 
323 	m = fin->fin_m;
324 	off = (char *)fin->fin_dp - (char *)fin->fin_ip;
325 	off += sizeof(udphdr_t) + fin->fin_ipoff;
326 	dlen = fin->fin_dlen - sizeof(udphdr_t);
327 	diff = 0;
328 
329 	/* Disallow packets outside legal range for supported requests. */
330 	if ((dlen < RPCB_REPMIN) || (dlen > RPCB_REPMAX))
331 		return(APR_ERR(1));
332 
333 	/* Copy packet over to convenience buffer. */
334 	rm = &rpcmsg;
335 	bzero((char *)rm, sizeof(*rm));
336 	COPYDATA(m, off, dlen, (caddr_t)&rm->rm_msgbuf);
337 	rm->rm_buflen = dlen;
338 
339 	/* Send off to decode reply. */
340 	rv = ippr_rpcb_decoderep(fin, nat, rs, rm, &rx, ifsrpcb);
341 
342 	switch(rv)
343 	{
344 	case -1: /* Bad packet */
345                 if (rx != NULL) {
346                         MUTEX_ENTER(&rs->rs_rxlock);
347                         ippr_rpcb_deref(rs, rx, ifsrpcb);
348                         MUTEX_EXIT(&rs->rs_rxlock);
349                 }
350 		return(APR_ERR(1));
351 	case  0: /* Negative reply / request rejected */
352 		break;
353 	case  1: /* Positive reply */
354 		/*
355 		 * With the IP address embedded in a GETADDR(LIST) reply,
356 		 * we'll need to rewrite the packet in the very possible
357 		 * event that the internal & external addresses aren't the
358 		 * same.  (i.e., this box is either a router or rpcbind
359 		 * only listens on loopback.)
360 		 */
361 		if (nat->nat_inip.s_addr != nat->nat_outip.s_addr) {
362 			if (rx->rx_type == RPCB_RES_STRING)
363 				diff = ippr_rpcb_modv3(fin, nat, rm, m, off);
364 			else if (rx->rx_type == RPCB_RES_LIST)
365 				diff = ippr_rpcb_modv4(fin, nat, rm, m, off);
366 		}
367 		break;
368 	default:
369 		/*CONSTANTCONDITION*/
370 		IPF_PANIC(1, ("illegal rv %d (ippr_rpcb_decoderep)", rv));
371 	}
372 
373 	if (rx != NULL) {
374                 MUTEX_ENTER(&rs->rs_rxlock);
375                 /* XXX Gross hack - I'm overloading the reference
376                  * counter to deal with both threads and retransmitted
377                  * requests.  One deref signals that this thread is
378                  * finished with rx, and the other signals that we've
379                  * processed its reply.
380                  */
381                 ippr_rpcb_deref(rs, rx, ifsrpcb);
382                 ippr_rpcb_deref(rs, rx, ifsrpcb);
383                 MUTEX_EXIT(&rs->rs_rxlock);
384 	}
385 
386 	return(diff);
387 }
388 
389 /*
390  * Private support subroutines
391  */
392 
393 /* --------------------------------------------------------------------	*/
394 /* Function:	ippr_rpcb_flush						*/
395 /* Returns:	void							*/
396 /* Parameters:	rs(I)	- pointer to RPCB session structure		*/
397 /*									*/
398 /* Simply flushes the list of outstanding transactions, if any.		*/
399 /* --------------------------------------------------------------------	*/
400 static void
ippr_rpcb_flush(rs)401 ippr_rpcb_flush(rs)
402 	rpcb_session_t *rs;
403 {
404 	rpcb_xact_t *r1, *r2;
405 
406 	r1 = rs->rs_rxlist;
407 	if (r1 == NULL)
408 		return;
409 
410 	while (r1 != NULL) {
411 		r2 = r1;
412 		r1 = r1->rx_next;
413 		KFREE(r2);
414 	}
415 }
416 
417 /* --------------------------------------------------------------------	*/
418 /* Function:	ippr_rpcb_decodereq					*/
419 /* Returns:	int - -1 == bad request or critical failure,		*/
420 /*		       0 == request successfully decoded,		*/
421 /*		       1 == request successfully decoded; requires	*/
422 /*			    address rewrite/modification		*/
423 /* Parameters:	fin(I)	- pointer to packet information			*/
424 /*		nat(I)	- pointer to NAT session structure		*/
425 /*		rs(I)	- pointer to RPCB session structure		*/
426 /*		rm(I)	- pointer to RPC message structure		*/
427 /*									*/
428 /* Take a presumed RPCB request, decode it, and store the results in	*/
429 /* the transaction list.  If the internal target address needs to be	*/
430 /* modified, store its location in ptr.					*/
431 /* WARNING:  It's the responsibility of the caller to make sure there	*/
432 /* is enough room in rs_buf for the basic RPC message "preamble".	*/
433 /* --------------------------------------------------------------------	*/
434 static int
ippr_rpcb_decodereq(fin,nat,rs,rm,ifsrpcb)435 ippr_rpcb_decodereq(fin, nat, rs, rm, ifsrpcb)
436 	fr_info_t *fin;
437 	nat_t *nat;
438 	rpcb_session_t *rs;
439 	rpc_msg_t *rm;
440 	ifs_rpcbpxy_t *ifsrpcb;
441 {
442 	rpcb_args_t *ra;
443 	u_32_t xdr, *p;
444 	rpc_call_t *rc;
445 	rpcb_xact_t rx;
446 	int mod;
447 
448 	p = (u_32_t *)rm->rm_msgbuf;
449 	mod = 0;
450 
451 	bzero((char *)&rx, sizeof(rx));
452 	rc = &rm->rm_call;
453 
454 	rm->rm_xid = p;
455 	rx.rx_xid = B(p++);	/* Record this message's XID. */
456 
457 	/* Parse out and test the RPC header. */
458 	if ((B(p++) != RPCB_CALL) ||
459 	    (B(p++) != RPCB_MSG_VERSION) ||
460 	    (B(p++) != RPCB_PROG))
461 		return(-1);
462 
463 	/* Record the RPCB version and procedure. */
464 	rc->rc_vers = p++;
465 	rc->rc_proc = p++;
466 
467 	/* Bypass RPC authentication stuff. */
468 	if (ippr_rpcb_skipauth(rm, &rc->rc_authcred, &p) != 0)
469 		return(-1);
470 	if (ippr_rpcb_skipauth(rm, &rc->rc_authverf, &p) != 0)
471 		return(-1);
472 
473 	/* Compare RPCB version and procedure numbers. */
474 	switch(B(rc->rc_vers))
475 	{
476 	case 2:
477 		/* This proxy only supports PMAP_GETPORT. */
478 		if (B(rc->rc_proc) != RPCB_GETPORT)
479 			return(-1);
480 
481 		/* Portmap requests contain four 4 byte parameters. */
482 		if (RPCB_BUF_EQ(rm, p, 16) == 0)
483 			return(-1);
484 
485 		p += 2; /* Skip requested program and version numbers. */
486 
487 		/* Sanity check the requested protocol. */
488 		xdr = B(p);
489 		if (!(xdr == IPPROTO_UDP || xdr == IPPROTO_TCP))
490 			return(-1);
491 
492 		rx.rx_type = RPCB_RES_PMAP;
493 		rx.rx_proto = xdr;
494 		break;
495 	case 3:
496 	case 4:
497 		/* GETADDRLIST is exclusive to v4; GETADDR for v3 & v4 */
498 		switch(B(rc->rc_proc))
499 		{
500 		case RPCB_GETADDR:
501 			rx.rx_type = RPCB_RES_STRING;
502 			rx.rx_proto = (u_int)fin->fin_p;
503 			break;
504 		case RPCB_GETADDRLIST:
505 			if (B(rc->rc_vers) != 4)
506 				return(-1);
507 			rx.rx_type = RPCB_RES_LIST;
508 			break;
509 		default:
510 			return(-1);
511 		}
512 
513 		ra = &rc->rc_rpcbargs;
514 
515 		/* Decode the 'struct rpcb' request. */
516 		if (ippr_rpcb_xdrrpcb(rm, p, ra) != 0)
517 			return(-1);
518 
519 		/* Are the target address & port valid? */
520 		if ((ra->ra_maddr.xu_ip != nat->nat_outip.s_addr) ||
521 		    (ra->ra_maddr.xu_port != nat->nat_outport))
522 		    	return(-1);
523 
524 		/* Do we need to rewrite this packet? */
525 		if ((nat->nat_outip.s_addr != nat->nat_inip.s_addr) ||
526 		    (nat->nat_outport != nat->nat_inport))
527 		    	mod = 1;
528 		break;
529 	default:
530 		return(-1);
531 	}
532 
533         MUTEX_ENTER(&rs->rs_rxlock);
534 	if (ippr_rpcb_insert(rs, &rx, ifsrpcb) != 0) {
535                 MUTEX_EXIT(&rs->rs_rxlock);
536 		return(-1);
537 	}
538         MUTEX_EXIT(&rs->rs_rxlock);
539 
540 	return(mod);
541 }
542 
543 /* --------------------------------------------------------------------	*/
544 /* Function:	ippr_rpcb_skipauth					*/
545 /* Returns:	int -- -1 == illegal auth parameters (lengths)		*/
546 /*			0 == valid parameters, pointer advanced		*/
547 /* Parameters:	rm(I)	- pointer to RPC message structure		*/
548 /*		auth(I)	- pointer to RPC auth structure			*/
549 /*		buf(IO)	- pointer to location within convenience buffer	*/
550 /*									*/
551 /* Record auth data length & location of auth data, then advance past	*/
552 /* it.									*/
553 /* --------------------------------------------------------------------	*/
554 static int
ippr_rpcb_skipauth(rm,auth,buf)555 ippr_rpcb_skipauth(rm, auth, buf)
556 	rpc_msg_t *rm;
557 	xdr_auth_t *auth;
558 	u_32_t **buf;
559 {
560 	u_32_t *p, xdr;
561 
562 	p = *buf;
563 
564 	/* Make sure we have enough space for expected fixed auth parms. */
565 	if (RPCB_BUF_GEQ(rm, p, 8) == 0)
566 		return(-1);
567 
568 	p++; /* We don't care about auth_flavor. */
569 
570 	auth->xa_string.xs_len = p;
571 	xdr = B(p++);		/* Length of auth_data */
572 
573 	/* Test for absurdity / illegality of auth_data length. */
574 	if ((XDRALIGN(xdr) < xdr) || (RPCB_BUF_GEQ(rm, p, XDRALIGN(xdr)) == 0))
575 		return(-1);
576 
577 	auth->xa_string.xs_str = (char *)p;
578 
579 	p += XDRALIGN(xdr);	/* Advance our location. */
580 
581 	*buf = (u_32_t *)p;
582 
583 	return(0);
584 }
585 
586 /* --------------------------------------------------------------------	*/
587 /* Function:	ippr_rpcb_insert					*/
588 /* Returns:	int -- -1 == list insertion failed,			*/
589 /*			0 == item successfully added			*/
590 /* Parameters:	rs(I)	- pointer to RPCB session structure		*/
591 /*		rx(I)	- pointer to RPCB transaction structure		*/
592 /* --------------------------------------------------------------------	*/
593 static int
ippr_rpcb_insert(rs,rx,ifsrpcb)594 ippr_rpcb_insert(rs, rx, ifsrpcb)
595 	rpcb_session_t *rs;
596 	rpcb_xact_t *rx;
597 	ifs_rpcbpxy_t *ifsrpcb;
598 {
599 	rpcb_xact_t *rxp;
600 
601 	rxp = ippr_rpcb_lookup(rs, rx->rx_xid);
602 	if (rxp != NULL) {
603                 ++rxp->rx_ref;
604 		return(0);
605         }
606 
607 	if (ifsrpcb->rpcbcnt == RPCB_MAXREQS)
608 		return(-1);
609 
610 	KMALLOC(rxp, rpcb_xact_t *);
611 	if (rxp == NULL)
612 		return(-1);
613 
614 	bcopy((char *)rx, (char *)rxp, sizeof(*rx));
615 
616 	if (rs->rs_rxlist != NULL)
617 		rs->rs_rxlist->rx_pnext = &rxp->rx_next;
618 
619 	rxp->rx_pnext = &rs->rs_rxlist;
620 	rxp->rx_next = rs->rs_rxlist;
621 	rs->rs_rxlist = rxp;
622 
623 	rxp->rx_ref = 1;
624 
625 	++ifsrpcb->rpcbcnt;
626 
627 	return(0);
628 }
629 
630 /* --------------------------------------------------------------------	*/
631 /* Function:	ippr_rpcb_xdrrpcb					*/
632 /* Returns:	int -- -1 == failure to properly decode the request	*/
633 /*			0 == rpcb successfully decoded			*/
634 /* Parameters:	rs(I)	- pointer to RPCB session structure		*/
635 /*		p(I)	- pointer to location within session buffer	*/
636 /*		rpcb(O)	- pointer to rpcb (xdr type) structure		*/
637 /*									*/
638 /* Decode a XDR encoded rpcb structure and record its contents in rpcb  */
639 /* within only the context of TCP/UDP over IP networks.			*/
640 /* --------------------------------------------------------------------	*/
641 static int
ippr_rpcb_xdrrpcb(rm,p,ra)642 ippr_rpcb_xdrrpcb(rm, p, ra)
643 	rpc_msg_t *rm;
644 	u_32_t *p;
645 	rpcb_args_t *ra;
646 {
647 	if (!RPCB_BUF_GEQ(rm, p, 20))
648 		return(-1);
649 
650 	/* Bypass target program & version. */
651 	p += 2;
652 
653 	/* Decode r_netid.  Must be "tcp" or "udp". */
654 	if (ippr_rpcb_getproto(rm, &ra->ra_netid, &p) != 0)
655 		return(-1);
656 
657 	/* Decode r_maddr. */
658 	if (ippr_rpcb_getuaddr(rm, &ra->ra_maddr, &p) != 0)
659 		return(-1);
660 
661 	/* Advance to r_owner and make sure it's empty. */
662 	if (!RPCB_BUF_EQ(rm, p, 4) || (B(p) != 0))
663 		return(-1);
664 
665 	return(0);
666 }
667 
668 /* --------------------------------------------------------------------	*/
669 /* Function:	ippr_rpcb_getuaddr					*/
670 /* Returns:	int -- -1 == illegal string,				*/
671 /*			0 == string parsed; contents recorded		*/
672 /* Parameters:	rm(I)	- pointer to RPC message structure		*/
673 /*		xu(I)	- pointer to universal address structure	*/
674 /*		p(IO)	- pointer to location within message buffer	*/
675 /*									*/
676 /* Decode the IP address / port at p and record them in xu.		*/
677 /* --------------------------------------------------------------------	*/
678 static int
ippr_rpcb_getuaddr(rm,xu,p)679 ippr_rpcb_getuaddr(rm, xu, p)
680 	rpc_msg_t *rm;
681 	xdr_uaddr_t *xu;
682 	u_32_t **p;
683 {
684 	char *c, *i, *b, *pp;
685 	u_int d, dd, l, t;
686 	char uastr[24];
687 
688 	/* Test for string length. */
689 	if (!RPCB_BUF_GEQ(rm, *p, 4))
690 		return(-1);
691 
692 	xu->xu_xslen = (*p)++;
693 	xu->xu_xsstr = (char *)*p;
694 
695 	/* Length check */
696 	l = B(xu->xu_xslen);
697 	if (l < 11 || l > 23 || !RPCB_BUF_GEQ(rm, *p, XDRALIGN(l)))
698 		return(-1);
699 
700 	/* Advance p */
701 	*(char **)p += XDRALIGN(l);
702 
703 	/* Copy string to local buffer & terminate C style */
704 	bcopy(xu->xu_xsstr, uastr, l);
705 	uastr[l] = '\0';
706 
707 	i = (char *)&xu->xu_ip;
708 	pp = (char *)&xu->xu_port;
709 
710 	/*
711 	 * Expected format: a.b.c.d.e.f where [a-d] correspond to bytes of
712 	 * an IP address and [ef] are the bytes of a L4 port.
713 	 */
714 	if (!(ISDIGIT(uastr[0]) && ISDIGIT(uastr[l-1])))
715 		return(-1);
716 	b = uastr;
717 	for (c = &uastr[1], d = 0, dd = 0; c < &uastr[l-1]; c++) {
718 		if (ISDIGIT(*c)) {
719 			dd = 0;
720 			continue;
721 		}
722 		if (*c == '.') {
723 			if (dd != 0)
724 				return(-1);
725 
726 			/* Check for ASCII byte. */
727 			*c = '\0';
728 			t = ippr_rpcb_atoi(b);
729 			if (t > 255)
730 				return(-1);
731 
732 			/* Aim b at beginning of the next byte. */
733 			b = c + 1;
734 
735 			/* Switch off IP addr vs port parsing. */
736 			if (d < 4)
737 				i[d++] = t & 0xff;
738 			else
739 				pp[d++ - 4] = t & 0xff;
740 
741 			dd = 1;
742 			continue;
743 		}
744 		return(-1);
745 	}
746 	if (d != 5) /* String must contain exactly 5 periods. */
747 		return(-1);
748 
749 	/* Handle the last byte (port low byte) */
750 	t = ippr_rpcb_atoi(b);
751 	if (t > 255)
752 		return(-1);
753 	pp[d - 4] = t & 0xff;
754 
755 	return(0);
756 }
757 
758 /* --------------------------------------------------------------------	*/
759 /* Function:	ippr_rpcb_atoi (XXX should be generic for all proxies)	*/
760 /* Returns:	int -- integer representation of supplied string	*/
761 /* Parameters:	ptr(I)	- input string					*/
762 /*									*/
763 /* Simple version of atoi(3) ripped from ip_rcmd_pxy.c.			*/
764 /* --------------------------------------------------------------------	*/
765 static u_int
ippr_rpcb_atoi(ptr)766 ippr_rpcb_atoi(ptr)
767 	char *ptr;
768 {
769 	register char *s = ptr, c;
770 	register u_int i = 0;
771 
772 	while (((c = *s++) != '\0') && ISDIGIT(c)) {
773 		i *= 10;
774 		i += c - '0';
775 	}
776 	return i;
777 }
778 
779 /* --------------------------------------------------------------------	*/
780 /* Function:	ippr_rpcb_modreq					*/
781 /* Returns:	int -- change in datagram length			*/
782 /*			APR_ERR(2) - critical failure			*/
783 /* Parameters:	fin(I)	- pointer to packet information			*/
784 /*		nat(I)	- pointer to NAT session			*/
785 /*		rm(I)	- pointer to RPC message structure		*/
786 /*		m(I)	- pointer to mbuf chain				*/
787 /*		off(I)	- current offset within mbuf chain		*/
788 /*									*/
789 /* When external and internal addresses differ, we rewrite the former	*/
790 /* with the latter.  (This is exclusive to protocol versions 3 & 4).	*/
791 /* --------------------------------------------------------------------	*/
792 static int
ippr_rpcb_modreq(fin,nat,rm,m,off)793 ippr_rpcb_modreq(fin, nat, rm, m, off)
794 	fr_info_t *fin;
795 	nat_t *nat;
796 	rpc_msg_t *rm;
797 	mb_t *m;
798 	u_int off;
799 {
800 	u_int len, xlen, pos, bogo;
801 	rpcb_args_t *ra;
802 	char uaddr[24];
803 	udphdr_t *udp;
804 	char *i, *p;
805 	int diff;
806 
807 	ra = &rm->rm_call.rc_rpcbargs;
808 	i = (char *)&nat->nat_inip.s_addr;
809 	p = (char *)&nat->nat_inport;
810 
811 	/* Form new string. */
812 	bzero(uaddr, sizeof(uaddr)); /* Just in case we need padding. */
813 #if defined(SNPRINTF) && defined(_KERNEL)
814 	(void) SNPRINTF(uaddr, sizeof(uaddr),
815 #else
816 	(void) sprintf(uaddr,
817 #endif
818 		       "%u.%u.%u.%u.%u.%u", i[0] & 0xff, i[1] & 0xff,
819 		       i[2] & 0xff, i[3] & 0xff, p[0] & 0xff, p[1] & 0xff);
820 	len = strlen(uaddr);
821 	xlen = XDRALIGN(len);
822 
823 	/* Determine mbuf offset to start writing to. */
824 	pos = (char *)ra->ra_maddr.xu_xslen - rm->rm_msgbuf;
825 	off += pos;
826 
827 	/* Write new string length. */
828 	bogo = htonl(len);
829 	COPYBACK(m, off, 4, (caddr_t)&bogo);
830 	off += 4;
831 
832 	/* Write new string. */
833 	COPYBACK(m, off, xlen, uaddr);
834 	off += xlen;
835 
836 	/* Write in zero r_owner. */
837 	bogo = 0;
838 	COPYBACK(m, off, 4, (caddr_t)&bogo);
839 
840 	/* Determine difference in data lengths. */
841 	diff = xlen - XDRALIGN(B(ra->ra_maddr.xu_xslen));
842 
843 	/*
844 	 * If our new string has a different length, make necessary
845 	 * adjustments.
846 	 */
847 	if (diff != 0) {
848 		udp = fin->fin_dp;
849 		udp->uh_ulen = htons(ntohs(udp->uh_ulen) + diff);
850 		fin->fin_ip->ip_len += diff;
851 		fin->fin_dlen += diff;
852 		fin->fin_plen += diff;
853 		/* XXX Storage lengths. */
854 	}
855 
856 	return(diff);
857 }
858 
859 /* --------------------------------------------------------------------	*/
860 /* Function:	ippr_rpcb_decoderep					*/
861 /* Returns:	int - -1 == bad request or critical failure,		*/
862 /*		       0 == valid, negative reply			*/
863 /*		       1 == vaddlid, positive reply; needs no changes	*/
864 /* Parameters:	fin(I)	- pointer to packet information			*/
865 /*		nat(I)	- pointer to NAT session structure		*/
866 /*		rs(I)	- pointer to RPCB session structure		*/
867 /*		rm(I)	- pointer to RPC message structure		*/
868 /*		rxp(O)	- pointer to RPCB transaction structure		*/
869 /*									*/
870 /* Take a presumed RPCB reply, extract the XID, search for the original */
871 /* request information, and determine whether the request was accepted	*/
872 /* or rejected.  With a valid accepted reply, go ahead and create NAT	*/
873 /* and state entries, and finish up by rewriting the packet as 		*/
874 /* required.								*/
875 /*									*/
876 /* WARNING:  It's the responsibility of the caller to make sure there	*/
877 /* is enough room in rs_buf for the basic RPC message "preamble".	*/
878 /* --------------------------------------------------------------------	*/
879 static int
ippr_rpcb_decoderep(fin,nat,rs,rm,rxp,ifsrpcb)880 ippr_rpcb_decoderep(fin, nat, rs, rm, rxp, ifsrpcb)
881 	fr_info_t *fin;
882 	nat_t *nat;
883 	rpcb_session_t *rs;
884 	rpc_msg_t *rm;
885 	rpcb_xact_t **rxp;
886 	ifs_rpcbpxy_t *ifsrpcb;
887 {
888 	rpcb_listp_t *rl;
889 	rpcb_entry_t *re;
890 	rpcb_xact_t *rx;
891 	u_32_t xdr, *p;
892 	rpc_resp_t *rr;
893 	int rv, cnt;
894 
895 	p = (u_32_t *)rm->rm_msgbuf;
896 
897 	bzero((char *)&rx, sizeof(rx));
898 	rr = &rm->rm_resp;
899 
900 	rm->rm_xid = p;
901 	xdr = B(p++);		/* Record this message's XID. */
902 
903 	/* Lookup XID */
904         MUTEX_ENTER(&rs->rs_rxlock);
905 	if ((rx = ippr_rpcb_lookup(rs, xdr)) == NULL) {
906                 MUTEX_EXIT(&rs->rs_rxlock);
907 		return(-1);
908         }
909         ++rx->rx_ref;        /* per thread reference */
910         MUTEX_EXIT(&rs->rs_rxlock);
911 
912 	*rxp = rx;
913 
914 	/* Test call vs reply */
915 	if (B(p++) != RPCB_REPLY)
916 		return(-1);
917 
918 	/* Test reply_stat */
919 	switch(B(p++))
920 	{
921 	case RPCB_MSG_DENIED:
922 		return(0);
923 	case RPCB_MSG_ACCEPTED:
924 		break;
925 	default:
926 		return(-1);
927 	}
928 
929 	/* Bypass RPC authentication stuff. */
930 	if (ippr_rpcb_skipauth(rm, &rr->rr_authverf, &p) != 0)
931 		return(-1);
932 
933 	/* Test accept status */
934 	if (!RPCB_BUF_GEQ(rm, p, 4))
935 		return(-1);
936 	if (B(p++) != 0)
937 		return(0);
938 
939 	/* Parse out the expected reply */
940 	switch(rx->rx_type)
941 	{
942 	case RPCB_RES_PMAP:
943 		/* There must be only one 4 byte argument. */
944 		if (!RPCB_BUF_EQ(rm, p, 4))
945 			return(-1);
946 
947 		rr->rr_v2 = p;
948 		xdr = B(rr->rr_v2);
949 
950 		/* Reply w/ a 0 port indicates service isn't registered */
951 		if (xdr == 0)
952 			return(0);
953 
954 		/* Is the value sane? */
955 		if (xdr > 65535)
956 			return(-1);
957 
958 		/* Create NAT & state table entries. */
959 		if (ippr_rpcb_getnat(fin, nat, rx->rx_proto, (u_int)xdr, ifsrpcb) != 0)
960 			return(-1);
961 		break;
962 	case RPCB_RES_STRING:
963 		/* Expecting a XDR string; need 4 bytes for length */
964 		if (!RPCB_BUF_GEQ(rm, p, 4))
965 			return(-1);
966 
967 		rr->rr_v3.xu_str.xs_len = p++;
968 		rr->rr_v3.xu_str.xs_str = (char *)p;
969 
970 		xdr = B(rr->rr_v3.xu_xslen);
971 
972 		/* A null string indicates an unregistered service */
973 		if ((xdr == 0) && RPCB_BUF_EQ(rm, p, 0))
974 			return(0);
975 
976 		/* Decode the target IP address / port. */
977 		if (ippr_rpcb_getuaddr(rm, &rr->rr_v3, &p) != 0)
978 			return(-1);
979 
980 		/* Validate the IP address and port contained. */
981 		if (nat->nat_inip.s_addr != rr->rr_v3.xu_ip)
982 			return(-1);
983 
984 		/* Create NAT & state table entries. */
985 		if (ippr_rpcb_getnat(fin, nat, rx->rx_proto,
986 				     (u_int)rr->rr_v3.xu_port, ifsrpcb) != 0)
987 			return(-1);
988 		break;
989 	case RPCB_RES_LIST:
990 		if (!RPCB_BUF_GEQ(rm, p, 4))
991 			return(-1);
992 		/* rpcb_entry_list_ptr */
993 		switch(B(p))
994 		{
995 		case 0:
996 			return(0);
997 		case 1:
998 			break;
999 		default:
1000 			return(-1);
1001 		}
1002 		rl = &rr->rr_v4;
1003 		rl->rl_list = p++;
1004 		cnt = 0;
1005 
1006 		for(;;) {
1007 			re = &rl->rl_entries[rl->rl_cnt];
1008 			if (ippr_rpcb_getuaddr(rm, &re->re_maddr, &p) != 0)
1009 				return(-1);
1010 			if (ippr_rpcb_getproto(rm, &re->re_netid, &p) != 0)
1011 				return(-1);
1012 			/* re_semantics & re_pfamily length */
1013 			if (!RPCB_BUF_GEQ(rm, p, 12))
1014 				return(-1);
1015 			p++; /* Skipping re_semantics. */
1016 			xdr = B(p++);
1017 			if ((xdr != 4) || strncmp((char *)p, "inet", 4))
1018 				return(-1);
1019 			p++;
1020 			if (ippr_rpcb_getproto(rm, &re->re_proto, &p) != 0)
1021 				return(-1);
1022 			if (!RPCB_BUF_GEQ(rm, p, 4))
1023 				return(-1);
1024 			re->re_more = p;
1025 			if (B(re->re_more) > 1) /* 0,1 only legal values */
1026 				return(-1);
1027 			++rl->rl_cnt;
1028 			++cnt;
1029 			if (B(re->re_more) == 0)
1030 				break;
1031 			/* Replies in  max out at 2; TCP and/or UDP */
1032 			if (cnt > 2)
1033 				return(-1);
1034 			p++;
1035 		}
1036 
1037 		for(rl->rl_cnt = 0; rl->rl_cnt < cnt; rl->rl_cnt++) {
1038 			re = &rl->rl_entries[rl->rl_cnt];
1039 			rv = ippr_rpcb_getnat(fin, nat,
1040 			                      re->re_proto.xp_proto,
1041 				              (u_int)re->re_maddr.xu_port,
1042 					      ifsrpcb);
1043 			if (rv != 0)
1044 				return(-1);
1045 		}
1046 		break;
1047 	default:
1048 		/*CONSTANTCONDITION*/
1049 		IPF_PANIC(1, ("illegal rx_type %d", rx->rx_type));
1050 	}
1051 
1052 	return(1);
1053 }
1054 
1055 /* --------------------------------------------------------------------	*/
1056 /* Function:	ippr_rpcb_lookup					*/
1057 /* Returns:	rpcb_xact_t * 	- NULL == no matching record,		*/
1058 /*				  else pointer to relevant entry	*/
1059 /* Parameters:	rs(I)	- pointer to RPCB session			*/
1060 /*		xid(I)	- XID to look for				*/
1061 /* --------------------------------------------------------------------	*/
1062 static rpcb_xact_t *
ippr_rpcb_lookup(rs,xid)1063 ippr_rpcb_lookup(rs, xid)
1064 	rpcb_session_t *rs;
1065 	u_32_t xid;
1066 {
1067 	rpcb_xact_t *rx;
1068 
1069 	if (rs->rs_rxlist == NULL)
1070 		return(NULL);
1071 
1072 	for (rx = rs->rs_rxlist; rx != NULL; rx = rx->rx_next)
1073 		if (rx->rx_xid == xid)
1074 			break;
1075 
1076 	return(rx);
1077 }
1078 
1079 /* --------------------------------------------------------------------	*/
1080 /* Function:	ippr_rpcb_deref					        */
1081 /* Returns:	(void)							*/
1082 /* Parameters:	rs(I)	- pointer to RPCB session			*/
1083 /*		rx(I)	- pointer to RPC transaction struct to remove	*/
1084 /*              force(I) - indicates to delete entry regardless of      */
1085 /*                         reference count                              */
1086 /* Locking:	rs->rs_rxlock must be held write only			*/
1087 /*									*/
1088 /* Free the RPCB transaction record rx from the chain of entries.	*/
1089 /* --------------------------------------------------------------------	*/
1090 static void
ippr_rpcb_deref(rs,rx,ifsrpcb)1091 ippr_rpcb_deref(rs, rx, ifsrpcb)
1092 	rpcb_session_t *rs;
1093 	rpcb_xact_t *rx;
1094 	ifs_rpcbpxy_t *ifsrpcb;
1095 {
1096 	rs = rs;	/* LINT */
1097 
1098 	if (rx == NULL)
1099 		return;
1100 
1101 	if (--rx->rx_ref != 0)
1102 		return;
1103 
1104 	if (rx->rx_next != NULL)
1105 		rx->rx_next->rx_pnext = rx->rx_pnext;
1106 
1107 	*rx->rx_pnext = rx->rx_next;
1108 
1109 	KFREE(rx);
1110 
1111 	--ifsrpcb->rpcbcnt;
1112 }
1113 
1114 /* --------------------------------------------------------------------	*/
1115 /* Function:	ippr_rpcb_getproto					*/
1116 /* Returns:	int - -1 == illegal protocol/netid,			*/
1117 /*		       0 == legal protocol/netid			*/
1118 /* Parameters:	rm(I)	- pointer to RPC message structure		*/
1119 /*		xp(I)	- pointer to netid structure			*/
1120 /*		p(IO)	- pointer to location within packet buffer	*/
1121 /* 									*/
1122 /* Decode netid/proto stored at p and record its numeric value.	 	*/
1123 /* --------------------------------------------------------------------	*/
1124 static int
ippr_rpcb_getproto(rm,xp,p)1125 ippr_rpcb_getproto(rm, xp, p)
1126 	rpc_msg_t *rm;
1127 	xdr_proto_t *xp;
1128 	u_32_t **p;
1129 {
1130 	u_int len;
1131 
1132 	/* Must have 4 bytes for length & 4 bytes for "tcp" or "udp". */
1133 	if (!RPCB_BUF_GEQ(rm, p, 8))
1134 		return(-1);
1135 
1136 	xp->xp_xslen = (*p)++;
1137 	xp->xp_xsstr = (char *)*p;
1138 
1139 	/* Test the string length. */
1140 	len = B(xp->xp_xslen);
1141 	if (len != 3)
1142 	 	return(-1);
1143 
1144 	/* Test the actual string & record the protocol accordingly. */
1145 	if (!strncmp((char *)xp->xp_xsstr, "tcp\0", 4))
1146 		xp->xp_proto = IPPROTO_TCP;
1147 	else if (!strncmp((char *)xp->xp_xsstr, "udp\0", 4))
1148 		xp->xp_proto = IPPROTO_UDP;
1149 	else {
1150 		return(-1);
1151 	}
1152 
1153 	/* Advance past the string. */
1154 	(*p)++;
1155 
1156 	return(0);
1157 }
1158 
1159 /* --------------------------------------------------------------------	*/
1160 /* Function:	ippr_rpcb_getnat					*/
1161 /* Returns:	int -- -1 == failed to create table entries,		*/
1162 /*			0 == success					*/
1163 /* Parameters:	fin(I)	- pointer to packet information			*/
1164 /*		nat(I)	- pointer to NAT table entry			*/
1165 /*		proto(I) - transport protocol for new entries		*/
1166 /*		port(I)	- new port to use w/ wildcard table entries	*/
1167 /*									*/
1168 /* Create state and NAT entries to handle an anticipated connection	*/
1169 /* attempt between RPC client and server.				*/
1170 /* --------------------------------------------------------------------	*/
1171 static int
ippr_rpcb_getnat(fin,nat,proto,port,ifsrpcb)1172 ippr_rpcb_getnat(fin, nat, proto, port, ifsrpcb)
1173 	fr_info_t *fin;
1174 	nat_t *nat;
1175 	u_int proto;
1176 	u_int port;
1177 	ifs_rpcbpxy_t *ifsrpcb;
1178 {
1179 	ipnat_t *ipn, ipnat;
1180 	tcphdr_t tcp;
1181 	ipstate_t *is;
1182 	fr_info_t fi;
1183 	nat_t *natl;
1184 	int nflags;
1185 	ipf_stack_t *ifs = fin->fin_ifs;
1186 
1187 	ipn = nat->nat_ptr;
1188 
1189 	/* Generate dummy fr_info */
1190 	bcopy((char *)fin, (char *)&fi, sizeof(fi));
1191 	fi.fin_out = 0;
1192 	fi.fin_src = fin->fin_dst;
1193 	fi.fin_dst = nat->nat_outip;
1194 	fi.fin_p = proto;
1195 	fi.fin_sport = 0;
1196 	fi.fin_dport = port & 0xffff;
1197 	fi.fin_flx |= FI_IGNORE;
1198 
1199 	bzero((char *)&tcp, sizeof(tcp));
1200 	tcp.th_dport = htons(port);
1201 
1202 	if (proto == IPPROTO_TCP) {
1203 		tcp.th_win = htons(8192);
1204 		TCP_OFF_A(&tcp, sizeof(tcphdr_t) >> 2);
1205 		fi.fin_dlen = sizeof(tcphdr_t);
1206 		tcp.th_flags = TH_SYN;
1207 		nflags = NAT_TCP;
1208 	} else {
1209 		fi.fin_dlen = sizeof(udphdr_t);
1210 		nflags = NAT_UDP;
1211 	}
1212 
1213 	nflags |= SI_W_SPORT|NAT_SEARCH;
1214 	fi.fin_dp = &tcp;
1215 	fi.fin_plen = fi.fin_hlen + fi.fin_dlen;
1216 
1217 	/*
1218 	 * Search for existing NAT & state entries.  Pay close attention to
1219 	 * mutexes / locks grabbed from lookup routines, as not doing so could
1220 	 * lead to bad things.
1221 	 *
1222 	 * If successful, fr_stlookup returns with ipf_state locked.  We have
1223 	 * no use for this lock, so simply unlock it if necessary.
1224 	 */
1225 	is = fr_stlookup(&fi, &tcp, NULL);
1226 	if (is != NULL)
1227 		RWLOCK_EXIT(&ifs->ifs_ipf_state);
1228 
1229 	RWLOCK_EXIT(&ifs->ifs_ipf_nat);
1230 
1231 	WRITE_ENTER(&ifs->ifs_ipf_nat);
1232 	natl = nat_inlookup(&fi, nflags, proto, fi.fin_src, fi.fin_dst);
1233 
1234 	if ((natl != NULL) && (is != NULL)) {
1235 		MUTEX_DOWNGRADE(&ifs->ifs_ipf_nat);
1236 		return(0);
1237 	}
1238 
1239 	/* Slightly modify the following structures for actual use in creating
1240 	 * NAT and/or state entries.  We're primarily concerned with stripping
1241 	 * flags that may be detrimental to the creation process or simply
1242 	 * shouldn't be associated with a table entry.
1243 	 */
1244 	fi.fin_fr = &ifsrpcb->rpcbfr;
1245 	fi.fin_flx &= ~FI_IGNORE;
1246 	nflags &= ~NAT_SEARCH;
1247 
1248 	if (natl == NULL) {
1249 		/* XXX Since we're just copying the original ipn contents
1250 		 * back, would we be better off just sending a pointer to
1251 		 * the 'temp' copy off to nat_new instead?
1252 		 */
1253 		/* Generate template/bogus NAT rule. */
1254 		bcopy((char *)ipn, (char *)&ipnat, sizeof(ipnat));
1255 		ipn->in_flags = nflags & IPN_TCPUDP;
1256 		ipn->in_apr = NULL;
1257 		ipn->in_p = proto;
1258 		ipn->in_pmin = htons(fi.fin_dport);
1259 		ipn->in_pmax = htons(fi.fin_dport);
1260 		ipn->in_pnext = htons(fi.fin_dport);
1261 		ipn->in_space = 1;
1262 		ipn->in_ippip = 1;
1263 		if (ipn->in_flags & IPN_FILTER) {
1264 			ipn->in_scmp = 0;
1265 			ipn->in_dcmp = 0;
1266 		}
1267 		*ipn->in_plabel = '\0';
1268 
1269 		/* Create NAT entry.  return NULL if this fails. */
1270 		natl = nat_new(&fi, ipn, NULL, nflags|SI_CLONE|NAT_SLAVE,
1271 			       NAT_INBOUND);
1272 
1273 		bcopy((char *)&ipnat, (char *)ipn, sizeof(ipnat));
1274 
1275 		if (natl == NULL) {
1276 			MUTEX_DOWNGRADE(&ifs->ifs_ipf_nat);
1277 			return(-1);
1278 		}
1279 
1280 		ipn->in_use++;
1281 		(void) nat_proto(&fi, natl, nflags);
1282 		nat_update(&fi, natl, natl->nat_ptr);
1283 	}
1284 	MUTEX_DOWNGRADE(&ifs->ifs_ipf_nat);
1285 
1286 	if (is == NULL) {
1287 		/* Create state entry.  Return NULL if this fails. */
1288 		fi.fin_dst = nat->nat_inip;
1289 		fi.fin_flx |= FI_NATED;
1290 		fi.fin_flx &= ~FI_STATE;
1291 		nflags &= NAT_TCPUDP;
1292 		nflags |= SI_W_SPORT|SI_CLONE;
1293 
1294 		is = fr_addstate(&fi, NULL, nflags);
1295 		if (is == NULL) {
1296 			/*
1297 			 * XXX nat_delete is private to ip_nat.c.  Should
1298 			 * check w/ Darren about this one.
1299 			 *
1300 			 * nat_delete(natl, NL_EXPIRE, ifs);
1301 			 */
1302 			return(-1);
1303 		}
1304 	}
1305 
1306 	return(0);
1307 }
1308 
1309 /* --------------------------------------------------------------------	*/
1310 /* Function:	ippr_rpcb_modv3						*/
1311 /* Returns:	int -- change in packet length				*/
1312 /* Parameters:	fin(I)	- pointer to packet information			*/
1313 /*		nat(I)	- pointer to NAT session			*/
1314 /*		rm(I)	- pointer to RPC message structure		*/
1315 /*		m(I)	- pointer to mbuf chain				*/
1316 /*		off(I)	- offset within mbuf chain			*/
1317 /*									*/
1318 /* Write a new universal address string to this packet, adjusting	*/
1319 /* lengths as necessary.						*/
1320 /* --------------------------------------------------------------------	*/
1321 static int
ippr_rpcb_modv3(fin,nat,rm,m,off)1322 ippr_rpcb_modv3(fin, nat, rm, m, off)
1323 	fr_info_t *fin;
1324 	nat_t *nat;
1325 	rpc_msg_t *rm;
1326 	mb_t *m;
1327 	u_int off;
1328 {
1329 	u_int len, xlen, pos, bogo;
1330 	rpc_resp_t *rr;
1331 	char uaddr[24];
1332 	char *i, *p;
1333 	int diff;
1334 
1335 	rr = &rm->rm_resp;
1336 	i = (char *)&nat->nat_outip.s_addr;
1337 	p = (char *)&rr->rr_v3.xu_port;
1338 
1339 	/* Form new string. */
1340 	bzero(uaddr, sizeof(uaddr)); /* Just in case we need padding. */
1341 #if defined(SNPRINTF) && defined(_KERNEL)
1342 	(void) SNPRINTF(uaddr, sizeof(uaddr),
1343 #else
1344 	(void) sprintf(uaddr,
1345 #endif
1346 		       "%u.%u.%u.%u.%u.%u", i[0] & 0xff, i[1] & 0xff,
1347 		       i[2] & 0xff, i[3] & 0xff, p[0] & 0xff, p[1] & 0xff);
1348 	len = strlen(uaddr);
1349 	xlen = XDRALIGN(len);
1350 
1351 	/* Determine mbuf offset to write to. */
1352 	pos = (char *)rr->rr_v3.xu_xslen - rm->rm_msgbuf;
1353 	off += pos;
1354 
1355 	/* Write new string length. */
1356 	bogo = htonl(len);
1357 	COPYBACK(m, off, 4, (caddr_t)&bogo);
1358 	off += 4;
1359 
1360 	/* Write new string. */
1361 	COPYBACK(m, off, xlen, uaddr);
1362 
1363 	/* Determine difference in data lengths. */
1364 	diff = xlen - XDRALIGN(B(rr->rr_v3.xu_xslen));
1365 
1366 	/*
1367 	 * If our new string has a different length, make necessary
1368 	 * adjustments.
1369 	 */
1370 	if (diff != 0)
1371 		ippr_rpcb_fixlen(fin, diff);
1372 
1373 	return(diff);
1374 }
1375 
1376 /* --------------------------------------------------------------------	*/
1377 /* Function:	ippr_rpcb_modv4						*/
1378 /* Returns:	int -- change in packet length				*/
1379 /* Parameters:	fin(I)	- pointer to packet information			*/
1380 /*		nat(I)	- pointer to NAT session			*/
1381 /*		rm(I)	- pointer to RPC message structure		*/
1382 /*		m(I)	- pointer to mbuf chain				*/
1383 /*		off(I)	- offset within mbuf chain			*/
1384 /*									*/
1385 /* Write new rpcb_entry list, adjusting	lengths as necessary.		*/
1386 /* --------------------------------------------------------------------	*/
1387 static int
ippr_rpcb_modv4(fin,nat,rm,m,off)1388 ippr_rpcb_modv4(fin, nat, rm, m, off)
1389 	fr_info_t *fin;
1390 	nat_t *nat;
1391 	rpc_msg_t *rm;
1392 	mb_t *m;
1393 	u_int off;
1394 {
1395 	u_int len, xlen, pos, bogo;
1396 	rpcb_listp_t *rl;
1397 	rpcb_entry_t *re;
1398 	rpc_resp_t *rr;
1399 	char uaddr[24];
1400 	int diff, cnt;
1401 	char *i, *p;
1402 
1403 	diff = 0;
1404 	rr = &rm->rm_resp;
1405 	rl = &rr->rr_v4;
1406 
1407 	i = (char *)&nat->nat_outip.s_addr;
1408 
1409 	/* Determine mbuf offset to write to. */
1410 	re = &rl->rl_entries[0];
1411 	pos = (char *)re->re_maddr.xu_xslen - rm->rm_msgbuf;
1412 	off += pos;
1413 
1414 	for (cnt = 0; cnt < rl->rl_cnt; cnt++) {
1415 		re = &rl->rl_entries[cnt];
1416 		p = (char *)&re->re_maddr.xu_port;
1417 
1418 		/* Form new string. */
1419 		bzero(uaddr, sizeof(uaddr)); /* Just in case we need
1420 						padding. */
1421 #if defined(SNPRINTF) && defined(_KERNEL)
1422 		(void) SNPRINTF(uaddr, sizeof(uaddr),
1423 #else
1424 		(void) sprintf(uaddr,
1425 #endif
1426 			       "%u.%u.%u.%u.%u.%u", i[0] & 0xff,
1427 			       i[1] & 0xff, i[2] & 0xff, i[3] & 0xff,
1428 			       p[0] & 0xff, p[1] & 0xff);
1429 		len = strlen(uaddr);
1430 		xlen = XDRALIGN(len);
1431 
1432 		/* Write new string length. */
1433 		bogo = htonl(len);
1434 		COPYBACK(m, off, 4, (caddr_t)&bogo);
1435 		off += 4;
1436 
1437 		/* Write new string. */
1438 		COPYBACK(m, off, xlen, uaddr);
1439 		off += xlen;
1440 
1441 		/* Record any change in length. */
1442 		diff += xlen - XDRALIGN(B(re->re_maddr.xu_xslen));
1443 
1444 		/* If the length changed, copy back the rest of this entry. */
1445 		len = ((char *)re->re_more + 4) -
1446 		       (char *)re->re_netid.xp_xslen;
1447 		if (diff != 0) {
1448 			COPYBACK(m, off, len, (caddr_t)re->re_netid.xp_xslen);
1449 		}
1450 		off += len;
1451 	}
1452 
1453 	/*
1454 	 * If our new string has a different length, make necessary
1455 	 * adjustments.
1456 	 */
1457 	if (diff != 0)
1458 		ippr_rpcb_fixlen(fin, diff);
1459 
1460 	return(diff);
1461 }
1462 
1463 
1464 /* --------------------------------------------------------------------	*/
1465 /* Function:    ippr_rpcb_fixlen                                        */
1466 /* Returns:     (void)                                                  */
1467 /* Parameters:  fin(I)  - pointer to packet information                 */
1468 /*              len(I)  - change in packet length                       */
1469 /*                                                                      */
1470 /* Adjust various packet related lengths held in structure and packet   */
1471 /* header fields.                                                       */
1472 /* --------------------------------------------------------------------	*/
1473 static void
ippr_rpcb_fixlen(fin,len)1474 ippr_rpcb_fixlen(fin, len)
1475         fr_info_t *fin;
1476         int len;
1477 {
1478         udphdr_t *udp;
1479 
1480         udp = fin->fin_dp;
1481         udp->uh_ulen = htons(ntohs(udp->uh_ulen) + len);
1482         fin->fin_ip->ip_len += len;
1483         fin->fin_dlen += len;
1484         fin->fin_plen += len;
1485 }
1486 
1487 #undef B
1488