1/* $NetBSD: ip_rpcb_pxy.c,v 1.3 2012/07/22 14:27:51 darrenr Exp $ */ 2 3/* 4 * Copyright (C) 2002-2012 by Ryan Beasley <ryanb@goddamnbastard.org> 5 * 6 * See the IPFILTER.LICENCE file for details on licencing. 7 */ 8/* 9 * Overview: 10 * This is an in-kernel application proxy for Sun's RPCBIND (nee portmap) 11 * protocol as defined in RFC1833. It is far from complete, mostly 12 * lacking in less-likely corner cases, but it's definitely functional. 13 * 14 * Invocation: 15 * rdr <int> <e_ip>/32 port <e_p> -> <i_ip> port <i_p> udp proxy rpcbu 16 * 17 * If the host running IP Filter is the same as the RPC server, it's 18 * perfectly legal for both the internal and external addresses and ports 19 * to match. 20 * 21 * When triggered by appropriate IP NAT rules, this proxy works by 22 * examining data contained in received packets. Requests and replies are 23 * modified, NAT and state table entries created, etc., as necessary. 24 */ 25/* 26 * TODO / NOTES 27 * 28 * o Must implement locking to protect proxy session data. 29 * o Fragmentation isn't supported. 30 * o Only supports UDP. 31 * o Doesn't support multiple RPC records in a single request. 32 * o Errors should be more fine-grained. (e.g., malloc failure vs. 33 * illegal RPCB request / reply) 34 * o Even with the limit on the total amount of recorded transactions, 35 * should there be a timeout on transaction removal? 36 * o There is a potential collision between cloning, wildcard NAT and 37 * state entries. There should be an appr_getport routine for 38 * to avoid this. 39 * o The enclosed hack of STREAMS support is pretty sick and most likely 40 * broken. 41 * 42 * Id: ip_rpcb_pxy.c,v 1.1.1.2 2012/07/22 13:45:34 darrenr Exp 43 */ 44 45#include <sys/cdefs.h> 46__KERNEL_RCSID(1, "$NetBSD: ip_rpcb_pxy.c,v 1.3 2012/07/22 14:27:51 darrenr Exp $"); 47 48#define IPF_RPCB_PROXY 49 50/* 51 * Function prototypes 52 */ 53void ipf_p_rpcb_main_load(void); 54void ipf_p_rpcb_main_unload(void); 55int ipf_p_rpcb_new(void *, fr_info_t *, ap_session_t *, nat_t *); 56void ipf_p_rpcb_del(ipf_main_softc_t *, ap_session_t *); 57int ipf_p_rpcb_in(void *, fr_info_t *, ap_session_t *, nat_t *); 58int ipf_p_rpcb_out(void *, fr_info_t *, ap_session_t *, nat_t *); 59 60static void ipf_p_rpcb_flush(rpcb_session_t *); 61static int ipf_p_rpcb_decodereq(fr_info_t *, nat_t *, 62 rpcb_session_t *, rpc_msg_t *); 63static int ipf_p_rpcb_skipauth(rpc_msg_t *, xdr_auth_t *, u_32_t **); 64static int ipf_p_rpcb_insert(rpcb_session_t *, rpcb_xact_t *); 65static int ipf_p_rpcb_xdrrpcb(rpc_msg_t *, u_32_t *, rpcb_args_t *); 66static int ipf_p_rpcb_getuaddr(rpc_msg_t *, xdr_uaddr_t *, 67 u_32_t **); 68static u_int ipf_p_rpcb_atoi(char *); 69static int ipf_p_rpcb_modreq(fr_info_t *, nat_t *, rpc_msg_t *, 70 mb_t *, u_int); 71static int ipf_p_rpcb_decoderep(fr_info_t *, nat_t *, 72 rpcb_session_t *, rpc_msg_t *, rpcb_xact_t **); 73static rpcb_xact_t * ipf_p_rpcb_lookup(rpcb_session_t *, u_32_t); 74static void ipf_p_rpcb_deref(rpcb_session_t *, rpcb_xact_t *); 75static int ipf_p_rpcb_getproto(rpc_msg_t *, xdr_proto_t *, 76 u_32_t **); 77static int ipf_p_rpcb_getnat(fr_info_t *, nat_t *, u_int, u_int); 78static int ipf_p_rpcb_modv3(fr_info_t *, nat_t *, rpc_msg_t *, 79 mb_t *, u_int); 80static int ipf_p_rpcb_modv4(fr_info_t *, nat_t *, rpc_msg_t *, 81 mb_t *, u_int); 82static void ipf_p_rpcb_fixlen(fr_info_t *, int); 83 84/* 85 * Global variables 86 */ 87static frentry_t rpcbfr; /* Skeleton rule for reference by entities 88 this proxy creates. */ 89static int rpcbcnt; /* Upper bound of allocated RPCB sessions. */ 90 /* XXX rpcbcnt still requires locking. */ 91 92static int rpcb_proxy_init = 0; 93 94 95/* 96 * Since rpc_msg contains only pointers, one should use this macro as a 97 * handy way to get to the goods. (In case you're wondering about the name, 98 * this started as BYTEREF -> BREF -> B.) 99 */ 100#define B(r) (u_32_t)ntohl(*(r)) 101 102/* 103 * Public subroutines 104 */ 105 106/* -------------------------------------------------------------------- */ 107/* Function: ipf_p_rpcb_main_load */ 108/* Returns: void */ 109/* Parameters: (void) */ 110/* */ 111/* Initialize the filter rule entry and session limiter. */ 112/* -------------------------------------------------------------------- */ 113void 114ipf_p_rpcb_main_load(void) 115{ 116 rpcbcnt = 0; 117 118 bzero((char *)&rpcbfr, sizeof(rpcbfr)); 119 rpcbfr.fr_ref = 1; 120 rpcbfr.fr_flags = FR_PASS|FR_QUICK|FR_KEEPSTATE; 121 MUTEX_INIT(&rpcbfr.fr_lock, "ipf Sun RPCB proxy rule lock"); 122 rpcb_proxy_init = 1; 123} 124 125/* -------------------------------------------------------------------- */ 126/* Function: ipf_p_rpcb_main_unload */ 127/* Returns: void */ 128/* Parameters: (void) */ 129/* */ 130/* Destroy rpcbfr's mutex to avoid a lock leak. */ 131/* -------------------------------------------------------------------- */ 132void 133ipf_p_rpcb_main_unload(void) 134{ 135 if (rpcb_proxy_init == 1) { 136 MUTEX_DESTROY(&rpcbfr.fr_lock); 137 rpcb_proxy_init = 0; 138 } 139} 140 141/* -------------------------------------------------------------------- */ 142/* Function: ipf_p_rpcb_new */ 143/* Returns: int - -1 == failure, 0 == success */ 144/* Parameters: fin(I) - pointer to packet information */ 145/* aps(I) - pointer to proxy session structure */ 146/* nat(I) - pointer to NAT session structure */ 147/* */ 148/* Allocate resources for per-session proxy structures. */ 149/* -------------------------------------------------------------------- */ 150int 151ipf_p_rpcb_new(void *arg, fr_info_t *fin, ap_session_t *aps, nat_t *nat) 152{ 153 rpcb_session_t *rs; 154 155 nat = nat; /* LINT */ 156 157 if (fin->fin_v != 4) 158 return -1; 159 160 KMALLOC(rs, rpcb_session_t *); 161 if (rs == NULL) 162 return(-1); 163 164 bzero((char *)rs, sizeof(*rs)); 165 MUTEX_INIT(&rs->rs_rxlock, "ipf Sun RPCB proxy session lock"); 166 167 aps->aps_data = rs; 168 169 return(0); 170} 171 172/* -------------------------------------------------------------------- */ 173/* Function: ipf_p_rpcb_del */ 174/* Returns: void */ 175/* Parameters: aps(I) - pointer to proxy session structure */ 176/* */ 177/* Free up a session's list of RPCB requests. */ 178/* -------------------------------------------------------------------- */ 179void 180ipf_p_rpcb_del(ipf_main_softc_t *softc, ap_session_t *aps) 181{ 182 rpcb_session_t *rs; 183 rs = (rpcb_session_t *)aps->aps_data; 184 185 MUTEX_ENTER(&rs->rs_rxlock); 186 ipf_p_rpcb_flush(rs); 187 MUTEX_EXIT(&rs->rs_rxlock); 188 MUTEX_DESTROY(&rs->rs_rxlock); 189} 190 191/* -------------------------------------------------------------------- */ 192/* Function: ipf_p_rpcb_in */ 193/* Returns: int - APR_ERR(1) == drop the packet, */ 194/* APR_ERR(2) == kill the proxy session, */ 195/* else change in packet length (in bytes) */ 196/* Parameters: fin(I) - pointer to packet information */ 197/* ip(I) - pointer to packet header */ 198/* aps(I) - pointer to proxy session structure */ 199/* nat(I) - pointer to NAT session structure */ 200/* */ 201/* Given a presumed RPCB request, perform some minor tests and pass off */ 202/* for decoding. Also pass packet off for a rewrite if necessary. */ 203/* -------------------------------------------------------------------- */ 204int 205ipf_p_rpcb_in(void *arg, fr_info_t *fin, ap_session_t *aps, nat_t *nat) 206{ 207 rpc_msg_t rpcmsg, *rm; 208 rpcb_session_t *rs; 209 u_int off, dlen; 210 mb_t *m; 211 int rv; 212 213 /* Disallow fragmented or illegally short packets. */ 214 if ((fin->fin_flx & (FI_FRAG|FI_SHORT)) != 0) 215 return(APR_ERR(1)); 216 217 /* Perform basic variable initialization. */ 218 rs = (rpcb_session_t *)aps->aps_data; 219 220 m = fin->fin_m; 221 off = (char *)fin->fin_dp - (char *)fin->fin_ip; 222 off += sizeof(udphdr_t) + fin->fin_ipoff; 223 dlen = fin->fin_dlen - sizeof(udphdr_t); 224 225 /* Disallow packets outside legal range for supported requests. */ 226 if ((dlen < RPCB_REQMIN) || (dlen > RPCB_REQMAX)) 227 return(APR_ERR(1)); 228 229 /* Copy packet over to convenience buffer. */ 230 rm = &rpcmsg; 231 bzero((char *)rm, sizeof(*rm)); 232 COPYDATA(m, off, dlen, (void *)&rm->rm_msgbuf); 233 rm->rm_buflen = dlen; 234 235 /* Send off to decode request. */ 236 rv = ipf_p_rpcb_decodereq(fin, nat, rs, rm); 237 238 switch(rv) 239 { 240 case -1: 241 return(APR_ERR(1)); 242 /*NOTREACHED*/ 243 break; 244 case 0: 245 break; 246 case 1: 247 rv = ipf_p_rpcb_modreq(fin, nat, rm, m, off); 248 break; 249 default: 250 /*CONSTANTCONDITION*/ 251 IPF_PANIC(1, ("illegal rv %d (ipf_p_rpcb_req)", rv)); 252 } 253 254 return(rv); 255} 256 257/* -------------------------------------------------------------------- */ 258/* Function: ipf_p_rpcb_out */ 259/* Returns: int - APR_ERR(1) == drop the packet, */ 260/* APR_ERR(2) == kill the proxy session, */ 261/* else change in packet length (in bytes) */ 262/* Parameters: fin(I) - pointer to packet information */ 263/* ip(I) - pointer to packet header */ 264/* aps(I) - pointer to proxy session structure */ 265/* nat(I) - pointer to NAT session structure */ 266/* */ 267/* Given a presumed RPCB reply, perform some minor tests and pass off */ 268/* for decoding. If the message indicates a successful request with */ 269/* valid addressing information, create NAT and state structures to */ 270/* allow direct communication between RPC client and server. */ 271/* -------------------------------------------------------------------- */ 272int 273ipf_p_rpcb_out(void *arg, fr_info_t *fin, ap_session_t *aps, nat_t *nat) 274{ 275 rpc_msg_t rpcmsg, *rm; 276 rpcb_session_t *rs; 277 rpcb_xact_t *rx; 278 u_int off, dlen; 279 int rv, diff; 280 mb_t *m; 281 282 rx = NULL; /* XXX gcc */ 283 284 /* Disallow fragmented or illegally short packets. */ 285 if ((fin->fin_flx & (FI_FRAG|FI_SHORT)) != 0) 286 return(APR_ERR(1)); 287 288 /* Perform basic variable initialization. */ 289 rs = (rpcb_session_t *)aps->aps_data; 290 rx = NULL; 291 292 m = fin->fin_m; 293 off = (char *)fin->fin_dp - (char *)fin->fin_ip; 294 off += sizeof(udphdr_t) + fin->fin_ipoff; 295 dlen = fin->fin_dlen - sizeof(udphdr_t); 296 diff = 0; 297 298 /* Disallow packets outside legal range for supported requests. */ 299 if ((dlen < RPCB_REPMIN) || (dlen > RPCB_REPMAX)) 300 return(APR_ERR(1)); 301 302 /* Copy packet over to convenience buffer. */ 303 rm = &rpcmsg; 304 bzero((char *)rm, sizeof(*rm)); 305 COPYDATA(m, off, dlen, (void *)&rm->rm_msgbuf); 306 rm->rm_buflen = dlen; 307 308 rx = NULL; /* XXX gcc */ 309 310 /* Send off to decode reply. */ 311 rv = ipf_p_rpcb_decoderep(fin, nat, rs, rm, &rx); 312 313 switch(rv) 314 { 315 case -1: /* Bad packet */ 316 if (rx != NULL) { 317 MUTEX_ENTER(&rs->rs_rxlock); 318 ipf_p_rpcb_deref(rs, rx); 319 MUTEX_EXIT(&rs->rs_rxlock); 320 } 321 return(APR_ERR(1)); 322 /*NOTREACHED*/ 323 break; 324 case 0: /* Negative reply / request rejected */ 325 break; 326 case 1: /* Positive reply */ 327 /* 328 * With the IP address embedded in a GETADDR(LIST) reply, 329 * we'll need to rewrite the packet in the very possible 330 * event that the internal & external addresses aren't the 331 * same. (i.e., this box is either a router or rpcbind 332 * only listens on loopback.) 333 */ 334 if (nat->nat_odstaddr != nat->nat_ndstaddr) { 335 if (rx->rx_type == RPCB_RES_STRING) 336 diff = ipf_p_rpcb_modv3(fin, nat, rm, m, off); 337 else if (rx->rx_type == RPCB_RES_LIST) 338 diff = ipf_p_rpcb_modv4(fin, nat, rm, m, off); 339 } 340 break; 341 default: 342 /*CONSTANTCONDITION*/ 343 IPF_PANIC(1, ("illegal rv %d (ipf_p_rpcb_decoderep)", rv)); 344 } 345 346 if (rx != NULL) { 347 MUTEX_ENTER(&rs->rs_rxlock); 348 /* XXX Gross hack - I'm overloading the reference 349 * counter to deal with both threads and retransmitted 350 * requests. One deref signals that this thread is 351 * finished with rx, and the other signals that we've 352 * processed its reply. 353 */ 354 ipf_p_rpcb_deref(rs, rx); 355 ipf_p_rpcb_deref(rs, rx); 356 MUTEX_EXIT(&rs->rs_rxlock); 357 } 358 359 return(diff); 360} 361 362/* 363 * Private support subroutines 364 */ 365 366/* -------------------------------------------------------------------- */ 367/* Function: ipf_p_rpcb_flush */ 368/* Returns: void */ 369/* Parameters: rs(I) - pointer to RPCB session structure */ 370/* */ 371/* Simply flushes the list of outstanding transactions, if any. */ 372/* -------------------------------------------------------------------- */ 373static void 374ipf_p_rpcb_flush(rpcb_session_t *rs) 375{ 376 rpcb_xact_t *r1, *r2; 377 378 r1 = rs->rs_rxlist; 379 if (r1 == NULL) 380 return; 381 382 while (r1 != NULL) { 383 r2 = r1; 384 r1 = r1->rx_next; 385 KFREE(r2); 386 } 387} 388 389/* -------------------------------------------------------------------- */ 390/* Function: ipf_p_rpcb_decodereq */ 391/* Returns: int - -1 == bad request or critical failure, */ 392/* 0 == request successfully decoded, */ 393/* 1 == request successfully decoded; requires */ 394/* address rewrite/modification */ 395/* Parameters: fin(I) - pointer to packet information */ 396/* nat(I) - pointer to NAT session structure */ 397/* rs(I) - pointer to RPCB session structure */ 398/* rm(I) - pointer to RPC message structure */ 399/* */ 400/* Take a presumed RPCB request, decode it, and store the results in */ 401/* the transaction list. If the internal target address needs to be */ 402/* modified, store its location in ptr. */ 403/* WARNING: It's the responsibility of the caller to make sure there */ 404/* is enough room in rs_buf for the basic RPC message "preamble". */ 405/* -------------------------------------------------------------------- */ 406static int 407ipf_p_rpcb_decodereq(fr_info_t *fin, nat_t *nat, rpcb_session_t *rs, 408 rpc_msg_t *rm) 409{ 410 rpcb_args_t *ra; 411 u_32_t xdr, *p; 412 rpc_call_t *rc; 413 rpcb_xact_t rx; 414 int mod; 415 416 p = (u_32_t *)rm->rm_msgbuf; 417 mod = 0; 418 419 bzero((char *)&rx, sizeof(rx)); 420 rc = &rm->rm_call; 421 422 rm->rm_xid = p; 423 rx.rx_xid = B(p++); /* Record this message's XID. */ 424 425 /* Parse out and test the RPC header. */ 426 if ((B(p++) != RPCB_CALL) || 427 (B(p++) != RPCB_MSG_VERSION) || 428 (B(p++) != RPCB_PROG)) 429 return(-1); 430 431 /* Record the RPCB version and procedure. */ 432 rc->rc_vers = p++; 433 rc->rc_proc = p++; 434 435 /* Bypass RPC authentication stuff. */ 436 if (ipf_p_rpcb_skipauth(rm, &rc->rc_authcred, &p) != 0) 437 return(-1); 438 if (ipf_p_rpcb_skipauth(rm, &rc->rc_authverf, &p) != 0) 439 return(-1); 440 441 /* Compare RPCB version and procedure numbers. */ 442 switch(B(rc->rc_vers)) 443 { 444 case 2: 445 /* This proxy only supports PMAP_GETPORT. */ 446 if (B(rc->rc_proc) != RPCB_GETPORT) 447 return(-1); 448 449 /* Portmap requests contain four 4 byte parameters. */ 450 if (RPCB_BUF_EQ(rm, p, 16) == 0) 451 return(-1); 452 453 p += 2; /* Skip requested program and version numbers. */ 454 455 /* Sanity check the requested protocol. */ 456 xdr = B(p); 457 if (!(xdr == IPPROTO_UDP || xdr == IPPROTO_TCP)) 458 return(-1); 459 460 rx.rx_type = RPCB_RES_PMAP; 461 rx.rx_proto = xdr; 462 break; 463 case 3: 464 case 4: 465 /* GETADDRLIST is exclusive to v4; GETADDR for v3 & v4 */ 466 switch(B(rc->rc_proc)) 467 { 468 case RPCB_GETADDR: 469 rx.rx_type = RPCB_RES_STRING; 470 rx.rx_proto = (u_int)fin->fin_p; 471 break; 472 case RPCB_GETADDRLIST: 473 if (B(rc->rc_vers) != 4) 474 return(-1); 475 rx.rx_type = RPCB_RES_LIST; 476 break; 477 default: 478 return(-1); 479 } 480 481 ra = &rc->rc_rpcbargs; 482 483 /* Decode the 'struct rpcb' request. */ 484 if (ipf_p_rpcb_xdrrpcb(rm, p, ra) != 0) 485 return(-1); 486 487 /* Are the target address & port valid? */ 488 if ((ra->ra_maddr.xu_ip != nat->nat_ndstaddr) || 489 (ra->ra_maddr.xu_port != nat->nat_ndport)) 490 return(-1); 491 492 /* Do we need to rewrite this packet? */ 493 if ((nat->nat_ndstaddr != nat->nat_odstaddr) || 494 (nat->nat_ndport != nat->nat_odport)) 495 mod = 1; 496 break; 497 default: 498 return(-1); 499 } 500 501 MUTEX_ENTER(&rs->rs_rxlock); 502 if (ipf_p_rpcb_insert(rs, &rx) != 0) { 503 MUTEX_EXIT(&rs->rs_rxlock); 504 return(-1); 505 } 506 MUTEX_EXIT(&rs->rs_rxlock); 507 508 return(mod); 509} 510 511/* -------------------------------------------------------------------- */ 512/* Function: ipf_p_rpcb_skipauth */ 513/* Returns: int -- -1 == illegal auth parameters (lengths) */ 514/* 0 == valid parameters, pointer advanced */ 515/* Parameters: rm(I) - pointer to RPC message structure */ 516/* auth(I) - pointer to RPC auth structure */ 517/* buf(IO) - pointer to location within convenience buffer */ 518/* */ 519/* Record auth data length & location of auth data, then advance past */ 520/* it. */ 521/* -------------------------------------------------------------------- */ 522static int 523ipf_p_rpcb_skipauth(rpc_msg_t *rm, xdr_auth_t *auth, u_32_t **buf) 524{ 525 u_32_t *p, xdr; 526 527 p = *buf; 528 529 /* Make sure we have enough space for expected fixed auth parms. */ 530 if (RPCB_BUF_GEQ(rm, p, 8) == 0) 531 return(-1); 532 533 p++; /* We don't care about auth_flavor. */ 534 535 auth->xa_string.xs_len = p; 536 xdr = B(p++); /* Length of auth_data */ 537 538 /* Test for absurdity / illegality of auth_data length. */ 539 if ((XDRALIGN(xdr) < xdr) || (RPCB_BUF_GEQ(rm, p, XDRALIGN(xdr)) == 0)) 540 return(-1); 541 542 auth->xa_string.xs_str = (char *)p; 543 544 p += XDRALIGN(xdr); /* Advance our location. */ 545 546 *buf = (u_32_t *)p; 547 548 return(0); 549} 550 551/* -------------------------------------------------------------------- */ 552/* Function: ipf_p_rpcb_insert */ 553/* Returns: int -- -1 == list insertion failed, */ 554/* 0 == item successfully added */ 555/* Parameters: rs(I) - pointer to RPCB session structure */ 556/* rx(I) - pointer to RPCB transaction structure */ 557/* -------------------------------------------------------------------- */ 558static int 559ipf_p_rpcb_insert(rpcb_session_t *rs, rpcb_xact_t *rx) 560{ 561 rpcb_xact_t *rxp; 562 563 rxp = ipf_p_rpcb_lookup(rs, rx->rx_xid); 564 if (rxp != NULL) { 565 ++rxp->rx_ref; 566 return(0); 567 } 568 569 if (rpcbcnt == RPCB_MAXREQS) 570 return(-1); 571 572 KMALLOC(rxp, rpcb_xact_t *); 573 if (rxp == NULL) 574 return(-1); 575 576 bcopy((char *)rx, (char *)rxp, sizeof(*rx)); 577 578 if (rs->rs_rxlist != NULL) 579 rs->rs_rxlist->rx_pnext = &rxp->rx_next; 580 581 rxp->rx_pnext = &rs->rs_rxlist; 582 rxp->rx_next = rs->rs_rxlist; 583 rs->rs_rxlist = rxp; 584 585 rxp->rx_ref = 1; 586 587 ++rpcbcnt; 588 589 return(0); 590} 591 592/* -------------------------------------------------------------------- */ 593/* Function: ipf_p_rpcb_xdrrpcb */ 594/* Returns: int -- -1 == failure to properly decode the request */ 595/* 0 == rpcb successfully decoded */ 596/* Parameters: rs(I) - pointer to RPCB session structure */ 597/* p(I) - pointer to location within session buffer */ 598/* rpcb(O) - pointer to rpcb (xdr type) structure */ 599/* */ 600/* Decode a XDR encoded rpcb structure and record its contents in rpcb */ 601/* within only the context of TCP/UDP over IP networks. */ 602/* -------------------------------------------------------------------- */ 603static int 604ipf_p_rpcb_xdrrpcb(rpc_msg_t *rm, u_32_t *p, rpcb_args_t *ra) 605{ 606 if (!RPCB_BUF_GEQ(rm, p, 20)) 607 return(-1); 608 609 /* Bypass target program & version. */ 610 p += 2; 611 612 /* Decode r_netid. Must be "tcp" or "udp". */ 613 if (ipf_p_rpcb_getproto(rm, &ra->ra_netid, &p) != 0) 614 return(-1); 615 616 /* Decode r_maddr. */ 617 if (ipf_p_rpcb_getuaddr(rm, &ra->ra_maddr, &p) != 0) 618 return(-1); 619 620 /* Advance to r_owner and make sure it's empty. */ 621 if (!RPCB_BUF_EQ(rm, p, 4) || (B(p) != 0)) 622 return(-1); 623 624 return(0); 625} 626 627/* -------------------------------------------------------------------- */ 628/* Function: ipf_p_rpcb_getuaddr */ 629/* Returns: int -- -1 == illegal string, */ 630/* 0 == string parsed; contents recorded */ 631/* Parameters: rm(I) - pointer to RPC message structure */ 632/* xu(I) - pointer to universal address structure */ 633/* p(IO) - pointer to location within message buffer */ 634/* */ 635/* Decode the IP address / port at p and record them in xu. */ 636/* -------------------------------------------------------------------- */ 637static int 638ipf_p_rpcb_getuaddr(rpc_msg_t *rm, xdr_uaddr_t *xu, u_32_t **p) 639{ 640 char *c, *i, *b, *pp; 641 u_int d, dd, l, t; 642 char uastr[24]; 643 644 /* Test for string length. */ 645 if (!RPCB_BUF_GEQ(rm, *p, 4)) 646 return(-1); 647 648 xu->xu_xslen = (*p)++; 649 xu->xu_xsstr = (char *)*p; 650 651 /* Length check */ 652 l = B(xu->xu_xslen); 653 if (l < 11 || l > 23 || !RPCB_BUF_GEQ(rm, *p, XDRALIGN(l))) 654 return(-1); 655 656 /* Advance p */ 657 *(char **)p += XDRALIGN(l); 658 659 /* Copy string to local buffer & terminate C style */ 660 bcopy(xu->xu_xsstr, uastr, l); 661 uastr[l] = '\0'; 662 663 i = (char *)&xu->xu_ip; 664 pp = (char *)&xu->xu_port; 665 666 /* 667 * Expected format: a.b.c.d.e.f where [a-d] correspond to bytes of 668 * an IP address and [ef] are the bytes of a L4 port. 669 */ 670 if (!(ISDIGIT(uastr[0]) && ISDIGIT(uastr[l-1]))) 671 return(-1); 672 b = uastr; 673 for (c = &uastr[1], d = 0, dd = 0; c < &uastr[l-1]; c++) { 674 if (ISDIGIT(*c)) { 675 dd = 0; 676 continue; 677 } 678 if (*c == '.') { 679 if (dd != 0) 680 return(-1); 681 682 /* Check for ASCII byte. */ 683 *c = '\0'; 684 t = ipf_p_rpcb_atoi(b); 685 if (t > 255) 686 return(-1); 687 688 /* Aim b at beginning of the next byte. */ 689 b = c + 1; 690 691 /* Switch off IP addr vs port parsing. */ 692 if (d < 4) 693 i[d++] = t & 0xff; 694 else 695 pp[d++ - 4] = t & 0xff; 696 697 dd = 1; 698 continue; 699 } 700 return(-1); 701 } 702 if (d != 5) /* String must contain exactly 5 periods. */ 703 return(-1); 704 705 /* Handle the last byte (port low byte) */ 706 t = ipf_p_rpcb_atoi(b); 707 if (t > 255) 708 return(-1); 709 pp[d - 4] = t & 0xff; 710 711 return(0); 712} 713 714/* -------------------------------------------------------------------- */ 715/* Function: ipf_p_rpcb_atoi (XXX should be generic for all proxies) */ 716/* Returns: int -- integer representation of supplied string */ 717/* Parameters: ptr(I) - input string */ 718/* */ 719/* Simple version of atoi(3) ripped from ip_rcmd_pxy.c. */ 720/* -------------------------------------------------------------------- */ 721static u_int 722ipf_p_rpcb_atoi(char *ptr) 723{ 724 char *s = ptr, c; 725 u_int i = 0; 726 727 while (((c = *s++) != '\0') && ISDIGIT(c)) { 728 i *= 10; 729 i += c - '0'; 730 } 731 return i; 732} 733 734/* -------------------------------------------------------------------- */ 735/* Function: ipf_p_rpcb_modreq */ 736/* Returns: int -- change in datagram length */ 737/* APR_ERR(2) - critical failure */ 738/* Parameters: fin(I) - pointer to packet information */ 739/* nat(I) - pointer to NAT session */ 740/* rm(I) - pointer to RPC message structure */ 741/* m(I) - pointer to mbuf chain */ 742/* off(I) - current offset within mbuf chain */ 743/* */ 744/* When external and internal addresses differ, we rewrite the former */ 745/* with the latter. (This is exclusive to protocol versions 3 & 4). */ 746/* -------------------------------------------------------------------- */ 747static int 748ipf_p_rpcb_modreq(fr_info_t *fin, nat_t *nat, rpc_msg_t *rm, mb_t *m, u_int off) 749{ 750 u_int len, xlen, pos, bogo; 751 rpcb_args_t *ra; 752 char uaddr[24]; 753 udphdr_t *udp; 754 char *i, *p; 755 int diff; 756 757 ra = &rm->rm_call.rc_rpcbargs; 758 i = (char *)&nat->nat_odstaddr; 759 p = (char *)&nat->nat_odport; 760 761 /* Form new string. */ 762 bzero(uaddr, sizeof(uaddr)); /* Just in case we need padding. */ 763 snprintf(uaddr, sizeof(uaddr), 764 "%u.%u.%u.%u.%u.%u", i[0] & 0xff, i[1] & 0xff, 765 i[2] & 0xff, i[3] & 0xff, p[0] & 0xff, p[1] & 0xff); 766 len = strlen(uaddr); 767 xlen = XDRALIGN(len); 768 769 /* Determine mbuf offset to start writing to. */ 770 pos = (char *)ra->ra_maddr.xu_xslen - rm->rm_msgbuf; 771 off += pos; 772 773 /* Write new string length. */ 774 bogo = htonl(len); 775 COPYBACK(m, off, 4, (void *)&bogo); 776 off += 4; 777 778 /* Write new string. */ 779 COPYBACK(m, off, xlen, uaddr); 780 off += xlen; 781 782 /* Write in zero r_owner. */ 783 bogo = 0; 784 COPYBACK(m, off, 4, (void *)&bogo); 785 786 /* Determine difference in data lengths. */ 787 diff = xlen - XDRALIGN(B(ra->ra_maddr.xu_xslen)); 788 789 /* 790 * If our new string has a different length, make necessary 791 * adjustments. 792 */ 793 if (diff != 0) { 794 udp = fin->fin_dp; 795 udp->uh_ulen = htons(ntohs(udp->uh_ulen) + diff); 796 fin->fin_plen += diff; 797 fin->fin_ip->ip_len = htons(fin->fin_plen); 798 fin->fin_dlen += diff; 799 /* XXX Storage lengths. */ 800 } 801 802 return(diff); 803} 804 805/* -------------------------------------------------------------------- */ 806/* Function: ipf_p_rpcb_decoderep */ 807/* Returns: int - -1 == bad request or critical failure, */ 808/* 0 == valid, negative reply */ 809/* 1 == vaddlid, positive reply; needs no changes */ 810/* Parameters: fin(I) - pointer to packet information */ 811/* nat(I) - pointer to NAT session structure */ 812/* rs(I) - pointer to RPCB session structure */ 813/* rm(I) - pointer to RPC message structure */ 814/* rxp(O) - pointer to RPCB transaction structure */ 815/* */ 816/* Take a presumed RPCB reply, extract the XID, search for the original */ 817/* request information, and determine whether the request was accepted */ 818/* or rejected. With a valid accepted reply, go ahead and create NAT */ 819/* and state entries, and finish up by rewriting the packet as */ 820/* required. */ 821/* */ 822/* WARNING: It's the responsibility of the caller to make sure there */ 823/* is enough room in rs_buf for the basic RPC message "preamble". */ 824/* -------------------------------------------------------------------- */ 825static int 826ipf_p_rpcb_decoderep(fr_info_t *fin, nat_t *nat, rpcb_session_t *rs, 827 rpc_msg_t *rm, rpcb_xact_t **rxp) 828{ 829 rpcb_listp_t *rl; 830 rpcb_entry_t *re; 831 rpcb_xact_t *rx; 832 u_32_t xdr, *p; 833 rpc_resp_t *rr; 834 int rv, cnt; 835 836 p = (u_32_t *)rm->rm_msgbuf; 837 838 bzero((char *)&rx, sizeof(rx)); 839 rr = &rm->rm_resp; 840 841 rm->rm_xid = p; 842 xdr = B(p++); /* Record this message's XID. */ 843 844 /* Lookup XID */ 845 MUTEX_ENTER(&rs->rs_rxlock); 846 if ((rx = ipf_p_rpcb_lookup(rs, xdr)) == NULL) { 847 MUTEX_EXIT(&rs->rs_rxlock); 848 return(-1); 849 } 850 ++rx->rx_ref; /* per thread reference */ 851 MUTEX_EXIT(&rs->rs_rxlock); 852 853 *rxp = rx; 854 855 /* Test call vs reply */ 856 if (B(p++) != RPCB_REPLY) 857 return(-1); 858 859 /* Test reply_stat */ 860 switch(B(p++)) 861 { 862 case RPCB_MSG_DENIED: 863 return(0); 864 case RPCB_MSG_ACCEPTED: 865 break; 866 default: 867 return(-1); 868 } 869 870 /* Bypass RPC authentication stuff. */ 871 if (ipf_p_rpcb_skipauth(rm, &rr->rr_authverf, &p) != 0) 872 return(-1); 873 874 /* Test accept status */ 875 if (!RPCB_BUF_GEQ(rm, p, 4)) 876 return(-1); 877 if (B(p++) != 0) 878 return(0); 879 880 /* Parse out the expected reply */ 881 switch(rx->rx_type) 882 { 883 case RPCB_RES_PMAP: 884 /* There must be only one 4 byte argument. */ 885 if (!RPCB_BUF_EQ(rm, p, 4)) 886 return(-1); 887 888 rr->rr_v2 = p; 889 xdr = B(rr->rr_v2); 890 891 /* Reply w/ a 0 port indicates service isn't registered */ 892 if (xdr == 0) 893 return(0); 894 895 /* Is the value sane? */ 896 if (xdr > 65535) 897 return(-1); 898 899 /* Create NAT & state table entries. */ 900 if (ipf_p_rpcb_getnat(fin, nat, rx->rx_proto, (u_int)xdr) != 0) 901 return(-1); 902 break; 903 case RPCB_RES_STRING: 904 /* Expecting a XDR string; need 4 bytes for length */ 905 if (!RPCB_BUF_GEQ(rm, p, 4)) 906 return(-1); 907 908 rr->rr_v3.xu_str.xs_len = p++; 909 rr->rr_v3.xu_str.xs_str = (char *)p; 910 911 xdr = B(rr->rr_v3.xu_xslen); 912 913 /* A null string indicates an unregistered service */ 914 if ((xdr == 0) && RPCB_BUF_EQ(rm, p, 0)) 915 return(0); 916 917 /* Decode the target IP address / port. */ 918 if (ipf_p_rpcb_getuaddr(rm, &rr->rr_v3, &p) != 0) 919 return(-1); 920 921 /* Validate the IP address and port contained. */ 922 if (nat->nat_odstaddr != rr->rr_v3.xu_ip) 923 return(-1); 924 925 /* Create NAT & state table entries. */ 926 if (ipf_p_rpcb_getnat(fin, nat, rx->rx_proto, 927 (u_int)rr->rr_v3.xu_port) != 0) 928 return(-1); 929 break; 930 case RPCB_RES_LIST: 931 if (!RPCB_BUF_GEQ(rm, p, 4)) 932 return(-1); 933 /* rpcb_entry_list_ptr */ 934 switch(B(p)) 935 { 936 case 0: 937 return(0); 938 /*NOTREACHED*/ 939 break; 940 case 1: 941 break; 942 default: 943 return(-1); 944 } 945 rl = &rr->rr_v4; 946 rl->rl_list = p++; 947 cnt = 0; 948 949 for(;;) { 950 re = &rl->rl_entries[rl->rl_cnt]; 951 if (ipf_p_rpcb_getuaddr(rm, &re->re_maddr, &p) != 0) 952 return(-1); 953 if (ipf_p_rpcb_getproto(rm, &re->re_netid, &p) != 0) 954 return(-1); 955 /* re_semantics & re_pfamily length */ 956 if (!RPCB_BUF_GEQ(rm, p, 12)) 957 return(-1); 958 p++; /* Skipping re_semantics. */ 959 xdr = B(p++); 960 if ((xdr != 4) || strncmp((char *)p, "inet", 4)) 961 return(-1); 962 p++; 963 if (ipf_p_rpcb_getproto(rm, &re->re_proto, &p) != 0) 964 return(-1); 965 if (!RPCB_BUF_GEQ(rm, p, 4)) 966 return(-1); 967 re->re_more = p; 968 if (B(re->re_more) > 1) /* 0,1 only legal values */ 969 return(-1); 970 ++rl->rl_cnt; 971 ++cnt; 972 if (B(re->re_more) == 0) 973 break; 974 /* Replies in max out at 2; TCP and/or UDP */ 975 if (cnt > 2) 976 return(-1); 977 p++; 978 } 979 980 for(rl->rl_cnt = 0; rl->rl_cnt < cnt; rl->rl_cnt++) { 981 re = &rl->rl_entries[rl->rl_cnt]; 982 rv = ipf_p_rpcb_getnat(fin, nat, 983 re->re_proto.xp_proto, 984 (u_int)re->re_maddr.xu_port); 985 if (rv != 0) 986 return(-1); 987 } 988 break; 989 default: 990 /*CONSTANTCONDITION*/ 991 IPF_PANIC(1, ("illegal rx_type %d", rx->rx_type)); 992 } 993 994 return(1); 995} 996 997/* -------------------------------------------------------------------- */ 998/* Function: ipf_p_rpcb_lookup */ 999/* Returns: rpcb_xact_t * - NULL == no matching record, */ 1000/* else pointer to relevant entry */ 1001/* Parameters: rs(I) - pointer to RPCB session */ 1002/* xid(I) - XID to look for */ 1003/* -------------------------------------------------------------------- */ 1004static rpcb_xact_t * 1005ipf_p_rpcb_lookup(rpcb_session_t *rs, u_32_t xid) 1006{ 1007 rpcb_xact_t *rx; 1008 1009 if (rs->rs_rxlist == NULL) 1010 return(NULL); 1011 1012 for (rx = rs->rs_rxlist; rx != NULL; rx = rx->rx_next) 1013 if (rx->rx_xid == xid) 1014 break; 1015 1016 return(rx); 1017} 1018 1019/* -------------------------------------------------------------------- */ 1020/* Function: ipf_p_rpcb_deref */ 1021/* Returns: (void) */ 1022/* Parameters: rs(I) - pointer to RPCB session */ 1023/* rx(I) - pointer to RPC transaction struct to remove */ 1024/* force(I) - indicates to delete entry regardless of */ 1025/* reference count */ 1026/* Locking: rs->rs_rxlock must be held write only */ 1027/* */ 1028/* Free the RPCB transaction record rx from the chain of entries. */ 1029/* -------------------------------------------------------------------- */ 1030static void 1031ipf_p_rpcb_deref(rpcb_session_t *rs, rpcb_xact_t *rx) 1032{ 1033 rs = rs; /* LINT */ 1034 1035 if (rx == NULL) 1036 return; 1037 1038 if (--rx->rx_ref != 0) 1039 return; 1040 1041 if (rx->rx_next != NULL) 1042 rx->rx_next->rx_pnext = rx->rx_pnext; 1043 1044 *rx->rx_pnext = rx->rx_next; 1045 1046 KFREE(rx); 1047 1048 --rpcbcnt; 1049} 1050 1051/* -------------------------------------------------------------------- */ 1052/* Function: ipf_p_rpcb_getproto */ 1053/* Returns: int - -1 == illegal protocol/netid, */ 1054/* 0 == legal protocol/netid */ 1055/* Parameters: rm(I) - pointer to RPC message structure */ 1056/* xp(I) - pointer to netid structure */ 1057/* p(IO) - pointer to location within packet buffer */ 1058/* */ 1059/* Decode netid/proto stored at p and record its numeric value. */ 1060/* -------------------------------------------------------------------- */ 1061static int 1062ipf_p_rpcb_getproto(rpc_msg_t *rm, xdr_proto_t *xp, u_32_t **p) 1063{ 1064 u_int len; 1065 1066 /* Must have 4 bytes for length & 4 bytes for "tcp" or "udp". */ 1067 if (!RPCB_BUF_GEQ(rm, p, 8)) 1068 return(-1); 1069 1070 xp->xp_xslen = (*p)++; 1071 xp->xp_xsstr = (char *)*p; 1072 1073 /* Test the string length. */ 1074 len = B(xp->xp_xslen); 1075 if (len != 3) 1076 return(-1); 1077 1078 /* Test the actual string & record the protocol accordingly. */ 1079 if (!strncmp((char *)xp->xp_xsstr, "tcp\0", 4)) 1080 xp->xp_proto = IPPROTO_TCP; 1081 else if (!strncmp((char *)xp->xp_xsstr, "udp\0", 4)) 1082 xp->xp_proto = IPPROTO_UDP; 1083 else { 1084 return(-1); 1085 } 1086 1087 /* Advance past the string. */ 1088 (*p)++; 1089 1090 return(0); 1091} 1092 1093/* -------------------------------------------------------------------- */ 1094/* Function: ipf_p_rpcb_getnat */ 1095/* Returns: int -- -1 == failed to create table entries, */ 1096/* 0 == success */ 1097/* Parameters: fin(I) - pointer to packet information */ 1098/* nat(I) - pointer to NAT table entry */ 1099/* proto(I) - transport protocol for new entries */ 1100/* port(I) - new port to use w/ wildcard table entries */ 1101/* */ 1102/* Create state and NAT entries to handle an anticipated connection */ 1103/* attempt between RPC client and server. */ 1104/* -------------------------------------------------------------------- */ 1105static int 1106ipf_p_rpcb_getnat(fr_info_t *fin, nat_t *nat, u_int proto, u_int port) 1107{ 1108 ipf_main_softc_t *softc = fin->fin_main_soft; 1109 ipnat_t *ipn, ipnat; 1110 tcphdr_t tcp; 1111 ipstate_t *is; 1112 fr_info_t fi; 1113 nat_t *natl; 1114 int nflags; 1115 1116 ipn = nat->nat_ptr; 1117 1118 /* Generate dummy fr_info */ 1119 bcopy((char *)fin, (char *)&fi, sizeof(fi)); 1120 fi.fin_out = 0; 1121 fi.fin_p = proto; 1122 fi.fin_sport = 0; 1123 fi.fin_dport = port & 0xffff; 1124 fi.fin_flx |= FI_IGNORE; 1125 fi.fin_saddr = nat->nat_osrcaddr; 1126 fi.fin_daddr = nat->nat_odstaddr; 1127 1128 bzero((char *)&tcp, sizeof(tcp)); 1129 tcp.th_dport = htons(port); 1130 1131 if (proto == IPPROTO_TCP) { 1132 tcp.th_win = htons(8192); 1133 TCP_OFF_A(&tcp, sizeof(tcphdr_t) >> 2); 1134 fi.fin_dlen = sizeof(tcphdr_t); 1135 tcp.th_flags = TH_SYN; 1136 nflags = NAT_TCP; 1137 } else { 1138 fi.fin_dlen = sizeof(udphdr_t); 1139 nflags = NAT_UDP; 1140 } 1141 1142 nflags |= SI_W_SPORT|NAT_SEARCH; 1143 fi.fin_dp = &tcp; 1144 fi.fin_plen = fi.fin_hlen + fi.fin_dlen; 1145 1146 /* 1147 * Search for existing NAT & state entries. Pay close attention to 1148 * mutexes / locks grabbed from lookup routines, as not doing so could 1149 * lead to bad things. 1150 * 1151 * If successful, fr_stlookup returns with ipf_state locked. We have 1152 * no use for this lock, so simply unlock it if necessary. 1153 */ 1154 is = ipf_state_lookup(&fi, &tcp, NULL); 1155 if (is != NULL) { 1156 RWLOCK_EXIT(&softc->ipf_state); 1157 } 1158 1159 RWLOCK_EXIT(&softc->ipf_nat); 1160 1161 WRITE_ENTER(&softc->ipf_nat); 1162 natl = ipf_nat_inlookup(&fi, nflags, proto, fi.fin_src, fi.fin_dst); 1163 1164 if ((natl != NULL) && (is != NULL)) { 1165 MUTEX_DOWNGRADE(&softc->ipf_nat); 1166 return(0); 1167 } 1168 1169 /* Slightly modify the following structures for actual use in creating 1170 * NAT and/or state entries. We're primarily concerned with stripping 1171 * flags that may be detrimental to the creation process or simply 1172 * shouldn't be associated with a table entry. 1173 */ 1174 fi.fin_fr = &rpcbfr; 1175 fi.fin_flx &= ~FI_IGNORE; 1176 nflags &= ~NAT_SEARCH; 1177 1178 if (natl == NULL) { 1179#ifdef USE_MUTEXES 1180 ipf_nat_softc_t *softn = softc->ipf_nat_soft; 1181#endif 1182 1183 /* XXX Since we're just copying the original ipn contents 1184 * back, would we be better off just sending a pointer to 1185 * the 'temp' copy off to nat_new instead? 1186 */ 1187 /* Generate template/bogus NAT rule. */ 1188 bcopy((char *)ipn, (char *)&ipnat, sizeof(ipnat)); 1189 ipn->in_flags = nflags & IPN_TCPUDP; 1190 ipn->in_apr = NULL; 1191 ipn->in_pr[0] = proto; 1192 ipn->in_pr[1] = proto; 1193 ipn->in_dpmin = fi.fin_dport; 1194 ipn->in_dpmax = fi.fin_dport; 1195 ipn->in_dpnext = fi.fin_dport; 1196 ipn->in_space = 1; 1197 ipn->in_ippip = 1; 1198 if (ipn->in_flags & IPN_FILTER) { 1199 ipn->in_scmp = 0; 1200 ipn->in_dcmp = 0; 1201 } 1202 ipn->in_plabel = -1; 1203 1204 /* Create NAT entry. return NULL if this fails. */ 1205 MUTEX_ENTER(&softn->ipf_nat_new); 1206 natl = ipf_nat_add(&fi, ipn, NULL, nflags|SI_CLONE|NAT_SLAVE, 1207 NAT_INBOUND); 1208 MUTEX_EXIT(&softn->ipf_nat_new); 1209 1210 bcopy((char *)&ipnat, (char *)ipn, sizeof(ipnat)); 1211 1212 if (natl == NULL) { 1213 MUTEX_DOWNGRADE(&softc->ipf_nat); 1214 return(-1); 1215 } 1216 1217 natl->nat_ptr = ipn; 1218 fi.fin_saddr = natl->nat_nsrcaddr; 1219 fi.fin_daddr = natl->nat_ndstaddr; 1220 ipn->in_use++; 1221 (void) ipf_nat_proto(&fi, natl, nflags); 1222 MUTEX_ENTER(&natl->nat_lock); 1223 ipf_nat_update(&fi, natl); 1224 MUTEX_EXIT(&natl->nat_lock); 1225 } 1226 MUTEX_DOWNGRADE(&softc->ipf_nat); 1227 1228 if (is == NULL) { 1229 /* Create state entry. Return NULL if this fails. */ 1230 fi.fin_flx |= FI_NATED; 1231 fi.fin_flx &= ~FI_STATE; 1232 nflags &= NAT_TCPUDP; 1233 nflags |= SI_W_SPORT|SI_CLONE; 1234 1235 if (ipf_state_add(softc, &fi, NULL, nflags) != 0) { 1236 /* 1237 * XXX nat_delete is private to ip_nat.c. Should 1238 * check w/ Darren about this one. 1239 * 1240 * nat_delete(natl, NL_EXPIRE); 1241 */ 1242 return(-1); 1243 } 1244 } 1245 1246 return(0); 1247} 1248 1249/* -------------------------------------------------------------------- */ 1250/* Function: ipf_p_rpcb_modv3 */ 1251/* Returns: int -- change in packet length */ 1252/* Parameters: fin(I) - pointer to packet information */ 1253/* nat(I) - pointer to NAT session */ 1254/* rm(I) - pointer to RPC message structure */ 1255/* m(I) - pointer to mbuf chain */ 1256/* off(I) - offset within mbuf chain */ 1257/* */ 1258/* Write a new universal address string to this packet, adjusting */ 1259/* lengths as necessary. */ 1260/* -------------------------------------------------------------------- */ 1261static int 1262ipf_p_rpcb_modv3(fr_info_t *fin, nat_t *nat, rpc_msg_t *rm, mb_t *m, u_int off) 1263{ 1264 u_int len, xlen, pos, bogo; 1265 rpc_resp_t *rr; 1266 char uaddr[24]; 1267 char *i, *p; 1268 int diff; 1269 1270 rr = &rm->rm_resp; 1271 i = (char *)&nat->nat_ndstaddr; 1272 p = (char *)&rr->rr_v3.xu_port; 1273 1274 /* Form new string. */ 1275 bzero(uaddr, sizeof(uaddr)); /* Just in case we need padding. */ 1276 snprintf(uaddr, sizeof(uaddr), 1277 "%u.%u.%u.%u.%u.%u", i[0] & 0xff, i[1] & 0xff, 1278 i[2] & 0xff, i[3] & 0xff, p[0] & 0xff, p[1] & 0xff); 1279 len = strlen(uaddr); 1280 xlen = XDRALIGN(len); 1281 1282 /* Determine mbuf offset to write to. */ 1283 pos = (char *)rr->rr_v3.xu_xslen - rm->rm_msgbuf; 1284 off += pos; 1285 1286 /* Write new string length. */ 1287 bogo = htonl(len); 1288 COPYBACK(m, off, 4, (void *)&bogo); 1289 off += 4; 1290 1291 /* Write new string. */ 1292 COPYBACK(m, off, xlen, uaddr); 1293 1294 /* Determine difference in data lengths. */ 1295 diff = xlen - XDRALIGN(B(rr->rr_v3.xu_xslen)); 1296 1297 /* 1298 * If our new string has a different length, make necessary 1299 * adjustments. 1300 */ 1301 if (diff != 0) 1302 ipf_p_rpcb_fixlen(fin, diff); 1303 1304 return(diff); 1305} 1306 1307/* -------------------------------------------------------------------- */ 1308/* Function: ipf_p_rpcb_modv4 */ 1309/* Returns: int -- change in packet length */ 1310/* Parameters: fin(I) - pointer to packet information */ 1311/* nat(I) - pointer to NAT session */ 1312/* rm(I) - pointer to RPC message structure */ 1313/* m(I) - pointer to mbuf chain */ 1314/* off(I) - offset within mbuf chain */ 1315/* */ 1316/* Write new rpcb_entry list, adjusting lengths as necessary. */ 1317/* -------------------------------------------------------------------- */ 1318static int 1319ipf_p_rpcb_modv4(fr_info_t *fin, nat_t *nat, rpc_msg_t *rm, mb_t *m, u_int off) 1320{ 1321 u_int len, xlen, pos, bogo; 1322 rpcb_listp_t *rl; 1323 rpcb_entry_t *re; 1324 rpc_resp_t *rr; 1325 char uaddr[24]; 1326 int diff, cnt; 1327 char *i, *p; 1328 1329 diff = 0; 1330 rr = &rm->rm_resp; 1331 rl = &rr->rr_v4; 1332 1333 i = (char *)&nat->nat_ndstaddr; 1334 1335 /* Determine mbuf offset to write to. */ 1336 re = &rl->rl_entries[0]; 1337 pos = (char *)re->re_maddr.xu_xslen - rm->rm_msgbuf; 1338 off += pos; 1339 1340 for (cnt = 0; cnt < rl->rl_cnt; cnt++) { 1341 re = &rl->rl_entries[cnt]; 1342 p = (char *)&re->re_maddr.xu_port; 1343 1344 /* Form new string. */ 1345 bzero(uaddr, sizeof(uaddr)); /* Just in case we need 1346 padding. */ 1347 snprintf(uaddr, sizeof(uaddr), 1348 "%u.%u.%u.%u.%u.%u", i[0] & 0xff, 1349 i[1] & 0xff, i[2] & 0xff, i[3] & 0xff, 1350 p[0] & 0xff, p[1] & 0xff); 1351 len = strlen(uaddr); 1352 xlen = XDRALIGN(len); 1353 1354 /* Write new string length. */ 1355 bogo = htonl(len); 1356 COPYBACK(m, off, 4, (void *)&bogo); 1357 off += 4; 1358 1359 /* Write new string. */ 1360 COPYBACK(m, off, xlen, uaddr); 1361 off += xlen; 1362 1363 /* Record any change in length. */ 1364 diff += xlen - XDRALIGN(B(re->re_maddr.xu_xslen)); 1365 1366 /* If the length changed, copy back the rest of this entry. */ 1367 len = ((char *)re->re_more + 4) - 1368 (char *)re->re_netid.xp_xslen; 1369 if (diff != 0) { 1370 COPYBACK(m, off, len, (void *)re->re_netid.xp_xslen); 1371 } 1372 off += len; 1373 } 1374 1375 /* 1376 * If our new string has a different length, make necessary 1377 * adjustments. 1378 */ 1379 if (diff != 0) 1380 ipf_p_rpcb_fixlen(fin, diff); 1381 1382 return(diff); 1383} 1384 1385 1386/* -------------------------------------------------------------------- */ 1387/* Function: ipf_p_rpcb_fixlen */ 1388/* Returns: (void) */ 1389/* Parameters: fin(I) - pointer to packet information */ 1390/* len(I) - change in packet length */ 1391/* */ 1392/* Adjust various packet related lengths held in structure and packet */ 1393/* header fields. */ 1394/* -------------------------------------------------------------------- */ 1395static void 1396ipf_p_rpcb_fixlen(fr_info_t *fin, int len) 1397{ 1398 udphdr_t *udp; 1399 1400 udp = fin->fin_dp; 1401 udp->uh_ulen = htons(ntohs(udp->uh_ulen) + len); 1402 fin->fin_plen += len; 1403 fin->fin_ip->ip_len = htons(fin->fin_plen); 1404 fin->fin_dlen += len; 1405} 1406 1407#undef B 1408