1 /* $NetBSD: ip_rpcb_pxy.c,v 1.3 2012/07/22 14:27:51 darrenr Exp $ */ 2 3 /* 4 * Copyright (C) 2002-2012 by Ryan Beasley <ryanb@goddamnbastard.org> 5 * 6 * See the IPFILTER.LICENCE file for details on licencing. 7 */ 8 /* 9 * Overview: 10 * This is an in-kernel application proxy for Sun's RPCBIND (nee portmap) 11 * protocol as defined in RFC1833. It is far from complete, mostly 12 * lacking in less-likely corner cases, but it's definitely functional. 13 * 14 * Invocation: 15 * rdr <int> <e_ip>/32 port <e_p> -> <i_ip> port <i_p> udp proxy rpcbu 16 * 17 * If the host running IP Filter is the same as the RPC server, it's 18 * perfectly legal for both the internal and external addresses and ports 19 * to match. 20 * 21 * When triggered by appropriate IP NAT rules, this proxy works by 22 * examining data contained in received packets. Requests and replies are 23 * modified, NAT and state table entries created, etc., as necessary. 24 */ 25 /* 26 * TODO / NOTES 27 * 28 * o Must implement locking to protect proxy session data. 29 * o Fragmentation isn't supported. 30 * o Only supports UDP. 31 * o Doesn't support multiple RPC records in a single request. 32 * o Errors should be more fine-grained. (e.g., malloc failure vs. 33 * illegal RPCB request / reply) 34 * o Even with the limit on the total amount of recorded transactions, 35 * should there be a timeout on transaction removal? 36 * o There is a potential collision between cloning, wildcard NAT and 37 * state entries. There should be an appr_getport routine for 38 * to avoid this. 39 * o The enclosed hack of STREAMS support is pretty sick and most likely 40 * broken. 41 * 42 * Id: ip_rpcb_pxy.c,v 1.1.1.2 2012/07/22 13:45:34 darrenr Exp 43 */ 44 45 #include <sys/cdefs.h> 46 __KERNEL_RCSID(1, "$NetBSD: ip_rpcb_pxy.c,v 1.3 2012/07/22 14:27:51 darrenr Exp $"); 47 48 #define IPF_RPCB_PROXY 49 50 /* 51 * Function prototypes 52 */ 53 void ipf_p_rpcb_main_load(void); 54 void ipf_p_rpcb_main_unload(void); 55 int ipf_p_rpcb_new(void *, fr_info_t *, ap_session_t *, nat_t *); 56 void ipf_p_rpcb_del(ipf_main_softc_t *, ap_session_t *); 57 int ipf_p_rpcb_in(void *, fr_info_t *, ap_session_t *, nat_t *); 58 int ipf_p_rpcb_out(void *, fr_info_t *, ap_session_t *, nat_t *); 59 60 static void ipf_p_rpcb_flush(rpcb_session_t *); 61 static int ipf_p_rpcb_decodereq(fr_info_t *, nat_t *, 62 rpcb_session_t *, rpc_msg_t *); 63 static int ipf_p_rpcb_skipauth(rpc_msg_t *, xdr_auth_t *, u_32_t **); 64 static int ipf_p_rpcb_insert(rpcb_session_t *, rpcb_xact_t *); 65 static int ipf_p_rpcb_xdrrpcb(rpc_msg_t *, u_32_t *, rpcb_args_t *); 66 static int ipf_p_rpcb_getuaddr(rpc_msg_t *, xdr_uaddr_t *, 67 u_32_t **); 68 static u_int ipf_p_rpcb_atoi(char *); 69 static int ipf_p_rpcb_modreq(fr_info_t *, nat_t *, rpc_msg_t *, 70 mb_t *, u_int); 71 static int ipf_p_rpcb_decoderep(fr_info_t *, nat_t *, 72 rpcb_session_t *, rpc_msg_t *, rpcb_xact_t **); 73 static rpcb_xact_t * ipf_p_rpcb_lookup(rpcb_session_t *, u_32_t); 74 static void ipf_p_rpcb_deref(rpcb_session_t *, rpcb_xact_t *); 75 static int ipf_p_rpcb_getproto(rpc_msg_t *, xdr_proto_t *, 76 u_32_t **); 77 static int ipf_p_rpcb_getnat(fr_info_t *, nat_t *, u_int, u_int); 78 static int ipf_p_rpcb_modv3(fr_info_t *, nat_t *, rpc_msg_t *, 79 mb_t *, u_int); 80 static int ipf_p_rpcb_modv4(fr_info_t *, nat_t *, rpc_msg_t *, 81 mb_t *, u_int); 82 static void ipf_p_rpcb_fixlen(fr_info_t *, int); 83 84 /* 85 * Global variables 86 */ 87 static frentry_t rpcbfr; /* Skeleton rule for reference by entities 88 this proxy creates. */ 89 static int rpcbcnt; /* Upper bound of allocated RPCB sessions. */ 90 /* XXX rpcbcnt still requires locking. */ 91 92 static int rpcb_proxy_init = 0; 93 94 95 /* 96 * Since rpc_msg contains only pointers, one should use this macro as a 97 * handy way to get to the goods. (In case you're wondering about the name, 98 * this started as BYTEREF -> BREF -> B.) 99 */ 100 #define B(r) (u_32_t)ntohl(*(r)) 101 102 /* 103 * Public subroutines 104 */ 105 106 /* -------------------------------------------------------------------- */ 107 /* Function: ipf_p_rpcb_main_load */ 108 /* Returns: void */ 109 /* Parameters: (void) */ 110 /* */ 111 /* Initialize the filter rule entry and session limiter. */ 112 /* -------------------------------------------------------------------- */ 113 void 114 ipf_p_rpcb_main_load(void) 115 { 116 rpcbcnt = 0; 117 118 bzero((char *)&rpcbfr, sizeof(rpcbfr)); 119 rpcbfr.fr_ref = 1; 120 rpcbfr.fr_flags = FR_PASS|FR_QUICK|FR_KEEPSTATE; 121 MUTEX_INIT(&rpcbfr.fr_lock, "ipf Sun RPCB proxy rule lock"); 122 rpcb_proxy_init = 1; 123 } 124 125 /* -------------------------------------------------------------------- */ 126 /* Function: ipf_p_rpcb_main_unload */ 127 /* Returns: void */ 128 /* Parameters: (void) */ 129 /* */ 130 /* Destroy rpcbfr's mutex to avoid a lock leak. */ 131 /* -------------------------------------------------------------------- */ 132 void 133 ipf_p_rpcb_main_unload(void) 134 { 135 if (rpcb_proxy_init == 1) { 136 MUTEX_DESTROY(&rpcbfr.fr_lock); 137 rpcb_proxy_init = 0; 138 } 139 } 140 141 /* -------------------------------------------------------------------- */ 142 /* Function: ipf_p_rpcb_new */ 143 /* Returns: int - -1 == failure, 0 == success */ 144 /* Parameters: fin(I) - pointer to packet information */ 145 /* aps(I) - pointer to proxy session structure */ 146 /* nat(I) - pointer to NAT session structure */ 147 /* */ 148 /* Allocate resources for per-session proxy structures. */ 149 /* -------------------------------------------------------------------- */ 150 int 151 ipf_p_rpcb_new(void *arg, fr_info_t *fin, ap_session_t *aps, nat_t *nat) 152 { 153 rpcb_session_t *rs; 154 155 nat = nat; /* LINT */ 156 157 if (fin->fin_v != 4) 158 return -1; 159 160 KMALLOC(rs, rpcb_session_t *); 161 if (rs == NULL) 162 return(-1); 163 164 bzero((char *)rs, sizeof(*rs)); 165 MUTEX_INIT(&rs->rs_rxlock, "ipf Sun RPCB proxy session lock"); 166 167 aps->aps_data = rs; 168 169 return(0); 170 } 171 172 /* -------------------------------------------------------------------- */ 173 /* Function: ipf_p_rpcb_del */ 174 /* Returns: void */ 175 /* Parameters: aps(I) - pointer to proxy session structure */ 176 /* */ 177 /* Free up a session's list of RPCB requests. */ 178 /* -------------------------------------------------------------------- */ 179 void 180 ipf_p_rpcb_del(ipf_main_softc_t *softc, ap_session_t *aps) 181 { 182 rpcb_session_t *rs; 183 rs = (rpcb_session_t *)aps->aps_data; 184 185 MUTEX_ENTER(&rs->rs_rxlock); 186 ipf_p_rpcb_flush(rs); 187 MUTEX_EXIT(&rs->rs_rxlock); 188 MUTEX_DESTROY(&rs->rs_rxlock); 189 } 190 191 /* -------------------------------------------------------------------- */ 192 /* Function: ipf_p_rpcb_in */ 193 /* Returns: int - APR_ERR(1) == drop the packet, */ 194 /* APR_ERR(2) == kill the proxy session, */ 195 /* else change in packet length (in bytes) */ 196 /* Parameters: fin(I) - pointer to packet information */ 197 /* ip(I) - pointer to packet header */ 198 /* aps(I) - pointer to proxy session structure */ 199 /* nat(I) - pointer to NAT session structure */ 200 /* */ 201 /* Given a presumed RPCB request, perform some minor tests and pass off */ 202 /* for decoding. Also pass packet off for a rewrite if necessary. */ 203 /* -------------------------------------------------------------------- */ 204 int 205 ipf_p_rpcb_in(void *arg, fr_info_t *fin, ap_session_t *aps, nat_t *nat) 206 { 207 rpc_msg_t rpcmsg, *rm; 208 rpcb_session_t *rs; 209 u_int off, dlen; 210 mb_t *m; 211 int rv; 212 213 /* Disallow fragmented or illegally short packets. */ 214 if ((fin->fin_flx & (FI_FRAG|FI_SHORT)) != 0) 215 return(APR_ERR(1)); 216 217 /* Perform basic variable initialization. */ 218 rs = (rpcb_session_t *)aps->aps_data; 219 220 m = fin->fin_m; 221 off = (char *)fin->fin_dp - (char *)fin->fin_ip; 222 off += sizeof(udphdr_t) + fin->fin_ipoff; 223 dlen = fin->fin_dlen - sizeof(udphdr_t); 224 225 /* Disallow packets outside legal range for supported requests. */ 226 if ((dlen < RPCB_REQMIN) || (dlen > RPCB_REQMAX)) 227 return(APR_ERR(1)); 228 229 /* Copy packet over to convenience buffer. */ 230 rm = &rpcmsg; 231 bzero((char *)rm, sizeof(*rm)); 232 COPYDATA(m, off, dlen, (void *)&rm->rm_msgbuf); 233 rm->rm_buflen = dlen; 234 235 /* Send off to decode request. */ 236 rv = ipf_p_rpcb_decodereq(fin, nat, rs, rm); 237 238 switch(rv) 239 { 240 case -1: 241 return(APR_ERR(1)); 242 /*NOTREACHED*/ 243 break; 244 case 0: 245 break; 246 case 1: 247 rv = ipf_p_rpcb_modreq(fin, nat, rm, m, off); 248 break; 249 default: 250 /*CONSTANTCONDITION*/ 251 IPF_PANIC(1, ("illegal rv %d (ipf_p_rpcb_req)", rv)); 252 } 253 254 return(rv); 255 } 256 257 /* -------------------------------------------------------------------- */ 258 /* Function: ipf_p_rpcb_out */ 259 /* Returns: int - APR_ERR(1) == drop the packet, */ 260 /* APR_ERR(2) == kill the proxy session, */ 261 /* else change in packet length (in bytes) */ 262 /* Parameters: fin(I) - pointer to packet information */ 263 /* ip(I) - pointer to packet header */ 264 /* aps(I) - pointer to proxy session structure */ 265 /* nat(I) - pointer to NAT session structure */ 266 /* */ 267 /* Given a presumed RPCB reply, perform some minor tests and pass off */ 268 /* for decoding. If the message indicates a successful request with */ 269 /* valid addressing information, create NAT and state structures to */ 270 /* allow direct communication between RPC client and server. */ 271 /* -------------------------------------------------------------------- */ 272 int 273 ipf_p_rpcb_out(void *arg, fr_info_t *fin, ap_session_t *aps, nat_t *nat) 274 { 275 rpc_msg_t rpcmsg, *rm; 276 rpcb_session_t *rs; 277 rpcb_xact_t *rx; 278 u_int off, dlen; 279 int rv, diff; 280 mb_t *m; 281 282 rx = NULL; /* XXX gcc */ 283 284 /* Disallow fragmented or illegally short packets. */ 285 if ((fin->fin_flx & (FI_FRAG|FI_SHORT)) != 0) 286 return(APR_ERR(1)); 287 288 /* Perform basic variable initialization. */ 289 rs = (rpcb_session_t *)aps->aps_data; 290 rx = NULL; 291 292 m = fin->fin_m; 293 off = (char *)fin->fin_dp - (char *)fin->fin_ip; 294 off += sizeof(udphdr_t) + fin->fin_ipoff; 295 dlen = fin->fin_dlen - sizeof(udphdr_t); 296 diff = 0; 297 298 /* Disallow packets outside legal range for supported requests. */ 299 if ((dlen < RPCB_REPMIN) || (dlen > RPCB_REPMAX)) 300 return(APR_ERR(1)); 301 302 /* Copy packet over to convenience buffer. */ 303 rm = &rpcmsg; 304 bzero((char *)rm, sizeof(*rm)); 305 COPYDATA(m, off, dlen, (void *)&rm->rm_msgbuf); 306 rm->rm_buflen = dlen; 307 308 rx = NULL; /* XXX gcc */ 309 310 /* Send off to decode reply. */ 311 rv = ipf_p_rpcb_decoderep(fin, nat, rs, rm, &rx); 312 313 switch(rv) 314 { 315 case -1: /* Bad packet */ 316 if (rx != NULL) { 317 MUTEX_ENTER(&rs->rs_rxlock); 318 ipf_p_rpcb_deref(rs, rx); 319 MUTEX_EXIT(&rs->rs_rxlock); 320 } 321 return(APR_ERR(1)); 322 /*NOTREACHED*/ 323 break; 324 case 0: /* Negative reply / request rejected */ 325 break; 326 case 1: /* Positive reply */ 327 /* 328 * With the IP address embedded in a GETADDR(LIST) reply, 329 * we'll need to rewrite the packet in the very possible 330 * event that the internal & external addresses aren't the 331 * same. (i.e., this box is either a router or rpcbind 332 * only listens on loopback.) 333 */ 334 if (nat->nat_odstaddr != nat->nat_ndstaddr) { 335 if (rx->rx_type == RPCB_RES_STRING) 336 diff = ipf_p_rpcb_modv3(fin, nat, rm, m, off); 337 else if (rx->rx_type == RPCB_RES_LIST) 338 diff = ipf_p_rpcb_modv4(fin, nat, rm, m, off); 339 } 340 break; 341 default: 342 /*CONSTANTCONDITION*/ 343 IPF_PANIC(1, ("illegal rv %d (ipf_p_rpcb_decoderep)", rv)); 344 } 345 346 if (rx != NULL) { 347 MUTEX_ENTER(&rs->rs_rxlock); 348 /* XXX Gross hack - I'm overloading the reference 349 * counter to deal with both threads and retransmitted 350 * requests. One deref signals that this thread is 351 * finished with rx, and the other signals that we've 352 * processed its reply. 353 */ 354 ipf_p_rpcb_deref(rs, rx); 355 ipf_p_rpcb_deref(rs, rx); 356 MUTEX_EXIT(&rs->rs_rxlock); 357 } 358 359 return(diff); 360 } 361 362 /* 363 * Private support subroutines 364 */ 365 366 /* -------------------------------------------------------------------- */ 367 /* Function: ipf_p_rpcb_flush */ 368 /* Returns: void */ 369 /* Parameters: rs(I) - pointer to RPCB session structure */ 370 /* */ 371 /* Simply flushes the list of outstanding transactions, if any. */ 372 /* -------------------------------------------------------------------- */ 373 static void 374 ipf_p_rpcb_flush(rpcb_session_t *rs) 375 { 376 rpcb_xact_t *r1, *r2; 377 378 r1 = rs->rs_rxlist; 379 if (r1 == NULL) 380 return; 381 382 while (r1 != NULL) { 383 r2 = r1; 384 r1 = r1->rx_next; 385 KFREE(r2); 386 } 387 } 388 389 /* -------------------------------------------------------------------- */ 390 /* Function: ipf_p_rpcb_decodereq */ 391 /* Returns: int - -1 == bad request or critical failure, */ 392 /* 0 == request successfully decoded, */ 393 /* 1 == request successfully decoded; requires */ 394 /* address rewrite/modification */ 395 /* Parameters: fin(I) - pointer to packet information */ 396 /* nat(I) - pointer to NAT session structure */ 397 /* rs(I) - pointer to RPCB session structure */ 398 /* rm(I) - pointer to RPC message structure */ 399 /* */ 400 /* Take a presumed RPCB request, decode it, and store the results in */ 401 /* the transaction list. If the internal target address needs to be */ 402 /* modified, store its location in ptr. */ 403 /* WARNING: It's the responsibility of the caller to make sure there */ 404 /* is enough room in rs_buf for the basic RPC message "preamble". */ 405 /* -------------------------------------------------------------------- */ 406 static int 407 ipf_p_rpcb_decodereq(fr_info_t *fin, nat_t *nat, rpcb_session_t *rs, 408 rpc_msg_t *rm) 409 { 410 rpcb_args_t *ra; 411 u_32_t xdr, *p; 412 rpc_call_t *rc; 413 rpcb_xact_t rx; 414 int mod; 415 416 p = (u_32_t *)rm->rm_msgbuf; 417 mod = 0; 418 419 bzero((char *)&rx, sizeof(rx)); 420 rc = &rm->rm_call; 421 422 rm->rm_xid = p; 423 rx.rx_xid = B(p++); /* Record this message's XID. */ 424 425 /* Parse out and test the RPC header. */ 426 if ((B(p++) != RPCB_CALL) || 427 (B(p++) != RPCB_MSG_VERSION) || 428 (B(p++) != RPCB_PROG)) 429 return(-1); 430 431 /* Record the RPCB version and procedure. */ 432 rc->rc_vers = p++; 433 rc->rc_proc = p++; 434 435 /* Bypass RPC authentication stuff. */ 436 if (ipf_p_rpcb_skipauth(rm, &rc->rc_authcred, &p) != 0) 437 return(-1); 438 if (ipf_p_rpcb_skipauth(rm, &rc->rc_authverf, &p) != 0) 439 return(-1); 440 441 /* Compare RPCB version and procedure numbers. */ 442 switch(B(rc->rc_vers)) 443 { 444 case 2: 445 /* This proxy only supports PMAP_GETPORT. */ 446 if (B(rc->rc_proc) != RPCB_GETPORT) 447 return(-1); 448 449 /* Portmap requests contain four 4 byte parameters. */ 450 if (RPCB_BUF_EQ(rm, p, 16) == 0) 451 return(-1); 452 453 p += 2; /* Skip requested program and version numbers. */ 454 455 /* Sanity check the requested protocol. */ 456 xdr = B(p); 457 if (!(xdr == IPPROTO_UDP || xdr == IPPROTO_TCP)) 458 return(-1); 459 460 rx.rx_type = RPCB_RES_PMAP; 461 rx.rx_proto = xdr; 462 break; 463 case 3: 464 case 4: 465 /* GETADDRLIST is exclusive to v4; GETADDR for v3 & v4 */ 466 switch(B(rc->rc_proc)) 467 { 468 case RPCB_GETADDR: 469 rx.rx_type = RPCB_RES_STRING; 470 rx.rx_proto = (u_int)fin->fin_p; 471 break; 472 case RPCB_GETADDRLIST: 473 if (B(rc->rc_vers) != 4) 474 return(-1); 475 rx.rx_type = RPCB_RES_LIST; 476 break; 477 default: 478 return(-1); 479 } 480 481 ra = &rc->rc_rpcbargs; 482 483 /* Decode the 'struct rpcb' request. */ 484 if (ipf_p_rpcb_xdrrpcb(rm, p, ra) != 0) 485 return(-1); 486 487 /* Are the target address & port valid? */ 488 if ((ra->ra_maddr.xu_ip != nat->nat_ndstaddr) || 489 (ra->ra_maddr.xu_port != nat->nat_ndport)) 490 return(-1); 491 492 /* Do we need to rewrite this packet? */ 493 if ((nat->nat_ndstaddr != nat->nat_odstaddr) || 494 (nat->nat_ndport != nat->nat_odport)) 495 mod = 1; 496 break; 497 default: 498 return(-1); 499 } 500 501 MUTEX_ENTER(&rs->rs_rxlock); 502 if (ipf_p_rpcb_insert(rs, &rx) != 0) { 503 MUTEX_EXIT(&rs->rs_rxlock); 504 return(-1); 505 } 506 MUTEX_EXIT(&rs->rs_rxlock); 507 508 return(mod); 509 } 510 511 /* -------------------------------------------------------------------- */ 512 /* Function: ipf_p_rpcb_skipauth */ 513 /* Returns: int -- -1 == illegal auth parameters (lengths) */ 514 /* 0 == valid parameters, pointer advanced */ 515 /* Parameters: rm(I) - pointer to RPC message structure */ 516 /* auth(I) - pointer to RPC auth structure */ 517 /* buf(IO) - pointer to location within convenience buffer */ 518 /* */ 519 /* Record auth data length & location of auth data, then advance past */ 520 /* it. */ 521 /* -------------------------------------------------------------------- */ 522 static int 523 ipf_p_rpcb_skipauth(rpc_msg_t *rm, xdr_auth_t *auth, u_32_t **buf) 524 { 525 u_32_t *p, xdr; 526 527 p = *buf; 528 529 /* Make sure we have enough space for expected fixed auth parms. */ 530 if (RPCB_BUF_GEQ(rm, p, 8) == 0) 531 return(-1); 532 533 p++; /* We don't care about auth_flavor. */ 534 535 auth->xa_string.xs_len = p; 536 xdr = B(p++); /* Length of auth_data */ 537 538 /* Test for absurdity / illegality of auth_data length. */ 539 if ((XDRALIGN(xdr) < xdr) || (RPCB_BUF_GEQ(rm, p, XDRALIGN(xdr)) == 0)) 540 return(-1); 541 542 auth->xa_string.xs_str = (char *)p; 543 544 p += XDRALIGN(xdr); /* Advance our location. */ 545 546 *buf = (u_32_t *)p; 547 548 return(0); 549 } 550 551 /* -------------------------------------------------------------------- */ 552 /* Function: ipf_p_rpcb_insert */ 553 /* Returns: int -- -1 == list insertion failed, */ 554 /* 0 == item successfully added */ 555 /* Parameters: rs(I) - pointer to RPCB session structure */ 556 /* rx(I) - pointer to RPCB transaction structure */ 557 /* -------------------------------------------------------------------- */ 558 static int 559 ipf_p_rpcb_insert(rpcb_session_t *rs, rpcb_xact_t *rx) 560 { 561 rpcb_xact_t *rxp; 562 563 rxp = ipf_p_rpcb_lookup(rs, rx->rx_xid); 564 if (rxp != NULL) { 565 ++rxp->rx_ref; 566 return(0); 567 } 568 569 if (rpcbcnt == RPCB_MAXREQS) 570 return(-1); 571 572 KMALLOC(rxp, rpcb_xact_t *); 573 if (rxp == NULL) 574 return(-1); 575 576 bcopy((char *)rx, (char *)rxp, sizeof(*rx)); 577 578 if (rs->rs_rxlist != NULL) 579 rs->rs_rxlist->rx_pnext = &rxp->rx_next; 580 581 rxp->rx_pnext = &rs->rs_rxlist; 582 rxp->rx_next = rs->rs_rxlist; 583 rs->rs_rxlist = rxp; 584 585 rxp->rx_ref = 1; 586 587 ++rpcbcnt; 588 589 return(0); 590 } 591 592 /* -------------------------------------------------------------------- */ 593 /* Function: ipf_p_rpcb_xdrrpcb */ 594 /* Returns: int -- -1 == failure to properly decode the request */ 595 /* 0 == rpcb successfully decoded */ 596 /* Parameters: rs(I) - pointer to RPCB session structure */ 597 /* p(I) - pointer to location within session buffer */ 598 /* rpcb(O) - pointer to rpcb (xdr type) structure */ 599 /* */ 600 /* Decode a XDR encoded rpcb structure and record its contents in rpcb */ 601 /* within only the context of TCP/UDP over IP networks. */ 602 /* -------------------------------------------------------------------- */ 603 static int 604 ipf_p_rpcb_xdrrpcb(rpc_msg_t *rm, u_32_t *p, rpcb_args_t *ra) 605 { 606 if (!RPCB_BUF_GEQ(rm, p, 20)) 607 return(-1); 608 609 /* Bypass target program & version. */ 610 p += 2; 611 612 /* Decode r_netid. Must be "tcp" or "udp". */ 613 if (ipf_p_rpcb_getproto(rm, &ra->ra_netid, &p) != 0) 614 return(-1); 615 616 /* Decode r_maddr. */ 617 if (ipf_p_rpcb_getuaddr(rm, &ra->ra_maddr, &p) != 0) 618 return(-1); 619 620 /* Advance to r_owner and make sure it's empty. */ 621 if (!RPCB_BUF_EQ(rm, p, 4) || (B(p) != 0)) 622 return(-1); 623 624 return(0); 625 } 626 627 /* -------------------------------------------------------------------- */ 628 /* Function: ipf_p_rpcb_getuaddr */ 629 /* Returns: int -- -1 == illegal string, */ 630 /* 0 == string parsed; contents recorded */ 631 /* Parameters: rm(I) - pointer to RPC message structure */ 632 /* xu(I) - pointer to universal address structure */ 633 /* p(IO) - pointer to location within message buffer */ 634 /* */ 635 /* Decode the IP address / port at p and record them in xu. */ 636 /* -------------------------------------------------------------------- */ 637 static int 638 ipf_p_rpcb_getuaddr(rpc_msg_t *rm, xdr_uaddr_t *xu, u_32_t **p) 639 { 640 char *c, *i, *b, *pp; 641 u_int d, dd, l, t; 642 char uastr[24]; 643 644 /* Test for string length. */ 645 if (!RPCB_BUF_GEQ(rm, *p, 4)) 646 return(-1); 647 648 xu->xu_xslen = (*p)++; 649 xu->xu_xsstr = (char *)*p; 650 651 /* Length check */ 652 l = B(xu->xu_xslen); 653 if (l < 11 || l > 23 || !RPCB_BUF_GEQ(rm, *p, XDRALIGN(l))) 654 return(-1); 655 656 /* Advance p */ 657 *(char **)p += XDRALIGN(l); 658 659 /* Copy string to local buffer & terminate C style */ 660 bcopy(xu->xu_xsstr, uastr, l); 661 uastr[l] = '\0'; 662 663 i = (char *)&xu->xu_ip; 664 pp = (char *)&xu->xu_port; 665 666 /* 667 * Expected format: a.b.c.d.e.f where [a-d] correspond to bytes of 668 * an IP address and [ef] are the bytes of a L4 port. 669 */ 670 if (!(ISDIGIT(uastr[0]) && ISDIGIT(uastr[l-1]))) 671 return(-1); 672 b = uastr; 673 for (c = &uastr[1], d = 0, dd = 0; c < &uastr[l-1]; c++) { 674 if (ISDIGIT(*c)) { 675 dd = 0; 676 continue; 677 } 678 if (*c == '.') { 679 if (dd != 0) 680 return(-1); 681 682 /* Check for ASCII byte. */ 683 *c = '\0'; 684 t = ipf_p_rpcb_atoi(b); 685 if (t > 255) 686 return(-1); 687 688 /* Aim b at beginning of the next byte. */ 689 b = c + 1; 690 691 /* Switch off IP addr vs port parsing. */ 692 if (d < 4) 693 i[d++] = t & 0xff; 694 else 695 pp[d++ - 4] = t & 0xff; 696 697 dd = 1; 698 continue; 699 } 700 return(-1); 701 } 702 if (d != 5) /* String must contain exactly 5 periods. */ 703 return(-1); 704 705 /* Handle the last byte (port low byte) */ 706 t = ipf_p_rpcb_atoi(b); 707 if (t > 255) 708 return(-1); 709 pp[d - 4] = t & 0xff; 710 711 return(0); 712 } 713 714 /* -------------------------------------------------------------------- */ 715 /* Function: ipf_p_rpcb_atoi (XXX should be generic for all proxies) */ 716 /* Returns: int -- integer representation of supplied string */ 717 /* Parameters: ptr(I) - input string */ 718 /* */ 719 /* Simple version of atoi(3) ripped from ip_rcmd_pxy.c. */ 720 /* -------------------------------------------------------------------- */ 721 static u_int 722 ipf_p_rpcb_atoi(char *ptr) 723 { 724 char *s = ptr, c; 725 u_int i = 0; 726 727 while (((c = *s++) != '\0') && ISDIGIT(c)) { 728 i *= 10; 729 i += c - '0'; 730 } 731 return i; 732 } 733 734 /* -------------------------------------------------------------------- */ 735 /* Function: ipf_p_rpcb_modreq */ 736 /* Returns: int -- change in datagram length */ 737 /* APR_ERR(2) - critical failure */ 738 /* Parameters: fin(I) - pointer to packet information */ 739 /* nat(I) - pointer to NAT session */ 740 /* rm(I) - pointer to RPC message structure */ 741 /* m(I) - pointer to mbuf chain */ 742 /* off(I) - current offset within mbuf chain */ 743 /* */ 744 /* When external and internal addresses differ, we rewrite the former */ 745 /* with the latter. (This is exclusive to protocol versions 3 & 4). */ 746 /* -------------------------------------------------------------------- */ 747 static int 748 ipf_p_rpcb_modreq(fr_info_t *fin, nat_t *nat, rpc_msg_t *rm, mb_t *m, u_int off) 749 { 750 u_int len, xlen, pos, bogo; 751 rpcb_args_t *ra; 752 char uaddr[24]; 753 udphdr_t *udp; 754 char *i, *p; 755 int diff; 756 757 ra = &rm->rm_call.rc_rpcbargs; 758 i = (char *)&nat->nat_odstaddr; 759 p = (char *)&nat->nat_odport; 760 761 /* Form new string. */ 762 bzero(uaddr, sizeof(uaddr)); /* Just in case we need padding. */ 763 #if defined(SNPRINTF) && defined(_KERNEL) 764 SNPRINTF(uaddr, sizeof(uaddr), 765 "%u.%u.%u.%u.%u.%u", i[0] & 0xff, i[1] & 0xff, 766 i[2] & 0xff, i[3] & 0xff, p[0] & 0xff, p[1] & 0xff); 767 #else 768 (void) sprintf(uaddr, 769 "%u.%u.%u.%u.%u.%u", i[0] & 0xff, i[1] & 0xff, 770 i[2] & 0xff, i[3] & 0xff, p[0] & 0xff, p[1] & 0xff); 771 #endif 772 len = strlen(uaddr); 773 xlen = XDRALIGN(len); 774 775 /* Determine mbuf offset to start writing to. */ 776 pos = (char *)ra->ra_maddr.xu_xslen - rm->rm_msgbuf; 777 off += pos; 778 779 /* Write new string length. */ 780 bogo = htonl(len); 781 COPYBACK(m, off, 4, (void *)&bogo); 782 off += 4; 783 784 /* Write new string. */ 785 COPYBACK(m, off, xlen, uaddr); 786 off += xlen; 787 788 /* Write in zero r_owner. */ 789 bogo = 0; 790 COPYBACK(m, off, 4, (void *)&bogo); 791 792 /* Determine difference in data lengths. */ 793 diff = xlen - XDRALIGN(B(ra->ra_maddr.xu_xslen)); 794 795 /* 796 * If our new string has a different length, make necessary 797 * adjustments. 798 */ 799 if (diff != 0) { 800 udp = fin->fin_dp; 801 udp->uh_ulen = htons(ntohs(udp->uh_ulen) + diff); 802 fin->fin_plen += diff; 803 fin->fin_ip->ip_len = htons(fin->fin_plen); 804 fin->fin_dlen += diff; 805 /* XXX Storage lengths. */ 806 } 807 808 return(diff); 809 } 810 811 /* -------------------------------------------------------------------- */ 812 /* Function: ipf_p_rpcb_decoderep */ 813 /* Returns: int - -1 == bad request or critical failure, */ 814 /* 0 == valid, negative reply */ 815 /* 1 == vaddlid, positive reply; needs no changes */ 816 /* Parameters: fin(I) - pointer to packet information */ 817 /* nat(I) - pointer to NAT session structure */ 818 /* rs(I) - pointer to RPCB session structure */ 819 /* rm(I) - pointer to RPC message structure */ 820 /* rxp(O) - pointer to RPCB transaction structure */ 821 /* */ 822 /* Take a presumed RPCB reply, extract the XID, search for the original */ 823 /* request information, and determine whether the request was accepted */ 824 /* or rejected. With a valid accepted reply, go ahead and create NAT */ 825 /* and state entries, and finish up by rewriting the packet as */ 826 /* required. */ 827 /* */ 828 /* WARNING: It's the responsibility of the caller to make sure there */ 829 /* is enough room in rs_buf for the basic RPC message "preamble". */ 830 /* -------------------------------------------------------------------- */ 831 static int 832 ipf_p_rpcb_decoderep(fr_info_t *fin, nat_t *nat, rpcb_session_t *rs, 833 rpc_msg_t *rm, rpcb_xact_t **rxp) 834 { 835 rpcb_listp_t *rl; 836 rpcb_entry_t *re; 837 rpcb_xact_t *rx; 838 u_32_t xdr, *p; 839 rpc_resp_t *rr; 840 int rv, cnt; 841 842 p = (u_32_t *)rm->rm_msgbuf; 843 844 bzero((char *)&rx, sizeof(rx)); 845 rr = &rm->rm_resp; 846 847 rm->rm_xid = p; 848 xdr = B(p++); /* Record this message's XID. */ 849 850 /* Lookup XID */ 851 MUTEX_ENTER(&rs->rs_rxlock); 852 if ((rx = ipf_p_rpcb_lookup(rs, xdr)) == NULL) { 853 MUTEX_EXIT(&rs->rs_rxlock); 854 return(-1); 855 } 856 ++rx->rx_ref; /* per thread reference */ 857 MUTEX_EXIT(&rs->rs_rxlock); 858 859 *rxp = rx; 860 861 /* Test call vs reply */ 862 if (B(p++) != RPCB_REPLY) 863 return(-1); 864 865 /* Test reply_stat */ 866 switch(B(p++)) 867 { 868 case RPCB_MSG_DENIED: 869 return(0); 870 case RPCB_MSG_ACCEPTED: 871 break; 872 default: 873 return(-1); 874 } 875 876 /* Bypass RPC authentication stuff. */ 877 if (ipf_p_rpcb_skipauth(rm, &rr->rr_authverf, &p) != 0) 878 return(-1); 879 880 /* Test accept status */ 881 if (!RPCB_BUF_GEQ(rm, p, 4)) 882 return(-1); 883 if (B(p++) != 0) 884 return(0); 885 886 /* Parse out the expected reply */ 887 switch(rx->rx_type) 888 { 889 case RPCB_RES_PMAP: 890 /* There must be only one 4 byte argument. */ 891 if (!RPCB_BUF_EQ(rm, p, 4)) 892 return(-1); 893 894 rr->rr_v2 = p; 895 xdr = B(rr->rr_v2); 896 897 /* Reply w/ a 0 port indicates service isn't registered */ 898 if (xdr == 0) 899 return(0); 900 901 /* Is the value sane? */ 902 if (xdr > 65535) 903 return(-1); 904 905 /* Create NAT & state table entries. */ 906 if (ipf_p_rpcb_getnat(fin, nat, rx->rx_proto, (u_int)xdr) != 0) 907 return(-1); 908 break; 909 case RPCB_RES_STRING: 910 /* Expecting a XDR string; need 4 bytes for length */ 911 if (!RPCB_BUF_GEQ(rm, p, 4)) 912 return(-1); 913 914 rr->rr_v3.xu_str.xs_len = p++; 915 rr->rr_v3.xu_str.xs_str = (char *)p; 916 917 xdr = B(rr->rr_v3.xu_xslen); 918 919 /* A null string indicates an unregistered service */ 920 if ((xdr == 0) && RPCB_BUF_EQ(rm, p, 0)) 921 return(0); 922 923 /* Decode the target IP address / port. */ 924 if (ipf_p_rpcb_getuaddr(rm, &rr->rr_v3, &p) != 0) 925 return(-1); 926 927 /* Validate the IP address and port contained. */ 928 if (nat->nat_odstaddr != rr->rr_v3.xu_ip) 929 return(-1); 930 931 /* Create NAT & state table entries. */ 932 if (ipf_p_rpcb_getnat(fin, nat, rx->rx_proto, 933 (u_int)rr->rr_v3.xu_port) != 0) 934 return(-1); 935 break; 936 case RPCB_RES_LIST: 937 if (!RPCB_BUF_GEQ(rm, p, 4)) 938 return(-1); 939 /* rpcb_entry_list_ptr */ 940 switch(B(p)) 941 { 942 case 0: 943 return(0); 944 /*NOTREACHED*/ 945 break; 946 case 1: 947 break; 948 default: 949 return(-1); 950 } 951 rl = &rr->rr_v4; 952 rl->rl_list = p++; 953 cnt = 0; 954 955 for(;;) { 956 re = &rl->rl_entries[rl->rl_cnt]; 957 if (ipf_p_rpcb_getuaddr(rm, &re->re_maddr, &p) != 0) 958 return(-1); 959 if (ipf_p_rpcb_getproto(rm, &re->re_netid, &p) != 0) 960 return(-1); 961 /* re_semantics & re_pfamily length */ 962 if (!RPCB_BUF_GEQ(rm, p, 12)) 963 return(-1); 964 p++; /* Skipping re_semantics. */ 965 xdr = B(p++); 966 if ((xdr != 4) || strncmp((char *)p, "inet", 4)) 967 return(-1); 968 p++; 969 if (ipf_p_rpcb_getproto(rm, &re->re_proto, &p) != 0) 970 return(-1); 971 if (!RPCB_BUF_GEQ(rm, p, 4)) 972 return(-1); 973 re->re_more = p; 974 if (B(re->re_more) > 1) /* 0,1 only legal values */ 975 return(-1); 976 ++rl->rl_cnt; 977 ++cnt; 978 if (B(re->re_more) == 0) 979 break; 980 /* Replies in max out at 2; TCP and/or UDP */ 981 if (cnt > 2) 982 return(-1); 983 p++; 984 } 985 986 for(rl->rl_cnt = 0; rl->rl_cnt < cnt; rl->rl_cnt++) { 987 re = &rl->rl_entries[rl->rl_cnt]; 988 rv = ipf_p_rpcb_getnat(fin, nat, 989 re->re_proto.xp_proto, 990 (u_int)re->re_maddr.xu_port); 991 if (rv != 0) 992 return(-1); 993 } 994 break; 995 default: 996 /*CONSTANTCONDITION*/ 997 IPF_PANIC(1, ("illegal rx_type %d", rx->rx_type)); 998 } 999 1000 return(1); 1001 } 1002 1003 /* -------------------------------------------------------------------- */ 1004 /* Function: ipf_p_rpcb_lookup */ 1005 /* Returns: rpcb_xact_t * - NULL == no matching record, */ 1006 /* else pointer to relevant entry */ 1007 /* Parameters: rs(I) - pointer to RPCB session */ 1008 /* xid(I) - XID to look for */ 1009 /* -------------------------------------------------------------------- */ 1010 static rpcb_xact_t * 1011 ipf_p_rpcb_lookup(rpcb_session_t *rs, u_32_t xid) 1012 { 1013 rpcb_xact_t *rx; 1014 1015 if (rs->rs_rxlist == NULL) 1016 return(NULL); 1017 1018 for (rx = rs->rs_rxlist; rx != NULL; rx = rx->rx_next) 1019 if (rx->rx_xid == xid) 1020 break; 1021 1022 return(rx); 1023 } 1024 1025 /* -------------------------------------------------------------------- */ 1026 /* Function: ipf_p_rpcb_deref */ 1027 /* Returns: (void) */ 1028 /* Parameters: rs(I) - pointer to RPCB session */ 1029 /* rx(I) - pointer to RPC transaction struct to remove */ 1030 /* force(I) - indicates to delete entry regardless of */ 1031 /* reference count */ 1032 /* Locking: rs->rs_rxlock must be held write only */ 1033 /* */ 1034 /* Free the RPCB transaction record rx from the chain of entries. */ 1035 /* -------------------------------------------------------------------- */ 1036 static void 1037 ipf_p_rpcb_deref(rpcb_session_t *rs, rpcb_xact_t *rx) 1038 { 1039 rs = rs; /* LINT */ 1040 1041 if (rx == NULL) 1042 return; 1043 1044 if (--rx->rx_ref != 0) 1045 return; 1046 1047 if (rx->rx_next != NULL) 1048 rx->rx_next->rx_pnext = rx->rx_pnext; 1049 1050 *rx->rx_pnext = rx->rx_next; 1051 1052 KFREE(rx); 1053 1054 --rpcbcnt; 1055 } 1056 1057 /* -------------------------------------------------------------------- */ 1058 /* Function: ipf_p_rpcb_getproto */ 1059 /* Returns: int - -1 == illegal protocol/netid, */ 1060 /* 0 == legal protocol/netid */ 1061 /* Parameters: rm(I) - pointer to RPC message structure */ 1062 /* xp(I) - pointer to netid structure */ 1063 /* p(IO) - pointer to location within packet buffer */ 1064 /* */ 1065 /* Decode netid/proto stored at p and record its numeric value. */ 1066 /* -------------------------------------------------------------------- */ 1067 static int 1068 ipf_p_rpcb_getproto(rpc_msg_t *rm, xdr_proto_t *xp, u_32_t **p) 1069 { 1070 u_int len; 1071 1072 /* Must have 4 bytes for length & 4 bytes for "tcp" or "udp". */ 1073 if (!RPCB_BUF_GEQ(rm, p, 8)) 1074 return(-1); 1075 1076 xp->xp_xslen = (*p)++; 1077 xp->xp_xsstr = (char *)*p; 1078 1079 /* Test the string length. */ 1080 len = B(xp->xp_xslen); 1081 if (len != 3) 1082 return(-1); 1083 1084 /* Test the actual string & record the protocol accordingly. */ 1085 if (!strncmp((char *)xp->xp_xsstr, "tcp\0", 4)) 1086 xp->xp_proto = IPPROTO_TCP; 1087 else if (!strncmp((char *)xp->xp_xsstr, "udp\0", 4)) 1088 xp->xp_proto = IPPROTO_UDP; 1089 else { 1090 return(-1); 1091 } 1092 1093 /* Advance past the string. */ 1094 (*p)++; 1095 1096 return(0); 1097 } 1098 1099 /* -------------------------------------------------------------------- */ 1100 /* Function: ipf_p_rpcb_getnat */ 1101 /* Returns: int -- -1 == failed to create table entries, */ 1102 /* 0 == success */ 1103 /* Parameters: fin(I) - pointer to packet information */ 1104 /* nat(I) - pointer to NAT table entry */ 1105 /* proto(I) - transport protocol for new entries */ 1106 /* port(I) - new port to use w/ wildcard table entries */ 1107 /* */ 1108 /* Create state and NAT entries to handle an anticipated connection */ 1109 /* attempt between RPC client and server. */ 1110 /* -------------------------------------------------------------------- */ 1111 static int 1112 ipf_p_rpcb_getnat(fr_info_t *fin, nat_t *nat, u_int proto, u_int port) 1113 { 1114 ipf_main_softc_t *softc = fin->fin_main_soft; 1115 ipnat_t *ipn, ipnat; 1116 tcphdr_t tcp; 1117 ipstate_t *is; 1118 fr_info_t fi; 1119 nat_t *natl; 1120 int nflags; 1121 1122 ipn = nat->nat_ptr; 1123 1124 /* Generate dummy fr_info */ 1125 bcopy((char *)fin, (char *)&fi, sizeof(fi)); 1126 fi.fin_out = 0; 1127 fi.fin_p = proto; 1128 fi.fin_sport = 0; 1129 fi.fin_dport = port & 0xffff; 1130 fi.fin_flx |= FI_IGNORE; 1131 fi.fin_saddr = nat->nat_osrcaddr; 1132 fi.fin_daddr = nat->nat_odstaddr; 1133 1134 bzero((char *)&tcp, sizeof(tcp)); 1135 tcp.th_dport = htons(port); 1136 1137 if (proto == IPPROTO_TCP) { 1138 tcp.th_win = htons(8192); 1139 TCP_OFF_A(&tcp, sizeof(tcphdr_t) >> 2); 1140 fi.fin_dlen = sizeof(tcphdr_t); 1141 tcp.th_flags = TH_SYN; 1142 nflags = NAT_TCP; 1143 } else { 1144 fi.fin_dlen = sizeof(udphdr_t); 1145 nflags = NAT_UDP; 1146 } 1147 1148 nflags |= SI_W_SPORT|NAT_SEARCH; 1149 fi.fin_dp = &tcp; 1150 fi.fin_plen = fi.fin_hlen + fi.fin_dlen; 1151 1152 /* 1153 * Search for existing NAT & state entries. Pay close attention to 1154 * mutexes / locks grabbed from lookup routines, as not doing so could 1155 * lead to bad things. 1156 * 1157 * If successful, fr_stlookup returns with ipf_state locked. We have 1158 * no use for this lock, so simply unlock it if necessary. 1159 */ 1160 is = ipf_state_lookup(&fi, &tcp, NULL); 1161 if (is != NULL) { 1162 RWLOCK_EXIT(&softc->ipf_state); 1163 } 1164 1165 RWLOCK_EXIT(&softc->ipf_nat); 1166 1167 WRITE_ENTER(&softc->ipf_nat); 1168 natl = ipf_nat_inlookup(&fi, nflags, proto, fi.fin_src, fi.fin_dst); 1169 1170 if ((natl != NULL) && (is != NULL)) { 1171 MUTEX_DOWNGRADE(&softc->ipf_nat); 1172 return(0); 1173 } 1174 1175 /* Slightly modify the following structures for actual use in creating 1176 * NAT and/or state entries. We're primarily concerned with stripping 1177 * flags that may be detrimental to the creation process or simply 1178 * shouldn't be associated with a table entry. 1179 */ 1180 fi.fin_fr = &rpcbfr; 1181 fi.fin_flx &= ~FI_IGNORE; 1182 nflags &= ~NAT_SEARCH; 1183 1184 if (natl == NULL) { 1185 #ifdef USE_MUTEXES 1186 ipf_nat_softc_t *softn = softc->ipf_nat_soft; 1187 #endif 1188 1189 /* XXX Since we're just copying the original ipn contents 1190 * back, would we be better off just sending a pointer to 1191 * the 'temp' copy off to nat_new instead? 1192 */ 1193 /* Generate template/bogus NAT rule. */ 1194 bcopy((char *)ipn, (char *)&ipnat, sizeof(ipnat)); 1195 ipn->in_flags = nflags & IPN_TCPUDP; 1196 ipn->in_apr = NULL; 1197 ipn->in_pr[0] = proto; 1198 ipn->in_pr[1] = proto; 1199 ipn->in_dpmin = fi.fin_dport; 1200 ipn->in_dpmax = fi.fin_dport; 1201 ipn->in_dpnext = fi.fin_dport; 1202 ipn->in_space = 1; 1203 ipn->in_ippip = 1; 1204 if (ipn->in_flags & IPN_FILTER) { 1205 ipn->in_scmp = 0; 1206 ipn->in_dcmp = 0; 1207 } 1208 ipn->in_plabel = -1; 1209 1210 /* Create NAT entry. return NULL if this fails. */ 1211 MUTEX_ENTER(&softn->ipf_nat_new); 1212 natl = ipf_nat_add(&fi, ipn, NULL, nflags|SI_CLONE|NAT_SLAVE, 1213 NAT_INBOUND); 1214 MUTEX_EXIT(&softn->ipf_nat_new); 1215 1216 bcopy((char *)&ipnat, (char *)ipn, sizeof(ipnat)); 1217 1218 if (natl == NULL) { 1219 MUTEX_DOWNGRADE(&softc->ipf_nat); 1220 return(-1); 1221 } 1222 1223 natl->nat_ptr = ipn; 1224 fi.fin_saddr = natl->nat_nsrcaddr; 1225 fi.fin_daddr = natl->nat_ndstaddr; 1226 ipn->in_use++; 1227 (void) ipf_nat_proto(&fi, natl, nflags); 1228 MUTEX_ENTER(&natl->nat_lock); 1229 ipf_nat_update(&fi, natl); 1230 MUTEX_EXIT(&natl->nat_lock); 1231 } 1232 MUTEX_DOWNGRADE(&softc->ipf_nat); 1233 1234 if (is == NULL) { 1235 /* Create state entry. Return NULL if this fails. */ 1236 fi.fin_flx |= FI_NATED; 1237 fi.fin_flx &= ~FI_STATE; 1238 nflags &= NAT_TCPUDP; 1239 nflags |= SI_W_SPORT|SI_CLONE; 1240 1241 if (ipf_state_add(softc, &fi, NULL, nflags) != 0) { 1242 /* 1243 * XXX nat_delete is private to ip_nat.c. Should 1244 * check w/ Darren about this one. 1245 * 1246 * nat_delete(natl, NL_EXPIRE); 1247 */ 1248 return(-1); 1249 } 1250 } 1251 1252 return(0); 1253 } 1254 1255 /* -------------------------------------------------------------------- */ 1256 /* Function: ipf_p_rpcb_modv3 */ 1257 /* Returns: int -- change in packet length */ 1258 /* Parameters: fin(I) - pointer to packet information */ 1259 /* nat(I) - pointer to NAT session */ 1260 /* rm(I) - pointer to RPC message structure */ 1261 /* m(I) - pointer to mbuf chain */ 1262 /* off(I) - offset within mbuf chain */ 1263 /* */ 1264 /* Write a new universal address string to this packet, adjusting */ 1265 /* lengths as necessary. */ 1266 /* -------------------------------------------------------------------- */ 1267 static int 1268 ipf_p_rpcb_modv3(fr_info_t *fin, nat_t *nat, rpc_msg_t *rm, mb_t *m, u_int off) 1269 { 1270 u_int len, xlen, pos, bogo; 1271 rpc_resp_t *rr; 1272 char uaddr[24]; 1273 char *i, *p; 1274 int diff; 1275 1276 rr = &rm->rm_resp; 1277 i = (char *)&nat->nat_ndstaddr; 1278 p = (char *)&rr->rr_v3.xu_port; 1279 1280 /* Form new string. */ 1281 bzero(uaddr, sizeof(uaddr)); /* Just in case we need padding. */ 1282 #if defined(SNPRINTF) && defined(_KERNEL) 1283 SNPRINTF(uaddr, sizeof(uaddr), 1284 "%u.%u.%u.%u.%u.%u", i[0] & 0xff, i[1] & 0xff, 1285 i[2] & 0xff, i[3] & 0xff, p[0] & 0xff, p[1] & 0xff); 1286 #else 1287 (void) sprintf(uaddr, 1288 "%u.%u.%u.%u.%u.%u", i[0] & 0xff, i[1] & 0xff, 1289 i[2] & 0xff, i[3] & 0xff, p[0] & 0xff, p[1] & 0xff); 1290 #endif 1291 len = strlen(uaddr); 1292 xlen = XDRALIGN(len); 1293 1294 /* Determine mbuf offset to write to. */ 1295 pos = (char *)rr->rr_v3.xu_xslen - rm->rm_msgbuf; 1296 off += pos; 1297 1298 /* Write new string length. */ 1299 bogo = htonl(len); 1300 COPYBACK(m, off, 4, (void *)&bogo); 1301 off += 4; 1302 1303 /* Write new string. */ 1304 COPYBACK(m, off, xlen, uaddr); 1305 1306 /* Determine difference in data lengths. */ 1307 diff = xlen - XDRALIGN(B(rr->rr_v3.xu_xslen)); 1308 1309 /* 1310 * If our new string has a different length, make necessary 1311 * adjustments. 1312 */ 1313 if (diff != 0) 1314 ipf_p_rpcb_fixlen(fin, diff); 1315 1316 return(diff); 1317 } 1318 1319 /* -------------------------------------------------------------------- */ 1320 /* Function: ipf_p_rpcb_modv4 */ 1321 /* Returns: int -- change in packet length */ 1322 /* Parameters: fin(I) - pointer to packet information */ 1323 /* nat(I) - pointer to NAT session */ 1324 /* rm(I) - pointer to RPC message structure */ 1325 /* m(I) - pointer to mbuf chain */ 1326 /* off(I) - offset within mbuf chain */ 1327 /* */ 1328 /* Write new rpcb_entry list, adjusting lengths as necessary. */ 1329 /* -------------------------------------------------------------------- */ 1330 static int 1331 ipf_p_rpcb_modv4(fr_info_t *fin, nat_t *nat, rpc_msg_t *rm, mb_t *m, u_int off) 1332 { 1333 u_int len, xlen, pos, bogo; 1334 rpcb_listp_t *rl; 1335 rpcb_entry_t *re; 1336 rpc_resp_t *rr; 1337 char uaddr[24]; 1338 int diff, cnt; 1339 char *i, *p; 1340 1341 diff = 0; 1342 rr = &rm->rm_resp; 1343 rl = &rr->rr_v4; 1344 1345 i = (char *)&nat->nat_ndstaddr; 1346 1347 /* Determine mbuf offset to write to. */ 1348 re = &rl->rl_entries[0]; 1349 pos = (char *)re->re_maddr.xu_xslen - rm->rm_msgbuf; 1350 off += pos; 1351 1352 for (cnt = 0; cnt < rl->rl_cnt; cnt++) { 1353 re = &rl->rl_entries[cnt]; 1354 p = (char *)&re->re_maddr.xu_port; 1355 1356 /* Form new string. */ 1357 bzero(uaddr, sizeof(uaddr)); /* Just in case we need 1358 padding. */ 1359 #if defined(SNPRINTF) && defined(_KERNEL) 1360 SNPRINTF(uaddr, sizeof(uaddr), 1361 "%u.%u.%u.%u.%u.%u", i[0] & 0xff, 1362 i[1] & 0xff, i[2] & 0xff, i[3] & 0xff, 1363 p[0] & 0xff, p[1] & 0xff); 1364 #else 1365 (void) sprintf(uaddr, 1366 "%u.%u.%u.%u.%u.%u", i[0] & 0xff, 1367 i[1] & 0xff, i[2] & 0xff, i[3] & 0xff, 1368 p[0] & 0xff, p[1] & 0xff); 1369 #endif 1370 len = strlen(uaddr); 1371 xlen = XDRALIGN(len); 1372 1373 /* Write new string length. */ 1374 bogo = htonl(len); 1375 COPYBACK(m, off, 4, (void *)&bogo); 1376 off += 4; 1377 1378 /* Write new string. */ 1379 COPYBACK(m, off, xlen, uaddr); 1380 off += xlen; 1381 1382 /* Record any change in length. */ 1383 diff += xlen - XDRALIGN(B(re->re_maddr.xu_xslen)); 1384 1385 /* If the length changed, copy back the rest of this entry. */ 1386 len = ((char *)re->re_more + 4) - 1387 (char *)re->re_netid.xp_xslen; 1388 if (diff != 0) { 1389 COPYBACK(m, off, len, (void *)re->re_netid.xp_xslen); 1390 } 1391 off += len; 1392 } 1393 1394 /* 1395 * If our new string has a different length, make necessary 1396 * adjustments. 1397 */ 1398 if (diff != 0) 1399 ipf_p_rpcb_fixlen(fin, diff); 1400 1401 return(diff); 1402 } 1403 1404 1405 /* -------------------------------------------------------------------- */ 1406 /* Function: ipf_p_rpcb_fixlen */ 1407 /* Returns: (void) */ 1408 /* Parameters: fin(I) - pointer to packet information */ 1409 /* len(I) - change in packet length */ 1410 /* */ 1411 /* Adjust various packet related lengths held in structure and packet */ 1412 /* header fields. */ 1413 /* -------------------------------------------------------------------- */ 1414 static void 1415 ipf_p_rpcb_fixlen(fr_info_t *fin, int len) 1416 { 1417 udphdr_t *udp; 1418 1419 udp = fin->fin_dp; 1420 udp->uh_ulen = htons(ntohs(udp->uh_ulen) + len); 1421 fin->fin_plen += len; 1422 fin->fin_ip->ip_len = htons(fin->fin_plen); 1423 fin->fin_dlen += len; 1424 } 1425 1426 #undef B 1427