1/* 2 * Copyright (C) 2002-2012 by Ryan Beasley <ryanb@goddamnbastard.org> 3 * 4 * See the IPFILTER.LICENCE file for details on licencing. 5 */ 6/* 7 * Overview: 8 * This is an in-kernel application proxy for Sun's RPCBIND (nee portmap) 9 * protocol as defined in RFC1833. It is far from complete, mostly 10 * lacking in less-likely corner cases, but it's definitely functional. 11 * 12 * Invocation: 13 * rdr <int> <e_ip>/32 port <e_p> -> <i_ip> port <i_p> udp proxy rpcbu 14 * 15 * If the host running IP Filter is the same as the RPC server, it's 16 * perfectly legal for both the internal and external addresses and ports 17 * to match. 18 * 19 * When triggered by appropriate IP NAT rules, this proxy works by 20 * examining data contained in received packets. Requests and replies are 21 * modified, NAT and state table entries created, etc., as necessary. 22 */ 23/* 24 * TODO / NOTES 25 * 26 * o Must implement locking to protect proxy session data. 27 * o Fragmentation isn't supported. 28 * o Only supports UDP. 29 * o Doesn't support multiple RPC records in a single request. 30 * o Errors should be more fine-grained. (e.g., malloc failure vs. 31 * illegal RPCB request / reply) 32 * o Even with the limit on the total amount of recorded transactions, 33 * should there be a timeout on transaction removal? 34 * o There is a potential collision between cloning, wildcard NAT and 35 * state entries. There should be an appr_getport routine for 36 * to avoid this. 37 * o The enclosed hack of STREAMS support is pretty sick and most likely 38 * broken. 39 * 40 * $Id$ 41 */ 42#define IPF_RPCB_PROXY 43 44/* 45 * Function prototypes 46 */ 47void ipf_p_rpcb_main_load __P((void)); 48void ipf_p_rpcb_main_unload __P((void)); 49int ipf_p_rpcb_new __P((void *, fr_info_t *, ap_session_t *, nat_t *)); 50void ipf_p_rpcb_del __P((ipf_main_softc_t *, ap_session_t *)); 51int ipf_p_rpcb_in __P((void *, fr_info_t *, ap_session_t *, nat_t *)); 52int ipf_p_rpcb_out __P((void *, fr_info_t *, ap_session_t *, nat_t *)); 53 54static void ipf_p_rpcb_flush __P((rpcb_session_t *)); 55static int ipf_p_rpcb_decodereq __P((fr_info_t *, nat_t *, 56 rpcb_session_t *, rpc_msg_t *)); 57static int ipf_p_rpcb_skipauth __P((rpc_msg_t *, xdr_auth_t *, u_32_t **)); 58static int ipf_p_rpcb_insert __P((rpcb_session_t *, rpcb_xact_t *)); 59static int ipf_p_rpcb_xdrrpcb __P((rpc_msg_t *, u_32_t *, rpcb_args_t *)); 60static int ipf_p_rpcb_getuaddr __P((rpc_msg_t *, xdr_uaddr_t *, 61 u_32_t **)); 62static u_int ipf_p_rpcb_atoi __P((char *)); 63static int ipf_p_rpcb_modreq __P((fr_info_t *, nat_t *, rpc_msg_t *, 64 mb_t *, u_int)); 65static int ipf_p_rpcb_decoderep __P((fr_info_t *, nat_t *, 66 rpcb_session_t *, rpc_msg_t *, rpcb_xact_t **)); 67static rpcb_xact_t * ipf_p_rpcb_lookup __P((rpcb_session_t *, u_32_t)); 68static void ipf_p_rpcb_deref __P((rpcb_session_t *, rpcb_xact_t *)); 69static int ipf_p_rpcb_getproto __P((rpc_msg_t *, xdr_proto_t *, 70 u_32_t **)); 71static int ipf_p_rpcb_getnat __P((fr_info_t *, nat_t *, u_int, u_int)); 72static int ipf_p_rpcb_modv3 __P((fr_info_t *, nat_t *, rpc_msg_t *, 73 mb_t *, u_int)); 74static int ipf_p_rpcb_modv4 __P((fr_info_t *, nat_t *, rpc_msg_t *, 75 mb_t *, u_int)); 76static void ipf_p_rpcb_fixlen __P((fr_info_t *, int)); 77 78/* 79 * Global variables 80 */ 81static frentry_t rpcbfr; /* Skeleton rule for reference by entities 82 this proxy creates. */ 83static int rpcbcnt; /* Upper bound of allocated RPCB sessions. */ 84 /* XXX rpcbcnt still requires locking. */ 85 86static int rpcb_proxy_init = 0; 87 88 89/* 90 * Since rpc_msg contains only pointers, one should use this macro as a 91 * handy way to get to the goods. (In case you're wondering about the name, 92 * this started as BYTEREF -> BREF -> B.) 93 */ 94#define B(r) (u_32_t)ntohl(*(r)) 95 96/* 97 * Public subroutines 98 */ 99 100/* -------------------------------------------------------------------- */ 101/* Function: ipf_p_rpcb_main_load */ 102/* Returns: void */ 103/* Parameters: (void) */ 104/* */ 105/* Initialize the filter rule entry and session limiter. */ 106/* -------------------------------------------------------------------- */ 107void 108ipf_p_rpcb_main_load() 109{ 110 rpcbcnt = 0; 111 112 bzero((char *)&rpcbfr, sizeof(rpcbfr)); 113 rpcbfr.fr_ref = 1; 114 rpcbfr.fr_flags = FR_PASS|FR_QUICK|FR_KEEPSTATE; 115 MUTEX_INIT(&rpcbfr.fr_lock, "ipf Sun RPCB proxy rule lock"); 116 rpcb_proxy_init = 1; 117} 118 119/* -------------------------------------------------------------------- */ 120/* Function: ipf_p_rpcb_main_unload */ 121/* Returns: void */ 122/* Parameters: (void) */ 123/* */ 124/* Destroy rpcbfr's mutex to avoid a lock leak. */ 125/* -------------------------------------------------------------------- */ 126void 127ipf_p_rpcb_main_unload() 128{ 129 if (rpcb_proxy_init == 1) { 130 MUTEX_DESTROY(&rpcbfr.fr_lock); 131 rpcb_proxy_init = 0; 132 } 133} 134 135/* -------------------------------------------------------------------- */ 136/* Function: ipf_p_rpcb_new */ 137/* Returns: int - -1 == failure, 0 == success */ 138/* Parameters: fin(I) - pointer to packet information */ 139/* aps(I) - pointer to proxy session structure */ 140/* nat(I) - pointer to NAT session structure */ 141/* */ 142/* Allocate resources for per-session proxy structures. */ 143/* -------------------------------------------------------------------- */ 144int 145ipf_p_rpcb_new(arg, fin, aps, nat) 146 void *arg; 147 fr_info_t *fin; 148 ap_session_t *aps; 149 nat_t *nat; 150{ 151 rpcb_session_t *rs; 152 153 nat = nat; /* LINT */ 154 155 if (fin->fin_v != 4) 156 return -1; 157 158 KMALLOC(rs, rpcb_session_t *); 159 if (rs == NULL) 160 return(-1); 161 162 bzero((char *)rs, sizeof(*rs)); 163 MUTEX_INIT(&rs->rs_rxlock, "ipf Sun RPCB proxy session lock"); 164 165 aps->aps_data = rs; 166 167 return(0); 168} 169 170/* -------------------------------------------------------------------- */ 171/* Function: ipf_p_rpcb_del */ 172/* Returns: void */ 173/* Parameters: aps(I) - pointer to proxy session structure */ 174/* */ 175/* Free up a session's list of RPCB requests. */ 176/* -------------------------------------------------------------------- */ 177void 178ipf_p_rpcb_del(softc, aps) 179 ipf_main_softc_t *softc; 180 ap_session_t *aps; 181{ 182 rpcb_session_t *rs; 183 rs = (rpcb_session_t *)aps->aps_data; 184 185 MUTEX_ENTER(&rs->rs_rxlock); 186 ipf_p_rpcb_flush(rs); 187 MUTEX_EXIT(&rs->rs_rxlock); 188 MUTEX_DESTROY(&rs->rs_rxlock); 189} 190 191/* -------------------------------------------------------------------- */ 192/* Function: ipf_p_rpcb_in */ 193/* Returns: int - APR_ERR(1) == drop the packet, */ 194/* APR_ERR(2) == kill the proxy session, */ 195/* else change in packet length (in bytes) */ 196/* Parameters: fin(I) - pointer to packet information */ 197/* ip(I) - pointer to packet header */ 198/* aps(I) - pointer to proxy session structure */ 199/* nat(I) - pointer to NAT session structure */ 200/* */ 201/* Given a presumed RPCB request, perform some minor tests and pass off */ 202/* for decoding. Also pass packet off for a rewrite if necessary. */ 203/* -------------------------------------------------------------------- */ 204int 205ipf_p_rpcb_in(arg, fin, aps, nat) 206 void *arg; 207 fr_info_t *fin; 208 ap_session_t *aps; 209 nat_t *nat; 210{ 211 rpc_msg_t rpcmsg, *rm; 212 rpcb_session_t *rs; 213 u_int off, dlen; 214 mb_t *m; 215 int rv; 216 217 /* Disallow fragmented or illegally short packets. */ 218 if ((fin->fin_flx & (FI_FRAG|FI_SHORT)) != 0) 219 return(APR_ERR(1)); 220 221 /* Perform basic variable initialization. */ 222 rs = (rpcb_session_t *)aps->aps_data; 223 224 m = fin->fin_m; 225 off = (char *)fin->fin_dp - (char *)fin->fin_ip; 226 off += sizeof(udphdr_t) + fin->fin_ipoff; 227 dlen = fin->fin_dlen - sizeof(udphdr_t); 228 229 /* Disallow packets outside legal range for supported requests. */ 230 if ((dlen < RPCB_REQMIN) || (dlen > RPCB_REQMAX)) 231 return(APR_ERR(1)); 232 233 /* Copy packet over to convenience buffer. */ 234 rm = &rpcmsg; 235 bzero((char *)rm, sizeof(*rm)); 236 COPYDATA(m, off, dlen, (caddr_t)&rm->rm_msgbuf); 237 rm->rm_buflen = dlen; 238 239 /* Send off to decode request. */ 240 rv = ipf_p_rpcb_decodereq(fin, nat, rs, rm); 241 242 switch(rv) 243 { 244 case -1: 245 return(APR_ERR(1)); 246 /*NOTREACHED*/ 247 break; 248 case 0: 249 break; 250 case 1: 251 rv = ipf_p_rpcb_modreq(fin, nat, rm, m, off); 252 break; 253 default: 254 /*CONSTANTCONDITION*/ 255 IPF_PANIC(1, ("illegal rv %d (ipf_p_rpcb_req)", rv)); 256 } 257 258 return(rv); 259} 260 261/* -------------------------------------------------------------------- */ 262/* Function: ipf_p_rpcb_out */ 263/* Returns: int - APR_ERR(1) == drop the packet, */ 264/* APR_ERR(2) == kill the proxy session, */ 265/* else change in packet length (in bytes) */ 266/* Parameters: fin(I) - pointer to packet information */ 267/* ip(I) - pointer to packet header */ 268/* aps(I) - pointer to proxy session structure */ 269/* nat(I) - pointer to NAT session structure */ 270/* */ 271/* Given a presumed RPCB reply, perform some minor tests and pass off */ 272/* for decoding. If the message indicates a successful request with */ 273/* valid addressing information, create NAT and state structures to */ 274/* allow direct communication between RPC client and server. */ 275/* -------------------------------------------------------------------- */ 276int 277ipf_p_rpcb_out(arg, fin, aps, nat) 278 void *arg; 279 fr_info_t *fin; 280 ap_session_t *aps; 281 nat_t *nat; 282{ 283 rpc_msg_t rpcmsg, *rm; 284 rpcb_session_t *rs; 285 rpcb_xact_t *rx; 286 u_int off, dlen; 287 int rv, diff; 288 mb_t *m; 289 290 /* Disallow fragmented or illegally short packets. */ 291 if ((fin->fin_flx & (FI_FRAG|FI_SHORT)) != 0) 292 return(APR_ERR(1)); 293 294 /* Perform basic variable initialization. */ 295 rs = (rpcb_session_t *)aps->aps_data; 296 rx = NULL; 297 298 m = fin->fin_m; 299 off = (char *)fin->fin_dp - (char *)fin->fin_ip; 300 off += sizeof(udphdr_t) + fin->fin_ipoff; 301 dlen = fin->fin_dlen - sizeof(udphdr_t); 302 diff = 0; 303 304 /* Disallow packets outside legal range for supported requests. */ 305 if ((dlen < RPCB_REPMIN) || (dlen > RPCB_REPMAX)) 306 return(APR_ERR(1)); 307 308 /* Copy packet over to convenience buffer. */ 309 rm = &rpcmsg; 310 bzero((char *)rm, sizeof(*rm)); 311 COPYDATA(m, off, dlen, (caddr_t)&rm->rm_msgbuf); 312 rm->rm_buflen = dlen; 313 314 rx = NULL; /* XXX gcc */ 315 316 /* Send off to decode reply. */ 317 rv = ipf_p_rpcb_decoderep(fin, nat, rs, rm, &rx); 318 319 switch(rv) 320 { 321 case -1: /* Bad packet */ 322 if (rx != NULL) { 323 MUTEX_ENTER(&rs->rs_rxlock); 324 ipf_p_rpcb_deref(rs, rx); 325 MUTEX_EXIT(&rs->rs_rxlock); 326 } 327 return(APR_ERR(1)); 328 /*NOTREACHED*/ 329 break; 330 case 0: /* Negative reply / request rejected */ 331 break; 332 case 1: /* Positive reply */ 333 /* 334 * With the IP address embedded in a GETADDR(LIST) reply, 335 * we'll need to rewrite the packet in the very possible 336 * event that the internal & external addresses aren't the 337 * same. (i.e., this box is either a router or rpcbind 338 * only listens on loopback.) 339 */ 340 if (nat->nat_odstaddr != nat->nat_ndstaddr) { 341 if (rx->rx_type == RPCB_RES_STRING) 342 diff = ipf_p_rpcb_modv3(fin, nat, rm, m, off); 343 else if (rx->rx_type == RPCB_RES_LIST) 344 diff = ipf_p_rpcb_modv4(fin, nat, rm, m, off); 345 } 346 break; 347 default: 348 /*CONSTANTCONDITION*/ 349 IPF_PANIC(1, ("illegal rv %d (ipf_p_rpcb_decoderep)", rv)); 350 } 351 352 if (rx != NULL) { 353 MUTEX_ENTER(&rs->rs_rxlock); 354 /* XXX Gross hack - I'm overloading the reference 355 * counter to deal with both threads and retransmitted 356 * requests. One deref signals that this thread is 357 * finished with rx, and the other signals that we've 358 * processed its reply. 359 */ 360 ipf_p_rpcb_deref(rs, rx); 361 ipf_p_rpcb_deref(rs, rx); 362 MUTEX_EXIT(&rs->rs_rxlock); 363 } 364 365 return(diff); 366} 367 368/* 369 * Private support subroutines 370 */ 371 372/* -------------------------------------------------------------------- */ 373/* Function: ipf_p_rpcb_flush */ 374/* Returns: void */ 375/* Parameters: rs(I) - pointer to RPCB session structure */ 376/* */ 377/* Simply flushes the list of outstanding transactions, if any. */ 378/* -------------------------------------------------------------------- */ 379static void 380ipf_p_rpcb_flush(rs) 381 rpcb_session_t *rs; 382{ 383 rpcb_xact_t *r1, *r2; 384 385 r1 = rs->rs_rxlist; 386 if (r1 == NULL) 387 return; 388 389 while (r1 != NULL) { 390 r2 = r1; 391 r1 = r1->rx_next; 392 KFREE(r2); 393 } 394} 395 396/* -------------------------------------------------------------------- */ 397/* Function: ipf_p_rpcb_decodereq */ 398/* Returns: int - -1 == bad request or critical failure, */ 399/* 0 == request successfully decoded, */ 400/* 1 == request successfully decoded; requires */ 401/* address rewrite/modification */ 402/* Parameters: fin(I) - pointer to packet information */ 403/* nat(I) - pointer to NAT session structure */ 404/* rs(I) - pointer to RPCB session structure */ 405/* rm(I) - pointer to RPC message structure */ 406/* */ 407/* Take a presumed RPCB request, decode it, and store the results in */ 408/* the transaction list. If the internal target address needs to be */ 409/* modified, store its location in ptr. */ 410/* WARNING: It's the responsibility of the caller to make sure there */ 411/* is enough room in rs_buf for the basic RPC message "preamble". */ 412/* -------------------------------------------------------------------- */ 413static int 414ipf_p_rpcb_decodereq(fin, nat, rs, rm) 415 fr_info_t *fin; 416 nat_t *nat; 417 rpcb_session_t *rs; 418 rpc_msg_t *rm; 419{ 420 rpcb_args_t *ra; 421 u_32_t xdr, *p; 422 rpc_call_t *rc; 423 rpcb_xact_t rx; 424 int mod; 425 426 p = (u_32_t *)rm->rm_msgbuf; 427 mod = 0; 428 429 bzero((char *)&rx, sizeof(rx)); 430 rc = &rm->rm_call; 431 432 rm->rm_xid = p; 433 rx.rx_xid = B(p++); /* Record this message's XID. */ 434 435 /* Parse out and test the RPC header. */ 436 if ((B(p++) != RPCB_CALL) || 437 (B(p++) != RPCB_MSG_VERSION) || 438 (B(p++) != RPCB_PROG)) 439 return(-1); 440 441 /* Record the RPCB version and procedure. */ 442 rc->rc_vers = p++; 443 rc->rc_proc = p++; 444 445 /* Bypass RPC authentication stuff. */ 446 if (ipf_p_rpcb_skipauth(rm, &rc->rc_authcred, &p) != 0) 447 return(-1); 448 if (ipf_p_rpcb_skipauth(rm, &rc->rc_authverf, &p) != 0) 449 return(-1); 450 451 /* Compare RPCB version and procedure numbers. */ 452 switch(B(rc->rc_vers)) 453 { 454 case 2: 455 /* This proxy only supports PMAP_GETPORT. */ 456 if (B(rc->rc_proc) != RPCB_GETPORT) 457 return(-1); 458 459 /* Portmap requests contain four 4 byte parameters. */ 460 if (RPCB_BUF_EQ(rm, p, 16) == 0) 461 return(-1); 462 463 p += 2; /* Skip requested program and version numbers. */ 464 465 /* Sanity check the requested protocol. */ 466 xdr = B(p); 467 if (!(xdr == IPPROTO_UDP || xdr == IPPROTO_TCP)) 468 return(-1); 469 470 rx.rx_type = RPCB_RES_PMAP; 471 rx.rx_proto = xdr; 472 break; 473 case 3: 474 case 4: 475 /* GETADDRLIST is exclusive to v4; GETADDR for v3 & v4 */ 476 switch(B(rc->rc_proc)) 477 { 478 case RPCB_GETADDR: 479 rx.rx_type = RPCB_RES_STRING; 480 rx.rx_proto = (u_int)fin->fin_p; 481 break; 482 case RPCB_GETADDRLIST: 483 if (B(rc->rc_vers) != 4) 484 return(-1); 485 rx.rx_type = RPCB_RES_LIST; 486 break; 487 default: 488 return(-1); 489 } 490 491 ra = &rc->rc_rpcbargs; 492 493 /* Decode the 'struct rpcb' request. */ 494 if (ipf_p_rpcb_xdrrpcb(rm, p, ra) != 0) 495 return(-1); 496 497 /* Are the target address & port valid? */ 498 if ((ra->ra_maddr.xu_ip != nat->nat_ndstaddr) || 499 (ra->ra_maddr.xu_port != nat->nat_ndport)) 500 return(-1); 501 502 /* Do we need to rewrite this packet? */ 503 if ((nat->nat_ndstaddr != nat->nat_odstaddr) || 504 (nat->nat_ndport != nat->nat_odport)) 505 mod = 1; 506 break; 507 default: 508 return(-1); 509 } 510 511 MUTEX_ENTER(&rs->rs_rxlock); 512 if (ipf_p_rpcb_insert(rs, &rx) != 0) { 513 MUTEX_EXIT(&rs->rs_rxlock); 514 return(-1); 515 } 516 MUTEX_EXIT(&rs->rs_rxlock); 517 518 return(mod); 519} 520 521/* -------------------------------------------------------------------- */ 522/* Function: ipf_p_rpcb_skipauth */ 523/* Returns: int -- -1 == illegal auth parameters (lengths) */ 524/* 0 == valid parameters, pointer advanced */ 525/* Parameters: rm(I) - pointer to RPC message structure */ 526/* auth(I) - pointer to RPC auth structure */ 527/* buf(IO) - pointer to location within convenience buffer */ 528/* */ 529/* Record auth data length & location of auth data, then advance past */ 530/* it. */ 531/* -------------------------------------------------------------------- */ 532static int 533ipf_p_rpcb_skipauth(rm, auth, buf) 534 rpc_msg_t *rm; 535 xdr_auth_t *auth; 536 u_32_t **buf; 537{ 538 u_32_t *p, xdr; 539 540 p = *buf; 541 542 /* Make sure we have enough space for expected fixed auth parms. */ 543 if (RPCB_BUF_GEQ(rm, p, 8) == 0) 544 return(-1); 545 546 p++; /* We don't care about auth_flavor. */ 547 548 auth->xa_string.xs_len = p; 549 xdr = B(p++); /* Length of auth_data */ 550 551 /* Test for absurdity / illegality of auth_data length. */ 552 if ((XDRALIGN(xdr) < xdr) || (RPCB_BUF_GEQ(rm, p, XDRALIGN(xdr)) == 0)) 553 return(-1); 554 555 auth->xa_string.xs_str = (char *)p; 556 557 p += XDRALIGN(xdr); /* Advance our location. */ 558 559 *buf = (u_32_t *)p; 560 561 return(0); 562} 563 564/* -------------------------------------------------------------------- */ 565/* Function: ipf_p_rpcb_insert */ 566/* Returns: int -- -1 == list insertion failed, */ 567/* 0 == item successfully added */ 568/* Parameters: rs(I) - pointer to RPCB session structure */ 569/* rx(I) - pointer to RPCB transaction structure */ 570/* -------------------------------------------------------------------- */ 571static int 572ipf_p_rpcb_insert(rs, rx) 573 rpcb_session_t *rs; 574 rpcb_xact_t *rx; 575{ 576 rpcb_xact_t *rxp; 577 578 rxp = ipf_p_rpcb_lookup(rs, rx->rx_xid); 579 if (rxp != NULL) { 580 ++rxp->rx_ref; 581 return(0); 582 } 583 584 if (rpcbcnt == RPCB_MAXREQS) 585 return(-1); 586 587 KMALLOC(rxp, rpcb_xact_t *); 588 if (rxp == NULL) 589 return(-1); 590 591 bcopy((char *)rx, (char *)rxp, sizeof(*rx)); 592 593 if (rs->rs_rxlist != NULL) 594 rs->rs_rxlist->rx_pnext = &rxp->rx_next; 595 596 rxp->rx_pnext = &rs->rs_rxlist; 597 rxp->rx_next = rs->rs_rxlist; 598 rs->rs_rxlist = rxp; 599 600 rxp->rx_ref = 1; 601 602 ++rpcbcnt; 603 604 return(0); 605} 606 607/* -------------------------------------------------------------------- */ 608/* Function: ipf_p_rpcb_xdrrpcb */ 609/* Returns: int -- -1 == failure to properly decode the request */ 610/* 0 == rpcb successfully decoded */ 611/* Parameters: rs(I) - pointer to RPCB session structure */ 612/* p(I) - pointer to location within session buffer */ 613/* rpcb(O) - pointer to rpcb (xdr type) structure */ 614/* */ 615/* Decode a XDR encoded rpcb structure and record its contents in rpcb */ 616/* within only the context of TCP/UDP over IP networks. */ 617/* -------------------------------------------------------------------- */ 618static int 619ipf_p_rpcb_xdrrpcb(rm, p, ra) 620 rpc_msg_t *rm; 621 u_32_t *p; 622 rpcb_args_t *ra; 623{ 624 if (!RPCB_BUF_GEQ(rm, p, 20)) 625 return(-1); 626 627 /* Bypass target program & version. */ 628 p += 2; 629 630 /* Decode r_netid. Must be "tcp" or "udp". */ 631 if (ipf_p_rpcb_getproto(rm, &ra->ra_netid, &p) != 0) 632 return(-1); 633 634 /* Decode r_maddr. */ 635 if (ipf_p_rpcb_getuaddr(rm, &ra->ra_maddr, &p) != 0) 636 return(-1); 637 638 /* Advance to r_owner and make sure it's empty. */ 639 if (!RPCB_BUF_EQ(rm, p, 4) || (B(p) != 0)) 640 return(-1); 641 642 return(0); 643} 644 645/* -------------------------------------------------------------------- */ 646/* Function: ipf_p_rpcb_getuaddr */ 647/* Returns: int -- -1 == illegal string, */ 648/* 0 == string parsed; contents recorded */ 649/* Parameters: rm(I) - pointer to RPC message structure */ 650/* xu(I) - pointer to universal address structure */ 651/* p(IO) - pointer to location within message buffer */ 652/* */ 653/* Decode the IP address / port at p and record them in xu. */ 654/* -------------------------------------------------------------------- */ 655static int 656ipf_p_rpcb_getuaddr(rm, xu, p) 657 rpc_msg_t *rm; 658 xdr_uaddr_t *xu; 659 u_32_t **p; 660{ 661 char *c, *i, *b, *pp; 662 u_int d, dd, l, t; 663 char uastr[24]; 664 665 /* Test for string length. */ 666 if (!RPCB_BUF_GEQ(rm, *p, 4)) 667 return(-1); 668 669 xu->xu_xslen = (*p)++; 670 xu->xu_xsstr = (char *)*p; 671 672 /* Length check */ 673 l = B(xu->xu_xslen); 674 if (l < 11 || l > 23 || !RPCB_BUF_GEQ(rm, *p, XDRALIGN(l))) 675 return(-1); 676 677 /* Advance p */ 678 *(char **)p += XDRALIGN(l); 679 680 /* Copy string to local buffer & terminate C style */ 681 bcopy(xu->xu_xsstr, uastr, l); 682 uastr[l] = '\0'; 683 684 i = (char *)&xu->xu_ip; 685 pp = (char *)&xu->xu_port; 686 687 /* 688 * Expected format: a.b.c.d.e.f where [a-d] correspond to bytes of 689 * an IP address and [ef] are the bytes of a L4 port. 690 */ 691 if (!(ISDIGIT(uastr[0]) && ISDIGIT(uastr[l-1]))) 692 return(-1); 693 b = uastr; 694 for (c = &uastr[1], d = 0, dd = 0; c < &uastr[l-1]; c++) { 695 if (ISDIGIT(*c)) { 696 dd = 0; 697 continue; 698 } 699 if (*c == '.') { 700 if (dd != 0) 701 return(-1); 702 703 /* Check for ASCII byte. */ 704 *c = '\0'; 705 t = ipf_p_rpcb_atoi(b); 706 if (t > 255) 707 return(-1); 708 709 /* Aim b at beginning of the next byte. */ 710 b = c + 1; 711 712 /* Switch off IP addr vs port parsing. */ 713 if (d < 4) 714 i[d++] = t & 0xff; 715 else 716 pp[d++ - 4] = t & 0xff; 717 718 dd = 1; 719 continue; 720 } 721 return(-1); 722 } 723 if (d != 5) /* String must contain exactly 5 periods. */ 724 return(-1); 725 726 /* Handle the last byte (port low byte) */ 727 t = ipf_p_rpcb_atoi(b); 728 if (t > 255) 729 return(-1); 730 pp[d - 4] = t & 0xff; 731 732 return(0); 733} 734 735/* -------------------------------------------------------------------- */ 736/* Function: ipf_p_rpcb_atoi (XXX should be generic for all proxies) */ 737/* Returns: int -- integer representation of supplied string */ 738/* Parameters: ptr(I) - input string */ 739/* */ 740/* Simple version of atoi(3) ripped from ip_rcmd_pxy.c. */ 741/* -------------------------------------------------------------------- */ 742static u_int 743ipf_p_rpcb_atoi(ptr) 744 char *ptr; 745{ 746 register char *s = ptr, c; 747 register u_int i = 0; 748 749 while (((c = *s++) != '\0') && ISDIGIT(c)) { 750 i *= 10; 751 i += c - '0'; 752 } 753 return i; 754} 755 756/* -------------------------------------------------------------------- */ 757/* Function: ipf_p_rpcb_modreq */ 758/* Returns: int -- change in datagram length */ 759/* APR_ERR(2) - critical failure */ 760/* Parameters: fin(I) - pointer to packet information */ 761/* nat(I) - pointer to NAT session */ 762/* rm(I) - pointer to RPC message structure */ 763/* m(I) - pointer to mbuf chain */ 764/* off(I) - current offset within mbuf chain */ 765/* */ 766/* When external and internal addresses differ, we rewrite the former */ 767/* with the latter. (This is exclusive to protocol versions 3 & 4). */ 768/* -------------------------------------------------------------------- */ 769static int 770ipf_p_rpcb_modreq(fin, nat, rm, m, off) 771 fr_info_t *fin; 772 nat_t *nat; 773 rpc_msg_t *rm; 774 mb_t *m; 775 u_int off; 776{ 777 u_int len, xlen, pos, bogo; 778 rpcb_args_t *ra; 779 char uaddr[24]; 780 udphdr_t *udp; 781 char *i, *p; 782 int diff; 783 784 ra = &rm->rm_call.rc_rpcbargs; 785 i = (char *)&nat->nat_odstaddr; 786 p = (char *)&nat->nat_odport; 787 788 /* Form new string. */ 789 bzero(uaddr, sizeof(uaddr)); /* Just in case we need padding. */ 790#if defined(SNPRINTF) && defined(_KERNEL) 791 SNPRINTF(uaddr, sizeof(uaddr), 792#else 793 (void) sprintf(uaddr, 794#endif 795 "%u.%u.%u.%u.%u.%u", i[0] & 0xff, i[1] & 0xff, 796 i[2] & 0xff, i[3] & 0xff, p[0] & 0xff, p[1] & 0xff); 797 len = strlen(uaddr); 798 xlen = XDRALIGN(len); 799 800 /* Determine mbuf offset to start writing to. */ 801 pos = (char *)ra->ra_maddr.xu_xslen - rm->rm_msgbuf; 802 off += pos; 803 804 /* Write new string length. */ 805 bogo = htonl(len); 806 COPYBACK(m, off, 4, (caddr_t)&bogo); 807 off += 4; 808 809 /* Write new string. */ 810 COPYBACK(m, off, xlen, uaddr); 811 off += xlen; 812 813 /* Write in zero r_owner. */ 814 bogo = 0; 815 COPYBACK(m, off, 4, (caddr_t)&bogo); 816 817 /* Determine difference in data lengths. */ 818 diff = xlen - XDRALIGN(B(ra->ra_maddr.xu_xslen)); 819 820 /* 821 * If our new string has a different length, make necessary 822 * adjustments. 823 */ 824 if (diff != 0) { 825 udp = fin->fin_dp; 826 udp->uh_ulen = htons(ntohs(udp->uh_ulen) + diff); 827 fin->fin_plen += diff; 828 fin->fin_ip->ip_len = htons(fin->fin_plen); 829 fin->fin_dlen += diff; 830 /* XXX Storage lengths. */ 831 } 832 833 return(diff); 834} 835 836/* -------------------------------------------------------------------- */ 837/* Function: ipf_p_rpcb_decoderep */ 838/* Returns: int - -1 == bad request or critical failure, */ 839/* 0 == valid, negative reply */ 840/* 1 == vaddlid, positive reply; needs no changes */ 841/* Parameters: fin(I) - pointer to packet information */ 842/* nat(I) - pointer to NAT session structure */ 843/* rs(I) - pointer to RPCB session structure */ 844/* rm(I) - pointer to RPC message structure */ 845/* rxp(O) - pointer to RPCB transaction structure */ 846/* */ 847/* Take a presumed RPCB reply, extract the XID, search for the original */ 848/* request information, and determine whether the request was accepted */ 849/* or rejected. With a valid accepted reply, go ahead and create NAT */ 850/* and state entries, and finish up by rewriting the packet as */ 851/* required. */ 852/* */ 853/* WARNING: It's the responsibility of the caller to make sure there */ 854/* is enough room in rs_buf for the basic RPC message "preamble". */ 855/* -------------------------------------------------------------------- */ 856static int 857ipf_p_rpcb_decoderep(fin, nat, rs, rm, rxp) 858 fr_info_t *fin; 859 nat_t *nat; 860 rpcb_session_t *rs; 861 rpc_msg_t *rm; 862 rpcb_xact_t **rxp; 863{ 864 rpcb_listp_t *rl; 865 rpcb_entry_t *re; 866 rpcb_xact_t *rx; 867 u_32_t xdr, *p; 868 rpc_resp_t *rr; 869 int rv, cnt; 870 871 p = (u_32_t *)rm->rm_msgbuf; 872 873 bzero((char *)&rx, sizeof(rx)); 874 rr = &rm->rm_resp; 875 876 rm->rm_xid = p; 877 xdr = B(p++); /* Record this message's XID. */ 878 879 /* Lookup XID */ 880 MUTEX_ENTER(&rs->rs_rxlock); 881 if ((rx = ipf_p_rpcb_lookup(rs, xdr)) == NULL) { 882 MUTEX_EXIT(&rs->rs_rxlock); 883 return(-1); 884 } 885 ++rx->rx_ref; /* per thread reference */ 886 MUTEX_EXIT(&rs->rs_rxlock); 887 888 *rxp = rx; 889 890 /* Test call vs reply */ 891 if (B(p++) != RPCB_REPLY) 892 return(-1); 893 894 /* Test reply_stat */ 895 switch(B(p++)) 896 { 897 case RPCB_MSG_DENIED: 898 return(0); 899 case RPCB_MSG_ACCEPTED: 900 break; 901 default: 902 return(-1); 903 } 904 905 /* Bypass RPC authentication stuff. */ 906 if (ipf_p_rpcb_skipauth(rm, &rr->rr_authverf, &p) != 0) 907 return(-1); 908 909 /* Test accept status */ 910 if (!RPCB_BUF_GEQ(rm, p, 4)) 911 return(-1); 912 if (B(p++) != 0) 913 return(0); 914 915 /* Parse out the expected reply */ 916 switch(rx->rx_type) 917 { 918 case RPCB_RES_PMAP: 919 /* There must be only one 4 byte argument. */ 920 if (!RPCB_BUF_EQ(rm, p, 4)) 921 return(-1); 922 923 rr->rr_v2 = p; 924 xdr = B(rr->rr_v2); 925 926 /* Reply w/ a 0 port indicates service isn't registered */ 927 if (xdr == 0) 928 return(0); 929 930 /* Is the value sane? */ 931 if (xdr > 65535) 932 return(-1); 933 934 /* Create NAT & state table entries. */ 935 if (ipf_p_rpcb_getnat(fin, nat, rx->rx_proto, (u_int)xdr) != 0) 936 return(-1); 937 break; 938 case RPCB_RES_STRING: 939 /* Expecting a XDR string; need 4 bytes for length */ 940 if (!RPCB_BUF_GEQ(rm, p, 4)) 941 return(-1); 942 943 rr->rr_v3.xu_str.xs_len = p++; 944 rr->rr_v3.xu_str.xs_str = (char *)p; 945 946 xdr = B(rr->rr_v3.xu_xslen); 947 948 /* A null string indicates an unregistered service */ 949 if ((xdr == 0) && RPCB_BUF_EQ(rm, p, 0)) 950 return(0); 951 952 /* Decode the target IP address / port. */ 953 if (ipf_p_rpcb_getuaddr(rm, &rr->rr_v3, &p) != 0) 954 return(-1); 955 956 /* Validate the IP address and port contained. */ 957 if (nat->nat_odstaddr != rr->rr_v3.xu_ip) 958 return(-1); 959 960 /* Create NAT & state table entries. */ 961 if (ipf_p_rpcb_getnat(fin, nat, rx->rx_proto, 962 (u_int)rr->rr_v3.xu_port) != 0) 963 return(-1); 964 break; 965 case RPCB_RES_LIST: 966 if (!RPCB_BUF_GEQ(rm, p, 4)) 967 return(-1); 968 /* rpcb_entry_list_ptr */ 969 switch(B(p)) 970 { 971 case 0: 972 return(0); 973 /*NOTREACHED*/ 974 break; 975 case 1: 976 break; 977 default: 978 return(-1); 979 } 980 rl = &rr->rr_v4; 981 rl->rl_list = p++; 982 cnt = 0; 983 984 for(;;) { 985 re = &rl->rl_entries[rl->rl_cnt]; 986 if (ipf_p_rpcb_getuaddr(rm, &re->re_maddr, &p) != 0) 987 return(-1); 988 if (ipf_p_rpcb_getproto(rm, &re->re_netid, &p) != 0) 989 return(-1); 990 /* re_semantics & re_pfamily length */ 991 if (!RPCB_BUF_GEQ(rm, p, 12)) 992 return(-1); 993 p++; /* Skipping re_semantics. */ 994 xdr = B(p++); 995 if ((xdr != 4) || strncmp((char *)p, "inet", 4)) 996 return(-1); 997 p++; 998 if (ipf_p_rpcb_getproto(rm, &re->re_proto, &p) != 0) 999 return(-1); 1000 if (!RPCB_BUF_GEQ(rm, p, 4)) 1001 return(-1); 1002 re->re_more = p; 1003 if (B(re->re_more) > 1) /* 0,1 only legal values */ 1004 return(-1); 1005 ++rl->rl_cnt; 1006 ++cnt; 1007 if (B(re->re_more) == 0) 1008 break; 1009 /* Replies in max out at 2; TCP and/or UDP */ 1010 if (cnt > 2) 1011 return(-1); 1012 p++; 1013 } 1014 1015 for(rl->rl_cnt = 0; rl->rl_cnt < cnt; rl->rl_cnt++) { 1016 re = &rl->rl_entries[rl->rl_cnt]; 1017 rv = ipf_p_rpcb_getnat(fin, nat, 1018 re->re_proto.xp_proto, 1019 (u_int)re->re_maddr.xu_port); 1020 if (rv != 0) 1021 return(-1); 1022 } 1023 break; 1024 default: 1025 /*CONSTANTCONDITION*/ 1026 IPF_PANIC(1, ("illegal rx_type %d", rx->rx_type)); 1027 } 1028 1029 return(1); 1030} 1031 1032/* -------------------------------------------------------------------- */ 1033/* Function: ipf_p_rpcb_lookup */ 1034/* Returns: rpcb_xact_t * - NULL == no matching record, */ 1035/* else pointer to relevant entry */ 1036/* Parameters: rs(I) - pointer to RPCB session */ 1037/* xid(I) - XID to look for */ 1038/* -------------------------------------------------------------------- */ 1039static rpcb_xact_t * 1040ipf_p_rpcb_lookup(rs, xid) 1041 rpcb_session_t *rs; 1042 u_32_t xid; 1043{ 1044 rpcb_xact_t *rx; 1045 1046 if (rs->rs_rxlist == NULL) 1047 return(NULL); 1048 1049 for (rx = rs->rs_rxlist; rx != NULL; rx = rx->rx_next) 1050 if (rx->rx_xid == xid) 1051 break; 1052 1053 return(rx); 1054} 1055 1056/* -------------------------------------------------------------------- */ 1057/* Function: ipf_p_rpcb_deref */ 1058/* Returns: (void) */ 1059/* Parameters: rs(I) - pointer to RPCB session */ 1060/* rx(I) - pointer to RPC transaction struct to remove */ 1061/* force(I) - indicates to delete entry regardless of */ 1062/* reference count */ 1063/* Locking: rs->rs_rxlock must be held write only */ 1064/* */ 1065/* Free the RPCB transaction record rx from the chain of entries. */ 1066/* -------------------------------------------------------------------- */ 1067static void 1068ipf_p_rpcb_deref(rs, rx) 1069 rpcb_session_t *rs; 1070 rpcb_xact_t *rx; 1071{ 1072 rs = rs; /* LINT */ 1073 1074 if (rx == NULL) 1075 return; 1076 1077 if (--rx->rx_ref != 0) 1078 return; 1079 1080 if (rx->rx_next != NULL) 1081 rx->rx_next->rx_pnext = rx->rx_pnext; 1082 1083 *rx->rx_pnext = rx->rx_next; 1084 1085 KFREE(rx); 1086 1087 --rpcbcnt; 1088} 1089 1090/* -------------------------------------------------------------------- */ 1091/* Function: ipf_p_rpcb_getproto */ 1092/* Returns: int - -1 == illegal protocol/netid, */ 1093/* 0 == legal protocol/netid */ 1094/* Parameters: rm(I) - pointer to RPC message structure */ 1095/* xp(I) - pointer to netid structure */ 1096/* p(IO) - pointer to location within packet buffer */ 1097/* */ 1098/* Decode netid/proto stored at p and record its numeric value. */ 1099/* -------------------------------------------------------------------- */ 1100static int 1101ipf_p_rpcb_getproto(rm, xp, p) 1102 rpc_msg_t *rm; 1103 xdr_proto_t *xp; 1104 u_32_t **p; 1105{ 1106 u_int len; 1107 1108 /* Must have 4 bytes for length & 4 bytes for "tcp" or "udp". */ 1109 if (!RPCB_BUF_GEQ(rm, p, 8)) 1110 return(-1); 1111 1112 xp->xp_xslen = (*p)++; 1113 xp->xp_xsstr = (char *)*p; 1114 1115 /* Test the string length. */ 1116 len = B(xp->xp_xslen); 1117 if (len != 3) 1118 return(-1); 1119 1120 /* Test the actual string & record the protocol accordingly. */ 1121 if (!strncmp((char *)xp->xp_xsstr, "tcp\0", 4)) 1122 xp->xp_proto = IPPROTO_TCP; 1123 else if (!strncmp((char *)xp->xp_xsstr, "udp\0", 4)) 1124 xp->xp_proto = IPPROTO_UDP; 1125 else { 1126 return(-1); 1127 } 1128 1129 /* Advance past the string. */ 1130 (*p)++; 1131 1132 return(0); 1133} 1134 1135/* -------------------------------------------------------------------- */ 1136/* Function: ipf_p_rpcb_getnat */ 1137/* Returns: int -- -1 == failed to create table entries, */ 1138/* 0 == success */ 1139/* Parameters: fin(I) - pointer to packet information */ 1140/* nat(I) - pointer to NAT table entry */ 1141/* proto(I) - transport protocol for new entries */ 1142/* port(I) - new port to use w/ wildcard table entries */ 1143/* */ 1144/* Create state and NAT entries to handle an anticipated connection */ 1145/* attempt between RPC client and server. */ 1146/* -------------------------------------------------------------------- */ 1147static int 1148ipf_p_rpcb_getnat(fin, nat, proto, port) 1149 fr_info_t *fin; 1150 nat_t *nat; 1151 u_int proto; 1152 u_int port; 1153{ 1154 ipf_main_softc_t *softc = fin->fin_main_soft; 1155 ipnat_t *ipn, ipnat; 1156 tcphdr_t tcp; 1157 ipstate_t *is; 1158 fr_info_t fi; 1159 nat_t *natl; 1160 int nflags; 1161 1162 ipn = nat->nat_ptr; 1163 1164 /* Generate dummy fr_info */ 1165 bcopy((char *)fin, (char *)&fi, sizeof(fi)); 1166 fi.fin_out = 0; 1167 fi.fin_p = proto; 1168 fi.fin_sport = 0; 1169 fi.fin_dport = port & 0xffff; 1170 fi.fin_flx |= FI_IGNORE; 1171 fi.fin_saddr = nat->nat_osrcaddr; 1172 fi.fin_daddr = nat->nat_odstaddr; 1173 1174 bzero((char *)&tcp, sizeof(tcp)); 1175 tcp.th_dport = htons(port); 1176 1177 if (proto == IPPROTO_TCP) { 1178 tcp.th_win = htons(8192); 1179 TCP_OFF_A(&tcp, sizeof(tcphdr_t) >> 2); 1180 fi.fin_dlen = sizeof(tcphdr_t); 1181 tcp.th_flags = TH_SYN; 1182 nflags = NAT_TCP; 1183 } else { 1184 fi.fin_dlen = sizeof(udphdr_t); 1185 nflags = NAT_UDP; 1186 } 1187 1188 nflags |= SI_W_SPORT|NAT_SEARCH; 1189 fi.fin_dp = &tcp; 1190 fi.fin_plen = fi.fin_hlen + fi.fin_dlen; 1191 1192 /* 1193 * Search for existing NAT & state entries. Pay close attention to 1194 * mutexes / locks grabbed from lookup routines, as not doing so could 1195 * lead to bad things. 1196 * 1197 * If successful, fr_stlookup returns with ipf_state locked. We have 1198 * no use for this lock, so simply unlock it if necessary. 1199 */ 1200 is = ipf_state_lookup(&fi, &tcp, NULL); 1201 if (is != NULL) { 1202 RWLOCK_EXIT(&softc->ipf_state); 1203 } 1204 1205 RWLOCK_EXIT(&softc->ipf_nat); 1206 1207 WRITE_ENTER(&softc->ipf_nat); 1208 natl = ipf_nat_inlookup(&fi, nflags, proto, fi.fin_src, fi.fin_dst); 1209 1210 if ((natl != NULL) && (is != NULL)) { 1211 MUTEX_DOWNGRADE(&softc->ipf_nat); 1212 return(0); 1213 } 1214 1215 /* Slightly modify the following structures for actual use in creating 1216 * NAT and/or state entries. We're primarily concerned with stripping 1217 * flags that may be detrimental to the creation process or simply 1218 * shouldn't be associated with a table entry. 1219 */ 1220 fi.fin_fr = &rpcbfr; 1221 fi.fin_flx &= ~FI_IGNORE; 1222 nflags &= ~NAT_SEARCH; 1223 1224 if (natl == NULL) { 1225#ifdef USE_MUTEXES 1226 ipf_nat_softc_t *softn = softc->ipf_nat_soft; 1227#endif 1228 1229 /* XXX Since we're just copying the original ipn contents 1230 * back, would we be better off just sending a pointer to 1231 * the 'temp' copy off to nat_new instead? 1232 */ 1233 /* Generate template/bogus NAT rule. */ 1234 bcopy((char *)ipn, (char *)&ipnat, sizeof(ipnat)); 1235 ipn->in_flags = nflags & IPN_TCPUDP; 1236 ipn->in_apr = NULL; 1237 ipn->in_pr[0] = proto; 1238 ipn->in_pr[1] = proto; 1239 ipn->in_dpmin = fi.fin_dport; 1240 ipn->in_dpmax = fi.fin_dport; 1241 ipn->in_dpnext = fi.fin_dport; 1242 ipn->in_space = 1; 1243 ipn->in_ippip = 1; 1244 if (ipn->in_flags & IPN_FILTER) { 1245 ipn->in_scmp = 0; 1246 ipn->in_dcmp = 0; 1247 } 1248 ipn->in_plabel = -1; 1249 1250 /* Create NAT entry. return NULL if this fails. */ 1251 MUTEX_ENTER(&softn->ipf_nat_new); 1252 natl = ipf_nat_add(&fi, ipn, NULL, nflags|SI_CLONE|NAT_SLAVE, 1253 NAT_INBOUND); 1254 MUTEX_EXIT(&softn->ipf_nat_new); 1255 1256 bcopy((char *)&ipnat, (char *)ipn, sizeof(ipnat)); 1257 1258 if (natl == NULL) { 1259 MUTEX_DOWNGRADE(&softc->ipf_nat); 1260 return(-1); 1261 } 1262 1263 natl->nat_ptr = ipn; 1264 fi.fin_saddr = natl->nat_nsrcaddr; 1265 fi.fin_daddr = natl->nat_ndstaddr; 1266 ipn->in_use++; 1267 (void) ipf_nat_proto(&fi, natl, nflags); 1268 MUTEX_ENTER(&natl->nat_lock); 1269 ipf_nat_update(&fi, natl); 1270 MUTEX_EXIT(&natl->nat_lock); 1271 } 1272 MUTEX_DOWNGRADE(&softc->ipf_nat); 1273 1274 if (is == NULL) { 1275 /* Create state entry. Return NULL if this fails. */ 1276 fi.fin_flx |= FI_NATED; 1277 fi.fin_flx &= ~FI_STATE; 1278 nflags &= NAT_TCPUDP; 1279 nflags |= SI_W_SPORT|SI_CLONE; 1280 1281 if (ipf_state_add(softc, &fi, NULL, nflags) != 0) { 1282 /* 1283 * XXX nat_delete is private to ip_nat.c. Should 1284 * check w/ Darren about this one. 1285 * 1286 * nat_delete(natl, NL_EXPIRE); 1287 */ 1288 return(-1); 1289 } 1290 } 1291 1292 return(0); 1293} 1294 1295/* -------------------------------------------------------------------- */ 1296/* Function: ipf_p_rpcb_modv3 */ 1297/* Returns: int -- change in packet length */ 1298/* Parameters: fin(I) - pointer to packet information */ 1299/* nat(I) - pointer to NAT session */ 1300/* rm(I) - pointer to RPC message structure */ 1301/* m(I) - pointer to mbuf chain */ 1302/* off(I) - offset within mbuf chain */ 1303/* */ 1304/* Write a new universal address string to this packet, adjusting */ 1305/* lengths as necessary. */ 1306/* -------------------------------------------------------------------- */ 1307static int 1308ipf_p_rpcb_modv3(fin, nat, rm, m, off) 1309 fr_info_t *fin; 1310 nat_t *nat; 1311 rpc_msg_t *rm; 1312 mb_t *m; 1313 u_int off; 1314{ 1315 u_int len, xlen, pos, bogo; 1316 rpc_resp_t *rr; 1317 char uaddr[24]; 1318 char *i, *p; 1319 int diff; 1320 1321 rr = &rm->rm_resp; 1322 i = (char *)&nat->nat_ndstaddr; 1323 p = (char *)&rr->rr_v3.xu_port; 1324 1325 /* Form new string. */ 1326 bzero(uaddr, sizeof(uaddr)); /* Just in case we need padding. */ 1327#if defined(SNPRINTF) && defined(_KERNEL) 1328 SNPRINTF(uaddr, sizeof(uaddr), 1329#else 1330 (void) sprintf(uaddr, 1331#endif 1332 "%u.%u.%u.%u.%u.%u", i[0] & 0xff, i[1] & 0xff, 1333 i[2] & 0xff, i[3] & 0xff, p[0] & 0xff, p[1] & 0xff); 1334 len = strlen(uaddr); 1335 xlen = XDRALIGN(len); 1336 1337 /* Determine mbuf offset to write to. */ 1338 pos = (char *)rr->rr_v3.xu_xslen - rm->rm_msgbuf; 1339 off += pos; 1340 1341 /* Write new string length. */ 1342 bogo = htonl(len); 1343 COPYBACK(m, off, 4, (caddr_t)&bogo); 1344 off += 4; 1345 1346 /* Write new string. */ 1347 COPYBACK(m, off, xlen, uaddr); 1348 1349 /* Determine difference in data lengths. */ 1350 diff = xlen - XDRALIGN(B(rr->rr_v3.xu_xslen)); 1351 1352 /* 1353 * If our new string has a different length, make necessary 1354 * adjustments. 1355 */ 1356 if (diff != 0) 1357 ipf_p_rpcb_fixlen(fin, diff); 1358 1359 return(diff); 1360} 1361 1362/* -------------------------------------------------------------------- */ 1363/* Function: ipf_p_rpcb_modv4 */ 1364/* Returns: int -- change in packet length */ 1365/* Parameters: fin(I) - pointer to packet information */ 1366/* nat(I) - pointer to NAT session */ 1367/* rm(I) - pointer to RPC message structure */ 1368/* m(I) - pointer to mbuf chain */ 1369/* off(I) - offset within mbuf chain */ 1370/* */ 1371/* Write new rpcb_entry list, adjusting lengths as necessary. */ 1372/* -------------------------------------------------------------------- */ 1373static int 1374ipf_p_rpcb_modv4(fin, nat, rm, m, off) 1375 fr_info_t *fin; 1376 nat_t *nat; 1377 rpc_msg_t *rm; 1378 mb_t *m; 1379 u_int off; 1380{ 1381 u_int len, xlen, pos, bogo; 1382 rpcb_listp_t *rl; 1383 rpcb_entry_t *re; 1384 rpc_resp_t *rr; 1385 char uaddr[24]; 1386 int diff, cnt; 1387 char *i, *p; 1388 1389 diff = 0; 1390 rr = &rm->rm_resp; 1391 rl = &rr->rr_v4; 1392 1393 i = (char *)&nat->nat_ndstaddr; 1394 1395 /* Determine mbuf offset to write to. */ 1396 re = &rl->rl_entries[0]; 1397 pos = (char *)re->re_maddr.xu_xslen - rm->rm_msgbuf; 1398 off += pos; 1399 1400 for (cnt = 0; cnt < rl->rl_cnt; cnt++) { 1401 re = &rl->rl_entries[cnt]; 1402 p = (char *)&re->re_maddr.xu_port; 1403 1404 /* Form new string. */ 1405 bzero(uaddr, sizeof(uaddr)); /* Just in case we need 1406 padding. */ 1407#if defined(SNPRINTF) && defined(_KERNEL) 1408 SNPRINTF(uaddr, sizeof(uaddr), 1409#else 1410 (void) sprintf(uaddr, 1411#endif 1412 "%u.%u.%u.%u.%u.%u", i[0] & 0xff, 1413 i[1] & 0xff, i[2] & 0xff, i[3] & 0xff, 1414 p[0] & 0xff, p[1] & 0xff); 1415 len = strlen(uaddr); 1416 xlen = XDRALIGN(len); 1417 1418 /* Write new string length. */ 1419 bogo = htonl(len); 1420 COPYBACK(m, off, 4, (caddr_t)&bogo); 1421 off += 4; 1422 1423 /* Write new string. */ 1424 COPYBACK(m, off, xlen, uaddr); 1425 off += xlen; 1426 1427 /* Record any change in length. */ 1428 diff += xlen - XDRALIGN(B(re->re_maddr.xu_xslen)); 1429 1430 /* If the length changed, copy back the rest of this entry. */ 1431 len = ((char *)re->re_more + 4) - 1432 (char *)re->re_netid.xp_xslen; 1433 if (diff != 0) { 1434 COPYBACK(m, off, len, (caddr_t)re->re_netid.xp_xslen); 1435 } 1436 off += len; 1437 } 1438 1439 /* 1440 * If our new string has a different length, make necessary 1441 * adjustments. 1442 */ 1443 if (diff != 0) 1444 ipf_p_rpcb_fixlen(fin, diff); 1445 1446 return(diff); 1447} 1448 1449 1450/* -------------------------------------------------------------------- */ 1451/* Function: ipf_p_rpcb_fixlen */ 1452/* Returns: (void) */ 1453/* Parameters: fin(I) - pointer to packet information */ 1454/* len(I) - change in packet length */ 1455/* */ 1456/* Adjust various packet related lengths held in structure and packet */ 1457/* header fields. */ 1458/* -------------------------------------------------------------------- */ 1459static void 1460ipf_p_rpcb_fixlen(fin, len) 1461 fr_info_t *fin; 1462 int len; 1463{ 1464 udphdr_t *udp; 1465 1466 udp = fin->fin_dp; 1467 udp->uh_ulen = htons(ntohs(udp->uh_ulen) + len); 1468 fin->fin_plen += len; 1469 fin->fin_ip->ip_len = htons(fin->fin_plen); 1470 fin->fin_dlen += len; 1471} 1472 1473#undef B 1474