1 /*
2 * Copyright (C) 2002-2012 by Ryan Beasley <ryanb@goddamnbastard.org>
3 *
4 * See the IPFILTER.LICENCE file for details on licencing.
5 */
6 /*
7 * Overview:
8 * This is an in-kernel application proxy for Sun's RPCBIND (nee portmap)
9 * protocol as defined in RFC1833. It is far from complete, mostly
10 * lacking in less-likely corner cases, but it's definitely functional.
11 *
12 * Invocation:
13 * rdr <int> <e_ip>/32 port <e_p> -> <i_ip> port <i_p> udp proxy rpcbu
14 *
15 * If the host running IP Filter is the same as the RPC server, it's
16 * perfectly legal for both the internal and external addresses and ports
17 * to match.
18 *
19 * When triggered by appropriate IP NAT rules, this proxy works by
20 * examining data contained in received packets. Requests and replies are
21 * modified, NAT and state table entries created, etc., as necessary.
22 */
23 /*
24 * TODO / NOTES
25 *
26 * o Must implement locking to protect proxy session data.
27 * o Fragmentation isn't supported.
28 * o Only supports UDP.
29 * o Doesn't support multiple RPC records in a single request.
30 * o Errors should be more fine-grained. (e.g., malloc failure vs.
31 * illegal RPCB request / reply)
32 * o Even with the limit on the total amount of recorded transactions,
33 * should there be a timeout on transaction removal?
34 * o There is a potential collision between cloning, wildcard NAT and
35 * state entries. There should be an appr_getport routine for
36 * to avoid this.
37 * o The enclosed hack of STREAMS support is pretty sick and most likely
38 * broken.
39 *
40 * $Id$
41 */
42 #define IPF_RPCB_PROXY
43
44 /*
45 * Function prototypes
46 */
47 void ipf_p_rpcb_main_load __P((void));
48 void ipf_p_rpcb_main_unload __P((void));
49 int ipf_p_rpcb_new __P((void *, fr_info_t *, ap_session_t *, nat_t *));
50 void ipf_p_rpcb_del __P((ipf_main_softc_t *, ap_session_t *));
51 int ipf_p_rpcb_in __P((void *, fr_info_t *, ap_session_t *, nat_t *));
52 int ipf_p_rpcb_out __P((void *, fr_info_t *, ap_session_t *, nat_t *));
53
54 static void ipf_p_rpcb_flush __P((rpcb_session_t *));
55 static int ipf_p_rpcb_decodereq __P((fr_info_t *, nat_t *,
56 rpcb_session_t *, rpc_msg_t *));
57 static int ipf_p_rpcb_skipauth __P((rpc_msg_t *, xdr_auth_t *, u_32_t **));
58 static int ipf_p_rpcb_insert __P((rpcb_session_t *, rpcb_xact_t *));
59 static int ipf_p_rpcb_xdrrpcb __P((rpc_msg_t *, u_32_t *, rpcb_args_t *));
60 static int ipf_p_rpcb_getuaddr __P((rpc_msg_t *, xdr_uaddr_t *,
61 u_32_t **));
62 static u_int ipf_p_rpcb_atoi __P((char *));
63 static int ipf_p_rpcb_modreq __P((fr_info_t *, nat_t *, rpc_msg_t *,
64 mb_t *, u_int));
65 static int ipf_p_rpcb_decoderep __P((fr_info_t *, nat_t *,
66 rpcb_session_t *, rpc_msg_t *, rpcb_xact_t **));
67 static rpcb_xact_t * ipf_p_rpcb_lookup __P((rpcb_session_t *, u_32_t));
68 static void ipf_p_rpcb_deref __P((rpcb_session_t *, rpcb_xact_t *));
69 static int ipf_p_rpcb_getproto __P((rpc_msg_t *, xdr_proto_t *,
70 u_32_t **));
71 static int ipf_p_rpcb_getnat __P((fr_info_t *, nat_t *, u_int, u_int));
72 static int ipf_p_rpcb_modv3 __P((fr_info_t *, nat_t *, rpc_msg_t *,
73 mb_t *, u_int));
74 static int ipf_p_rpcb_modv4 __P((fr_info_t *, nat_t *, rpc_msg_t *,
75 mb_t *, u_int));
76 static void ipf_p_rpcb_fixlen __P((fr_info_t *, int));
77
78 /*
79 * Global variables
80 */
81 static frentry_t rpcbfr; /* Skeleton rule for reference by entities
82 this proxy creates. */
83 static int rpcbcnt; /* Upper bound of allocated RPCB sessions. */
84 /* XXX rpcbcnt still requires locking. */
85
86 static int rpcb_proxy_init = 0;
87
88
89 /*
90 * Since rpc_msg contains only pointers, one should use this macro as a
91 * handy way to get to the goods. (In case you're wondering about the name,
92 * this started as BYTEREF -> BREF -> B.)
93 */
94 #define B(r) (u_32_t)ntohl(*(r))
95
96 /*
97 * Public subroutines
98 */
99
100 /* -------------------------------------------------------------------- */
101 /* Function: ipf_p_rpcb_main_load */
102 /* Returns: void */
103 /* Parameters: (void) */
104 /* */
105 /* Initialize the filter rule entry and session limiter. */
106 /* -------------------------------------------------------------------- */
107 void
ipf_p_rpcb_main_load()108 ipf_p_rpcb_main_load()
109 {
110 rpcbcnt = 0;
111
112 bzero((char *)&rpcbfr, sizeof(rpcbfr));
113 rpcbfr.fr_ref = 1;
114 rpcbfr.fr_flags = FR_PASS|FR_QUICK|FR_KEEPSTATE;
115 MUTEX_INIT(&rpcbfr.fr_lock, "ipf Sun RPCB proxy rule lock");
116 rpcb_proxy_init = 1;
117 }
118
119 /* -------------------------------------------------------------------- */
120 /* Function: ipf_p_rpcb_main_unload */
121 /* Returns: void */
122 /* Parameters: (void) */
123 /* */
124 /* Destroy rpcbfr's mutex to avoid a lock leak. */
125 /* -------------------------------------------------------------------- */
126 void
ipf_p_rpcb_main_unload()127 ipf_p_rpcb_main_unload()
128 {
129 if (rpcb_proxy_init == 1) {
130 MUTEX_DESTROY(&rpcbfr.fr_lock);
131 rpcb_proxy_init = 0;
132 }
133 }
134
135 /* -------------------------------------------------------------------- */
136 /* Function: ipf_p_rpcb_new */
137 /* Returns: int - -1 == failure, 0 == success */
138 /* Parameters: fin(I) - pointer to packet information */
139 /* aps(I) - pointer to proxy session structure */
140 /* nat(I) - pointer to NAT session structure */
141 /* */
142 /* Allocate resources for per-session proxy structures. */
143 /* -------------------------------------------------------------------- */
144 int
ipf_p_rpcb_new(arg,fin,aps,nat)145 ipf_p_rpcb_new(arg, fin, aps, nat)
146 void *arg;
147 fr_info_t *fin;
148 ap_session_t *aps;
149 nat_t *nat;
150 {
151 rpcb_session_t *rs;
152
153 nat = nat; /* LINT */
154
155 if (fin->fin_v != 4)
156 return -1;
157
158 KMALLOC(rs, rpcb_session_t *);
159 if (rs == NULL)
160 return(-1);
161
162 bzero((char *)rs, sizeof(*rs));
163 MUTEX_INIT(&rs->rs_rxlock, "ipf Sun RPCB proxy session lock");
164
165 aps->aps_data = rs;
166
167 return(0);
168 }
169
170 /* -------------------------------------------------------------------- */
171 /* Function: ipf_p_rpcb_del */
172 /* Returns: void */
173 /* Parameters: aps(I) - pointer to proxy session structure */
174 /* */
175 /* Free up a session's list of RPCB requests. */
176 /* -------------------------------------------------------------------- */
177 void
ipf_p_rpcb_del(softc,aps)178 ipf_p_rpcb_del(softc, aps)
179 ipf_main_softc_t *softc;
180 ap_session_t *aps;
181 {
182 rpcb_session_t *rs;
183 rs = (rpcb_session_t *)aps->aps_data;
184
185 MUTEX_ENTER(&rs->rs_rxlock);
186 ipf_p_rpcb_flush(rs);
187 MUTEX_EXIT(&rs->rs_rxlock);
188 MUTEX_DESTROY(&rs->rs_rxlock);
189 }
190
191 /* -------------------------------------------------------------------- */
192 /* Function: ipf_p_rpcb_in */
193 /* Returns: int - APR_ERR(1) == drop the packet, */
194 /* APR_ERR(2) == kill the proxy session, */
195 /* else change in packet length (in bytes) */
196 /* Parameters: fin(I) - pointer to packet information */
197 /* ip(I) - pointer to packet header */
198 /* aps(I) - pointer to proxy session structure */
199 /* nat(I) - pointer to NAT session structure */
200 /* */
201 /* Given a presumed RPCB request, perform some minor tests and pass off */
202 /* for decoding. Also pass packet off for a rewrite if necessary. */
203 /* -------------------------------------------------------------------- */
204 int
ipf_p_rpcb_in(arg,fin,aps,nat)205 ipf_p_rpcb_in(arg, fin, aps, nat)
206 void *arg;
207 fr_info_t *fin;
208 ap_session_t *aps;
209 nat_t *nat;
210 {
211 rpc_msg_t rpcmsg, *rm;
212 rpcb_session_t *rs;
213 u_int off, dlen;
214 mb_t *m;
215 int rv;
216
217 /* Disallow fragmented or illegally short packets. */
218 if ((fin->fin_flx & (FI_FRAG|FI_SHORT)) != 0)
219 return(APR_ERR(1));
220
221 /* Perform basic variable initialization. */
222 rs = (rpcb_session_t *)aps->aps_data;
223
224 m = fin->fin_m;
225 off = (char *)fin->fin_dp - (char *)fin->fin_ip;
226 off += sizeof(udphdr_t) + fin->fin_ipoff;
227 dlen = fin->fin_dlen - sizeof(udphdr_t);
228
229 /* Disallow packets outside legal range for supported requests. */
230 if ((dlen < RPCB_REQMIN) || (dlen > RPCB_REQMAX))
231 return(APR_ERR(1));
232
233 /* Copy packet over to convenience buffer. */
234 rm = &rpcmsg;
235 bzero((char *)rm, sizeof(*rm));
236 COPYDATA(m, off, dlen, (caddr_t)&rm->rm_msgbuf);
237 rm->rm_buflen = dlen;
238
239 /* Send off to decode request. */
240 rv = ipf_p_rpcb_decodereq(fin, nat, rs, rm);
241
242 switch(rv)
243 {
244 case -1:
245 return(APR_ERR(1));
246 /*NOTREACHED*/
247 break;
248 case 0:
249 break;
250 case 1:
251 rv = ipf_p_rpcb_modreq(fin, nat, rm, m, off);
252 break;
253 default:
254 /*CONSTANTCONDITION*/
255 IPF_PANIC(1, ("illegal rv %d (ipf_p_rpcb_req)", rv));
256 }
257
258 return(rv);
259 }
260
261 /* -------------------------------------------------------------------- */
262 /* Function: ipf_p_rpcb_out */
263 /* Returns: int - APR_ERR(1) == drop the packet, */
264 /* APR_ERR(2) == kill the proxy session, */
265 /* else change in packet length (in bytes) */
266 /* Parameters: fin(I) - pointer to packet information */
267 /* ip(I) - pointer to packet header */
268 /* aps(I) - pointer to proxy session structure */
269 /* nat(I) - pointer to NAT session structure */
270 /* */
271 /* Given a presumed RPCB reply, perform some minor tests and pass off */
272 /* for decoding. If the message indicates a successful request with */
273 /* valid addressing information, create NAT and state structures to */
274 /* allow direct communication between RPC client and server. */
275 /* -------------------------------------------------------------------- */
276 int
ipf_p_rpcb_out(arg,fin,aps,nat)277 ipf_p_rpcb_out(arg, fin, aps, nat)
278 void *arg;
279 fr_info_t *fin;
280 ap_session_t *aps;
281 nat_t *nat;
282 {
283 rpc_msg_t rpcmsg, *rm;
284 rpcb_session_t *rs;
285 rpcb_xact_t *rx;
286 u_int off, dlen;
287 int rv, diff;
288 mb_t *m;
289
290 /* Disallow fragmented or illegally short packets. */
291 if ((fin->fin_flx & (FI_FRAG|FI_SHORT)) != 0)
292 return(APR_ERR(1));
293
294 /* Perform basic variable initialization. */
295 rs = (rpcb_session_t *)aps->aps_data;
296 rx = NULL;
297
298 m = fin->fin_m;
299 off = (char *)fin->fin_dp - (char *)fin->fin_ip;
300 off += sizeof(udphdr_t) + fin->fin_ipoff;
301 dlen = fin->fin_dlen - sizeof(udphdr_t);
302 diff = 0;
303
304 /* Disallow packets outside legal range for supported requests. */
305 if ((dlen < RPCB_REPMIN) || (dlen > RPCB_REPMAX))
306 return(APR_ERR(1));
307
308 /* Copy packet over to convenience buffer. */
309 rm = &rpcmsg;
310 bzero((char *)rm, sizeof(*rm));
311 COPYDATA(m, off, dlen, (caddr_t)&rm->rm_msgbuf);
312 rm->rm_buflen = dlen;
313
314 rx = NULL; /* XXX gcc */
315
316 /* Send off to decode reply. */
317 rv = ipf_p_rpcb_decoderep(fin, nat, rs, rm, &rx);
318
319 switch(rv)
320 {
321 case -1: /* Bad packet */
322 if (rx != NULL) {
323 MUTEX_ENTER(&rs->rs_rxlock);
324 ipf_p_rpcb_deref(rs, rx);
325 MUTEX_EXIT(&rs->rs_rxlock);
326 }
327 return(APR_ERR(1));
328 /*NOTREACHED*/
329 break;
330 case 0: /* Negative reply / request rejected */
331 break;
332 case 1: /* Positive reply */
333 /*
334 * With the IP address embedded in a GETADDR(LIST) reply,
335 * we'll need to rewrite the packet in the very possible
336 * event that the internal & external addresses aren't the
337 * same. (i.e., this box is either a router or rpcbind
338 * only listens on loopback.)
339 */
340 if (nat->nat_odstaddr != nat->nat_ndstaddr) {
341 if (rx->rx_type == RPCB_RES_STRING)
342 diff = ipf_p_rpcb_modv3(fin, nat, rm, m, off);
343 else if (rx->rx_type == RPCB_RES_LIST)
344 diff = ipf_p_rpcb_modv4(fin, nat, rm, m, off);
345 }
346 break;
347 default:
348 /*CONSTANTCONDITION*/
349 IPF_PANIC(1, ("illegal rv %d (ipf_p_rpcb_decoderep)", rv));
350 }
351
352 if (rx != NULL) {
353 MUTEX_ENTER(&rs->rs_rxlock);
354 /* XXX Gross hack - I'm overloading the reference
355 * counter to deal with both threads and retransmitted
356 * requests. One deref signals that this thread is
357 * finished with rx, and the other signals that we've
358 * processed its reply.
359 */
360 ipf_p_rpcb_deref(rs, rx);
361 ipf_p_rpcb_deref(rs, rx);
362 MUTEX_EXIT(&rs->rs_rxlock);
363 }
364
365 return(diff);
366 }
367
368 /*
369 * Private support subroutines
370 */
371
372 /* -------------------------------------------------------------------- */
373 /* Function: ipf_p_rpcb_flush */
374 /* Returns: void */
375 /* Parameters: rs(I) - pointer to RPCB session structure */
376 /* */
377 /* Simply flushes the list of outstanding transactions, if any. */
378 /* -------------------------------------------------------------------- */
379 static void
ipf_p_rpcb_flush(rs)380 ipf_p_rpcb_flush(rs)
381 rpcb_session_t *rs;
382 {
383 rpcb_xact_t *r1, *r2;
384
385 r1 = rs->rs_rxlist;
386 if (r1 == NULL)
387 return;
388
389 while (r1 != NULL) {
390 r2 = r1;
391 r1 = r1->rx_next;
392 KFREE(r2);
393 }
394 }
395
396 /* -------------------------------------------------------------------- */
397 /* Function: ipf_p_rpcb_decodereq */
398 /* Returns: int - -1 == bad request or critical failure, */
399 /* 0 == request successfully decoded, */
400 /* 1 == request successfully decoded; requires */
401 /* address rewrite/modification */
402 /* Parameters: fin(I) - pointer to packet information */
403 /* nat(I) - pointer to NAT session structure */
404 /* rs(I) - pointer to RPCB session structure */
405 /* rm(I) - pointer to RPC message structure */
406 /* */
407 /* Take a presumed RPCB request, decode it, and store the results in */
408 /* the transaction list. If the internal target address needs to be */
409 /* modified, store its location in ptr. */
410 /* WARNING: It's the responsibility of the caller to make sure there */
411 /* is enough room in rs_buf for the basic RPC message "preamble". */
412 /* -------------------------------------------------------------------- */
413 static int
ipf_p_rpcb_decodereq(fin,nat,rs,rm)414 ipf_p_rpcb_decodereq(fin, nat, rs, rm)
415 fr_info_t *fin;
416 nat_t *nat;
417 rpcb_session_t *rs;
418 rpc_msg_t *rm;
419 {
420 rpcb_args_t *ra;
421 u_32_t xdr, *p;
422 rpc_call_t *rc;
423 rpcb_xact_t rx;
424 int mod;
425
426 p = (u_32_t *)rm->rm_msgbuf;
427 mod = 0;
428
429 bzero((char *)&rx, sizeof(rx));
430 rc = &rm->rm_call;
431
432 rm->rm_xid = p;
433 rx.rx_xid = B(p++); /* Record this message's XID. */
434
435 /* Parse out and test the RPC header. */
436 if ((B(p++) != RPCB_CALL) ||
437 (B(p++) != RPCB_MSG_VERSION) ||
438 (B(p++) != RPCB_PROG))
439 return(-1);
440
441 /* Record the RPCB version and procedure. */
442 rc->rc_vers = p++;
443 rc->rc_proc = p++;
444
445 /* Bypass RPC authentication stuff. */
446 if (ipf_p_rpcb_skipauth(rm, &rc->rc_authcred, &p) != 0)
447 return(-1);
448 if (ipf_p_rpcb_skipauth(rm, &rc->rc_authverf, &p) != 0)
449 return(-1);
450
451 /* Compare RPCB version and procedure numbers. */
452 switch(B(rc->rc_vers))
453 {
454 case 2:
455 /* This proxy only supports PMAP_GETPORT. */
456 if (B(rc->rc_proc) != RPCB_GETPORT)
457 return(-1);
458
459 /* Portmap requests contain four 4 byte parameters. */
460 if (RPCB_BUF_EQ(rm, p, 16) == 0)
461 return(-1);
462
463 p += 2; /* Skip requested program and version numbers. */
464
465 /* Sanity check the requested protocol. */
466 xdr = B(p);
467 if (!(xdr == IPPROTO_UDP || xdr == IPPROTO_TCP))
468 return(-1);
469
470 rx.rx_type = RPCB_RES_PMAP;
471 rx.rx_proto = xdr;
472 break;
473 case 3:
474 case 4:
475 /* GETADDRLIST is exclusive to v4; GETADDR for v3 & v4 */
476 switch(B(rc->rc_proc))
477 {
478 case RPCB_GETADDR:
479 rx.rx_type = RPCB_RES_STRING;
480 rx.rx_proto = (u_int)fin->fin_p;
481 break;
482 case RPCB_GETADDRLIST:
483 if (B(rc->rc_vers) != 4)
484 return(-1);
485 rx.rx_type = RPCB_RES_LIST;
486 break;
487 default:
488 return(-1);
489 }
490
491 ra = &rc->rc_rpcbargs;
492
493 /* Decode the 'struct rpcb' request. */
494 if (ipf_p_rpcb_xdrrpcb(rm, p, ra) != 0)
495 return(-1);
496
497 /* Are the target address & port valid? */
498 if ((ra->ra_maddr.xu_ip != nat->nat_ndstaddr) ||
499 (ra->ra_maddr.xu_port != nat->nat_ndport))
500 return(-1);
501
502 /* Do we need to rewrite this packet? */
503 if ((nat->nat_ndstaddr != nat->nat_odstaddr) ||
504 (nat->nat_ndport != nat->nat_odport))
505 mod = 1;
506 break;
507 default:
508 return(-1);
509 }
510
511 MUTEX_ENTER(&rs->rs_rxlock);
512 if (ipf_p_rpcb_insert(rs, &rx) != 0) {
513 MUTEX_EXIT(&rs->rs_rxlock);
514 return(-1);
515 }
516 MUTEX_EXIT(&rs->rs_rxlock);
517
518 return(mod);
519 }
520
521 /* -------------------------------------------------------------------- */
522 /* Function: ipf_p_rpcb_skipauth */
523 /* Returns: int -- -1 == illegal auth parameters (lengths) */
524 /* 0 == valid parameters, pointer advanced */
525 /* Parameters: rm(I) - pointer to RPC message structure */
526 /* auth(I) - pointer to RPC auth structure */
527 /* buf(IO) - pointer to location within convenience buffer */
528 /* */
529 /* Record auth data length & location of auth data, then advance past */
530 /* it. */
531 /* -------------------------------------------------------------------- */
532 static int
ipf_p_rpcb_skipauth(rm,auth,buf)533 ipf_p_rpcb_skipauth(rm, auth, buf)
534 rpc_msg_t *rm;
535 xdr_auth_t *auth;
536 u_32_t **buf;
537 {
538 u_32_t *p, xdr;
539
540 p = *buf;
541
542 /* Make sure we have enough space for expected fixed auth parms. */
543 if (RPCB_BUF_GEQ(rm, p, 8) == 0)
544 return(-1);
545
546 p++; /* We don't care about auth_flavor. */
547
548 auth->xa_string.xs_len = p;
549 xdr = B(p++); /* Length of auth_data */
550
551 /* Test for absurdity / illegality of auth_data length. */
552 if ((XDRALIGN(xdr) < xdr) || (RPCB_BUF_GEQ(rm, p, XDRALIGN(xdr)) == 0))
553 return(-1);
554
555 auth->xa_string.xs_str = (char *)p;
556
557 p += XDRALIGN(xdr); /* Advance our location. */
558
559 *buf = (u_32_t *)p;
560
561 return(0);
562 }
563
564 /* -------------------------------------------------------------------- */
565 /* Function: ipf_p_rpcb_insert */
566 /* Returns: int -- -1 == list insertion failed, */
567 /* 0 == item successfully added */
568 /* Parameters: rs(I) - pointer to RPCB session structure */
569 /* rx(I) - pointer to RPCB transaction structure */
570 /* -------------------------------------------------------------------- */
571 static int
ipf_p_rpcb_insert(rs,rx)572 ipf_p_rpcb_insert(rs, rx)
573 rpcb_session_t *rs;
574 rpcb_xact_t *rx;
575 {
576 rpcb_xact_t *rxp;
577
578 rxp = ipf_p_rpcb_lookup(rs, rx->rx_xid);
579 if (rxp != NULL) {
580 ++rxp->rx_ref;
581 return(0);
582 }
583
584 if (rpcbcnt == RPCB_MAXREQS)
585 return(-1);
586
587 KMALLOC(rxp, rpcb_xact_t *);
588 if (rxp == NULL)
589 return(-1);
590
591 bcopy((char *)rx, (char *)rxp, sizeof(*rx));
592
593 if (rs->rs_rxlist != NULL)
594 rs->rs_rxlist->rx_pnext = &rxp->rx_next;
595
596 rxp->rx_pnext = &rs->rs_rxlist;
597 rxp->rx_next = rs->rs_rxlist;
598 rs->rs_rxlist = rxp;
599
600 rxp->rx_ref = 1;
601
602 ++rpcbcnt;
603
604 return(0);
605 }
606
607 /* -------------------------------------------------------------------- */
608 /* Function: ipf_p_rpcb_xdrrpcb */
609 /* Returns: int -- -1 == failure to properly decode the request */
610 /* 0 == rpcb successfully decoded */
611 /* Parameters: rs(I) - pointer to RPCB session structure */
612 /* p(I) - pointer to location within session buffer */
613 /* rpcb(O) - pointer to rpcb (xdr type) structure */
614 /* */
615 /* Decode a XDR encoded rpcb structure and record its contents in rpcb */
616 /* within only the context of TCP/UDP over IP networks. */
617 /* -------------------------------------------------------------------- */
618 static int
ipf_p_rpcb_xdrrpcb(rm,p,ra)619 ipf_p_rpcb_xdrrpcb(rm, p, ra)
620 rpc_msg_t *rm;
621 u_32_t *p;
622 rpcb_args_t *ra;
623 {
624 if (!RPCB_BUF_GEQ(rm, p, 20))
625 return(-1);
626
627 /* Bypass target program & version. */
628 p += 2;
629
630 /* Decode r_netid. Must be "tcp" or "udp". */
631 if (ipf_p_rpcb_getproto(rm, &ra->ra_netid, &p) != 0)
632 return(-1);
633
634 /* Decode r_maddr. */
635 if (ipf_p_rpcb_getuaddr(rm, &ra->ra_maddr, &p) != 0)
636 return(-1);
637
638 /* Advance to r_owner and make sure it's empty. */
639 if (!RPCB_BUF_EQ(rm, p, 4) || (B(p) != 0))
640 return(-1);
641
642 return(0);
643 }
644
645 /* -------------------------------------------------------------------- */
646 /* Function: ipf_p_rpcb_getuaddr */
647 /* Returns: int -- -1 == illegal string, */
648 /* 0 == string parsed; contents recorded */
649 /* Parameters: rm(I) - pointer to RPC message structure */
650 /* xu(I) - pointer to universal address structure */
651 /* p(IO) - pointer to location within message buffer */
652 /* */
653 /* Decode the IP address / port at p and record them in xu. */
654 /* -------------------------------------------------------------------- */
655 static int
ipf_p_rpcb_getuaddr(rm,xu,p)656 ipf_p_rpcb_getuaddr(rm, xu, p)
657 rpc_msg_t *rm;
658 xdr_uaddr_t *xu;
659 u_32_t **p;
660 {
661 char *c, *i, *b, *pp;
662 u_int d, dd, l, t;
663 char uastr[24];
664
665 /* Test for string length. */
666 if (!RPCB_BUF_GEQ(rm, *p, 4))
667 return(-1);
668
669 xu->xu_xslen = (*p)++;
670 xu->xu_xsstr = (char *)*p;
671
672 /* Length check */
673 l = B(xu->xu_xslen);
674 if (l < 11 || l > 23 || !RPCB_BUF_GEQ(rm, *p, XDRALIGN(l)))
675 return(-1);
676
677 /* Advance p */
678 *(char **)p += XDRALIGN(l);
679
680 /* Copy string to local buffer & terminate C style */
681 bcopy(xu->xu_xsstr, uastr, l);
682 uastr[l] = '\0';
683
684 i = (char *)&xu->xu_ip;
685 pp = (char *)&xu->xu_port;
686
687 /*
688 * Expected format: a.b.c.d.e.f where [a-d] correspond to bytes of
689 * an IP address and [ef] are the bytes of a L4 port.
690 */
691 if (!(ISDIGIT(uastr[0]) && ISDIGIT(uastr[l-1])))
692 return(-1);
693 b = uastr;
694 for (c = &uastr[1], d = 0, dd = 0; c < &uastr[l-1]; c++) {
695 if (ISDIGIT(*c)) {
696 dd = 0;
697 continue;
698 }
699 if (*c == '.') {
700 if (dd != 0)
701 return(-1);
702
703 /* Check for ASCII byte. */
704 *c = '\0';
705 t = ipf_p_rpcb_atoi(b);
706 if (t > 255)
707 return(-1);
708
709 /* Aim b at beginning of the next byte. */
710 b = c + 1;
711
712 /* Switch off IP addr vs port parsing. */
713 if (d < 4)
714 i[d++] = t & 0xff;
715 else
716 pp[d++ - 4] = t & 0xff;
717
718 dd = 1;
719 continue;
720 }
721 return(-1);
722 }
723 if (d != 5) /* String must contain exactly 5 periods. */
724 return(-1);
725
726 /* Handle the last byte (port low byte) */
727 t = ipf_p_rpcb_atoi(b);
728 if (t > 255)
729 return(-1);
730 pp[d - 4] = t & 0xff;
731
732 return(0);
733 }
734
735 /* -------------------------------------------------------------------- */
736 /* Function: ipf_p_rpcb_atoi (XXX should be generic for all proxies) */
737 /* Returns: int -- integer representation of supplied string */
738 /* Parameters: ptr(I) - input string */
739 /* */
740 /* Simple version of atoi(3) ripped from ip_rcmd_pxy.c. */
741 /* -------------------------------------------------------------------- */
742 static u_int
ipf_p_rpcb_atoi(ptr)743 ipf_p_rpcb_atoi(ptr)
744 char *ptr;
745 {
746 register char *s = ptr, c;
747 register u_int i = 0;
748
749 while (((c = *s++) != '\0') && ISDIGIT(c)) {
750 i *= 10;
751 i += c - '0';
752 }
753 return i;
754 }
755
756 /* -------------------------------------------------------------------- */
757 /* Function: ipf_p_rpcb_modreq */
758 /* Returns: int -- change in datagram length */
759 /* APR_ERR(2) - critical failure */
760 /* Parameters: fin(I) - pointer to packet information */
761 /* nat(I) - pointer to NAT session */
762 /* rm(I) - pointer to RPC message structure */
763 /* m(I) - pointer to mbuf chain */
764 /* off(I) - current offset within mbuf chain */
765 /* */
766 /* When external and internal addresses differ, we rewrite the former */
767 /* with the latter. (This is exclusive to protocol versions 3 & 4). */
768 /* -------------------------------------------------------------------- */
769 static int
ipf_p_rpcb_modreq(fin,nat,rm,m,off)770 ipf_p_rpcb_modreq(fin, nat, rm, m, off)
771 fr_info_t *fin;
772 nat_t *nat;
773 rpc_msg_t *rm;
774 mb_t *m;
775 u_int off;
776 {
777 u_int len, xlen, pos, bogo;
778 rpcb_args_t *ra;
779 char uaddr[24];
780 udphdr_t *udp;
781 char *i, *p;
782 int diff;
783
784 ra = &rm->rm_call.rc_rpcbargs;
785 i = (char *)&nat->nat_odstaddr;
786 p = (char *)&nat->nat_odport;
787
788 /* Form new string. */
789 bzero(uaddr, sizeof(uaddr)); /* Just in case we need padding. */
790 #if defined(SNPRINTF) && defined(_KERNEL)
791 SNPRINTF(uaddr, sizeof(uaddr),
792 #else
793 (void) sprintf(uaddr,
794 #endif
795 "%u.%u.%u.%u.%u.%u", i[0] & 0xff, i[1] & 0xff,
796 i[2] & 0xff, i[3] & 0xff, p[0] & 0xff, p[1] & 0xff);
797 len = strlen(uaddr);
798 xlen = XDRALIGN(len);
799
800 /* Determine mbuf offset to start writing to. */
801 pos = (char *)ra->ra_maddr.xu_xslen - rm->rm_msgbuf;
802 off += pos;
803
804 /* Write new string length. */
805 bogo = htonl(len);
806 COPYBACK(m, off, 4, (caddr_t)&bogo);
807 off += 4;
808
809 /* Write new string. */
810 COPYBACK(m, off, xlen, uaddr);
811 off += xlen;
812
813 /* Write in zero r_owner. */
814 bogo = 0;
815 COPYBACK(m, off, 4, (caddr_t)&bogo);
816
817 /* Determine difference in data lengths. */
818 diff = xlen - XDRALIGN(B(ra->ra_maddr.xu_xslen));
819
820 /*
821 * If our new string has a different length, make necessary
822 * adjustments.
823 */
824 if (diff != 0) {
825 udp = fin->fin_dp;
826 udp->uh_ulen = htons(ntohs(udp->uh_ulen) + diff);
827 fin->fin_plen += diff;
828 fin->fin_ip->ip_len = htons(fin->fin_plen);
829 fin->fin_dlen += diff;
830 /* XXX Storage lengths. */
831 }
832
833 return(diff);
834 }
835
836 /* -------------------------------------------------------------------- */
837 /* Function: ipf_p_rpcb_decoderep */
838 /* Returns: int - -1 == bad request or critical failure, */
839 /* 0 == valid, negative reply */
840 /* 1 == vaddlid, positive reply; needs no changes */
841 /* Parameters: fin(I) - pointer to packet information */
842 /* nat(I) - pointer to NAT session structure */
843 /* rs(I) - pointer to RPCB session structure */
844 /* rm(I) - pointer to RPC message structure */
845 /* rxp(O) - pointer to RPCB transaction structure */
846 /* */
847 /* Take a presumed RPCB reply, extract the XID, search for the original */
848 /* request information, and determine whether the request was accepted */
849 /* or rejected. With a valid accepted reply, go ahead and create NAT */
850 /* and state entries, and finish up by rewriting the packet as */
851 /* required. */
852 /* */
853 /* WARNING: It's the responsibility of the caller to make sure there */
854 /* is enough room in rs_buf for the basic RPC message "preamble". */
855 /* -------------------------------------------------------------------- */
856 static int
ipf_p_rpcb_decoderep(fin,nat,rs,rm,rxp)857 ipf_p_rpcb_decoderep(fin, nat, rs, rm, rxp)
858 fr_info_t *fin;
859 nat_t *nat;
860 rpcb_session_t *rs;
861 rpc_msg_t *rm;
862 rpcb_xact_t **rxp;
863 {
864 rpcb_listp_t *rl;
865 rpcb_entry_t *re;
866 rpcb_xact_t *rx;
867 u_32_t xdr, *p;
868 rpc_resp_t *rr;
869 int rv, cnt;
870
871 p = (u_32_t *)rm->rm_msgbuf;
872
873 bzero((char *)&rx, sizeof(rx));
874 rr = &rm->rm_resp;
875
876 rm->rm_xid = p;
877 xdr = B(p++); /* Record this message's XID. */
878
879 /* Lookup XID */
880 MUTEX_ENTER(&rs->rs_rxlock);
881 if ((rx = ipf_p_rpcb_lookup(rs, xdr)) == NULL) {
882 MUTEX_EXIT(&rs->rs_rxlock);
883 return(-1);
884 }
885 ++rx->rx_ref; /* per thread reference */
886 MUTEX_EXIT(&rs->rs_rxlock);
887
888 *rxp = rx;
889
890 /* Test call vs reply */
891 if (B(p++) != RPCB_REPLY)
892 return(-1);
893
894 /* Test reply_stat */
895 switch(B(p++))
896 {
897 case RPCB_MSG_DENIED:
898 return(0);
899 case RPCB_MSG_ACCEPTED:
900 break;
901 default:
902 return(-1);
903 }
904
905 /* Bypass RPC authentication stuff. */
906 if (ipf_p_rpcb_skipauth(rm, &rr->rr_authverf, &p) != 0)
907 return(-1);
908
909 /* Test accept status */
910 if (!RPCB_BUF_GEQ(rm, p, 4))
911 return(-1);
912 if (B(p++) != 0)
913 return(0);
914
915 /* Parse out the expected reply */
916 switch(rx->rx_type)
917 {
918 case RPCB_RES_PMAP:
919 /* There must be only one 4 byte argument. */
920 if (!RPCB_BUF_EQ(rm, p, 4))
921 return(-1);
922
923 rr->rr_v2 = p;
924 xdr = B(rr->rr_v2);
925
926 /* Reply w/ a 0 port indicates service isn't registered */
927 if (xdr == 0)
928 return(0);
929
930 /* Is the value sane? */
931 if (xdr > 65535)
932 return(-1);
933
934 /* Create NAT & state table entries. */
935 if (ipf_p_rpcb_getnat(fin, nat, rx->rx_proto, (u_int)xdr) != 0)
936 return(-1);
937 break;
938 case RPCB_RES_STRING:
939 /* Expecting a XDR string; need 4 bytes for length */
940 if (!RPCB_BUF_GEQ(rm, p, 4))
941 return(-1);
942
943 rr->rr_v3.xu_str.xs_len = p++;
944 rr->rr_v3.xu_str.xs_str = (char *)p;
945
946 xdr = B(rr->rr_v3.xu_xslen);
947
948 /* A null string indicates an unregistered service */
949 if ((xdr == 0) && RPCB_BUF_EQ(rm, p, 0))
950 return(0);
951
952 /* Decode the target IP address / port. */
953 if (ipf_p_rpcb_getuaddr(rm, &rr->rr_v3, &p) != 0)
954 return(-1);
955
956 /* Validate the IP address and port contained. */
957 if (nat->nat_odstaddr != rr->rr_v3.xu_ip)
958 return(-1);
959
960 /* Create NAT & state table entries. */
961 if (ipf_p_rpcb_getnat(fin, nat, rx->rx_proto,
962 (u_int)rr->rr_v3.xu_port) != 0)
963 return(-1);
964 break;
965 case RPCB_RES_LIST:
966 if (!RPCB_BUF_GEQ(rm, p, 4))
967 return(-1);
968 /* rpcb_entry_list_ptr */
969 switch(B(p))
970 {
971 case 0:
972 return(0);
973 /*NOTREACHED*/
974 break;
975 case 1:
976 break;
977 default:
978 return(-1);
979 }
980 rl = &rr->rr_v4;
981 rl->rl_list = p++;
982 cnt = 0;
983
984 for(;;) {
985 re = &rl->rl_entries[rl->rl_cnt];
986 if (ipf_p_rpcb_getuaddr(rm, &re->re_maddr, &p) != 0)
987 return(-1);
988 if (ipf_p_rpcb_getproto(rm, &re->re_netid, &p) != 0)
989 return(-1);
990 /* re_semantics & re_pfamily length */
991 if (!RPCB_BUF_GEQ(rm, p, 12))
992 return(-1);
993 p++; /* Skipping re_semantics. */
994 xdr = B(p++);
995 if ((xdr != 4) || strncmp((char *)p, "inet", 4))
996 return(-1);
997 p++;
998 if (ipf_p_rpcb_getproto(rm, &re->re_proto, &p) != 0)
999 return(-1);
1000 if (!RPCB_BUF_GEQ(rm, p, 4))
1001 return(-1);
1002 re->re_more = p;
1003 if (B(re->re_more) > 1) /* 0,1 only legal values */
1004 return(-1);
1005 ++rl->rl_cnt;
1006 ++cnt;
1007 if (B(re->re_more) == 0)
1008 break;
1009 /* Replies in max out at 2; TCP and/or UDP */
1010 if (cnt > 2)
1011 return(-1);
1012 p++;
1013 }
1014
1015 for(rl->rl_cnt = 0; rl->rl_cnt < cnt; rl->rl_cnt++) {
1016 re = &rl->rl_entries[rl->rl_cnt];
1017 rv = ipf_p_rpcb_getnat(fin, nat,
1018 re->re_proto.xp_proto,
1019 (u_int)re->re_maddr.xu_port);
1020 if (rv != 0)
1021 return(-1);
1022 }
1023 break;
1024 default:
1025 /*CONSTANTCONDITION*/
1026 IPF_PANIC(1, ("illegal rx_type %d", rx->rx_type));
1027 }
1028
1029 return(1);
1030 }
1031
1032 /* -------------------------------------------------------------------- */
1033 /* Function: ipf_p_rpcb_lookup */
1034 /* Returns: rpcb_xact_t * - NULL == no matching record, */
1035 /* else pointer to relevant entry */
1036 /* Parameters: rs(I) - pointer to RPCB session */
1037 /* xid(I) - XID to look for */
1038 /* -------------------------------------------------------------------- */
1039 static rpcb_xact_t *
ipf_p_rpcb_lookup(rs,xid)1040 ipf_p_rpcb_lookup(rs, xid)
1041 rpcb_session_t *rs;
1042 u_32_t xid;
1043 {
1044 rpcb_xact_t *rx;
1045
1046 if (rs->rs_rxlist == NULL)
1047 return(NULL);
1048
1049 for (rx = rs->rs_rxlist; rx != NULL; rx = rx->rx_next)
1050 if (rx->rx_xid == xid)
1051 break;
1052
1053 return(rx);
1054 }
1055
1056 /* -------------------------------------------------------------------- */
1057 /* Function: ipf_p_rpcb_deref */
1058 /* Returns: (void) */
1059 /* Parameters: rs(I) - pointer to RPCB session */
1060 /* rx(I) - pointer to RPC transaction struct to remove */
1061 /* force(I) - indicates to delete entry regardless of */
1062 /* reference count */
1063 /* Locking: rs->rs_rxlock must be held write only */
1064 /* */
1065 /* Free the RPCB transaction record rx from the chain of entries. */
1066 /* -------------------------------------------------------------------- */
1067 static void
ipf_p_rpcb_deref(rs,rx)1068 ipf_p_rpcb_deref(rs, rx)
1069 rpcb_session_t *rs;
1070 rpcb_xact_t *rx;
1071 {
1072 rs = rs; /* LINT */
1073
1074 if (rx == NULL)
1075 return;
1076
1077 if (--rx->rx_ref != 0)
1078 return;
1079
1080 if (rx->rx_next != NULL)
1081 rx->rx_next->rx_pnext = rx->rx_pnext;
1082
1083 *rx->rx_pnext = rx->rx_next;
1084
1085 KFREE(rx);
1086
1087 --rpcbcnt;
1088 }
1089
1090 /* -------------------------------------------------------------------- */
1091 /* Function: ipf_p_rpcb_getproto */
1092 /* Returns: int - -1 == illegal protocol/netid, */
1093 /* 0 == legal protocol/netid */
1094 /* Parameters: rm(I) - pointer to RPC message structure */
1095 /* xp(I) - pointer to netid structure */
1096 /* p(IO) - pointer to location within packet buffer */
1097 /* */
1098 /* Decode netid/proto stored at p and record its numeric value. */
1099 /* -------------------------------------------------------------------- */
1100 static int
ipf_p_rpcb_getproto(rm,xp,p)1101 ipf_p_rpcb_getproto(rm, xp, p)
1102 rpc_msg_t *rm;
1103 xdr_proto_t *xp;
1104 u_32_t **p;
1105 {
1106 u_int len;
1107
1108 /* Must have 4 bytes for length & 4 bytes for "tcp" or "udp". */
1109 if (!RPCB_BUF_GEQ(rm, p, 8))
1110 return(-1);
1111
1112 xp->xp_xslen = (*p)++;
1113 xp->xp_xsstr = (char *)*p;
1114
1115 /* Test the string length. */
1116 len = B(xp->xp_xslen);
1117 if (len != 3)
1118 return(-1);
1119
1120 /* Test the actual string & record the protocol accordingly. */
1121 if (!strncmp((char *)xp->xp_xsstr, "tcp\0", 4))
1122 xp->xp_proto = IPPROTO_TCP;
1123 else if (!strncmp((char *)xp->xp_xsstr, "udp\0", 4))
1124 xp->xp_proto = IPPROTO_UDP;
1125 else {
1126 return(-1);
1127 }
1128
1129 /* Advance past the string. */
1130 (*p)++;
1131
1132 return(0);
1133 }
1134
1135 /* -------------------------------------------------------------------- */
1136 /* Function: ipf_p_rpcb_getnat */
1137 /* Returns: int -- -1 == failed to create table entries, */
1138 /* 0 == success */
1139 /* Parameters: fin(I) - pointer to packet information */
1140 /* nat(I) - pointer to NAT table entry */
1141 /* proto(I) - transport protocol for new entries */
1142 /* port(I) - new port to use w/ wildcard table entries */
1143 /* */
1144 /* Create state and NAT entries to handle an anticipated connection */
1145 /* attempt between RPC client and server. */
1146 /* -------------------------------------------------------------------- */
1147 static int
ipf_p_rpcb_getnat(fin,nat,proto,port)1148 ipf_p_rpcb_getnat(fin, nat, proto, port)
1149 fr_info_t *fin;
1150 nat_t *nat;
1151 u_int proto;
1152 u_int port;
1153 {
1154 ipf_main_softc_t *softc = fin->fin_main_soft;
1155 ipnat_t *ipn, ipnat;
1156 tcphdr_t tcp;
1157 ipstate_t *is;
1158 fr_info_t fi;
1159 nat_t *natl;
1160 int nflags;
1161
1162 ipn = nat->nat_ptr;
1163
1164 /* Generate dummy fr_info */
1165 bcopy((char *)fin, (char *)&fi, sizeof(fi));
1166 fi.fin_out = 0;
1167 fi.fin_p = proto;
1168 fi.fin_sport = 0;
1169 fi.fin_dport = port & 0xffff;
1170 fi.fin_flx |= FI_IGNORE;
1171 fi.fin_saddr = nat->nat_osrcaddr;
1172 fi.fin_daddr = nat->nat_odstaddr;
1173
1174 bzero((char *)&tcp, sizeof(tcp));
1175 tcp.th_dport = htons(port);
1176
1177 if (proto == IPPROTO_TCP) {
1178 tcp.th_win = htons(8192);
1179 TCP_OFF_A(&tcp, sizeof(tcphdr_t) >> 2);
1180 fi.fin_dlen = sizeof(tcphdr_t);
1181 tcp.th_flags = TH_SYN;
1182 nflags = NAT_TCP;
1183 } else {
1184 fi.fin_dlen = sizeof(udphdr_t);
1185 nflags = NAT_UDP;
1186 }
1187
1188 nflags |= SI_W_SPORT|NAT_SEARCH;
1189 fi.fin_dp = &tcp;
1190 fi.fin_plen = fi.fin_hlen + fi.fin_dlen;
1191
1192 /*
1193 * Search for existing NAT & state entries. Pay close attention to
1194 * mutexes / locks grabbed from lookup routines, as not doing so could
1195 * lead to bad things.
1196 *
1197 * If successful, fr_stlookup returns with ipf_state locked. We have
1198 * no use for this lock, so simply unlock it if necessary.
1199 */
1200 is = ipf_state_lookup(&fi, &tcp, NULL);
1201 if (is != NULL) {
1202 RWLOCK_EXIT(&softc->ipf_state);
1203 }
1204
1205 RWLOCK_EXIT(&softc->ipf_nat);
1206
1207 WRITE_ENTER(&softc->ipf_nat);
1208 natl = ipf_nat_inlookup(&fi, nflags, proto, fi.fin_src, fi.fin_dst);
1209
1210 if ((natl != NULL) && (is != NULL)) {
1211 MUTEX_DOWNGRADE(&softc->ipf_nat);
1212 return(0);
1213 }
1214
1215 /* Slightly modify the following structures for actual use in creating
1216 * NAT and/or state entries. We're primarily concerned with stripping
1217 * flags that may be detrimental to the creation process or simply
1218 * shouldn't be associated with a table entry.
1219 */
1220 fi.fin_fr = &rpcbfr;
1221 fi.fin_flx &= ~FI_IGNORE;
1222 nflags &= ~NAT_SEARCH;
1223
1224 if (natl == NULL) {
1225 #ifdef USE_MUTEXES
1226 ipf_nat_softc_t *softn = softc->ipf_nat_soft;
1227 #endif
1228
1229 /* XXX Since we're just copying the original ipn contents
1230 * back, would we be better off just sending a pointer to
1231 * the 'temp' copy off to nat_new instead?
1232 */
1233 /* Generate template/bogus NAT rule. */
1234 bcopy((char *)ipn, (char *)&ipnat, sizeof(ipnat));
1235 ipn->in_flags = nflags & IPN_TCPUDP;
1236 ipn->in_apr = NULL;
1237 ipn->in_pr[0] = proto;
1238 ipn->in_pr[1] = proto;
1239 ipn->in_dpmin = fi.fin_dport;
1240 ipn->in_dpmax = fi.fin_dport;
1241 ipn->in_dpnext = fi.fin_dport;
1242 ipn->in_space = 1;
1243 ipn->in_ippip = 1;
1244 if (ipn->in_flags & IPN_FILTER) {
1245 ipn->in_scmp = 0;
1246 ipn->in_dcmp = 0;
1247 }
1248 ipn->in_plabel = -1;
1249
1250 /* Create NAT entry. return NULL if this fails. */
1251 MUTEX_ENTER(&softn->ipf_nat_new);
1252 natl = ipf_nat_add(&fi, ipn, NULL, nflags|SI_CLONE|NAT_SLAVE,
1253 NAT_INBOUND);
1254 MUTEX_EXIT(&softn->ipf_nat_new);
1255
1256 bcopy((char *)&ipnat, (char *)ipn, sizeof(ipnat));
1257
1258 if (natl == NULL) {
1259 MUTEX_DOWNGRADE(&softc->ipf_nat);
1260 return(-1);
1261 }
1262
1263 natl->nat_ptr = ipn;
1264 fi.fin_saddr = natl->nat_nsrcaddr;
1265 fi.fin_daddr = natl->nat_ndstaddr;
1266 ipn->in_use++;
1267 (void) ipf_nat_proto(&fi, natl, nflags);
1268 MUTEX_ENTER(&natl->nat_lock);
1269 ipf_nat_update(&fi, natl);
1270 MUTEX_EXIT(&natl->nat_lock);
1271 }
1272 MUTEX_DOWNGRADE(&softc->ipf_nat);
1273
1274 if (is == NULL) {
1275 /* Create state entry. Return NULL if this fails. */
1276 fi.fin_flx |= FI_NATED;
1277 fi.fin_flx &= ~FI_STATE;
1278 nflags &= NAT_TCPUDP;
1279 nflags |= SI_W_SPORT|SI_CLONE;
1280
1281 if (ipf_state_add(softc, &fi, NULL, nflags) != 0) {
1282 /*
1283 * XXX nat_delete is private to ip_nat.c. Should
1284 * check w/ Darren about this one.
1285 *
1286 * nat_delete(natl, NL_EXPIRE);
1287 */
1288 return(-1);
1289 }
1290 }
1291
1292 return(0);
1293 }
1294
1295 /* -------------------------------------------------------------------- */
1296 /* Function: ipf_p_rpcb_modv3 */
1297 /* Returns: int -- change in packet length */
1298 /* Parameters: fin(I) - pointer to packet information */
1299 /* nat(I) - pointer to NAT session */
1300 /* rm(I) - pointer to RPC message structure */
1301 /* m(I) - pointer to mbuf chain */
1302 /* off(I) - offset within mbuf chain */
1303 /* */
1304 /* Write a new universal address string to this packet, adjusting */
1305 /* lengths as necessary. */
1306 /* -------------------------------------------------------------------- */
1307 static int
ipf_p_rpcb_modv3(fin,nat,rm,m,off)1308 ipf_p_rpcb_modv3(fin, nat, rm, m, off)
1309 fr_info_t *fin;
1310 nat_t *nat;
1311 rpc_msg_t *rm;
1312 mb_t *m;
1313 u_int off;
1314 {
1315 u_int len, xlen, pos, bogo;
1316 rpc_resp_t *rr;
1317 char uaddr[24];
1318 char *i, *p;
1319 int diff;
1320
1321 rr = &rm->rm_resp;
1322 i = (char *)&nat->nat_ndstaddr;
1323 p = (char *)&rr->rr_v3.xu_port;
1324
1325 /* Form new string. */
1326 bzero(uaddr, sizeof(uaddr)); /* Just in case we need padding. */
1327 #if defined(SNPRINTF) && defined(_KERNEL)
1328 SNPRINTF(uaddr, sizeof(uaddr),
1329 #else
1330 (void) sprintf(uaddr,
1331 #endif
1332 "%u.%u.%u.%u.%u.%u", i[0] & 0xff, i[1] & 0xff,
1333 i[2] & 0xff, i[3] & 0xff, p[0] & 0xff, p[1] & 0xff);
1334 len = strlen(uaddr);
1335 xlen = XDRALIGN(len);
1336
1337 /* Determine mbuf offset to write to. */
1338 pos = (char *)rr->rr_v3.xu_xslen - rm->rm_msgbuf;
1339 off += pos;
1340
1341 /* Write new string length. */
1342 bogo = htonl(len);
1343 COPYBACK(m, off, 4, (caddr_t)&bogo);
1344 off += 4;
1345
1346 /* Write new string. */
1347 COPYBACK(m, off, xlen, uaddr);
1348
1349 /* Determine difference in data lengths. */
1350 diff = xlen - XDRALIGN(B(rr->rr_v3.xu_xslen));
1351
1352 /*
1353 * If our new string has a different length, make necessary
1354 * adjustments.
1355 */
1356 if (diff != 0)
1357 ipf_p_rpcb_fixlen(fin, diff);
1358
1359 return(diff);
1360 }
1361
1362 /* -------------------------------------------------------------------- */
1363 /* Function: ipf_p_rpcb_modv4 */
1364 /* Returns: int -- change in packet length */
1365 /* Parameters: fin(I) - pointer to packet information */
1366 /* nat(I) - pointer to NAT session */
1367 /* rm(I) - pointer to RPC message structure */
1368 /* m(I) - pointer to mbuf chain */
1369 /* off(I) - offset within mbuf chain */
1370 /* */
1371 /* Write new rpcb_entry list, adjusting lengths as necessary. */
1372 /* -------------------------------------------------------------------- */
1373 static int
ipf_p_rpcb_modv4(fin,nat,rm,m,off)1374 ipf_p_rpcb_modv4(fin, nat, rm, m, off)
1375 fr_info_t *fin;
1376 nat_t *nat;
1377 rpc_msg_t *rm;
1378 mb_t *m;
1379 u_int off;
1380 {
1381 u_int len, xlen, pos, bogo;
1382 rpcb_listp_t *rl;
1383 rpcb_entry_t *re;
1384 rpc_resp_t *rr;
1385 char uaddr[24];
1386 int diff, cnt;
1387 char *i, *p;
1388
1389 diff = 0;
1390 rr = &rm->rm_resp;
1391 rl = &rr->rr_v4;
1392
1393 i = (char *)&nat->nat_ndstaddr;
1394
1395 /* Determine mbuf offset to write to. */
1396 re = &rl->rl_entries[0];
1397 pos = (char *)re->re_maddr.xu_xslen - rm->rm_msgbuf;
1398 off += pos;
1399
1400 for (cnt = 0; cnt < rl->rl_cnt; cnt++) {
1401 re = &rl->rl_entries[cnt];
1402 p = (char *)&re->re_maddr.xu_port;
1403
1404 /* Form new string. */
1405 bzero(uaddr, sizeof(uaddr)); /* Just in case we need
1406 padding. */
1407 #if defined(SNPRINTF) && defined(_KERNEL)
1408 SNPRINTF(uaddr, sizeof(uaddr),
1409 #else
1410 (void) sprintf(uaddr,
1411 #endif
1412 "%u.%u.%u.%u.%u.%u", i[0] & 0xff,
1413 i[1] & 0xff, i[2] & 0xff, i[3] & 0xff,
1414 p[0] & 0xff, p[1] & 0xff);
1415 len = strlen(uaddr);
1416 xlen = XDRALIGN(len);
1417
1418 /* Write new string length. */
1419 bogo = htonl(len);
1420 COPYBACK(m, off, 4, (caddr_t)&bogo);
1421 off += 4;
1422
1423 /* Write new string. */
1424 COPYBACK(m, off, xlen, uaddr);
1425 off += xlen;
1426
1427 /* Record any change in length. */
1428 diff += xlen - XDRALIGN(B(re->re_maddr.xu_xslen));
1429
1430 /* If the length changed, copy back the rest of this entry. */
1431 len = ((char *)re->re_more + 4) -
1432 (char *)re->re_netid.xp_xslen;
1433 if (diff != 0) {
1434 COPYBACK(m, off, len, (caddr_t)re->re_netid.xp_xslen);
1435 }
1436 off += len;
1437 }
1438
1439 /*
1440 * If our new string has a different length, make necessary
1441 * adjustments.
1442 */
1443 if (diff != 0)
1444 ipf_p_rpcb_fixlen(fin, diff);
1445
1446 return(diff);
1447 }
1448
1449
1450 /* -------------------------------------------------------------------- */
1451 /* Function: ipf_p_rpcb_fixlen */
1452 /* Returns: (void) */
1453 /* Parameters: fin(I) - pointer to packet information */
1454 /* len(I) - change in packet length */
1455 /* */
1456 /* Adjust various packet related lengths held in structure and packet */
1457 /* header fields. */
1458 /* -------------------------------------------------------------------- */
1459 static void
ipf_p_rpcb_fixlen(fin,len)1460 ipf_p_rpcb_fixlen(fin, len)
1461 fr_info_t *fin;
1462 int len;
1463 {
1464 udphdr_t *udp;
1465
1466 udp = fin->fin_dp;
1467 udp->uh_ulen = htons(ntohs(udp->uh_ulen) + len);
1468 fin->fin_plen += len;
1469 fin->fin_ip->ip_len = htons(fin->fin_plen);
1470 fin->fin_dlen += len;
1471 }
1472
1473 #undef B
1474