1 /* $NetBSD: ip_rpcb_pxy.c,v 1.4 2014/03/20 20:43:12 christos Exp $ */
2
3 /*
4 * Copyright (C) 2002-2012 by Ryan Beasley <ryanb@goddamnbastard.org>
5 *
6 * See the IPFILTER.LICENCE file for details on licencing.
7 */
8 /*
9 * Overview:
10 * This is an in-kernel application proxy for Sun's RPCBIND (nee portmap)
11 * protocol as defined in RFC1833. It is far from complete, mostly
12 * lacking in less-likely corner cases, but it's definitely functional.
13 *
14 * Invocation:
15 * rdr <int> <e_ip>/32 port <e_p> -> <i_ip> port <i_p> udp proxy rpcbu
16 *
17 * If the host running IP Filter is the same as the RPC server, it's
18 * perfectly legal for both the internal and external addresses and ports
19 * to match.
20 *
21 * When triggered by appropriate IP NAT rules, this proxy works by
22 * examining data contained in received packets. Requests and replies are
23 * modified, NAT and state table entries created, etc., as necessary.
24 */
25 /*
26 * TODO / NOTES
27 *
28 * o Must implement locking to protect proxy session data.
29 * o Fragmentation isn't supported.
30 * o Only supports UDP.
31 * o Doesn't support multiple RPC records in a single request.
32 * o Errors should be more fine-grained. (e.g., malloc failure vs.
33 * illegal RPCB request / reply)
34 * o Even with the limit on the total amount of recorded transactions,
35 * should there be a timeout on transaction removal?
36 * o There is a potential collision between cloning, wildcard NAT and
37 * state entries. There should be an appr_getport routine for
38 * to avoid this.
39 * o The enclosed hack of STREAMS support is pretty sick and most likely
40 * broken.
41 *
42 * Id: ip_rpcb_pxy.c,v 1.1.1.2 2012/07/22 13:45:34 darrenr Exp
43 */
44
45 #include <sys/cdefs.h>
46 __KERNEL_RCSID(1, "$NetBSD: ip_rpcb_pxy.c,v 1.4 2014/03/20 20:43:12 christos Exp $");
47
48 #define IPF_RPCB_PROXY
49
50 /*
51 * Function prototypes
52 */
53 void ipf_p_rpcb_main_load(void);
54 void ipf_p_rpcb_main_unload(void);
55 int ipf_p_rpcb_new(void *, fr_info_t *, ap_session_t *, nat_t *);
56 void ipf_p_rpcb_del(ipf_main_softc_t *, ap_session_t *);
57 int ipf_p_rpcb_in(void *, fr_info_t *, ap_session_t *, nat_t *);
58 int ipf_p_rpcb_out(void *, fr_info_t *, ap_session_t *, nat_t *);
59
60 static void ipf_p_rpcb_flush(rpcb_session_t *);
61 static int ipf_p_rpcb_decodereq(fr_info_t *, nat_t *,
62 rpcb_session_t *, rpc_msg_t *);
63 static int ipf_p_rpcb_skipauth(rpc_msg_t *, xdr_auth_t *, u_32_t **);
64 static int ipf_p_rpcb_insert(rpcb_session_t *, rpcb_xact_t *);
65 static int ipf_p_rpcb_xdrrpcb(rpc_msg_t *, u_32_t *, rpcb_args_t *);
66 static int ipf_p_rpcb_getuaddr(rpc_msg_t *, xdr_uaddr_t *,
67 u_32_t **);
68 static u_int ipf_p_rpcb_atoi(char *);
69 static int ipf_p_rpcb_modreq(fr_info_t *, nat_t *, rpc_msg_t *,
70 mb_t *, u_int);
71 static int ipf_p_rpcb_decoderep(fr_info_t *, nat_t *,
72 rpcb_session_t *, rpc_msg_t *, rpcb_xact_t **);
73 static rpcb_xact_t * ipf_p_rpcb_lookup(rpcb_session_t *, u_32_t);
74 static void ipf_p_rpcb_deref(rpcb_session_t *, rpcb_xact_t *);
75 static int ipf_p_rpcb_getproto(rpc_msg_t *, xdr_proto_t *,
76 u_32_t **);
77 static int ipf_p_rpcb_getnat(fr_info_t *, nat_t *, u_int, u_int);
78 static int ipf_p_rpcb_modv3(fr_info_t *, nat_t *, rpc_msg_t *,
79 mb_t *, u_int);
80 static int ipf_p_rpcb_modv4(fr_info_t *, nat_t *, rpc_msg_t *,
81 mb_t *, u_int);
82 static void ipf_p_rpcb_fixlen(fr_info_t *, int);
83
84 /*
85 * Global variables
86 */
87 static frentry_t rpcbfr; /* Skeleton rule for reference by entities
88 this proxy creates. */
89 static int rpcbcnt; /* Upper bound of allocated RPCB sessions. */
90 /* XXX rpcbcnt still requires locking. */
91
92 static int rpcb_proxy_init = 0;
93
94
95 /*
96 * Since rpc_msg contains only pointers, one should use this macro as a
97 * handy way to get to the goods. (In case you're wondering about the name,
98 * this started as BYTEREF -> BREF -> B.)
99 */
100 #define B(r) (u_32_t)ntohl(*(r))
101
102 /*
103 * Public subroutines
104 */
105
106 /* -------------------------------------------------------------------- */
107 /* Function: ipf_p_rpcb_main_load */
108 /* Returns: void */
109 /* Parameters: (void) */
110 /* */
111 /* Initialize the filter rule entry and session limiter. */
112 /* -------------------------------------------------------------------- */
113 void
ipf_p_rpcb_main_load(void)114 ipf_p_rpcb_main_load(void)
115 {
116 rpcbcnt = 0;
117
118 bzero((char *)&rpcbfr, sizeof(rpcbfr));
119 rpcbfr.fr_ref = 1;
120 rpcbfr.fr_flags = FR_PASS|FR_QUICK|FR_KEEPSTATE;
121 MUTEX_INIT(&rpcbfr.fr_lock, "ipf Sun RPCB proxy rule lock");
122 rpcb_proxy_init = 1;
123 }
124
125 /* -------------------------------------------------------------------- */
126 /* Function: ipf_p_rpcb_main_unload */
127 /* Returns: void */
128 /* Parameters: (void) */
129 /* */
130 /* Destroy rpcbfr's mutex to avoid a lock leak. */
131 /* -------------------------------------------------------------------- */
132 void
ipf_p_rpcb_main_unload(void)133 ipf_p_rpcb_main_unload(void)
134 {
135 if (rpcb_proxy_init == 1) {
136 MUTEX_DESTROY(&rpcbfr.fr_lock);
137 rpcb_proxy_init = 0;
138 }
139 }
140
141 /* -------------------------------------------------------------------- */
142 /* Function: ipf_p_rpcb_new */
143 /* Returns: int - -1 == failure, 0 == success */
144 /* Parameters: fin(I) - pointer to packet information */
145 /* aps(I) - pointer to proxy session structure */
146 /* nat(I) - pointer to NAT session structure */
147 /* */
148 /* Allocate resources for per-session proxy structures. */
149 /* -------------------------------------------------------------------- */
150 int
ipf_p_rpcb_new(void * arg,fr_info_t * fin,ap_session_t * aps,nat_t * nat)151 ipf_p_rpcb_new(void *arg, fr_info_t *fin, ap_session_t *aps, nat_t *nat)
152 {
153 rpcb_session_t *rs;
154
155 nat = nat; /* LINT */
156
157 if (fin->fin_v != 4)
158 return -1;
159
160 KMALLOC(rs, rpcb_session_t *);
161 if (rs == NULL)
162 return(-1);
163
164 bzero((char *)rs, sizeof(*rs));
165 MUTEX_INIT(&rs->rs_rxlock, "ipf Sun RPCB proxy session lock");
166
167 aps->aps_data = rs;
168
169 return(0);
170 }
171
172 /* -------------------------------------------------------------------- */
173 /* Function: ipf_p_rpcb_del */
174 /* Returns: void */
175 /* Parameters: aps(I) - pointer to proxy session structure */
176 /* */
177 /* Free up a session's list of RPCB requests. */
178 /* -------------------------------------------------------------------- */
179 void
ipf_p_rpcb_del(ipf_main_softc_t * softc,ap_session_t * aps)180 ipf_p_rpcb_del(ipf_main_softc_t *softc, ap_session_t *aps)
181 {
182 rpcb_session_t *rs;
183 rs = (rpcb_session_t *)aps->aps_data;
184
185 MUTEX_ENTER(&rs->rs_rxlock);
186 ipf_p_rpcb_flush(rs);
187 MUTEX_EXIT(&rs->rs_rxlock);
188 MUTEX_DESTROY(&rs->rs_rxlock);
189 }
190
191 /* -------------------------------------------------------------------- */
192 /* Function: ipf_p_rpcb_in */
193 /* Returns: int - APR_ERR(1) == drop the packet, */
194 /* APR_ERR(2) == kill the proxy session, */
195 /* else change in packet length (in bytes) */
196 /* Parameters: fin(I) - pointer to packet information */
197 /* ip(I) - pointer to packet header */
198 /* aps(I) - pointer to proxy session structure */
199 /* nat(I) - pointer to NAT session structure */
200 /* */
201 /* Given a presumed RPCB request, perform some minor tests and pass off */
202 /* for decoding. Also pass packet off for a rewrite if necessary. */
203 /* -------------------------------------------------------------------- */
204 int
ipf_p_rpcb_in(void * arg,fr_info_t * fin,ap_session_t * aps,nat_t * nat)205 ipf_p_rpcb_in(void *arg, fr_info_t *fin, ap_session_t *aps, nat_t *nat)
206 {
207 rpc_msg_t rpcmsg, *rm;
208 rpcb_session_t *rs;
209 u_int off, dlen;
210 mb_t *m;
211 int rv;
212
213 /* Disallow fragmented or illegally short packets. */
214 if ((fin->fin_flx & (FI_FRAG|FI_SHORT)) != 0)
215 return(APR_ERR(1));
216
217 /* Perform basic variable initialization. */
218 rs = (rpcb_session_t *)aps->aps_data;
219
220 m = fin->fin_m;
221 off = (char *)fin->fin_dp - (char *)fin->fin_ip;
222 off += sizeof(udphdr_t) + fin->fin_ipoff;
223 dlen = fin->fin_dlen - sizeof(udphdr_t);
224
225 /* Disallow packets outside legal range for supported requests. */
226 if ((dlen < RPCB_REQMIN) || (dlen > RPCB_REQMAX))
227 return(APR_ERR(1));
228
229 /* Copy packet over to convenience buffer. */
230 rm = &rpcmsg;
231 bzero((char *)rm, sizeof(*rm));
232 COPYDATA(m, off, dlen, (void *)&rm->rm_msgbuf);
233 rm->rm_buflen = dlen;
234
235 /* Send off to decode request. */
236 rv = ipf_p_rpcb_decodereq(fin, nat, rs, rm);
237
238 switch(rv)
239 {
240 case -1:
241 return(APR_ERR(1));
242 /*NOTREACHED*/
243 break;
244 case 0:
245 break;
246 case 1:
247 rv = ipf_p_rpcb_modreq(fin, nat, rm, m, off);
248 break;
249 default:
250 /*CONSTANTCONDITION*/
251 IPF_PANIC(1, ("illegal rv %d (ipf_p_rpcb_req)", rv));
252 }
253
254 return(rv);
255 }
256
257 /* -------------------------------------------------------------------- */
258 /* Function: ipf_p_rpcb_out */
259 /* Returns: int - APR_ERR(1) == drop the packet, */
260 /* APR_ERR(2) == kill the proxy session, */
261 /* else change in packet length (in bytes) */
262 /* Parameters: fin(I) - pointer to packet information */
263 /* ip(I) - pointer to packet header */
264 /* aps(I) - pointer to proxy session structure */
265 /* nat(I) - pointer to NAT session structure */
266 /* */
267 /* Given a presumed RPCB reply, perform some minor tests and pass off */
268 /* for decoding. If the message indicates a successful request with */
269 /* valid addressing information, create NAT and state structures to */
270 /* allow direct communication between RPC client and server. */
271 /* -------------------------------------------------------------------- */
272 int
ipf_p_rpcb_out(void * arg,fr_info_t * fin,ap_session_t * aps,nat_t * nat)273 ipf_p_rpcb_out(void *arg, fr_info_t *fin, ap_session_t *aps, nat_t *nat)
274 {
275 rpc_msg_t rpcmsg, *rm;
276 rpcb_session_t *rs;
277 rpcb_xact_t *rx;
278 u_int off, dlen;
279 int rv, diff;
280 mb_t *m;
281
282 rx = NULL; /* XXX gcc */
283
284 /* Disallow fragmented or illegally short packets. */
285 if ((fin->fin_flx & (FI_FRAG|FI_SHORT)) != 0)
286 return(APR_ERR(1));
287
288 /* Perform basic variable initialization. */
289 rs = (rpcb_session_t *)aps->aps_data;
290 rx = NULL;
291
292 m = fin->fin_m;
293 off = (char *)fin->fin_dp - (char *)fin->fin_ip;
294 off += sizeof(udphdr_t) + fin->fin_ipoff;
295 dlen = fin->fin_dlen - sizeof(udphdr_t);
296 diff = 0;
297
298 /* Disallow packets outside legal range for supported requests. */
299 if ((dlen < RPCB_REPMIN) || (dlen > RPCB_REPMAX))
300 return(APR_ERR(1));
301
302 /* Copy packet over to convenience buffer. */
303 rm = &rpcmsg;
304 bzero((char *)rm, sizeof(*rm));
305 COPYDATA(m, off, dlen, (void *)&rm->rm_msgbuf);
306 rm->rm_buflen = dlen;
307
308 rx = NULL; /* XXX gcc */
309
310 /* Send off to decode reply. */
311 rv = ipf_p_rpcb_decoderep(fin, nat, rs, rm, &rx);
312
313 switch(rv)
314 {
315 case -1: /* Bad packet */
316 if (rx != NULL) {
317 MUTEX_ENTER(&rs->rs_rxlock);
318 ipf_p_rpcb_deref(rs, rx);
319 MUTEX_EXIT(&rs->rs_rxlock);
320 }
321 return(APR_ERR(1));
322 /*NOTREACHED*/
323 break;
324 case 0: /* Negative reply / request rejected */
325 break;
326 case 1: /* Positive reply */
327 /*
328 * With the IP address embedded in a GETADDR(LIST) reply,
329 * we'll need to rewrite the packet in the very possible
330 * event that the internal & external addresses aren't the
331 * same. (i.e., this box is either a router or rpcbind
332 * only listens on loopback.)
333 */
334 if (nat->nat_odstaddr != nat->nat_ndstaddr) {
335 if (rx->rx_type == RPCB_RES_STRING)
336 diff = ipf_p_rpcb_modv3(fin, nat, rm, m, off);
337 else if (rx->rx_type == RPCB_RES_LIST)
338 diff = ipf_p_rpcb_modv4(fin, nat, rm, m, off);
339 }
340 break;
341 default:
342 /*CONSTANTCONDITION*/
343 IPF_PANIC(1, ("illegal rv %d (ipf_p_rpcb_decoderep)", rv));
344 }
345
346 if (rx != NULL) {
347 MUTEX_ENTER(&rs->rs_rxlock);
348 /* XXX Gross hack - I'm overloading the reference
349 * counter to deal with both threads and retransmitted
350 * requests. One deref signals that this thread is
351 * finished with rx, and the other signals that we've
352 * processed its reply.
353 */
354 ipf_p_rpcb_deref(rs, rx);
355 ipf_p_rpcb_deref(rs, rx);
356 MUTEX_EXIT(&rs->rs_rxlock);
357 }
358
359 return(diff);
360 }
361
362 /*
363 * Private support subroutines
364 */
365
366 /* -------------------------------------------------------------------- */
367 /* Function: ipf_p_rpcb_flush */
368 /* Returns: void */
369 /* Parameters: rs(I) - pointer to RPCB session structure */
370 /* */
371 /* Simply flushes the list of outstanding transactions, if any. */
372 /* -------------------------------------------------------------------- */
373 static void
ipf_p_rpcb_flush(rpcb_session_t * rs)374 ipf_p_rpcb_flush(rpcb_session_t *rs)
375 {
376 rpcb_xact_t *r1, *r2;
377
378 r1 = rs->rs_rxlist;
379 if (r1 == NULL)
380 return;
381
382 while (r1 != NULL) {
383 r2 = r1;
384 r1 = r1->rx_next;
385 KFREE(r2);
386 }
387 }
388
389 /* -------------------------------------------------------------------- */
390 /* Function: ipf_p_rpcb_decodereq */
391 /* Returns: int - -1 == bad request or critical failure, */
392 /* 0 == request successfully decoded, */
393 /* 1 == request successfully decoded; requires */
394 /* address rewrite/modification */
395 /* Parameters: fin(I) - pointer to packet information */
396 /* nat(I) - pointer to NAT session structure */
397 /* rs(I) - pointer to RPCB session structure */
398 /* rm(I) - pointer to RPC message structure */
399 /* */
400 /* Take a presumed RPCB request, decode it, and store the results in */
401 /* the transaction list. If the internal target address needs to be */
402 /* modified, store its location in ptr. */
403 /* WARNING: It's the responsibility of the caller to make sure there */
404 /* is enough room in rs_buf for the basic RPC message "preamble". */
405 /* -------------------------------------------------------------------- */
406 static int
ipf_p_rpcb_decodereq(fr_info_t * fin,nat_t * nat,rpcb_session_t * rs,rpc_msg_t * rm)407 ipf_p_rpcb_decodereq(fr_info_t *fin, nat_t *nat, rpcb_session_t *rs,
408 rpc_msg_t *rm)
409 {
410 rpcb_args_t *ra;
411 u_32_t xdr, *p;
412 rpc_call_t *rc;
413 rpcb_xact_t rx;
414 int mod;
415
416 p = (u_32_t *)rm->rm_msgbuf;
417 mod = 0;
418
419 bzero((char *)&rx, sizeof(rx));
420 rc = &rm->rm_call;
421
422 rm->rm_xid = p;
423 rx.rx_xid = B(p++); /* Record this message's XID. */
424
425 /* Parse out and test the RPC header. */
426 if ((B(p++) != RPCB_CALL) ||
427 (B(p++) != RPCB_MSG_VERSION) ||
428 (B(p++) != RPCB_PROG))
429 return(-1);
430
431 /* Record the RPCB version and procedure. */
432 rc->rc_vers = p++;
433 rc->rc_proc = p++;
434
435 /* Bypass RPC authentication stuff. */
436 if (ipf_p_rpcb_skipauth(rm, &rc->rc_authcred, &p) != 0)
437 return(-1);
438 if (ipf_p_rpcb_skipauth(rm, &rc->rc_authverf, &p) != 0)
439 return(-1);
440
441 /* Compare RPCB version and procedure numbers. */
442 switch(B(rc->rc_vers))
443 {
444 case 2:
445 /* This proxy only supports PMAP_GETPORT. */
446 if (B(rc->rc_proc) != RPCB_GETPORT)
447 return(-1);
448
449 /* Portmap requests contain four 4 byte parameters. */
450 if (RPCB_BUF_EQ(rm, p, 16) == 0)
451 return(-1);
452
453 p += 2; /* Skip requested program and version numbers. */
454
455 /* Sanity check the requested protocol. */
456 xdr = B(p);
457 if (!(xdr == IPPROTO_UDP || xdr == IPPROTO_TCP))
458 return(-1);
459
460 rx.rx_type = RPCB_RES_PMAP;
461 rx.rx_proto = xdr;
462 break;
463 case 3:
464 case 4:
465 /* GETADDRLIST is exclusive to v4; GETADDR for v3 & v4 */
466 switch(B(rc->rc_proc))
467 {
468 case RPCB_GETADDR:
469 rx.rx_type = RPCB_RES_STRING;
470 rx.rx_proto = (u_int)fin->fin_p;
471 break;
472 case RPCB_GETADDRLIST:
473 if (B(rc->rc_vers) != 4)
474 return(-1);
475 rx.rx_type = RPCB_RES_LIST;
476 break;
477 default:
478 return(-1);
479 }
480
481 ra = &rc->rc_rpcbargs;
482
483 /* Decode the 'struct rpcb' request. */
484 if (ipf_p_rpcb_xdrrpcb(rm, p, ra) != 0)
485 return(-1);
486
487 /* Are the target address & port valid? */
488 if ((ra->ra_maddr.xu_ip != nat->nat_ndstaddr) ||
489 (ra->ra_maddr.xu_port != nat->nat_ndport))
490 return(-1);
491
492 /* Do we need to rewrite this packet? */
493 if ((nat->nat_ndstaddr != nat->nat_odstaddr) ||
494 (nat->nat_ndport != nat->nat_odport))
495 mod = 1;
496 break;
497 default:
498 return(-1);
499 }
500
501 MUTEX_ENTER(&rs->rs_rxlock);
502 if (ipf_p_rpcb_insert(rs, &rx) != 0) {
503 MUTEX_EXIT(&rs->rs_rxlock);
504 return(-1);
505 }
506 MUTEX_EXIT(&rs->rs_rxlock);
507
508 return(mod);
509 }
510
511 /* -------------------------------------------------------------------- */
512 /* Function: ipf_p_rpcb_skipauth */
513 /* Returns: int -- -1 == illegal auth parameters (lengths) */
514 /* 0 == valid parameters, pointer advanced */
515 /* Parameters: rm(I) - pointer to RPC message structure */
516 /* auth(I) - pointer to RPC auth structure */
517 /* buf(IO) - pointer to location within convenience buffer */
518 /* */
519 /* Record auth data length & location of auth data, then advance past */
520 /* it. */
521 /* -------------------------------------------------------------------- */
522 static int
ipf_p_rpcb_skipauth(rpc_msg_t * rm,xdr_auth_t * auth,u_32_t ** buf)523 ipf_p_rpcb_skipauth(rpc_msg_t *rm, xdr_auth_t *auth, u_32_t **buf)
524 {
525 u_32_t *p, xdr;
526
527 p = *buf;
528
529 /* Make sure we have enough space for expected fixed auth parms. */
530 if (RPCB_BUF_GEQ(rm, p, 8) == 0)
531 return(-1);
532
533 p++; /* We don't care about auth_flavor. */
534
535 auth->xa_string.xs_len = p;
536 xdr = B(p++); /* Length of auth_data */
537
538 /* Test for absurdity / illegality of auth_data length. */
539 if ((XDRALIGN(xdr) < xdr) || (RPCB_BUF_GEQ(rm, p, XDRALIGN(xdr)) == 0))
540 return(-1);
541
542 auth->xa_string.xs_str = (char *)p;
543
544 p += XDRALIGN(xdr); /* Advance our location. */
545
546 *buf = (u_32_t *)p;
547
548 return(0);
549 }
550
551 /* -------------------------------------------------------------------- */
552 /* Function: ipf_p_rpcb_insert */
553 /* Returns: int -- -1 == list insertion failed, */
554 /* 0 == item successfully added */
555 /* Parameters: rs(I) - pointer to RPCB session structure */
556 /* rx(I) - pointer to RPCB transaction structure */
557 /* -------------------------------------------------------------------- */
558 static int
ipf_p_rpcb_insert(rpcb_session_t * rs,rpcb_xact_t * rx)559 ipf_p_rpcb_insert(rpcb_session_t *rs, rpcb_xact_t *rx)
560 {
561 rpcb_xact_t *rxp;
562
563 rxp = ipf_p_rpcb_lookup(rs, rx->rx_xid);
564 if (rxp != NULL) {
565 ++rxp->rx_ref;
566 return(0);
567 }
568
569 if (rpcbcnt == RPCB_MAXREQS)
570 return(-1);
571
572 KMALLOC(rxp, rpcb_xact_t *);
573 if (rxp == NULL)
574 return(-1);
575
576 bcopy((char *)rx, (char *)rxp, sizeof(*rx));
577
578 if (rs->rs_rxlist != NULL)
579 rs->rs_rxlist->rx_pnext = &rxp->rx_next;
580
581 rxp->rx_pnext = &rs->rs_rxlist;
582 rxp->rx_next = rs->rs_rxlist;
583 rs->rs_rxlist = rxp;
584
585 rxp->rx_ref = 1;
586
587 ++rpcbcnt;
588
589 return(0);
590 }
591
592 /* -------------------------------------------------------------------- */
593 /* Function: ipf_p_rpcb_xdrrpcb */
594 /* Returns: int -- -1 == failure to properly decode the request */
595 /* 0 == rpcb successfully decoded */
596 /* Parameters: rs(I) - pointer to RPCB session structure */
597 /* p(I) - pointer to location within session buffer */
598 /* rpcb(O) - pointer to rpcb (xdr type) structure */
599 /* */
600 /* Decode a XDR encoded rpcb structure and record its contents in rpcb */
601 /* within only the context of TCP/UDP over IP networks. */
602 /* -------------------------------------------------------------------- */
603 static int
ipf_p_rpcb_xdrrpcb(rpc_msg_t * rm,u_32_t * p,rpcb_args_t * ra)604 ipf_p_rpcb_xdrrpcb(rpc_msg_t *rm, u_32_t *p, rpcb_args_t *ra)
605 {
606 if (!RPCB_BUF_GEQ(rm, p, 20))
607 return(-1);
608
609 /* Bypass target program & version. */
610 p += 2;
611
612 /* Decode r_netid. Must be "tcp" or "udp". */
613 if (ipf_p_rpcb_getproto(rm, &ra->ra_netid, &p) != 0)
614 return(-1);
615
616 /* Decode r_maddr. */
617 if (ipf_p_rpcb_getuaddr(rm, &ra->ra_maddr, &p) != 0)
618 return(-1);
619
620 /* Advance to r_owner and make sure it's empty. */
621 if (!RPCB_BUF_EQ(rm, p, 4) || (B(p) != 0))
622 return(-1);
623
624 return(0);
625 }
626
627 /* -------------------------------------------------------------------- */
628 /* Function: ipf_p_rpcb_getuaddr */
629 /* Returns: int -- -1 == illegal string, */
630 /* 0 == string parsed; contents recorded */
631 /* Parameters: rm(I) - pointer to RPC message structure */
632 /* xu(I) - pointer to universal address structure */
633 /* p(IO) - pointer to location within message buffer */
634 /* */
635 /* Decode the IP address / port at p and record them in xu. */
636 /* -------------------------------------------------------------------- */
637 static int
ipf_p_rpcb_getuaddr(rpc_msg_t * rm,xdr_uaddr_t * xu,u_32_t ** p)638 ipf_p_rpcb_getuaddr(rpc_msg_t *rm, xdr_uaddr_t *xu, u_32_t **p)
639 {
640 char *c, *i, *b, *pp;
641 u_int d, dd, l, t;
642 char uastr[24];
643
644 /* Test for string length. */
645 if (!RPCB_BUF_GEQ(rm, *p, 4))
646 return(-1);
647
648 xu->xu_xslen = (*p)++;
649 xu->xu_xsstr = (char *)*p;
650
651 /* Length check */
652 l = B(xu->xu_xslen);
653 if (l < 11 || l > 23 || !RPCB_BUF_GEQ(rm, *p, XDRALIGN(l)))
654 return(-1);
655
656 /* Advance p */
657 *(char **)p += XDRALIGN(l);
658
659 /* Copy string to local buffer & terminate C style */
660 bcopy(xu->xu_xsstr, uastr, l);
661 uastr[l] = '\0';
662
663 i = (char *)&xu->xu_ip;
664 pp = (char *)&xu->xu_port;
665
666 /*
667 * Expected format: a.b.c.d.e.f where [a-d] correspond to bytes of
668 * an IP address and [ef] are the bytes of a L4 port.
669 */
670 if (!(ISDIGIT(uastr[0]) && ISDIGIT(uastr[l-1])))
671 return(-1);
672 b = uastr;
673 for (c = &uastr[1], d = 0, dd = 0; c < &uastr[l-1]; c++) {
674 if (ISDIGIT(*c)) {
675 dd = 0;
676 continue;
677 }
678 if (*c == '.') {
679 if (dd != 0)
680 return(-1);
681
682 /* Check for ASCII byte. */
683 *c = '\0';
684 t = ipf_p_rpcb_atoi(b);
685 if (t > 255)
686 return(-1);
687
688 /* Aim b at beginning of the next byte. */
689 b = c + 1;
690
691 /* Switch off IP addr vs port parsing. */
692 if (d < 4)
693 i[d++] = t & 0xff;
694 else
695 pp[d++ - 4] = t & 0xff;
696
697 dd = 1;
698 continue;
699 }
700 return(-1);
701 }
702 if (d != 5) /* String must contain exactly 5 periods. */
703 return(-1);
704
705 /* Handle the last byte (port low byte) */
706 t = ipf_p_rpcb_atoi(b);
707 if (t > 255)
708 return(-1);
709 pp[d - 4] = t & 0xff;
710
711 return(0);
712 }
713
714 /* -------------------------------------------------------------------- */
715 /* Function: ipf_p_rpcb_atoi (XXX should be generic for all proxies) */
716 /* Returns: int -- integer representation of supplied string */
717 /* Parameters: ptr(I) - input string */
718 /* */
719 /* Simple version of atoi(3) ripped from ip_rcmd_pxy.c. */
720 /* -------------------------------------------------------------------- */
721 static u_int
ipf_p_rpcb_atoi(char * ptr)722 ipf_p_rpcb_atoi(char *ptr)
723 {
724 char *s = ptr, c;
725 u_int i = 0;
726
727 while (((c = *s++) != '\0') && ISDIGIT(c)) {
728 i *= 10;
729 i += c - '0';
730 }
731 return i;
732 }
733
734 /* -------------------------------------------------------------------- */
735 /* Function: ipf_p_rpcb_modreq */
736 /* Returns: int -- change in datagram length */
737 /* APR_ERR(2) - critical failure */
738 /* Parameters: fin(I) - pointer to packet information */
739 /* nat(I) - pointer to NAT session */
740 /* rm(I) - pointer to RPC message structure */
741 /* m(I) - pointer to mbuf chain */
742 /* off(I) - current offset within mbuf chain */
743 /* */
744 /* When external and internal addresses differ, we rewrite the former */
745 /* with the latter. (This is exclusive to protocol versions 3 & 4). */
746 /* -------------------------------------------------------------------- */
747 static int
ipf_p_rpcb_modreq(fr_info_t * fin,nat_t * nat,rpc_msg_t * rm,mb_t * m,u_int off)748 ipf_p_rpcb_modreq(fr_info_t *fin, nat_t *nat, rpc_msg_t *rm, mb_t *m, u_int off)
749 {
750 u_int len, xlen, pos, bogo;
751 rpcb_args_t *ra;
752 char uaddr[24];
753 udphdr_t *udp;
754 char *i, *p;
755 int diff;
756
757 ra = &rm->rm_call.rc_rpcbargs;
758 i = (char *)&nat->nat_odstaddr;
759 p = (char *)&nat->nat_odport;
760
761 /* Form new string. */
762 bzero(uaddr, sizeof(uaddr)); /* Just in case we need padding. */
763 snprintf(uaddr, sizeof(uaddr),
764 "%u.%u.%u.%u.%u.%u", i[0] & 0xff, i[1] & 0xff,
765 i[2] & 0xff, i[3] & 0xff, p[0] & 0xff, p[1] & 0xff);
766 len = strlen(uaddr);
767 xlen = XDRALIGN(len);
768
769 /* Determine mbuf offset to start writing to. */
770 pos = (char *)ra->ra_maddr.xu_xslen - rm->rm_msgbuf;
771 off += pos;
772
773 /* Write new string length. */
774 bogo = htonl(len);
775 COPYBACK(m, off, 4, (void *)&bogo);
776 off += 4;
777
778 /* Write new string. */
779 COPYBACK(m, off, xlen, uaddr);
780 off += xlen;
781
782 /* Write in zero r_owner. */
783 bogo = 0;
784 COPYBACK(m, off, 4, (void *)&bogo);
785
786 /* Determine difference in data lengths. */
787 diff = xlen - XDRALIGN(B(ra->ra_maddr.xu_xslen));
788
789 /*
790 * If our new string has a different length, make necessary
791 * adjustments.
792 */
793 if (diff != 0) {
794 udp = fin->fin_dp;
795 udp->uh_ulen = htons(ntohs(udp->uh_ulen) + diff);
796 fin->fin_plen += diff;
797 fin->fin_ip->ip_len = htons(fin->fin_plen);
798 fin->fin_dlen += diff;
799 /* XXX Storage lengths. */
800 }
801
802 return(diff);
803 }
804
805 /* -------------------------------------------------------------------- */
806 /* Function: ipf_p_rpcb_decoderep */
807 /* Returns: int - -1 == bad request or critical failure, */
808 /* 0 == valid, negative reply */
809 /* 1 == vaddlid, positive reply; needs no changes */
810 /* Parameters: fin(I) - pointer to packet information */
811 /* nat(I) - pointer to NAT session structure */
812 /* rs(I) - pointer to RPCB session structure */
813 /* rm(I) - pointer to RPC message structure */
814 /* rxp(O) - pointer to RPCB transaction structure */
815 /* */
816 /* Take a presumed RPCB reply, extract the XID, search for the original */
817 /* request information, and determine whether the request was accepted */
818 /* or rejected. With a valid accepted reply, go ahead and create NAT */
819 /* and state entries, and finish up by rewriting the packet as */
820 /* required. */
821 /* */
822 /* WARNING: It's the responsibility of the caller to make sure there */
823 /* is enough room in rs_buf for the basic RPC message "preamble". */
824 /* -------------------------------------------------------------------- */
825 static int
ipf_p_rpcb_decoderep(fr_info_t * fin,nat_t * nat,rpcb_session_t * rs,rpc_msg_t * rm,rpcb_xact_t ** rxp)826 ipf_p_rpcb_decoderep(fr_info_t *fin, nat_t *nat, rpcb_session_t *rs,
827 rpc_msg_t *rm, rpcb_xact_t **rxp)
828 {
829 rpcb_listp_t *rl;
830 rpcb_entry_t *re;
831 rpcb_xact_t *rx;
832 u_32_t xdr, *p;
833 rpc_resp_t *rr;
834 int rv, cnt;
835
836 p = (u_32_t *)rm->rm_msgbuf;
837
838 bzero((char *)&rx, sizeof(rx));
839 rr = &rm->rm_resp;
840
841 rm->rm_xid = p;
842 xdr = B(p++); /* Record this message's XID. */
843
844 /* Lookup XID */
845 MUTEX_ENTER(&rs->rs_rxlock);
846 if ((rx = ipf_p_rpcb_lookup(rs, xdr)) == NULL) {
847 MUTEX_EXIT(&rs->rs_rxlock);
848 return(-1);
849 }
850 ++rx->rx_ref; /* per thread reference */
851 MUTEX_EXIT(&rs->rs_rxlock);
852
853 *rxp = rx;
854
855 /* Test call vs reply */
856 if (B(p++) != RPCB_REPLY)
857 return(-1);
858
859 /* Test reply_stat */
860 switch(B(p++))
861 {
862 case RPCB_MSG_DENIED:
863 return(0);
864 case RPCB_MSG_ACCEPTED:
865 break;
866 default:
867 return(-1);
868 }
869
870 /* Bypass RPC authentication stuff. */
871 if (ipf_p_rpcb_skipauth(rm, &rr->rr_authverf, &p) != 0)
872 return(-1);
873
874 /* Test accept status */
875 if (!RPCB_BUF_GEQ(rm, p, 4))
876 return(-1);
877 if (B(p++) != 0)
878 return(0);
879
880 /* Parse out the expected reply */
881 switch(rx->rx_type)
882 {
883 case RPCB_RES_PMAP:
884 /* There must be only one 4 byte argument. */
885 if (!RPCB_BUF_EQ(rm, p, 4))
886 return(-1);
887
888 rr->rr_v2 = p;
889 xdr = B(rr->rr_v2);
890
891 /* Reply w/ a 0 port indicates service isn't registered */
892 if (xdr == 0)
893 return(0);
894
895 /* Is the value sane? */
896 if (xdr > 65535)
897 return(-1);
898
899 /* Create NAT & state table entries. */
900 if (ipf_p_rpcb_getnat(fin, nat, rx->rx_proto, (u_int)xdr) != 0)
901 return(-1);
902 break;
903 case RPCB_RES_STRING:
904 /* Expecting a XDR string; need 4 bytes for length */
905 if (!RPCB_BUF_GEQ(rm, p, 4))
906 return(-1);
907
908 rr->rr_v3.xu_str.xs_len = p++;
909 rr->rr_v3.xu_str.xs_str = (char *)p;
910
911 xdr = B(rr->rr_v3.xu_xslen);
912
913 /* A null string indicates an unregistered service */
914 if ((xdr == 0) && RPCB_BUF_EQ(rm, p, 0))
915 return(0);
916
917 /* Decode the target IP address / port. */
918 if (ipf_p_rpcb_getuaddr(rm, &rr->rr_v3, &p) != 0)
919 return(-1);
920
921 /* Validate the IP address and port contained. */
922 if (nat->nat_odstaddr != rr->rr_v3.xu_ip)
923 return(-1);
924
925 /* Create NAT & state table entries. */
926 if (ipf_p_rpcb_getnat(fin, nat, rx->rx_proto,
927 (u_int)rr->rr_v3.xu_port) != 0)
928 return(-1);
929 break;
930 case RPCB_RES_LIST:
931 if (!RPCB_BUF_GEQ(rm, p, 4))
932 return(-1);
933 /* rpcb_entry_list_ptr */
934 switch(B(p))
935 {
936 case 0:
937 return(0);
938 /*NOTREACHED*/
939 break;
940 case 1:
941 break;
942 default:
943 return(-1);
944 }
945 rl = &rr->rr_v4;
946 rl->rl_list = p++;
947 cnt = 0;
948
949 for(;;) {
950 re = &rl->rl_entries[rl->rl_cnt];
951 if (ipf_p_rpcb_getuaddr(rm, &re->re_maddr, &p) != 0)
952 return(-1);
953 if (ipf_p_rpcb_getproto(rm, &re->re_netid, &p) != 0)
954 return(-1);
955 /* re_semantics & re_pfamily length */
956 if (!RPCB_BUF_GEQ(rm, p, 12))
957 return(-1);
958 p++; /* Skipping re_semantics. */
959 xdr = B(p++);
960 if ((xdr != 4) || strncmp((char *)p, "inet", 4))
961 return(-1);
962 p++;
963 if (ipf_p_rpcb_getproto(rm, &re->re_proto, &p) != 0)
964 return(-1);
965 if (!RPCB_BUF_GEQ(rm, p, 4))
966 return(-1);
967 re->re_more = p;
968 if (B(re->re_more) > 1) /* 0,1 only legal values */
969 return(-1);
970 ++rl->rl_cnt;
971 ++cnt;
972 if (B(re->re_more) == 0)
973 break;
974 /* Replies in max out at 2; TCP and/or UDP */
975 if (cnt > 2)
976 return(-1);
977 p++;
978 }
979
980 for(rl->rl_cnt = 0; rl->rl_cnt < cnt; rl->rl_cnt++) {
981 re = &rl->rl_entries[rl->rl_cnt];
982 rv = ipf_p_rpcb_getnat(fin, nat,
983 re->re_proto.xp_proto,
984 (u_int)re->re_maddr.xu_port);
985 if (rv != 0)
986 return(-1);
987 }
988 break;
989 default:
990 /*CONSTANTCONDITION*/
991 IPF_PANIC(1, ("illegal rx_type %d", rx->rx_type));
992 }
993
994 return(1);
995 }
996
997 /* -------------------------------------------------------------------- */
998 /* Function: ipf_p_rpcb_lookup */
999 /* Returns: rpcb_xact_t * - NULL == no matching record, */
1000 /* else pointer to relevant entry */
1001 /* Parameters: rs(I) - pointer to RPCB session */
1002 /* xid(I) - XID to look for */
1003 /* -------------------------------------------------------------------- */
1004 static rpcb_xact_t *
ipf_p_rpcb_lookup(rpcb_session_t * rs,u_32_t xid)1005 ipf_p_rpcb_lookup(rpcb_session_t *rs, u_32_t xid)
1006 {
1007 rpcb_xact_t *rx;
1008
1009 if (rs->rs_rxlist == NULL)
1010 return(NULL);
1011
1012 for (rx = rs->rs_rxlist; rx != NULL; rx = rx->rx_next)
1013 if (rx->rx_xid == xid)
1014 break;
1015
1016 return(rx);
1017 }
1018
1019 /* -------------------------------------------------------------------- */
1020 /* Function: ipf_p_rpcb_deref */
1021 /* Returns: (void) */
1022 /* Parameters: rs(I) - pointer to RPCB session */
1023 /* rx(I) - pointer to RPC transaction struct to remove */
1024 /* force(I) - indicates to delete entry regardless of */
1025 /* reference count */
1026 /* Locking: rs->rs_rxlock must be held write only */
1027 /* */
1028 /* Free the RPCB transaction record rx from the chain of entries. */
1029 /* -------------------------------------------------------------------- */
1030 static void
ipf_p_rpcb_deref(rpcb_session_t * rs,rpcb_xact_t * rx)1031 ipf_p_rpcb_deref(rpcb_session_t *rs, rpcb_xact_t *rx)
1032 {
1033 rs = rs; /* LINT */
1034
1035 if (rx == NULL)
1036 return;
1037
1038 if (--rx->rx_ref != 0)
1039 return;
1040
1041 if (rx->rx_next != NULL)
1042 rx->rx_next->rx_pnext = rx->rx_pnext;
1043
1044 *rx->rx_pnext = rx->rx_next;
1045
1046 KFREE(rx);
1047
1048 --rpcbcnt;
1049 }
1050
1051 /* -------------------------------------------------------------------- */
1052 /* Function: ipf_p_rpcb_getproto */
1053 /* Returns: int - -1 == illegal protocol/netid, */
1054 /* 0 == legal protocol/netid */
1055 /* Parameters: rm(I) - pointer to RPC message structure */
1056 /* xp(I) - pointer to netid structure */
1057 /* p(IO) - pointer to location within packet buffer */
1058 /* */
1059 /* Decode netid/proto stored at p and record its numeric value. */
1060 /* -------------------------------------------------------------------- */
1061 static int
ipf_p_rpcb_getproto(rpc_msg_t * rm,xdr_proto_t * xp,u_32_t ** p)1062 ipf_p_rpcb_getproto(rpc_msg_t *rm, xdr_proto_t *xp, u_32_t **p)
1063 {
1064 u_int len;
1065
1066 /* Must have 4 bytes for length & 4 bytes for "tcp" or "udp". */
1067 if (!RPCB_BUF_GEQ(rm, p, 8))
1068 return(-1);
1069
1070 xp->xp_xslen = (*p)++;
1071 xp->xp_xsstr = (char *)*p;
1072
1073 /* Test the string length. */
1074 len = B(xp->xp_xslen);
1075 if (len != 3)
1076 return(-1);
1077
1078 /* Test the actual string & record the protocol accordingly. */
1079 if (!strncmp((char *)xp->xp_xsstr, "tcp\0", 4))
1080 xp->xp_proto = IPPROTO_TCP;
1081 else if (!strncmp((char *)xp->xp_xsstr, "udp\0", 4))
1082 xp->xp_proto = IPPROTO_UDP;
1083 else {
1084 return(-1);
1085 }
1086
1087 /* Advance past the string. */
1088 (*p)++;
1089
1090 return(0);
1091 }
1092
1093 /* -------------------------------------------------------------------- */
1094 /* Function: ipf_p_rpcb_getnat */
1095 /* Returns: int -- -1 == failed to create table entries, */
1096 /* 0 == success */
1097 /* Parameters: fin(I) - pointer to packet information */
1098 /* nat(I) - pointer to NAT table entry */
1099 /* proto(I) - transport protocol for new entries */
1100 /* port(I) - new port to use w/ wildcard table entries */
1101 /* */
1102 /* Create state and NAT entries to handle an anticipated connection */
1103 /* attempt between RPC client and server. */
1104 /* -------------------------------------------------------------------- */
1105 static int
ipf_p_rpcb_getnat(fr_info_t * fin,nat_t * nat,u_int proto,u_int port)1106 ipf_p_rpcb_getnat(fr_info_t *fin, nat_t *nat, u_int proto, u_int port)
1107 {
1108 ipf_main_softc_t *softc = fin->fin_main_soft;
1109 ipnat_t *ipn, ipnat;
1110 tcphdr_t tcp;
1111 ipstate_t *is;
1112 fr_info_t fi;
1113 nat_t *natl;
1114 int nflags;
1115
1116 ipn = nat->nat_ptr;
1117
1118 /* Generate dummy fr_info */
1119 bcopy((char *)fin, (char *)&fi, sizeof(fi));
1120 fi.fin_out = 0;
1121 fi.fin_p = proto;
1122 fi.fin_sport = 0;
1123 fi.fin_dport = port & 0xffff;
1124 fi.fin_flx |= FI_IGNORE;
1125 fi.fin_saddr = nat->nat_osrcaddr;
1126 fi.fin_daddr = nat->nat_odstaddr;
1127
1128 bzero((char *)&tcp, sizeof(tcp));
1129 tcp.th_dport = htons(port);
1130
1131 if (proto == IPPROTO_TCP) {
1132 tcp.th_win = htons(8192);
1133 TCP_OFF_A(&tcp, sizeof(tcphdr_t) >> 2);
1134 fi.fin_dlen = sizeof(tcphdr_t);
1135 tcp.th_flags = TH_SYN;
1136 nflags = NAT_TCP;
1137 } else {
1138 fi.fin_dlen = sizeof(udphdr_t);
1139 nflags = NAT_UDP;
1140 }
1141
1142 nflags |= SI_W_SPORT|NAT_SEARCH;
1143 fi.fin_dp = &tcp;
1144 fi.fin_plen = fi.fin_hlen + fi.fin_dlen;
1145
1146 /*
1147 * Search for existing NAT & state entries. Pay close attention to
1148 * mutexes / locks grabbed from lookup routines, as not doing so could
1149 * lead to bad things.
1150 *
1151 * If successful, fr_stlookup returns with ipf_state locked. We have
1152 * no use for this lock, so simply unlock it if necessary.
1153 */
1154 is = ipf_state_lookup(&fi, &tcp, NULL);
1155 if (is != NULL) {
1156 RWLOCK_EXIT(&softc->ipf_state);
1157 }
1158
1159 RWLOCK_EXIT(&softc->ipf_nat);
1160
1161 WRITE_ENTER(&softc->ipf_nat);
1162 natl = ipf_nat_inlookup(&fi, nflags, proto, fi.fin_src, fi.fin_dst);
1163
1164 if ((natl != NULL) && (is != NULL)) {
1165 MUTEX_DOWNGRADE(&softc->ipf_nat);
1166 return(0);
1167 }
1168
1169 /* Slightly modify the following structures for actual use in creating
1170 * NAT and/or state entries. We're primarily concerned with stripping
1171 * flags that may be detrimental to the creation process or simply
1172 * shouldn't be associated with a table entry.
1173 */
1174 fi.fin_fr = &rpcbfr;
1175 fi.fin_flx &= ~FI_IGNORE;
1176 nflags &= ~NAT_SEARCH;
1177
1178 if (natl == NULL) {
1179 #ifdef USE_MUTEXES
1180 ipf_nat_softc_t *softn = softc->ipf_nat_soft;
1181 #endif
1182
1183 /* XXX Since we're just copying the original ipn contents
1184 * back, would we be better off just sending a pointer to
1185 * the 'temp' copy off to nat_new instead?
1186 */
1187 /* Generate template/bogus NAT rule. */
1188 bcopy((char *)ipn, (char *)&ipnat, sizeof(ipnat));
1189 ipn->in_flags = nflags & IPN_TCPUDP;
1190 ipn->in_apr = NULL;
1191 ipn->in_pr[0] = proto;
1192 ipn->in_pr[1] = proto;
1193 ipn->in_dpmin = fi.fin_dport;
1194 ipn->in_dpmax = fi.fin_dport;
1195 ipn->in_dpnext = fi.fin_dport;
1196 ipn->in_space = 1;
1197 ipn->in_ippip = 1;
1198 if (ipn->in_flags & IPN_FILTER) {
1199 ipn->in_scmp = 0;
1200 ipn->in_dcmp = 0;
1201 }
1202 ipn->in_plabel = -1;
1203
1204 /* Create NAT entry. return NULL if this fails. */
1205 MUTEX_ENTER(&softn->ipf_nat_new);
1206 natl = ipf_nat_add(&fi, ipn, NULL, nflags|SI_CLONE|NAT_SLAVE,
1207 NAT_INBOUND);
1208 MUTEX_EXIT(&softn->ipf_nat_new);
1209
1210 bcopy((char *)&ipnat, (char *)ipn, sizeof(ipnat));
1211
1212 if (natl == NULL) {
1213 MUTEX_DOWNGRADE(&softc->ipf_nat);
1214 return(-1);
1215 }
1216
1217 natl->nat_ptr = ipn;
1218 fi.fin_saddr = natl->nat_nsrcaddr;
1219 fi.fin_daddr = natl->nat_ndstaddr;
1220 ipn->in_use++;
1221 (void) ipf_nat_proto(&fi, natl, nflags);
1222 MUTEX_ENTER(&natl->nat_lock);
1223 ipf_nat_update(&fi, natl);
1224 MUTEX_EXIT(&natl->nat_lock);
1225 }
1226 MUTEX_DOWNGRADE(&softc->ipf_nat);
1227
1228 if (is == NULL) {
1229 /* Create state entry. Return NULL if this fails. */
1230 fi.fin_flx |= FI_NATED;
1231 fi.fin_flx &= ~FI_STATE;
1232 nflags &= NAT_TCPUDP;
1233 nflags |= SI_W_SPORT|SI_CLONE;
1234
1235 if (ipf_state_add(softc, &fi, NULL, nflags) != 0) {
1236 /*
1237 * XXX nat_delete is private to ip_nat.c. Should
1238 * check w/ Darren about this one.
1239 *
1240 * nat_delete(natl, NL_EXPIRE);
1241 */
1242 return(-1);
1243 }
1244 }
1245
1246 return(0);
1247 }
1248
1249 /* -------------------------------------------------------------------- */
1250 /* Function: ipf_p_rpcb_modv3 */
1251 /* Returns: int -- change in packet length */
1252 /* Parameters: fin(I) - pointer to packet information */
1253 /* nat(I) - pointer to NAT session */
1254 /* rm(I) - pointer to RPC message structure */
1255 /* m(I) - pointer to mbuf chain */
1256 /* off(I) - offset within mbuf chain */
1257 /* */
1258 /* Write a new universal address string to this packet, adjusting */
1259 /* lengths as necessary. */
1260 /* -------------------------------------------------------------------- */
1261 static int
ipf_p_rpcb_modv3(fr_info_t * fin,nat_t * nat,rpc_msg_t * rm,mb_t * m,u_int off)1262 ipf_p_rpcb_modv3(fr_info_t *fin, nat_t *nat, rpc_msg_t *rm, mb_t *m, u_int off)
1263 {
1264 u_int len, xlen, pos, bogo;
1265 rpc_resp_t *rr;
1266 char uaddr[24];
1267 char *i, *p;
1268 int diff;
1269
1270 rr = &rm->rm_resp;
1271 i = (char *)&nat->nat_ndstaddr;
1272 p = (char *)&rr->rr_v3.xu_port;
1273
1274 /* Form new string. */
1275 bzero(uaddr, sizeof(uaddr)); /* Just in case we need padding. */
1276 snprintf(uaddr, sizeof(uaddr),
1277 "%u.%u.%u.%u.%u.%u", i[0] & 0xff, i[1] & 0xff,
1278 i[2] & 0xff, i[3] & 0xff, p[0] & 0xff, p[1] & 0xff);
1279 len = strlen(uaddr);
1280 xlen = XDRALIGN(len);
1281
1282 /* Determine mbuf offset to write to. */
1283 pos = (char *)rr->rr_v3.xu_xslen - rm->rm_msgbuf;
1284 off += pos;
1285
1286 /* Write new string length. */
1287 bogo = htonl(len);
1288 COPYBACK(m, off, 4, (void *)&bogo);
1289 off += 4;
1290
1291 /* Write new string. */
1292 COPYBACK(m, off, xlen, uaddr);
1293
1294 /* Determine difference in data lengths. */
1295 diff = xlen - XDRALIGN(B(rr->rr_v3.xu_xslen));
1296
1297 /*
1298 * If our new string has a different length, make necessary
1299 * adjustments.
1300 */
1301 if (diff != 0)
1302 ipf_p_rpcb_fixlen(fin, diff);
1303
1304 return(diff);
1305 }
1306
1307 /* -------------------------------------------------------------------- */
1308 /* Function: ipf_p_rpcb_modv4 */
1309 /* Returns: int -- change in packet length */
1310 /* Parameters: fin(I) - pointer to packet information */
1311 /* nat(I) - pointer to NAT session */
1312 /* rm(I) - pointer to RPC message structure */
1313 /* m(I) - pointer to mbuf chain */
1314 /* off(I) - offset within mbuf chain */
1315 /* */
1316 /* Write new rpcb_entry list, adjusting lengths as necessary. */
1317 /* -------------------------------------------------------------------- */
1318 static int
ipf_p_rpcb_modv4(fr_info_t * fin,nat_t * nat,rpc_msg_t * rm,mb_t * m,u_int off)1319 ipf_p_rpcb_modv4(fr_info_t *fin, nat_t *nat, rpc_msg_t *rm, mb_t *m, u_int off)
1320 {
1321 u_int len, xlen, pos, bogo;
1322 rpcb_listp_t *rl;
1323 rpcb_entry_t *re;
1324 rpc_resp_t *rr;
1325 char uaddr[24];
1326 int diff, cnt;
1327 char *i, *p;
1328
1329 diff = 0;
1330 rr = &rm->rm_resp;
1331 rl = &rr->rr_v4;
1332
1333 i = (char *)&nat->nat_ndstaddr;
1334
1335 /* Determine mbuf offset to write to. */
1336 re = &rl->rl_entries[0];
1337 pos = (char *)re->re_maddr.xu_xslen - rm->rm_msgbuf;
1338 off += pos;
1339
1340 for (cnt = 0; cnt < rl->rl_cnt; cnt++) {
1341 re = &rl->rl_entries[cnt];
1342 p = (char *)&re->re_maddr.xu_port;
1343
1344 /* Form new string. */
1345 bzero(uaddr, sizeof(uaddr)); /* Just in case we need
1346 padding. */
1347 snprintf(uaddr, sizeof(uaddr),
1348 "%u.%u.%u.%u.%u.%u", i[0] & 0xff,
1349 i[1] & 0xff, i[2] & 0xff, i[3] & 0xff,
1350 p[0] & 0xff, p[1] & 0xff);
1351 len = strlen(uaddr);
1352 xlen = XDRALIGN(len);
1353
1354 /* Write new string length. */
1355 bogo = htonl(len);
1356 COPYBACK(m, off, 4, (void *)&bogo);
1357 off += 4;
1358
1359 /* Write new string. */
1360 COPYBACK(m, off, xlen, uaddr);
1361 off += xlen;
1362
1363 /* Record any change in length. */
1364 diff += xlen - XDRALIGN(B(re->re_maddr.xu_xslen));
1365
1366 /* If the length changed, copy back the rest of this entry. */
1367 len = ((char *)re->re_more + 4) -
1368 (char *)re->re_netid.xp_xslen;
1369 if (diff != 0) {
1370 COPYBACK(m, off, len, (void *)re->re_netid.xp_xslen);
1371 }
1372 off += len;
1373 }
1374
1375 /*
1376 * If our new string has a different length, make necessary
1377 * adjustments.
1378 */
1379 if (diff != 0)
1380 ipf_p_rpcb_fixlen(fin, diff);
1381
1382 return(diff);
1383 }
1384
1385
1386 /* -------------------------------------------------------------------- */
1387 /* Function: ipf_p_rpcb_fixlen */
1388 /* Returns: (void) */
1389 /* Parameters: fin(I) - pointer to packet information */
1390 /* len(I) - change in packet length */
1391 /* */
1392 /* Adjust various packet related lengths held in structure and packet */
1393 /* header fields. */
1394 /* -------------------------------------------------------------------- */
1395 static void
ipf_p_rpcb_fixlen(fr_info_t * fin,int len)1396 ipf_p_rpcb_fixlen(fr_info_t *fin, int len)
1397 {
1398 udphdr_t *udp;
1399
1400 udp = fin->fin_dp;
1401 udp->uh_ulen = htons(ntohs(udp->uh_ulen) + len);
1402 fin->fin_plen += len;
1403 fin->fin_ip->ip_len = htons(fin->fin_plen);
1404 fin->fin_dlen += len;
1405 }
1406
1407 #undef B
1408