| 1 | /* $NetBSD: ip_rpcb_pxy.c,v 1.4 2014/03/20 20:43:12 christos Exp $ */ |
| 2 | |
| 3 | /* |
| 4 | * Copyright (C) 2002-2012 by Ryan Beasley <ryanb@goddamnbastard.org> |
| 5 | * |
| 6 | * See the IPFILTER.LICENCE file for details on licencing. |
| 7 | */ |
| 8 | /* |
| 9 | * Overview: |
| 10 | * This is an in-kernel application proxy for Sun's RPCBIND (nee portmap) |
| 11 | * protocol as defined in RFC1833. It is far from complete, mostly |
| 12 | * lacking in less-likely corner cases, but it's definitely functional. |
| 13 | * |
| 14 | * Invocation: |
| 15 | * rdr <int> <e_ip>/32 port <e_p> -> <i_ip> port <i_p> udp proxy rpcbu |
| 16 | * |
| 17 | * If the host running IP Filter is the same as the RPC server, it's |
| 18 | * perfectly legal for both the internal and external addresses and ports |
| 19 | * to match. |
| 20 | * |
| 21 | * When triggered by appropriate IP NAT rules, this proxy works by |
| 22 | * examining data contained in received packets. Requests and replies are |
| 23 | * modified, NAT and state table entries created, etc., as necessary. |
| 24 | */ |
| 25 | /* |
| 26 | * TODO / NOTES |
| 27 | * |
| 28 | * o Must implement locking to protect proxy session data. |
| 29 | * o Fragmentation isn't supported. |
| 30 | * o Only supports UDP. |
| 31 | * o Doesn't support multiple RPC records in a single request. |
| 32 | * o Errors should be more fine-grained. (e.g., malloc failure vs. |
| 33 | * illegal RPCB request / reply) |
| 34 | * o Even with the limit on the total amount of recorded transactions, |
| 35 | * should there be a timeout on transaction removal? |
| 36 | * o There is a potential collision between cloning, wildcard NAT and |
| 37 | * state entries. There should be an appr_getport routine for |
| 38 | * to avoid this. |
| 39 | * o The enclosed hack of STREAMS support is pretty sick and most likely |
| 40 | * broken. |
| 41 | * |
| 42 | * Id: ip_rpcb_pxy.c,v 1.1.1.2 2012/07/22 13:45:34 darrenr Exp |
| 43 | */ |
| 44 | |
| 45 | #include <sys/cdefs.h> |
| 46 | __KERNEL_RCSID(1, "$NetBSD: ip_rpcb_pxy.c,v 1.4 2014/03/20 20:43:12 christos Exp $" ); |
| 47 | |
| 48 | #define IPF_RPCB_PROXY |
| 49 | |
| 50 | /* |
| 51 | * Function prototypes |
| 52 | */ |
| 53 | void ipf_p_rpcb_main_load(void); |
| 54 | void ipf_p_rpcb_main_unload(void); |
| 55 | int ipf_p_rpcb_new(void *, fr_info_t *, ap_session_t *, nat_t *); |
| 56 | void ipf_p_rpcb_del(ipf_main_softc_t *, ap_session_t *); |
| 57 | int ipf_p_rpcb_in(void *, fr_info_t *, ap_session_t *, nat_t *); |
| 58 | int ipf_p_rpcb_out(void *, fr_info_t *, ap_session_t *, nat_t *); |
| 59 | |
| 60 | static void ipf_p_rpcb_flush(rpcb_session_t *); |
| 61 | static int ipf_p_rpcb_decodereq(fr_info_t *, nat_t *, |
| 62 | rpcb_session_t *, rpc_msg_t *); |
| 63 | static int ipf_p_rpcb_skipauth(rpc_msg_t *, xdr_auth_t *, u_32_t **); |
| 64 | static int ipf_p_rpcb_insert(rpcb_session_t *, rpcb_xact_t *); |
| 65 | static int ipf_p_rpcb_xdrrpcb(rpc_msg_t *, u_32_t *, rpcb_args_t *); |
| 66 | static int ipf_p_rpcb_getuaddr(rpc_msg_t *, xdr_uaddr_t *, |
| 67 | u_32_t **); |
| 68 | static u_int ipf_p_rpcb_atoi(char *); |
| 69 | static int ipf_p_rpcb_modreq(fr_info_t *, nat_t *, rpc_msg_t *, |
| 70 | mb_t *, u_int); |
| 71 | static int ipf_p_rpcb_decoderep(fr_info_t *, nat_t *, |
| 72 | rpcb_session_t *, rpc_msg_t *, rpcb_xact_t **); |
| 73 | static rpcb_xact_t * ipf_p_rpcb_lookup(rpcb_session_t *, u_32_t); |
| 74 | static void ipf_p_rpcb_deref(rpcb_session_t *, rpcb_xact_t *); |
| 75 | static int ipf_p_rpcb_getproto(rpc_msg_t *, xdr_proto_t *, |
| 76 | u_32_t **); |
| 77 | static int ipf_p_rpcb_getnat(fr_info_t *, nat_t *, u_int, u_int); |
| 78 | static int ipf_p_rpcb_modv3(fr_info_t *, nat_t *, rpc_msg_t *, |
| 79 | mb_t *, u_int); |
| 80 | static int ipf_p_rpcb_modv4(fr_info_t *, nat_t *, rpc_msg_t *, |
| 81 | mb_t *, u_int); |
| 82 | static void ipf_p_rpcb_fixlen(fr_info_t *, int); |
| 83 | |
| 84 | /* |
| 85 | * Global variables |
| 86 | */ |
| 87 | static frentry_t rpcbfr; /* Skeleton rule for reference by entities |
| 88 | this proxy creates. */ |
| 89 | static int rpcbcnt; /* Upper bound of allocated RPCB sessions. */ |
| 90 | /* XXX rpcbcnt still requires locking. */ |
| 91 | |
| 92 | static int rpcb_proxy_init = 0; |
| 93 | |
| 94 | |
| 95 | /* |
| 96 | * Since rpc_msg contains only pointers, one should use this macro as a |
| 97 | * handy way to get to the goods. (In case you're wondering about the name, |
| 98 | * this started as BYTEREF -> BREF -> B.) |
| 99 | */ |
| 100 | #define B(r) (u_32_t)ntohl(*(r)) |
| 101 | |
| 102 | /* |
| 103 | * Public subroutines |
| 104 | */ |
| 105 | |
| 106 | /* -------------------------------------------------------------------- */ |
| 107 | /* Function: ipf_p_rpcb_main_load */ |
| 108 | /* Returns: void */ |
| 109 | /* Parameters: (void) */ |
| 110 | /* */ |
| 111 | /* Initialize the filter rule entry and session limiter. */ |
| 112 | /* -------------------------------------------------------------------- */ |
| 113 | void |
| 114 | ipf_p_rpcb_main_load(void) |
| 115 | { |
| 116 | rpcbcnt = 0; |
| 117 | |
| 118 | bzero((char *)&rpcbfr, sizeof(rpcbfr)); |
| 119 | rpcbfr.fr_ref = 1; |
| 120 | rpcbfr.fr_flags = FR_PASS|FR_QUICK|FR_KEEPSTATE; |
| 121 | MUTEX_INIT(&rpcbfr.fr_lock, "ipf Sun RPCB proxy rule lock" ); |
| 122 | rpcb_proxy_init = 1; |
| 123 | } |
| 124 | |
| 125 | /* -------------------------------------------------------------------- */ |
| 126 | /* Function: ipf_p_rpcb_main_unload */ |
| 127 | /* Returns: void */ |
| 128 | /* Parameters: (void) */ |
| 129 | /* */ |
| 130 | /* Destroy rpcbfr's mutex to avoid a lock leak. */ |
| 131 | /* -------------------------------------------------------------------- */ |
| 132 | void |
| 133 | ipf_p_rpcb_main_unload(void) |
| 134 | { |
| 135 | if (rpcb_proxy_init == 1) { |
| 136 | MUTEX_DESTROY(&rpcbfr.fr_lock); |
| 137 | rpcb_proxy_init = 0; |
| 138 | } |
| 139 | } |
| 140 | |
| 141 | /* -------------------------------------------------------------------- */ |
| 142 | /* Function: ipf_p_rpcb_new */ |
| 143 | /* Returns: int - -1 == failure, 0 == success */ |
| 144 | /* Parameters: fin(I) - pointer to packet information */ |
| 145 | /* aps(I) - pointer to proxy session structure */ |
| 146 | /* nat(I) - pointer to NAT session structure */ |
| 147 | /* */ |
| 148 | /* Allocate resources for per-session proxy structures. */ |
| 149 | /* -------------------------------------------------------------------- */ |
| 150 | int |
| 151 | ipf_p_rpcb_new(void *arg, fr_info_t *fin, ap_session_t *aps, nat_t *nat) |
| 152 | { |
| 153 | rpcb_session_t *rs; |
| 154 | |
| 155 | nat = nat; /* LINT */ |
| 156 | |
| 157 | if (fin->fin_v != 4) |
| 158 | return -1; |
| 159 | |
| 160 | KMALLOC(rs, rpcb_session_t *); |
| 161 | if (rs == NULL) |
| 162 | return(-1); |
| 163 | |
| 164 | bzero((char *)rs, sizeof(*rs)); |
| 165 | MUTEX_INIT(&rs->rs_rxlock, "ipf Sun RPCB proxy session lock" ); |
| 166 | |
| 167 | aps->aps_data = rs; |
| 168 | |
| 169 | return(0); |
| 170 | } |
| 171 | |
| 172 | /* -------------------------------------------------------------------- */ |
| 173 | /* Function: ipf_p_rpcb_del */ |
| 174 | /* Returns: void */ |
| 175 | /* Parameters: aps(I) - pointer to proxy session structure */ |
| 176 | /* */ |
| 177 | /* Free up a session's list of RPCB requests. */ |
| 178 | /* -------------------------------------------------------------------- */ |
| 179 | void |
| 180 | ipf_p_rpcb_del(ipf_main_softc_t *softc, ap_session_t *aps) |
| 181 | { |
| 182 | rpcb_session_t *rs; |
| 183 | rs = (rpcb_session_t *)aps->aps_data; |
| 184 | |
| 185 | MUTEX_ENTER(&rs->rs_rxlock); |
| 186 | ipf_p_rpcb_flush(rs); |
| 187 | MUTEX_EXIT(&rs->rs_rxlock); |
| 188 | MUTEX_DESTROY(&rs->rs_rxlock); |
| 189 | } |
| 190 | |
| 191 | /* -------------------------------------------------------------------- */ |
| 192 | /* Function: ipf_p_rpcb_in */ |
| 193 | /* Returns: int - APR_ERR(1) == drop the packet, */ |
| 194 | /* APR_ERR(2) == kill the proxy session, */ |
| 195 | /* else change in packet length (in bytes) */ |
| 196 | /* Parameters: fin(I) - pointer to packet information */ |
| 197 | /* ip(I) - pointer to packet header */ |
| 198 | /* aps(I) - pointer to proxy session structure */ |
| 199 | /* nat(I) - pointer to NAT session structure */ |
| 200 | /* */ |
| 201 | /* Given a presumed RPCB request, perform some minor tests and pass off */ |
| 202 | /* for decoding. Also pass packet off for a rewrite if necessary. */ |
| 203 | /* -------------------------------------------------------------------- */ |
| 204 | int |
| 205 | ipf_p_rpcb_in(void *arg, fr_info_t *fin, ap_session_t *aps, nat_t *nat) |
| 206 | { |
| 207 | rpc_msg_t rpcmsg, *rm; |
| 208 | rpcb_session_t *rs; |
| 209 | u_int off, dlen; |
| 210 | mb_t *m; |
| 211 | int rv; |
| 212 | |
| 213 | /* Disallow fragmented or illegally short packets. */ |
| 214 | if ((fin->fin_flx & (FI_FRAG|FI_SHORT)) != 0) |
| 215 | return(APR_ERR(1)); |
| 216 | |
| 217 | /* Perform basic variable initialization. */ |
| 218 | rs = (rpcb_session_t *)aps->aps_data; |
| 219 | |
| 220 | m = fin->fin_m; |
| 221 | off = (char *)fin->fin_dp - (char *)fin->fin_ip; |
| 222 | off += sizeof(udphdr_t) + fin->fin_ipoff; |
| 223 | dlen = fin->fin_dlen - sizeof(udphdr_t); |
| 224 | |
| 225 | /* Disallow packets outside legal range for supported requests. */ |
| 226 | if ((dlen < RPCB_REQMIN) || (dlen > RPCB_REQMAX)) |
| 227 | return(APR_ERR(1)); |
| 228 | |
| 229 | /* Copy packet over to convenience buffer. */ |
| 230 | rm = &rpcmsg; |
| 231 | bzero((char *)rm, sizeof(*rm)); |
| 232 | COPYDATA(m, off, dlen, (void *)&rm->rm_msgbuf); |
| 233 | rm->rm_buflen = dlen; |
| 234 | |
| 235 | /* Send off to decode request. */ |
| 236 | rv = ipf_p_rpcb_decodereq(fin, nat, rs, rm); |
| 237 | |
| 238 | switch(rv) |
| 239 | { |
| 240 | case -1: |
| 241 | return(APR_ERR(1)); |
| 242 | /*NOTREACHED*/ |
| 243 | break; |
| 244 | case 0: |
| 245 | break; |
| 246 | case 1: |
| 247 | rv = ipf_p_rpcb_modreq(fin, nat, rm, m, off); |
| 248 | break; |
| 249 | default: |
| 250 | /*CONSTANTCONDITION*/ |
| 251 | IPF_PANIC(1, ("illegal rv %d (ipf_p_rpcb_req)" , rv)); |
| 252 | } |
| 253 | |
| 254 | return(rv); |
| 255 | } |
| 256 | |
| 257 | /* -------------------------------------------------------------------- */ |
| 258 | /* Function: ipf_p_rpcb_out */ |
| 259 | /* Returns: int - APR_ERR(1) == drop the packet, */ |
| 260 | /* APR_ERR(2) == kill the proxy session, */ |
| 261 | /* else change in packet length (in bytes) */ |
| 262 | /* Parameters: fin(I) - pointer to packet information */ |
| 263 | /* ip(I) - pointer to packet header */ |
| 264 | /* aps(I) - pointer to proxy session structure */ |
| 265 | /* nat(I) - pointer to NAT session structure */ |
| 266 | /* */ |
| 267 | /* Given a presumed RPCB reply, perform some minor tests and pass off */ |
| 268 | /* for decoding. If the message indicates a successful request with */ |
| 269 | /* valid addressing information, create NAT and state structures to */ |
| 270 | /* allow direct communication between RPC client and server. */ |
| 271 | /* -------------------------------------------------------------------- */ |
| 272 | int |
| 273 | ipf_p_rpcb_out(void *arg, fr_info_t *fin, ap_session_t *aps, nat_t *nat) |
| 274 | { |
| 275 | rpc_msg_t rpcmsg, *rm; |
| 276 | rpcb_session_t *rs; |
| 277 | rpcb_xact_t *rx; |
| 278 | u_int off, dlen; |
| 279 | int rv, diff; |
| 280 | mb_t *m; |
| 281 | |
| 282 | rx = NULL; /* XXX gcc */ |
| 283 | |
| 284 | /* Disallow fragmented or illegally short packets. */ |
| 285 | if ((fin->fin_flx & (FI_FRAG|FI_SHORT)) != 0) |
| 286 | return(APR_ERR(1)); |
| 287 | |
| 288 | /* Perform basic variable initialization. */ |
| 289 | rs = (rpcb_session_t *)aps->aps_data; |
| 290 | rx = NULL; |
| 291 | |
| 292 | m = fin->fin_m; |
| 293 | off = (char *)fin->fin_dp - (char *)fin->fin_ip; |
| 294 | off += sizeof(udphdr_t) + fin->fin_ipoff; |
| 295 | dlen = fin->fin_dlen - sizeof(udphdr_t); |
| 296 | diff = 0; |
| 297 | |
| 298 | /* Disallow packets outside legal range for supported requests. */ |
| 299 | if ((dlen < RPCB_REPMIN) || (dlen > RPCB_REPMAX)) |
| 300 | return(APR_ERR(1)); |
| 301 | |
| 302 | /* Copy packet over to convenience buffer. */ |
| 303 | rm = &rpcmsg; |
| 304 | bzero((char *)rm, sizeof(*rm)); |
| 305 | COPYDATA(m, off, dlen, (void *)&rm->rm_msgbuf); |
| 306 | rm->rm_buflen = dlen; |
| 307 | |
| 308 | rx = NULL; /* XXX gcc */ |
| 309 | |
| 310 | /* Send off to decode reply. */ |
| 311 | rv = ipf_p_rpcb_decoderep(fin, nat, rs, rm, &rx); |
| 312 | |
| 313 | switch(rv) |
| 314 | { |
| 315 | case -1: /* Bad packet */ |
| 316 | if (rx != NULL) { |
| 317 | MUTEX_ENTER(&rs->rs_rxlock); |
| 318 | ipf_p_rpcb_deref(rs, rx); |
| 319 | MUTEX_EXIT(&rs->rs_rxlock); |
| 320 | } |
| 321 | return(APR_ERR(1)); |
| 322 | /*NOTREACHED*/ |
| 323 | break; |
| 324 | case 0: /* Negative reply / request rejected */ |
| 325 | break; |
| 326 | case 1: /* Positive reply */ |
| 327 | /* |
| 328 | * With the IP address embedded in a GETADDR(LIST) reply, |
| 329 | * we'll need to rewrite the packet in the very possible |
| 330 | * event that the internal & external addresses aren't the |
| 331 | * same. (i.e., this box is either a router or rpcbind |
| 332 | * only listens on loopback.) |
| 333 | */ |
| 334 | if (nat->nat_odstaddr != nat->nat_ndstaddr) { |
| 335 | if (rx->rx_type == RPCB_RES_STRING) |
| 336 | diff = ipf_p_rpcb_modv3(fin, nat, rm, m, off); |
| 337 | else if (rx->rx_type == RPCB_RES_LIST) |
| 338 | diff = ipf_p_rpcb_modv4(fin, nat, rm, m, off); |
| 339 | } |
| 340 | break; |
| 341 | default: |
| 342 | /*CONSTANTCONDITION*/ |
| 343 | IPF_PANIC(1, ("illegal rv %d (ipf_p_rpcb_decoderep)" , rv)); |
| 344 | } |
| 345 | |
| 346 | if (rx != NULL) { |
| 347 | MUTEX_ENTER(&rs->rs_rxlock); |
| 348 | /* XXX Gross hack - I'm overloading the reference |
| 349 | * counter to deal with both threads and retransmitted |
| 350 | * requests. One deref signals that this thread is |
| 351 | * finished with rx, and the other signals that we've |
| 352 | * processed its reply. |
| 353 | */ |
| 354 | ipf_p_rpcb_deref(rs, rx); |
| 355 | ipf_p_rpcb_deref(rs, rx); |
| 356 | MUTEX_EXIT(&rs->rs_rxlock); |
| 357 | } |
| 358 | |
| 359 | return(diff); |
| 360 | } |
| 361 | |
| 362 | /* |
| 363 | * Private support subroutines |
| 364 | */ |
| 365 | |
| 366 | /* -------------------------------------------------------------------- */ |
| 367 | /* Function: ipf_p_rpcb_flush */ |
| 368 | /* Returns: void */ |
| 369 | /* Parameters: rs(I) - pointer to RPCB session structure */ |
| 370 | /* */ |
| 371 | /* Simply flushes the list of outstanding transactions, if any. */ |
| 372 | /* -------------------------------------------------------------------- */ |
| 373 | static void |
| 374 | ipf_p_rpcb_flush(rpcb_session_t *rs) |
| 375 | { |
| 376 | rpcb_xact_t *r1, *r2; |
| 377 | |
| 378 | r1 = rs->rs_rxlist; |
| 379 | if (r1 == NULL) |
| 380 | return; |
| 381 | |
| 382 | while (r1 != NULL) { |
| 383 | r2 = r1; |
| 384 | r1 = r1->rx_next; |
| 385 | KFREE(r2); |
| 386 | } |
| 387 | } |
| 388 | |
| 389 | /* -------------------------------------------------------------------- */ |
| 390 | /* Function: ipf_p_rpcb_decodereq */ |
| 391 | /* Returns: int - -1 == bad request or critical failure, */ |
| 392 | /* 0 == request successfully decoded, */ |
| 393 | /* 1 == request successfully decoded; requires */ |
| 394 | /* address rewrite/modification */ |
| 395 | /* Parameters: fin(I) - pointer to packet information */ |
| 396 | /* nat(I) - pointer to NAT session structure */ |
| 397 | /* rs(I) - pointer to RPCB session structure */ |
| 398 | /* rm(I) - pointer to RPC message structure */ |
| 399 | /* */ |
| 400 | /* Take a presumed RPCB request, decode it, and store the results in */ |
| 401 | /* the transaction list. If the internal target address needs to be */ |
| 402 | /* modified, store its location in ptr. */ |
| 403 | /* WARNING: It's the responsibility of the caller to make sure there */ |
| 404 | /* is enough room in rs_buf for the basic RPC message "preamble". */ |
| 405 | /* -------------------------------------------------------------------- */ |
| 406 | static int |
| 407 | ipf_p_rpcb_decodereq(fr_info_t *fin, nat_t *nat, rpcb_session_t *rs, |
| 408 | rpc_msg_t *rm) |
| 409 | { |
| 410 | rpcb_args_t *ra; |
| 411 | u_32_t xdr, *p; |
| 412 | rpc_call_t *rc; |
| 413 | rpcb_xact_t rx; |
| 414 | int mod; |
| 415 | |
| 416 | p = (u_32_t *)rm->rm_msgbuf; |
| 417 | mod = 0; |
| 418 | |
| 419 | bzero((char *)&rx, sizeof(rx)); |
| 420 | rc = &rm->rm_call; |
| 421 | |
| 422 | rm->rm_xid = p; |
| 423 | rx.rx_xid = B(p++); /* Record this message's XID. */ |
| 424 | |
| 425 | /* Parse out and test the RPC header. */ |
| 426 | if ((B(p++) != RPCB_CALL) || |
| 427 | (B(p++) != RPCB_MSG_VERSION) || |
| 428 | (B(p++) != RPCB_PROG)) |
| 429 | return(-1); |
| 430 | |
| 431 | /* Record the RPCB version and procedure. */ |
| 432 | rc->rc_vers = p++; |
| 433 | rc->rc_proc = p++; |
| 434 | |
| 435 | /* Bypass RPC authentication stuff. */ |
| 436 | if (ipf_p_rpcb_skipauth(rm, &rc->rc_authcred, &p) != 0) |
| 437 | return(-1); |
| 438 | if (ipf_p_rpcb_skipauth(rm, &rc->rc_authverf, &p) != 0) |
| 439 | return(-1); |
| 440 | |
| 441 | /* Compare RPCB version and procedure numbers. */ |
| 442 | switch(B(rc->rc_vers)) |
| 443 | { |
| 444 | case 2: |
| 445 | /* This proxy only supports PMAP_GETPORT. */ |
| 446 | if (B(rc->rc_proc) != RPCB_GETPORT) |
| 447 | return(-1); |
| 448 | |
| 449 | /* Portmap requests contain four 4 byte parameters. */ |
| 450 | if (RPCB_BUF_EQ(rm, p, 16) == 0) |
| 451 | return(-1); |
| 452 | |
| 453 | p += 2; /* Skip requested program and version numbers. */ |
| 454 | |
| 455 | /* Sanity check the requested protocol. */ |
| 456 | xdr = B(p); |
| 457 | if (!(xdr == IPPROTO_UDP || xdr == IPPROTO_TCP)) |
| 458 | return(-1); |
| 459 | |
| 460 | rx.rx_type = RPCB_RES_PMAP; |
| 461 | rx.rx_proto = xdr; |
| 462 | break; |
| 463 | case 3: |
| 464 | case 4: |
| 465 | /* GETADDRLIST is exclusive to v4; GETADDR for v3 & v4 */ |
| 466 | switch(B(rc->rc_proc)) |
| 467 | { |
| 468 | case RPCB_GETADDR: |
| 469 | rx.rx_type = RPCB_RES_STRING; |
| 470 | rx.rx_proto = (u_int)fin->fin_p; |
| 471 | break; |
| 472 | case RPCB_GETADDRLIST: |
| 473 | if (B(rc->rc_vers) != 4) |
| 474 | return(-1); |
| 475 | rx.rx_type = RPCB_RES_LIST; |
| 476 | break; |
| 477 | default: |
| 478 | return(-1); |
| 479 | } |
| 480 | |
| 481 | ra = &rc->rc_rpcbargs; |
| 482 | |
| 483 | /* Decode the 'struct rpcb' request. */ |
| 484 | if (ipf_p_rpcb_xdrrpcb(rm, p, ra) != 0) |
| 485 | return(-1); |
| 486 | |
| 487 | /* Are the target address & port valid? */ |
| 488 | if ((ra->ra_maddr.xu_ip != nat->nat_ndstaddr) || |
| 489 | (ra->ra_maddr.xu_port != nat->nat_ndport)) |
| 490 | return(-1); |
| 491 | |
| 492 | /* Do we need to rewrite this packet? */ |
| 493 | if ((nat->nat_ndstaddr != nat->nat_odstaddr) || |
| 494 | (nat->nat_ndport != nat->nat_odport)) |
| 495 | mod = 1; |
| 496 | break; |
| 497 | default: |
| 498 | return(-1); |
| 499 | } |
| 500 | |
| 501 | MUTEX_ENTER(&rs->rs_rxlock); |
| 502 | if (ipf_p_rpcb_insert(rs, &rx) != 0) { |
| 503 | MUTEX_EXIT(&rs->rs_rxlock); |
| 504 | return(-1); |
| 505 | } |
| 506 | MUTEX_EXIT(&rs->rs_rxlock); |
| 507 | |
| 508 | return(mod); |
| 509 | } |
| 510 | |
| 511 | /* -------------------------------------------------------------------- */ |
| 512 | /* Function: ipf_p_rpcb_skipauth */ |
| 513 | /* Returns: int -- -1 == illegal auth parameters (lengths) */ |
| 514 | /* 0 == valid parameters, pointer advanced */ |
| 515 | /* Parameters: rm(I) - pointer to RPC message structure */ |
| 516 | /* auth(I) - pointer to RPC auth structure */ |
| 517 | /* buf(IO) - pointer to location within convenience buffer */ |
| 518 | /* */ |
| 519 | /* Record auth data length & location of auth data, then advance past */ |
| 520 | /* it. */ |
| 521 | /* -------------------------------------------------------------------- */ |
| 522 | static int |
| 523 | ipf_p_rpcb_skipauth(rpc_msg_t *rm, xdr_auth_t *auth, u_32_t **buf) |
| 524 | { |
| 525 | u_32_t *p, xdr; |
| 526 | |
| 527 | p = *buf; |
| 528 | |
| 529 | /* Make sure we have enough space for expected fixed auth parms. */ |
| 530 | if (RPCB_BUF_GEQ(rm, p, 8) == 0) |
| 531 | return(-1); |
| 532 | |
| 533 | p++; /* We don't care about auth_flavor. */ |
| 534 | |
| 535 | auth->xa_string.xs_len = p; |
| 536 | xdr = B(p++); /* Length of auth_data */ |
| 537 | |
| 538 | /* Test for absurdity / illegality of auth_data length. */ |
| 539 | if ((XDRALIGN(xdr) < xdr) || (RPCB_BUF_GEQ(rm, p, XDRALIGN(xdr)) == 0)) |
| 540 | return(-1); |
| 541 | |
| 542 | auth->xa_string.xs_str = (char *)p; |
| 543 | |
| 544 | p += XDRALIGN(xdr); /* Advance our location. */ |
| 545 | |
| 546 | *buf = (u_32_t *)p; |
| 547 | |
| 548 | return(0); |
| 549 | } |
| 550 | |
| 551 | /* -------------------------------------------------------------------- */ |
| 552 | /* Function: ipf_p_rpcb_insert */ |
| 553 | /* Returns: int -- -1 == list insertion failed, */ |
| 554 | /* 0 == item successfully added */ |
| 555 | /* Parameters: rs(I) - pointer to RPCB session structure */ |
| 556 | /* rx(I) - pointer to RPCB transaction structure */ |
| 557 | /* -------------------------------------------------------------------- */ |
| 558 | static int |
| 559 | ipf_p_rpcb_insert(rpcb_session_t *rs, rpcb_xact_t *rx) |
| 560 | { |
| 561 | rpcb_xact_t *rxp; |
| 562 | |
| 563 | rxp = ipf_p_rpcb_lookup(rs, rx->rx_xid); |
| 564 | if (rxp != NULL) { |
| 565 | ++rxp->rx_ref; |
| 566 | return(0); |
| 567 | } |
| 568 | |
| 569 | if (rpcbcnt == RPCB_MAXREQS) |
| 570 | return(-1); |
| 571 | |
| 572 | KMALLOC(rxp, rpcb_xact_t *); |
| 573 | if (rxp == NULL) |
| 574 | return(-1); |
| 575 | |
| 576 | bcopy((char *)rx, (char *)rxp, sizeof(*rx)); |
| 577 | |
| 578 | if (rs->rs_rxlist != NULL) |
| 579 | rs->rs_rxlist->rx_pnext = &rxp->rx_next; |
| 580 | |
| 581 | rxp->rx_pnext = &rs->rs_rxlist; |
| 582 | rxp->rx_next = rs->rs_rxlist; |
| 583 | rs->rs_rxlist = rxp; |
| 584 | |
| 585 | rxp->rx_ref = 1; |
| 586 | |
| 587 | ++rpcbcnt; |
| 588 | |
| 589 | return(0); |
| 590 | } |
| 591 | |
| 592 | /* -------------------------------------------------------------------- */ |
| 593 | /* Function: ipf_p_rpcb_xdrrpcb */ |
| 594 | /* Returns: int -- -1 == failure to properly decode the request */ |
| 595 | /* 0 == rpcb successfully decoded */ |
| 596 | /* Parameters: rs(I) - pointer to RPCB session structure */ |
| 597 | /* p(I) - pointer to location within session buffer */ |
| 598 | /* rpcb(O) - pointer to rpcb (xdr type) structure */ |
| 599 | /* */ |
| 600 | /* Decode a XDR encoded rpcb structure and record its contents in rpcb */ |
| 601 | /* within only the context of TCP/UDP over IP networks. */ |
| 602 | /* -------------------------------------------------------------------- */ |
| 603 | static int |
| 604 | ipf_p_rpcb_xdrrpcb(rpc_msg_t *rm, u_32_t *p, rpcb_args_t *ra) |
| 605 | { |
| 606 | if (!RPCB_BUF_GEQ(rm, p, 20)) |
| 607 | return(-1); |
| 608 | |
| 609 | /* Bypass target program & version. */ |
| 610 | p += 2; |
| 611 | |
| 612 | /* Decode r_netid. Must be "tcp" or "udp". */ |
| 613 | if (ipf_p_rpcb_getproto(rm, &ra->ra_netid, &p) != 0) |
| 614 | return(-1); |
| 615 | |
| 616 | /* Decode r_maddr. */ |
| 617 | if (ipf_p_rpcb_getuaddr(rm, &ra->ra_maddr, &p) != 0) |
| 618 | return(-1); |
| 619 | |
| 620 | /* Advance to r_owner and make sure it's empty. */ |
| 621 | if (!RPCB_BUF_EQ(rm, p, 4) || (B(p) != 0)) |
| 622 | return(-1); |
| 623 | |
| 624 | return(0); |
| 625 | } |
| 626 | |
| 627 | /* -------------------------------------------------------------------- */ |
| 628 | /* Function: ipf_p_rpcb_getuaddr */ |
| 629 | /* Returns: int -- -1 == illegal string, */ |
| 630 | /* 0 == string parsed; contents recorded */ |
| 631 | /* Parameters: rm(I) - pointer to RPC message structure */ |
| 632 | /* xu(I) - pointer to universal address structure */ |
| 633 | /* p(IO) - pointer to location within message buffer */ |
| 634 | /* */ |
| 635 | /* Decode the IP address / port at p and record them in xu. */ |
| 636 | /* -------------------------------------------------------------------- */ |
| 637 | static int |
| 638 | ipf_p_rpcb_getuaddr(rpc_msg_t *rm, xdr_uaddr_t *xu, u_32_t **p) |
| 639 | { |
| 640 | char *c, *i, *b, *pp; |
| 641 | u_int d, dd, l, t; |
| 642 | char uastr[24]; |
| 643 | |
| 644 | /* Test for string length. */ |
| 645 | if (!RPCB_BUF_GEQ(rm, *p, 4)) |
| 646 | return(-1); |
| 647 | |
| 648 | xu->xu_xslen = (*p)++; |
| 649 | xu->xu_xsstr = (char *)*p; |
| 650 | |
| 651 | /* Length check */ |
| 652 | l = B(xu->xu_xslen); |
| 653 | if (l < 11 || l > 23 || !RPCB_BUF_GEQ(rm, *p, XDRALIGN(l))) |
| 654 | return(-1); |
| 655 | |
| 656 | /* Advance p */ |
| 657 | *(char **)p += XDRALIGN(l); |
| 658 | |
| 659 | /* Copy string to local buffer & terminate C style */ |
| 660 | bcopy(xu->xu_xsstr, uastr, l); |
| 661 | uastr[l] = '\0'; |
| 662 | |
| 663 | i = (char *)&xu->xu_ip; |
| 664 | pp = (char *)&xu->xu_port; |
| 665 | |
| 666 | /* |
| 667 | * Expected format: a.b.c.d.e.f where [a-d] correspond to bytes of |
| 668 | * an IP address and [ef] are the bytes of a L4 port. |
| 669 | */ |
| 670 | if (!(ISDIGIT(uastr[0]) && ISDIGIT(uastr[l-1]))) |
| 671 | return(-1); |
| 672 | b = uastr; |
| 673 | for (c = &uastr[1], d = 0, dd = 0; c < &uastr[l-1]; c++) { |
| 674 | if (ISDIGIT(*c)) { |
| 675 | dd = 0; |
| 676 | continue; |
| 677 | } |
| 678 | if (*c == '.') { |
| 679 | if (dd != 0) |
| 680 | return(-1); |
| 681 | |
| 682 | /* Check for ASCII byte. */ |
| 683 | *c = '\0'; |
| 684 | t = ipf_p_rpcb_atoi(b); |
| 685 | if (t > 255) |
| 686 | return(-1); |
| 687 | |
| 688 | /* Aim b at beginning of the next byte. */ |
| 689 | b = c + 1; |
| 690 | |
| 691 | /* Switch off IP addr vs port parsing. */ |
| 692 | if (d < 4) |
| 693 | i[d++] = t & 0xff; |
| 694 | else |
| 695 | pp[d++ - 4] = t & 0xff; |
| 696 | |
| 697 | dd = 1; |
| 698 | continue; |
| 699 | } |
| 700 | return(-1); |
| 701 | } |
| 702 | if (d != 5) /* String must contain exactly 5 periods. */ |
| 703 | return(-1); |
| 704 | |
| 705 | /* Handle the last byte (port low byte) */ |
| 706 | t = ipf_p_rpcb_atoi(b); |
| 707 | if (t > 255) |
| 708 | return(-1); |
| 709 | pp[d - 4] = t & 0xff; |
| 710 | |
| 711 | return(0); |
| 712 | } |
| 713 | |
| 714 | /* -------------------------------------------------------------------- */ |
| 715 | /* Function: ipf_p_rpcb_atoi (XXX should be generic for all proxies) */ |
| 716 | /* Returns: int -- integer representation of supplied string */ |
| 717 | /* Parameters: ptr(I) - input string */ |
| 718 | /* */ |
| 719 | /* Simple version of atoi(3) ripped from ip_rcmd_pxy.c. */ |
| 720 | /* -------------------------------------------------------------------- */ |
| 721 | static u_int |
| 722 | ipf_p_rpcb_atoi(char *ptr) |
| 723 | { |
| 724 | char *s = ptr, c; |
| 725 | u_int i = 0; |
| 726 | |
| 727 | while (((c = *s++) != '\0') && ISDIGIT(c)) { |
| 728 | i *= 10; |
| 729 | i += c - '0'; |
| 730 | } |
| 731 | return i; |
| 732 | } |
| 733 | |
| 734 | /* -------------------------------------------------------------------- */ |
| 735 | /* Function: ipf_p_rpcb_modreq */ |
| 736 | /* Returns: int -- change in datagram length */ |
| 737 | /* APR_ERR(2) - critical failure */ |
| 738 | /* Parameters: fin(I) - pointer to packet information */ |
| 739 | /* nat(I) - pointer to NAT session */ |
| 740 | /* rm(I) - pointer to RPC message structure */ |
| 741 | /* m(I) - pointer to mbuf chain */ |
| 742 | /* off(I) - current offset within mbuf chain */ |
| 743 | /* */ |
| 744 | /* When external and internal addresses differ, we rewrite the former */ |
| 745 | /* with the latter. (This is exclusive to protocol versions 3 & 4). */ |
| 746 | /* -------------------------------------------------------------------- */ |
| 747 | static int |
| 748 | ipf_p_rpcb_modreq(fr_info_t *fin, nat_t *nat, rpc_msg_t *rm, mb_t *m, u_int off) |
| 749 | { |
| 750 | u_int len, xlen, pos, bogo; |
| 751 | rpcb_args_t *ra; |
| 752 | char uaddr[24]; |
| 753 | udphdr_t *udp; |
| 754 | char *i, *p; |
| 755 | int diff; |
| 756 | |
| 757 | ra = &rm->rm_call.rc_rpcbargs; |
| 758 | i = (char *)&nat->nat_odstaddr; |
| 759 | p = (char *)&nat->nat_odport; |
| 760 | |
| 761 | /* Form new string. */ |
| 762 | bzero(uaddr, sizeof(uaddr)); /* Just in case we need padding. */ |
| 763 | snprintf(uaddr, sizeof(uaddr), |
| 764 | "%u.%u.%u.%u.%u.%u" , i[0] & 0xff, i[1] & 0xff, |
| 765 | i[2] & 0xff, i[3] & 0xff, p[0] & 0xff, p[1] & 0xff); |
| 766 | len = strlen(uaddr); |
| 767 | xlen = XDRALIGN(len); |
| 768 | |
| 769 | /* Determine mbuf offset to start writing to. */ |
| 770 | pos = (char *)ra->ra_maddr.xu_xslen - rm->rm_msgbuf; |
| 771 | off += pos; |
| 772 | |
| 773 | /* Write new string length. */ |
| 774 | bogo = htonl(len); |
| 775 | COPYBACK(m, off, 4, (void *)&bogo); |
| 776 | off += 4; |
| 777 | |
| 778 | /* Write new string. */ |
| 779 | COPYBACK(m, off, xlen, uaddr); |
| 780 | off += xlen; |
| 781 | |
| 782 | /* Write in zero r_owner. */ |
| 783 | bogo = 0; |
| 784 | COPYBACK(m, off, 4, (void *)&bogo); |
| 785 | |
| 786 | /* Determine difference in data lengths. */ |
| 787 | diff = xlen - XDRALIGN(B(ra->ra_maddr.xu_xslen)); |
| 788 | |
| 789 | /* |
| 790 | * If our new string has a different length, make necessary |
| 791 | * adjustments. |
| 792 | */ |
| 793 | if (diff != 0) { |
| 794 | udp = fin->fin_dp; |
| 795 | udp->uh_ulen = htons(ntohs(udp->uh_ulen) + diff); |
| 796 | fin->fin_plen += diff; |
| 797 | fin->fin_ip->ip_len = htons(fin->fin_plen); |
| 798 | fin->fin_dlen += diff; |
| 799 | /* XXX Storage lengths. */ |
| 800 | } |
| 801 | |
| 802 | return(diff); |
| 803 | } |
| 804 | |
| 805 | /* -------------------------------------------------------------------- */ |
| 806 | /* Function: ipf_p_rpcb_decoderep */ |
| 807 | /* Returns: int - -1 == bad request or critical failure, */ |
| 808 | /* 0 == valid, negative reply */ |
| 809 | /* 1 == vaddlid, positive reply; needs no changes */ |
| 810 | /* Parameters: fin(I) - pointer to packet information */ |
| 811 | /* nat(I) - pointer to NAT session structure */ |
| 812 | /* rs(I) - pointer to RPCB session structure */ |
| 813 | /* rm(I) - pointer to RPC message structure */ |
| 814 | /* rxp(O) - pointer to RPCB transaction structure */ |
| 815 | /* */ |
| 816 | /* Take a presumed RPCB reply, extract the XID, search for the original */ |
| 817 | /* request information, and determine whether the request was accepted */ |
| 818 | /* or rejected. With a valid accepted reply, go ahead and create NAT */ |
| 819 | /* and state entries, and finish up by rewriting the packet as */ |
| 820 | /* required. */ |
| 821 | /* */ |
| 822 | /* WARNING: It's the responsibility of the caller to make sure there */ |
| 823 | /* is enough room in rs_buf for the basic RPC message "preamble". */ |
| 824 | /* -------------------------------------------------------------------- */ |
| 825 | static int |
| 826 | ipf_p_rpcb_decoderep(fr_info_t *fin, nat_t *nat, rpcb_session_t *rs, |
| 827 | rpc_msg_t *rm, rpcb_xact_t **rxp) |
| 828 | { |
| 829 | rpcb_listp_t *rl; |
| 830 | rpcb_entry_t *re; |
| 831 | rpcb_xact_t *rx; |
| 832 | u_32_t xdr, *p; |
| 833 | rpc_resp_t *rr; |
| 834 | int rv, cnt; |
| 835 | |
| 836 | p = (u_32_t *)rm->rm_msgbuf; |
| 837 | |
| 838 | bzero((char *)&rx, sizeof(rx)); |
| 839 | rr = &rm->rm_resp; |
| 840 | |
| 841 | rm->rm_xid = p; |
| 842 | xdr = B(p++); /* Record this message's XID. */ |
| 843 | |
| 844 | /* Lookup XID */ |
| 845 | MUTEX_ENTER(&rs->rs_rxlock); |
| 846 | if ((rx = ipf_p_rpcb_lookup(rs, xdr)) == NULL) { |
| 847 | MUTEX_EXIT(&rs->rs_rxlock); |
| 848 | return(-1); |
| 849 | } |
| 850 | ++rx->rx_ref; /* per thread reference */ |
| 851 | MUTEX_EXIT(&rs->rs_rxlock); |
| 852 | |
| 853 | *rxp = rx; |
| 854 | |
| 855 | /* Test call vs reply */ |
| 856 | if (B(p++) != RPCB_REPLY) |
| 857 | return(-1); |
| 858 | |
| 859 | /* Test reply_stat */ |
| 860 | switch(B(p++)) |
| 861 | { |
| 862 | case RPCB_MSG_DENIED: |
| 863 | return(0); |
| 864 | case RPCB_MSG_ACCEPTED: |
| 865 | break; |
| 866 | default: |
| 867 | return(-1); |
| 868 | } |
| 869 | |
| 870 | /* Bypass RPC authentication stuff. */ |
| 871 | if (ipf_p_rpcb_skipauth(rm, &rr->rr_authverf, &p) != 0) |
| 872 | return(-1); |
| 873 | |
| 874 | /* Test accept status */ |
| 875 | if (!RPCB_BUF_GEQ(rm, p, 4)) |
| 876 | return(-1); |
| 877 | if (B(p++) != 0) |
| 878 | return(0); |
| 879 | |
| 880 | /* Parse out the expected reply */ |
| 881 | switch(rx->rx_type) |
| 882 | { |
| 883 | case RPCB_RES_PMAP: |
| 884 | /* There must be only one 4 byte argument. */ |
| 885 | if (!RPCB_BUF_EQ(rm, p, 4)) |
| 886 | return(-1); |
| 887 | |
| 888 | rr->rr_v2 = p; |
| 889 | xdr = B(rr->rr_v2); |
| 890 | |
| 891 | /* Reply w/ a 0 port indicates service isn't registered */ |
| 892 | if (xdr == 0) |
| 893 | return(0); |
| 894 | |
| 895 | /* Is the value sane? */ |
| 896 | if (xdr > 65535) |
| 897 | return(-1); |
| 898 | |
| 899 | /* Create NAT & state table entries. */ |
| 900 | if (ipf_p_rpcb_getnat(fin, nat, rx->rx_proto, (u_int)xdr) != 0) |
| 901 | return(-1); |
| 902 | break; |
| 903 | case RPCB_RES_STRING: |
| 904 | /* Expecting a XDR string; need 4 bytes for length */ |
| 905 | if (!RPCB_BUF_GEQ(rm, p, 4)) |
| 906 | return(-1); |
| 907 | |
| 908 | rr->rr_v3.xu_str.xs_len = p++; |
| 909 | rr->rr_v3.xu_str.xs_str = (char *)p; |
| 910 | |
| 911 | xdr = B(rr->rr_v3.xu_xslen); |
| 912 | |
| 913 | /* A null string indicates an unregistered service */ |
| 914 | if ((xdr == 0) && RPCB_BUF_EQ(rm, p, 0)) |
| 915 | return(0); |
| 916 | |
| 917 | /* Decode the target IP address / port. */ |
| 918 | if (ipf_p_rpcb_getuaddr(rm, &rr->rr_v3, &p) != 0) |
| 919 | return(-1); |
| 920 | |
| 921 | /* Validate the IP address and port contained. */ |
| 922 | if (nat->nat_odstaddr != rr->rr_v3.xu_ip) |
| 923 | return(-1); |
| 924 | |
| 925 | /* Create NAT & state table entries. */ |
| 926 | if (ipf_p_rpcb_getnat(fin, nat, rx->rx_proto, |
| 927 | (u_int)rr->rr_v3.xu_port) != 0) |
| 928 | return(-1); |
| 929 | break; |
| 930 | case RPCB_RES_LIST: |
| 931 | if (!RPCB_BUF_GEQ(rm, p, 4)) |
| 932 | return(-1); |
| 933 | /* rpcb_entry_list_ptr */ |
| 934 | switch(B(p)) |
| 935 | { |
| 936 | case 0: |
| 937 | return(0); |
| 938 | /*NOTREACHED*/ |
| 939 | break; |
| 940 | case 1: |
| 941 | break; |
| 942 | default: |
| 943 | return(-1); |
| 944 | } |
| 945 | rl = &rr->rr_v4; |
| 946 | rl->rl_list = p++; |
| 947 | cnt = 0; |
| 948 | |
| 949 | for(;;) { |
| 950 | re = &rl->rl_entries[rl->rl_cnt]; |
| 951 | if (ipf_p_rpcb_getuaddr(rm, &re->re_maddr, &p) != 0) |
| 952 | return(-1); |
| 953 | if (ipf_p_rpcb_getproto(rm, &re->re_netid, &p) != 0) |
| 954 | return(-1); |
| 955 | /* re_semantics & re_pfamily length */ |
| 956 | if (!RPCB_BUF_GEQ(rm, p, 12)) |
| 957 | return(-1); |
| 958 | p++; /* Skipping re_semantics. */ |
| 959 | xdr = B(p++); |
| 960 | if ((xdr != 4) || strncmp((char *)p, "inet" , 4)) |
| 961 | return(-1); |
| 962 | p++; |
| 963 | if (ipf_p_rpcb_getproto(rm, &re->re_proto, &p) != 0) |
| 964 | return(-1); |
| 965 | if (!RPCB_BUF_GEQ(rm, p, 4)) |
| 966 | return(-1); |
| 967 | re->re_more = p; |
| 968 | if (B(re->re_more) > 1) /* 0,1 only legal values */ |
| 969 | return(-1); |
| 970 | ++rl->rl_cnt; |
| 971 | ++cnt; |
| 972 | if (B(re->re_more) == 0) |
| 973 | break; |
| 974 | /* Replies in max out at 2; TCP and/or UDP */ |
| 975 | if (cnt > 2) |
| 976 | return(-1); |
| 977 | p++; |
| 978 | } |
| 979 | |
| 980 | for(rl->rl_cnt = 0; rl->rl_cnt < cnt; rl->rl_cnt++) { |
| 981 | re = &rl->rl_entries[rl->rl_cnt]; |
| 982 | rv = ipf_p_rpcb_getnat(fin, nat, |
| 983 | re->re_proto.xp_proto, |
| 984 | (u_int)re->re_maddr.xu_port); |
| 985 | if (rv != 0) |
| 986 | return(-1); |
| 987 | } |
| 988 | break; |
| 989 | default: |
| 990 | /*CONSTANTCONDITION*/ |
| 991 | IPF_PANIC(1, ("illegal rx_type %d" , rx->rx_type)); |
| 992 | } |
| 993 | |
| 994 | return(1); |
| 995 | } |
| 996 | |
| 997 | /* -------------------------------------------------------------------- */ |
| 998 | /* Function: ipf_p_rpcb_lookup */ |
| 999 | /* Returns: rpcb_xact_t * - NULL == no matching record, */ |
| 1000 | /* else pointer to relevant entry */ |
| 1001 | /* Parameters: rs(I) - pointer to RPCB session */ |
| 1002 | /* xid(I) - XID to look for */ |
| 1003 | /* -------------------------------------------------------------------- */ |
| 1004 | static rpcb_xact_t * |
| 1005 | ipf_p_rpcb_lookup(rpcb_session_t *rs, u_32_t xid) |
| 1006 | { |
| 1007 | rpcb_xact_t *rx; |
| 1008 | |
| 1009 | if (rs->rs_rxlist == NULL) |
| 1010 | return(NULL); |
| 1011 | |
| 1012 | for (rx = rs->rs_rxlist; rx != NULL; rx = rx->rx_next) |
| 1013 | if (rx->rx_xid == xid) |
| 1014 | break; |
| 1015 | |
| 1016 | return(rx); |
| 1017 | } |
| 1018 | |
| 1019 | /* -------------------------------------------------------------------- */ |
| 1020 | /* Function: ipf_p_rpcb_deref */ |
| 1021 | /* Returns: (void) */ |
| 1022 | /* Parameters: rs(I) - pointer to RPCB session */ |
| 1023 | /* rx(I) - pointer to RPC transaction struct to remove */ |
| 1024 | /* force(I) - indicates to delete entry regardless of */ |
| 1025 | /* reference count */ |
| 1026 | /* Locking: rs->rs_rxlock must be held write only */ |
| 1027 | /* */ |
| 1028 | /* Free the RPCB transaction record rx from the chain of entries. */ |
| 1029 | /* -------------------------------------------------------------------- */ |
| 1030 | static void |
| 1031 | ipf_p_rpcb_deref(rpcb_session_t *rs, rpcb_xact_t *rx) |
| 1032 | { |
| 1033 | rs = rs; /* LINT */ |
| 1034 | |
| 1035 | if (rx == NULL) |
| 1036 | return; |
| 1037 | |
| 1038 | if (--rx->rx_ref != 0) |
| 1039 | return; |
| 1040 | |
| 1041 | if (rx->rx_next != NULL) |
| 1042 | rx->rx_next->rx_pnext = rx->rx_pnext; |
| 1043 | |
| 1044 | *rx->rx_pnext = rx->rx_next; |
| 1045 | |
| 1046 | KFREE(rx); |
| 1047 | |
| 1048 | --rpcbcnt; |
| 1049 | } |
| 1050 | |
| 1051 | /* -------------------------------------------------------------------- */ |
| 1052 | /* Function: ipf_p_rpcb_getproto */ |
| 1053 | /* Returns: int - -1 == illegal protocol/netid, */ |
| 1054 | /* 0 == legal protocol/netid */ |
| 1055 | /* Parameters: rm(I) - pointer to RPC message structure */ |
| 1056 | /* xp(I) - pointer to netid structure */ |
| 1057 | /* p(IO) - pointer to location within packet buffer */ |
| 1058 | /* */ |
| 1059 | /* Decode netid/proto stored at p and record its numeric value. */ |
| 1060 | /* -------------------------------------------------------------------- */ |
| 1061 | static int |
| 1062 | ipf_p_rpcb_getproto(rpc_msg_t *rm, xdr_proto_t *xp, u_32_t **p) |
| 1063 | { |
| 1064 | u_int len; |
| 1065 | |
| 1066 | /* Must have 4 bytes for length & 4 bytes for "tcp" or "udp". */ |
| 1067 | if (!RPCB_BUF_GEQ(rm, p, 8)) |
| 1068 | return(-1); |
| 1069 | |
| 1070 | xp->xp_xslen = (*p)++; |
| 1071 | xp->xp_xsstr = (char *)*p; |
| 1072 | |
| 1073 | /* Test the string length. */ |
| 1074 | len = B(xp->xp_xslen); |
| 1075 | if (len != 3) |
| 1076 | return(-1); |
| 1077 | |
| 1078 | /* Test the actual string & record the protocol accordingly. */ |
| 1079 | if (!strncmp((char *)xp->xp_xsstr, "tcp\0" , 4)) |
| 1080 | xp->xp_proto = IPPROTO_TCP; |
| 1081 | else if (!strncmp((char *)xp->xp_xsstr, "udp\0" , 4)) |
| 1082 | xp->xp_proto = IPPROTO_UDP; |
| 1083 | else { |
| 1084 | return(-1); |
| 1085 | } |
| 1086 | |
| 1087 | /* Advance past the string. */ |
| 1088 | (*p)++; |
| 1089 | |
| 1090 | return(0); |
| 1091 | } |
| 1092 | |
| 1093 | /* -------------------------------------------------------------------- */ |
| 1094 | /* Function: ipf_p_rpcb_getnat */ |
| 1095 | /* Returns: int -- -1 == failed to create table entries, */ |
| 1096 | /* 0 == success */ |
| 1097 | /* Parameters: fin(I) - pointer to packet information */ |
| 1098 | /* nat(I) - pointer to NAT table entry */ |
| 1099 | /* proto(I) - transport protocol for new entries */ |
| 1100 | /* port(I) - new port to use w/ wildcard table entries */ |
| 1101 | /* */ |
| 1102 | /* Create state and NAT entries to handle an anticipated connection */ |
| 1103 | /* attempt between RPC client and server. */ |
| 1104 | /* -------------------------------------------------------------------- */ |
| 1105 | static int |
| 1106 | ipf_p_rpcb_getnat(fr_info_t *fin, nat_t *nat, u_int proto, u_int port) |
| 1107 | { |
| 1108 | ipf_main_softc_t *softc = fin->fin_main_soft; |
| 1109 | ipnat_t *ipn, ipnat; |
| 1110 | tcphdr_t tcp; |
| 1111 | ipstate_t *is; |
| 1112 | fr_info_t fi; |
| 1113 | nat_t *natl; |
| 1114 | int nflags; |
| 1115 | |
| 1116 | ipn = nat->nat_ptr; |
| 1117 | |
| 1118 | /* Generate dummy fr_info */ |
| 1119 | bcopy((char *)fin, (char *)&fi, sizeof(fi)); |
| 1120 | fi.fin_out = 0; |
| 1121 | fi.fin_p = proto; |
| 1122 | fi.fin_sport = 0; |
| 1123 | fi.fin_dport = port & 0xffff; |
| 1124 | fi.fin_flx |= FI_IGNORE; |
| 1125 | fi.fin_saddr = nat->nat_osrcaddr; |
| 1126 | fi.fin_daddr = nat->nat_odstaddr; |
| 1127 | |
| 1128 | bzero((char *)&tcp, sizeof(tcp)); |
| 1129 | tcp.th_dport = htons(port); |
| 1130 | |
| 1131 | if (proto == IPPROTO_TCP) { |
| 1132 | tcp.th_win = htons(8192); |
| 1133 | TCP_OFF_A(&tcp, sizeof(tcphdr_t) >> 2); |
| 1134 | fi.fin_dlen = sizeof(tcphdr_t); |
| 1135 | tcp.th_flags = TH_SYN; |
| 1136 | nflags = NAT_TCP; |
| 1137 | } else { |
| 1138 | fi.fin_dlen = sizeof(udphdr_t); |
| 1139 | nflags = NAT_UDP; |
| 1140 | } |
| 1141 | |
| 1142 | nflags |= SI_W_SPORT|NAT_SEARCH; |
| 1143 | fi.fin_dp = &tcp; |
| 1144 | fi.fin_plen = fi.fin_hlen + fi.fin_dlen; |
| 1145 | |
| 1146 | /* |
| 1147 | * Search for existing NAT & state entries. Pay close attention to |
| 1148 | * mutexes / locks grabbed from lookup routines, as not doing so could |
| 1149 | * lead to bad things. |
| 1150 | * |
| 1151 | * If successful, fr_stlookup returns with ipf_state locked. We have |
| 1152 | * no use for this lock, so simply unlock it if necessary. |
| 1153 | */ |
| 1154 | is = ipf_state_lookup(&fi, &tcp, NULL); |
| 1155 | if (is != NULL) { |
| 1156 | RWLOCK_EXIT(&softc->ipf_state); |
| 1157 | } |
| 1158 | |
| 1159 | RWLOCK_EXIT(&softc->ipf_nat); |
| 1160 | |
| 1161 | WRITE_ENTER(&softc->ipf_nat); |
| 1162 | natl = ipf_nat_inlookup(&fi, nflags, proto, fi.fin_src, fi.fin_dst); |
| 1163 | |
| 1164 | if ((natl != NULL) && (is != NULL)) { |
| 1165 | MUTEX_DOWNGRADE(&softc->ipf_nat); |
| 1166 | return(0); |
| 1167 | } |
| 1168 | |
| 1169 | /* Slightly modify the following structures for actual use in creating |
| 1170 | * NAT and/or state entries. We're primarily concerned with stripping |
| 1171 | * flags that may be detrimental to the creation process or simply |
| 1172 | * shouldn't be associated with a table entry. |
| 1173 | */ |
| 1174 | fi.fin_fr = &rpcbfr; |
| 1175 | fi.fin_flx &= ~FI_IGNORE; |
| 1176 | nflags &= ~NAT_SEARCH; |
| 1177 | |
| 1178 | if (natl == NULL) { |
| 1179 | #ifdef USE_MUTEXES |
| 1180 | ipf_nat_softc_t *softn = softc->ipf_nat_soft; |
| 1181 | #endif |
| 1182 | |
| 1183 | /* XXX Since we're just copying the original ipn contents |
| 1184 | * back, would we be better off just sending a pointer to |
| 1185 | * the 'temp' copy off to nat_new instead? |
| 1186 | */ |
| 1187 | /* Generate template/bogus NAT rule. */ |
| 1188 | bcopy((char *)ipn, (char *)&ipnat, sizeof(ipnat)); |
| 1189 | ipn->in_flags = nflags & IPN_TCPUDP; |
| 1190 | ipn->in_apr = NULL; |
| 1191 | ipn->in_pr[0] = proto; |
| 1192 | ipn->in_pr[1] = proto; |
| 1193 | ipn->in_dpmin = fi.fin_dport; |
| 1194 | ipn->in_dpmax = fi.fin_dport; |
| 1195 | ipn->in_dpnext = fi.fin_dport; |
| 1196 | ipn->in_space = 1; |
| 1197 | ipn->in_ippip = 1; |
| 1198 | if (ipn->in_flags & IPN_FILTER) { |
| 1199 | ipn->in_scmp = 0; |
| 1200 | ipn->in_dcmp = 0; |
| 1201 | } |
| 1202 | ipn->in_plabel = -1; |
| 1203 | |
| 1204 | /* Create NAT entry. return NULL if this fails. */ |
| 1205 | MUTEX_ENTER(&softn->ipf_nat_new); |
| 1206 | natl = ipf_nat_add(&fi, ipn, NULL, nflags|SI_CLONE|NAT_SLAVE, |
| 1207 | NAT_INBOUND); |
| 1208 | MUTEX_EXIT(&softn->ipf_nat_new); |
| 1209 | |
| 1210 | bcopy((char *)&ipnat, (char *)ipn, sizeof(ipnat)); |
| 1211 | |
| 1212 | if (natl == NULL) { |
| 1213 | MUTEX_DOWNGRADE(&softc->ipf_nat); |
| 1214 | return(-1); |
| 1215 | } |
| 1216 | |
| 1217 | natl->nat_ptr = ipn; |
| 1218 | fi.fin_saddr = natl->nat_nsrcaddr; |
| 1219 | fi.fin_daddr = natl->nat_ndstaddr; |
| 1220 | ipn->in_use++; |
| 1221 | (void) ipf_nat_proto(&fi, natl, nflags); |
| 1222 | MUTEX_ENTER(&natl->nat_lock); |
| 1223 | ipf_nat_update(&fi, natl); |
| 1224 | MUTEX_EXIT(&natl->nat_lock); |
| 1225 | } |
| 1226 | MUTEX_DOWNGRADE(&softc->ipf_nat); |
| 1227 | |
| 1228 | if (is == NULL) { |
| 1229 | /* Create state entry. Return NULL if this fails. */ |
| 1230 | fi.fin_flx |= FI_NATED; |
| 1231 | fi.fin_flx &= ~FI_STATE; |
| 1232 | nflags &= NAT_TCPUDP; |
| 1233 | nflags |= SI_W_SPORT|SI_CLONE; |
| 1234 | |
| 1235 | if (ipf_state_add(softc, &fi, NULL, nflags) != 0) { |
| 1236 | /* |
| 1237 | * XXX nat_delete is private to ip_nat.c. Should |
| 1238 | * check w/ Darren about this one. |
| 1239 | * |
| 1240 | * nat_delete(natl, NL_EXPIRE); |
| 1241 | */ |
| 1242 | return(-1); |
| 1243 | } |
| 1244 | } |
| 1245 | |
| 1246 | return(0); |
| 1247 | } |
| 1248 | |
| 1249 | /* -------------------------------------------------------------------- */ |
| 1250 | /* Function: ipf_p_rpcb_modv3 */ |
| 1251 | /* Returns: int -- change in packet length */ |
| 1252 | /* Parameters: fin(I) - pointer to packet information */ |
| 1253 | /* nat(I) - pointer to NAT session */ |
| 1254 | /* rm(I) - pointer to RPC message structure */ |
| 1255 | /* m(I) - pointer to mbuf chain */ |
| 1256 | /* off(I) - offset within mbuf chain */ |
| 1257 | /* */ |
| 1258 | /* Write a new universal address string to this packet, adjusting */ |
| 1259 | /* lengths as necessary. */ |
| 1260 | /* -------------------------------------------------------------------- */ |
| 1261 | static int |
| 1262 | ipf_p_rpcb_modv3(fr_info_t *fin, nat_t *nat, rpc_msg_t *rm, mb_t *m, u_int off) |
| 1263 | { |
| 1264 | u_int len, xlen, pos, bogo; |
| 1265 | rpc_resp_t *rr; |
| 1266 | char uaddr[24]; |
| 1267 | char *i, *p; |
| 1268 | int diff; |
| 1269 | |
| 1270 | rr = &rm->rm_resp; |
| 1271 | i = (char *)&nat->nat_ndstaddr; |
| 1272 | p = (char *)&rr->rr_v3.xu_port; |
| 1273 | |
| 1274 | /* Form new string. */ |
| 1275 | bzero(uaddr, sizeof(uaddr)); /* Just in case we need padding. */ |
| 1276 | snprintf(uaddr, sizeof(uaddr), |
| 1277 | "%u.%u.%u.%u.%u.%u" , i[0] & 0xff, i[1] & 0xff, |
| 1278 | i[2] & 0xff, i[3] & 0xff, p[0] & 0xff, p[1] & 0xff); |
| 1279 | len = strlen(uaddr); |
| 1280 | xlen = XDRALIGN(len); |
| 1281 | |
| 1282 | /* Determine mbuf offset to write to. */ |
| 1283 | pos = (char *)rr->rr_v3.xu_xslen - rm->rm_msgbuf; |
| 1284 | off += pos; |
| 1285 | |
| 1286 | /* Write new string length. */ |
| 1287 | bogo = htonl(len); |
| 1288 | COPYBACK(m, off, 4, (void *)&bogo); |
| 1289 | off += 4; |
| 1290 | |
| 1291 | /* Write new string. */ |
| 1292 | COPYBACK(m, off, xlen, uaddr); |
| 1293 | |
| 1294 | /* Determine difference in data lengths. */ |
| 1295 | diff = xlen - XDRALIGN(B(rr->rr_v3.xu_xslen)); |
| 1296 | |
| 1297 | /* |
| 1298 | * If our new string has a different length, make necessary |
| 1299 | * adjustments. |
| 1300 | */ |
| 1301 | if (diff != 0) |
| 1302 | ipf_p_rpcb_fixlen(fin, diff); |
| 1303 | |
| 1304 | return(diff); |
| 1305 | } |
| 1306 | |
| 1307 | /* -------------------------------------------------------------------- */ |
| 1308 | /* Function: ipf_p_rpcb_modv4 */ |
| 1309 | /* Returns: int -- change in packet length */ |
| 1310 | /* Parameters: fin(I) - pointer to packet information */ |
| 1311 | /* nat(I) - pointer to NAT session */ |
| 1312 | /* rm(I) - pointer to RPC message structure */ |
| 1313 | /* m(I) - pointer to mbuf chain */ |
| 1314 | /* off(I) - offset within mbuf chain */ |
| 1315 | /* */ |
| 1316 | /* Write new rpcb_entry list, adjusting lengths as necessary. */ |
| 1317 | /* -------------------------------------------------------------------- */ |
| 1318 | static int |
| 1319 | ipf_p_rpcb_modv4(fr_info_t *fin, nat_t *nat, rpc_msg_t *rm, mb_t *m, u_int off) |
| 1320 | { |
| 1321 | u_int len, xlen, pos, bogo; |
| 1322 | rpcb_listp_t *rl; |
| 1323 | rpcb_entry_t *re; |
| 1324 | rpc_resp_t *rr; |
| 1325 | char uaddr[24]; |
| 1326 | int diff, cnt; |
| 1327 | char *i, *p; |
| 1328 | |
| 1329 | diff = 0; |
| 1330 | rr = &rm->rm_resp; |
| 1331 | rl = &rr->rr_v4; |
| 1332 | |
| 1333 | i = (char *)&nat->nat_ndstaddr; |
| 1334 | |
| 1335 | /* Determine mbuf offset to write to. */ |
| 1336 | re = &rl->rl_entries[0]; |
| 1337 | pos = (char *)re->re_maddr.xu_xslen - rm->rm_msgbuf; |
| 1338 | off += pos; |
| 1339 | |
| 1340 | for (cnt = 0; cnt < rl->rl_cnt; cnt++) { |
| 1341 | re = &rl->rl_entries[cnt]; |
| 1342 | p = (char *)&re->re_maddr.xu_port; |
| 1343 | |
| 1344 | /* Form new string. */ |
| 1345 | bzero(uaddr, sizeof(uaddr)); /* Just in case we need |
| 1346 | padding. */ |
| 1347 | snprintf(uaddr, sizeof(uaddr), |
| 1348 | "%u.%u.%u.%u.%u.%u" , i[0] & 0xff, |
| 1349 | i[1] & 0xff, i[2] & 0xff, i[3] & 0xff, |
| 1350 | p[0] & 0xff, p[1] & 0xff); |
| 1351 | len = strlen(uaddr); |
| 1352 | xlen = XDRALIGN(len); |
| 1353 | |
| 1354 | /* Write new string length. */ |
| 1355 | bogo = htonl(len); |
| 1356 | COPYBACK(m, off, 4, (void *)&bogo); |
| 1357 | off += 4; |
| 1358 | |
| 1359 | /* Write new string. */ |
| 1360 | COPYBACK(m, off, xlen, uaddr); |
| 1361 | off += xlen; |
| 1362 | |
| 1363 | /* Record any change in length. */ |
| 1364 | diff += xlen - XDRALIGN(B(re->re_maddr.xu_xslen)); |
| 1365 | |
| 1366 | /* If the length changed, copy back the rest of this entry. */ |
| 1367 | len = ((char *)re->re_more + 4) - |
| 1368 | (char *)re->re_netid.xp_xslen; |
| 1369 | if (diff != 0) { |
| 1370 | COPYBACK(m, off, len, (void *)re->re_netid.xp_xslen); |
| 1371 | } |
| 1372 | off += len; |
| 1373 | } |
| 1374 | |
| 1375 | /* |
| 1376 | * If our new string has a different length, make necessary |
| 1377 | * adjustments. |
| 1378 | */ |
| 1379 | if (diff != 0) |
| 1380 | ipf_p_rpcb_fixlen(fin, diff); |
| 1381 | |
| 1382 | return(diff); |
| 1383 | } |
| 1384 | |
| 1385 | |
| 1386 | /* -------------------------------------------------------------------- */ |
| 1387 | /* Function: ipf_p_rpcb_fixlen */ |
| 1388 | /* Returns: (void) */ |
| 1389 | /* Parameters: fin(I) - pointer to packet information */ |
| 1390 | /* len(I) - change in packet length */ |
| 1391 | /* */ |
| 1392 | /* Adjust various packet related lengths held in structure and packet */ |
| 1393 | /* header fields. */ |
| 1394 | /* -------------------------------------------------------------------- */ |
| 1395 | static void |
| 1396 | ipf_p_rpcb_fixlen(fr_info_t *fin, int len) |
| 1397 | { |
| 1398 | udphdr_t *udp; |
| 1399 | |
| 1400 | udp = fin->fin_dp; |
| 1401 | udp->uh_ulen = htons(ntohs(udp->uh_ulen) + len); |
| 1402 | fin->fin_plen += len; |
| 1403 | fin->fin_ip->ip_len = htons(fin->fin_plen); |
| 1404 | fin->fin_dlen += len; |
| 1405 | } |
| 1406 | |
| 1407 | #undef B |
| 1408 | |