1 | /* $NetBSD: ip_rpcb_pxy.c,v 1.4 2014/03/20 20:43:12 christos Exp $ */ |
2 | |
3 | /* |
4 | * Copyright (C) 2002-2012 by Ryan Beasley <ryanb@goddamnbastard.org> |
5 | * |
6 | * See the IPFILTER.LICENCE file for details on licencing. |
7 | */ |
8 | /* |
9 | * Overview: |
10 | * This is an in-kernel application proxy for Sun's RPCBIND (nee portmap) |
11 | * protocol as defined in RFC1833. It is far from complete, mostly |
12 | * lacking in less-likely corner cases, but it's definitely functional. |
13 | * |
14 | * Invocation: |
15 | * rdr <int> <e_ip>/32 port <e_p> -> <i_ip> port <i_p> udp proxy rpcbu |
16 | * |
17 | * If the host running IP Filter is the same as the RPC server, it's |
18 | * perfectly legal for both the internal and external addresses and ports |
19 | * to match. |
20 | * |
21 | * When triggered by appropriate IP NAT rules, this proxy works by |
22 | * examining data contained in received packets. Requests and replies are |
23 | * modified, NAT and state table entries created, etc., as necessary. |
24 | */ |
25 | /* |
26 | * TODO / NOTES |
27 | * |
28 | * o Must implement locking to protect proxy session data. |
29 | * o Fragmentation isn't supported. |
30 | * o Only supports UDP. |
31 | * o Doesn't support multiple RPC records in a single request. |
32 | * o Errors should be more fine-grained. (e.g., malloc failure vs. |
33 | * illegal RPCB request / reply) |
34 | * o Even with the limit on the total amount of recorded transactions, |
35 | * should there be a timeout on transaction removal? |
36 | * o There is a potential collision between cloning, wildcard NAT and |
37 | * state entries. There should be an appr_getport routine for |
38 | * to avoid this. |
39 | * o The enclosed hack of STREAMS support is pretty sick and most likely |
40 | * broken. |
41 | * |
42 | * Id: ip_rpcb_pxy.c,v 1.1.1.2 2012/07/22 13:45:34 darrenr Exp |
43 | */ |
44 | |
45 | #include <sys/cdefs.h> |
46 | __KERNEL_RCSID(1, "$NetBSD: ip_rpcb_pxy.c,v 1.4 2014/03/20 20:43:12 christos Exp $" ); |
47 | |
48 | #define IPF_RPCB_PROXY |
49 | |
50 | /* |
51 | * Function prototypes |
52 | */ |
53 | void ipf_p_rpcb_main_load(void); |
54 | void ipf_p_rpcb_main_unload(void); |
55 | int ipf_p_rpcb_new(void *, fr_info_t *, ap_session_t *, nat_t *); |
56 | void ipf_p_rpcb_del(ipf_main_softc_t *, ap_session_t *); |
57 | int ipf_p_rpcb_in(void *, fr_info_t *, ap_session_t *, nat_t *); |
58 | int ipf_p_rpcb_out(void *, fr_info_t *, ap_session_t *, nat_t *); |
59 | |
60 | static void ipf_p_rpcb_flush(rpcb_session_t *); |
61 | static int ipf_p_rpcb_decodereq(fr_info_t *, nat_t *, |
62 | rpcb_session_t *, rpc_msg_t *); |
63 | static int ipf_p_rpcb_skipauth(rpc_msg_t *, xdr_auth_t *, u_32_t **); |
64 | static int ipf_p_rpcb_insert(rpcb_session_t *, rpcb_xact_t *); |
65 | static int ipf_p_rpcb_xdrrpcb(rpc_msg_t *, u_32_t *, rpcb_args_t *); |
66 | static int ipf_p_rpcb_getuaddr(rpc_msg_t *, xdr_uaddr_t *, |
67 | u_32_t **); |
68 | static u_int ipf_p_rpcb_atoi(char *); |
69 | static int ipf_p_rpcb_modreq(fr_info_t *, nat_t *, rpc_msg_t *, |
70 | mb_t *, u_int); |
71 | static int ipf_p_rpcb_decoderep(fr_info_t *, nat_t *, |
72 | rpcb_session_t *, rpc_msg_t *, rpcb_xact_t **); |
73 | static rpcb_xact_t * ipf_p_rpcb_lookup(rpcb_session_t *, u_32_t); |
74 | static void ipf_p_rpcb_deref(rpcb_session_t *, rpcb_xact_t *); |
75 | static int ipf_p_rpcb_getproto(rpc_msg_t *, xdr_proto_t *, |
76 | u_32_t **); |
77 | static int ipf_p_rpcb_getnat(fr_info_t *, nat_t *, u_int, u_int); |
78 | static int ipf_p_rpcb_modv3(fr_info_t *, nat_t *, rpc_msg_t *, |
79 | mb_t *, u_int); |
80 | static int ipf_p_rpcb_modv4(fr_info_t *, nat_t *, rpc_msg_t *, |
81 | mb_t *, u_int); |
82 | static void ipf_p_rpcb_fixlen(fr_info_t *, int); |
83 | |
84 | /* |
85 | * Global variables |
86 | */ |
87 | static frentry_t rpcbfr; /* Skeleton rule for reference by entities |
88 | this proxy creates. */ |
89 | static int rpcbcnt; /* Upper bound of allocated RPCB sessions. */ |
90 | /* XXX rpcbcnt still requires locking. */ |
91 | |
92 | static int rpcb_proxy_init = 0; |
93 | |
94 | |
95 | /* |
96 | * Since rpc_msg contains only pointers, one should use this macro as a |
97 | * handy way to get to the goods. (In case you're wondering about the name, |
98 | * this started as BYTEREF -> BREF -> B.) |
99 | */ |
100 | #define B(r) (u_32_t)ntohl(*(r)) |
101 | |
102 | /* |
103 | * Public subroutines |
104 | */ |
105 | |
106 | /* -------------------------------------------------------------------- */ |
107 | /* Function: ipf_p_rpcb_main_load */ |
108 | /* Returns: void */ |
109 | /* Parameters: (void) */ |
110 | /* */ |
111 | /* Initialize the filter rule entry and session limiter. */ |
112 | /* -------------------------------------------------------------------- */ |
113 | void |
114 | ipf_p_rpcb_main_load(void) |
115 | { |
116 | rpcbcnt = 0; |
117 | |
118 | bzero((char *)&rpcbfr, sizeof(rpcbfr)); |
119 | rpcbfr.fr_ref = 1; |
120 | rpcbfr.fr_flags = FR_PASS|FR_QUICK|FR_KEEPSTATE; |
121 | MUTEX_INIT(&rpcbfr.fr_lock, "ipf Sun RPCB proxy rule lock" ); |
122 | rpcb_proxy_init = 1; |
123 | } |
124 | |
125 | /* -------------------------------------------------------------------- */ |
126 | /* Function: ipf_p_rpcb_main_unload */ |
127 | /* Returns: void */ |
128 | /* Parameters: (void) */ |
129 | /* */ |
130 | /* Destroy rpcbfr's mutex to avoid a lock leak. */ |
131 | /* -------------------------------------------------------------------- */ |
132 | void |
133 | ipf_p_rpcb_main_unload(void) |
134 | { |
135 | if (rpcb_proxy_init == 1) { |
136 | MUTEX_DESTROY(&rpcbfr.fr_lock); |
137 | rpcb_proxy_init = 0; |
138 | } |
139 | } |
140 | |
141 | /* -------------------------------------------------------------------- */ |
142 | /* Function: ipf_p_rpcb_new */ |
143 | /* Returns: int - -1 == failure, 0 == success */ |
144 | /* Parameters: fin(I) - pointer to packet information */ |
145 | /* aps(I) - pointer to proxy session structure */ |
146 | /* nat(I) - pointer to NAT session structure */ |
147 | /* */ |
148 | /* Allocate resources for per-session proxy structures. */ |
149 | /* -------------------------------------------------------------------- */ |
150 | int |
151 | ipf_p_rpcb_new(void *arg, fr_info_t *fin, ap_session_t *aps, nat_t *nat) |
152 | { |
153 | rpcb_session_t *rs; |
154 | |
155 | nat = nat; /* LINT */ |
156 | |
157 | if (fin->fin_v != 4) |
158 | return -1; |
159 | |
160 | KMALLOC(rs, rpcb_session_t *); |
161 | if (rs == NULL) |
162 | return(-1); |
163 | |
164 | bzero((char *)rs, sizeof(*rs)); |
165 | MUTEX_INIT(&rs->rs_rxlock, "ipf Sun RPCB proxy session lock" ); |
166 | |
167 | aps->aps_data = rs; |
168 | |
169 | return(0); |
170 | } |
171 | |
172 | /* -------------------------------------------------------------------- */ |
173 | /* Function: ipf_p_rpcb_del */ |
174 | /* Returns: void */ |
175 | /* Parameters: aps(I) - pointer to proxy session structure */ |
176 | /* */ |
177 | /* Free up a session's list of RPCB requests. */ |
178 | /* -------------------------------------------------------------------- */ |
179 | void |
180 | ipf_p_rpcb_del(ipf_main_softc_t *softc, ap_session_t *aps) |
181 | { |
182 | rpcb_session_t *rs; |
183 | rs = (rpcb_session_t *)aps->aps_data; |
184 | |
185 | MUTEX_ENTER(&rs->rs_rxlock); |
186 | ipf_p_rpcb_flush(rs); |
187 | MUTEX_EXIT(&rs->rs_rxlock); |
188 | MUTEX_DESTROY(&rs->rs_rxlock); |
189 | } |
190 | |
191 | /* -------------------------------------------------------------------- */ |
192 | /* Function: ipf_p_rpcb_in */ |
193 | /* Returns: int - APR_ERR(1) == drop the packet, */ |
194 | /* APR_ERR(2) == kill the proxy session, */ |
195 | /* else change in packet length (in bytes) */ |
196 | /* Parameters: fin(I) - pointer to packet information */ |
197 | /* ip(I) - pointer to packet header */ |
198 | /* aps(I) - pointer to proxy session structure */ |
199 | /* nat(I) - pointer to NAT session structure */ |
200 | /* */ |
201 | /* Given a presumed RPCB request, perform some minor tests and pass off */ |
202 | /* for decoding. Also pass packet off for a rewrite if necessary. */ |
203 | /* -------------------------------------------------------------------- */ |
204 | int |
205 | ipf_p_rpcb_in(void *arg, fr_info_t *fin, ap_session_t *aps, nat_t *nat) |
206 | { |
207 | rpc_msg_t rpcmsg, *rm; |
208 | rpcb_session_t *rs; |
209 | u_int off, dlen; |
210 | mb_t *m; |
211 | int rv; |
212 | |
213 | /* Disallow fragmented or illegally short packets. */ |
214 | if ((fin->fin_flx & (FI_FRAG|FI_SHORT)) != 0) |
215 | return(APR_ERR(1)); |
216 | |
217 | /* Perform basic variable initialization. */ |
218 | rs = (rpcb_session_t *)aps->aps_data; |
219 | |
220 | m = fin->fin_m; |
221 | off = (char *)fin->fin_dp - (char *)fin->fin_ip; |
222 | off += sizeof(udphdr_t) + fin->fin_ipoff; |
223 | dlen = fin->fin_dlen - sizeof(udphdr_t); |
224 | |
225 | /* Disallow packets outside legal range for supported requests. */ |
226 | if ((dlen < RPCB_REQMIN) || (dlen > RPCB_REQMAX)) |
227 | return(APR_ERR(1)); |
228 | |
229 | /* Copy packet over to convenience buffer. */ |
230 | rm = &rpcmsg; |
231 | bzero((char *)rm, sizeof(*rm)); |
232 | COPYDATA(m, off, dlen, (void *)&rm->rm_msgbuf); |
233 | rm->rm_buflen = dlen; |
234 | |
235 | /* Send off to decode request. */ |
236 | rv = ipf_p_rpcb_decodereq(fin, nat, rs, rm); |
237 | |
238 | switch(rv) |
239 | { |
240 | case -1: |
241 | return(APR_ERR(1)); |
242 | /*NOTREACHED*/ |
243 | break; |
244 | case 0: |
245 | break; |
246 | case 1: |
247 | rv = ipf_p_rpcb_modreq(fin, nat, rm, m, off); |
248 | break; |
249 | default: |
250 | /*CONSTANTCONDITION*/ |
251 | IPF_PANIC(1, ("illegal rv %d (ipf_p_rpcb_req)" , rv)); |
252 | } |
253 | |
254 | return(rv); |
255 | } |
256 | |
257 | /* -------------------------------------------------------------------- */ |
258 | /* Function: ipf_p_rpcb_out */ |
259 | /* Returns: int - APR_ERR(1) == drop the packet, */ |
260 | /* APR_ERR(2) == kill the proxy session, */ |
261 | /* else change in packet length (in bytes) */ |
262 | /* Parameters: fin(I) - pointer to packet information */ |
263 | /* ip(I) - pointer to packet header */ |
264 | /* aps(I) - pointer to proxy session structure */ |
265 | /* nat(I) - pointer to NAT session structure */ |
266 | /* */ |
267 | /* Given a presumed RPCB reply, perform some minor tests and pass off */ |
268 | /* for decoding. If the message indicates a successful request with */ |
269 | /* valid addressing information, create NAT and state structures to */ |
270 | /* allow direct communication between RPC client and server. */ |
271 | /* -------------------------------------------------------------------- */ |
272 | int |
273 | ipf_p_rpcb_out(void *arg, fr_info_t *fin, ap_session_t *aps, nat_t *nat) |
274 | { |
275 | rpc_msg_t rpcmsg, *rm; |
276 | rpcb_session_t *rs; |
277 | rpcb_xact_t *rx; |
278 | u_int off, dlen; |
279 | int rv, diff; |
280 | mb_t *m; |
281 | |
282 | rx = NULL; /* XXX gcc */ |
283 | |
284 | /* Disallow fragmented or illegally short packets. */ |
285 | if ((fin->fin_flx & (FI_FRAG|FI_SHORT)) != 0) |
286 | return(APR_ERR(1)); |
287 | |
288 | /* Perform basic variable initialization. */ |
289 | rs = (rpcb_session_t *)aps->aps_data; |
290 | rx = NULL; |
291 | |
292 | m = fin->fin_m; |
293 | off = (char *)fin->fin_dp - (char *)fin->fin_ip; |
294 | off += sizeof(udphdr_t) + fin->fin_ipoff; |
295 | dlen = fin->fin_dlen - sizeof(udphdr_t); |
296 | diff = 0; |
297 | |
298 | /* Disallow packets outside legal range for supported requests. */ |
299 | if ((dlen < RPCB_REPMIN) || (dlen > RPCB_REPMAX)) |
300 | return(APR_ERR(1)); |
301 | |
302 | /* Copy packet over to convenience buffer. */ |
303 | rm = &rpcmsg; |
304 | bzero((char *)rm, sizeof(*rm)); |
305 | COPYDATA(m, off, dlen, (void *)&rm->rm_msgbuf); |
306 | rm->rm_buflen = dlen; |
307 | |
308 | rx = NULL; /* XXX gcc */ |
309 | |
310 | /* Send off to decode reply. */ |
311 | rv = ipf_p_rpcb_decoderep(fin, nat, rs, rm, &rx); |
312 | |
313 | switch(rv) |
314 | { |
315 | case -1: /* Bad packet */ |
316 | if (rx != NULL) { |
317 | MUTEX_ENTER(&rs->rs_rxlock); |
318 | ipf_p_rpcb_deref(rs, rx); |
319 | MUTEX_EXIT(&rs->rs_rxlock); |
320 | } |
321 | return(APR_ERR(1)); |
322 | /*NOTREACHED*/ |
323 | break; |
324 | case 0: /* Negative reply / request rejected */ |
325 | break; |
326 | case 1: /* Positive reply */ |
327 | /* |
328 | * With the IP address embedded in a GETADDR(LIST) reply, |
329 | * we'll need to rewrite the packet in the very possible |
330 | * event that the internal & external addresses aren't the |
331 | * same. (i.e., this box is either a router or rpcbind |
332 | * only listens on loopback.) |
333 | */ |
334 | if (nat->nat_odstaddr != nat->nat_ndstaddr) { |
335 | if (rx->rx_type == RPCB_RES_STRING) |
336 | diff = ipf_p_rpcb_modv3(fin, nat, rm, m, off); |
337 | else if (rx->rx_type == RPCB_RES_LIST) |
338 | diff = ipf_p_rpcb_modv4(fin, nat, rm, m, off); |
339 | } |
340 | break; |
341 | default: |
342 | /*CONSTANTCONDITION*/ |
343 | IPF_PANIC(1, ("illegal rv %d (ipf_p_rpcb_decoderep)" , rv)); |
344 | } |
345 | |
346 | if (rx != NULL) { |
347 | MUTEX_ENTER(&rs->rs_rxlock); |
348 | /* XXX Gross hack - I'm overloading the reference |
349 | * counter to deal with both threads and retransmitted |
350 | * requests. One deref signals that this thread is |
351 | * finished with rx, and the other signals that we've |
352 | * processed its reply. |
353 | */ |
354 | ipf_p_rpcb_deref(rs, rx); |
355 | ipf_p_rpcb_deref(rs, rx); |
356 | MUTEX_EXIT(&rs->rs_rxlock); |
357 | } |
358 | |
359 | return(diff); |
360 | } |
361 | |
362 | /* |
363 | * Private support subroutines |
364 | */ |
365 | |
366 | /* -------------------------------------------------------------------- */ |
367 | /* Function: ipf_p_rpcb_flush */ |
368 | /* Returns: void */ |
369 | /* Parameters: rs(I) - pointer to RPCB session structure */ |
370 | /* */ |
371 | /* Simply flushes the list of outstanding transactions, if any. */ |
372 | /* -------------------------------------------------------------------- */ |
373 | static void |
374 | ipf_p_rpcb_flush(rpcb_session_t *rs) |
375 | { |
376 | rpcb_xact_t *r1, *r2; |
377 | |
378 | r1 = rs->rs_rxlist; |
379 | if (r1 == NULL) |
380 | return; |
381 | |
382 | while (r1 != NULL) { |
383 | r2 = r1; |
384 | r1 = r1->rx_next; |
385 | KFREE(r2); |
386 | } |
387 | } |
388 | |
389 | /* -------------------------------------------------------------------- */ |
390 | /* Function: ipf_p_rpcb_decodereq */ |
391 | /* Returns: int - -1 == bad request or critical failure, */ |
392 | /* 0 == request successfully decoded, */ |
393 | /* 1 == request successfully decoded; requires */ |
394 | /* address rewrite/modification */ |
395 | /* Parameters: fin(I) - pointer to packet information */ |
396 | /* nat(I) - pointer to NAT session structure */ |
397 | /* rs(I) - pointer to RPCB session structure */ |
398 | /* rm(I) - pointer to RPC message structure */ |
399 | /* */ |
400 | /* Take a presumed RPCB request, decode it, and store the results in */ |
401 | /* the transaction list. If the internal target address needs to be */ |
402 | /* modified, store its location in ptr. */ |
403 | /* WARNING: It's the responsibility of the caller to make sure there */ |
404 | /* is enough room in rs_buf for the basic RPC message "preamble". */ |
405 | /* -------------------------------------------------------------------- */ |
406 | static int |
407 | ipf_p_rpcb_decodereq(fr_info_t *fin, nat_t *nat, rpcb_session_t *rs, |
408 | rpc_msg_t *rm) |
409 | { |
410 | rpcb_args_t *ra; |
411 | u_32_t xdr, *p; |
412 | rpc_call_t *rc; |
413 | rpcb_xact_t rx; |
414 | int mod; |
415 | |
416 | p = (u_32_t *)rm->rm_msgbuf; |
417 | mod = 0; |
418 | |
419 | bzero((char *)&rx, sizeof(rx)); |
420 | rc = &rm->rm_call; |
421 | |
422 | rm->rm_xid = p; |
423 | rx.rx_xid = B(p++); /* Record this message's XID. */ |
424 | |
425 | /* Parse out and test the RPC header. */ |
426 | if ((B(p++) != RPCB_CALL) || |
427 | (B(p++) != RPCB_MSG_VERSION) || |
428 | (B(p++) != RPCB_PROG)) |
429 | return(-1); |
430 | |
431 | /* Record the RPCB version and procedure. */ |
432 | rc->rc_vers = p++; |
433 | rc->rc_proc = p++; |
434 | |
435 | /* Bypass RPC authentication stuff. */ |
436 | if (ipf_p_rpcb_skipauth(rm, &rc->rc_authcred, &p) != 0) |
437 | return(-1); |
438 | if (ipf_p_rpcb_skipauth(rm, &rc->rc_authverf, &p) != 0) |
439 | return(-1); |
440 | |
441 | /* Compare RPCB version and procedure numbers. */ |
442 | switch(B(rc->rc_vers)) |
443 | { |
444 | case 2: |
445 | /* This proxy only supports PMAP_GETPORT. */ |
446 | if (B(rc->rc_proc) != RPCB_GETPORT) |
447 | return(-1); |
448 | |
449 | /* Portmap requests contain four 4 byte parameters. */ |
450 | if (RPCB_BUF_EQ(rm, p, 16) == 0) |
451 | return(-1); |
452 | |
453 | p += 2; /* Skip requested program and version numbers. */ |
454 | |
455 | /* Sanity check the requested protocol. */ |
456 | xdr = B(p); |
457 | if (!(xdr == IPPROTO_UDP || xdr == IPPROTO_TCP)) |
458 | return(-1); |
459 | |
460 | rx.rx_type = RPCB_RES_PMAP; |
461 | rx.rx_proto = xdr; |
462 | break; |
463 | case 3: |
464 | case 4: |
465 | /* GETADDRLIST is exclusive to v4; GETADDR for v3 & v4 */ |
466 | switch(B(rc->rc_proc)) |
467 | { |
468 | case RPCB_GETADDR: |
469 | rx.rx_type = RPCB_RES_STRING; |
470 | rx.rx_proto = (u_int)fin->fin_p; |
471 | break; |
472 | case RPCB_GETADDRLIST: |
473 | if (B(rc->rc_vers) != 4) |
474 | return(-1); |
475 | rx.rx_type = RPCB_RES_LIST; |
476 | break; |
477 | default: |
478 | return(-1); |
479 | } |
480 | |
481 | ra = &rc->rc_rpcbargs; |
482 | |
483 | /* Decode the 'struct rpcb' request. */ |
484 | if (ipf_p_rpcb_xdrrpcb(rm, p, ra) != 0) |
485 | return(-1); |
486 | |
487 | /* Are the target address & port valid? */ |
488 | if ((ra->ra_maddr.xu_ip != nat->nat_ndstaddr) || |
489 | (ra->ra_maddr.xu_port != nat->nat_ndport)) |
490 | return(-1); |
491 | |
492 | /* Do we need to rewrite this packet? */ |
493 | if ((nat->nat_ndstaddr != nat->nat_odstaddr) || |
494 | (nat->nat_ndport != nat->nat_odport)) |
495 | mod = 1; |
496 | break; |
497 | default: |
498 | return(-1); |
499 | } |
500 | |
501 | MUTEX_ENTER(&rs->rs_rxlock); |
502 | if (ipf_p_rpcb_insert(rs, &rx) != 0) { |
503 | MUTEX_EXIT(&rs->rs_rxlock); |
504 | return(-1); |
505 | } |
506 | MUTEX_EXIT(&rs->rs_rxlock); |
507 | |
508 | return(mod); |
509 | } |
510 | |
511 | /* -------------------------------------------------------------------- */ |
512 | /* Function: ipf_p_rpcb_skipauth */ |
513 | /* Returns: int -- -1 == illegal auth parameters (lengths) */ |
514 | /* 0 == valid parameters, pointer advanced */ |
515 | /* Parameters: rm(I) - pointer to RPC message structure */ |
516 | /* auth(I) - pointer to RPC auth structure */ |
517 | /* buf(IO) - pointer to location within convenience buffer */ |
518 | /* */ |
519 | /* Record auth data length & location of auth data, then advance past */ |
520 | /* it. */ |
521 | /* -------------------------------------------------------------------- */ |
522 | static int |
523 | ipf_p_rpcb_skipauth(rpc_msg_t *rm, xdr_auth_t *auth, u_32_t **buf) |
524 | { |
525 | u_32_t *p, xdr; |
526 | |
527 | p = *buf; |
528 | |
529 | /* Make sure we have enough space for expected fixed auth parms. */ |
530 | if (RPCB_BUF_GEQ(rm, p, 8) == 0) |
531 | return(-1); |
532 | |
533 | p++; /* We don't care about auth_flavor. */ |
534 | |
535 | auth->xa_string.xs_len = p; |
536 | xdr = B(p++); /* Length of auth_data */ |
537 | |
538 | /* Test for absurdity / illegality of auth_data length. */ |
539 | if ((XDRALIGN(xdr) < xdr) || (RPCB_BUF_GEQ(rm, p, XDRALIGN(xdr)) == 0)) |
540 | return(-1); |
541 | |
542 | auth->xa_string.xs_str = (char *)p; |
543 | |
544 | p += XDRALIGN(xdr); /* Advance our location. */ |
545 | |
546 | *buf = (u_32_t *)p; |
547 | |
548 | return(0); |
549 | } |
550 | |
551 | /* -------------------------------------------------------------------- */ |
552 | /* Function: ipf_p_rpcb_insert */ |
553 | /* Returns: int -- -1 == list insertion failed, */ |
554 | /* 0 == item successfully added */ |
555 | /* Parameters: rs(I) - pointer to RPCB session structure */ |
556 | /* rx(I) - pointer to RPCB transaction structure */ |
557 | /* -------------------------------------------------------------------- */ |
558 | static int |
559 | ipf_p_rpcb_insert(rpcb_session_t *rs, rpcb_xact_t *rx) |
560 | { |
561 | rpcb_xact_t *rxp; |
562 | |
563 | rxp = ipf_p_rpcb_lookup(rs, rx->rx_xid); |
564 | if (rxp != NULL) { |
565 | ++rxp->rx_ref; |
566 | return(0); |
567 | } |
568 | |
569 | if (rpcbcnt == RPCB_MAXREQS) |
570 | return(-1); |
571 | |
572 | KMALLOC(rxp, rpcb_xact_t *); |
573 | if (rxp == NULL) |
574 | return(-1); |
575 | |
576 | bcopy((char *)rx, (char *)rxp, sizeof(*rx)); |
577 | |
578 | if (rs->rs_rxlist != NULL) |
579 | rs->rs_rxlist->rx_pnext = &rxp->rx_next; |
580 | |
581 | rxp->rx_pnext = &rs->rs_rxlist; |
582 | rxp->rx_next = rs->rs_rxlist; |
583 | rs->rs_rxlist = rxp; |
584 | |
585 | rxp->rx_ref = 1; |
586 | |
587 | ++rpcbcnt; |
588 | |
589 | return(0); |
590 | } |
591 | |
592 | /* -------------------------------------------------------------------- */ |
593 | /* Function: ipf_p_rpcb_xdrrpcb */ |
594 | /* Returns: int -- -1 == failure to properly decode the request */ |
595 | /* 0 == rpcb successfully decoded */ |
596 | /* Parameters: rs(I) - pointer to RPCB session structure */ |
597 | /* p(I) - pointer to location within session buffer */ |
598 | /* rpcb(O) - pointer to rpcb (xdr type) structure */ |
599 | /* */ |
600 | /* Decode a XDR encoded rpcb structure and record its contents in rpcb */ |
601 | /* within only the context of TCP/UDP over IP networks. */ |
602 | /* -------------------------------------------------------------------- */ |
603 | static int |
604 | ipf_p_rpcb_xdrrpcb(rpc_msg_t *rm, u_32_t *p, rpcb_args_t *ra) |
605 | { |
606 | if (!RPCB_BUF_GEQ(rm, p, 20)) |
607 | return(-1); |
608 | |
609 | /* Bypass target program & version. */ |
610 | p += 2; |
611 | |
612 | /* Decode r_netid. Must be "tcp" or "udp". */ |
613 | if (ipf_p_rpcb_getproto(rm, &ra->ra_netid, &p) != 0) |
614 | return(-1); |
615 | |
616 | /* Decode r_maddr. */ |
617 | if (ipf_p_rpcb_getuaddr(rm, &ra->ra_maddr, &p) != 0) |
618 | return(-1); |
619 | |
620 | /* Advance to r_owner and make sure it's empty. */ |
621 | if (!RPCB_BUF_EQ(rm, p, 4) || (B(p) != 0)) |
622 | return(-1); |
623 | |
624 | return(0); |
625 | } |
626 | |
627 | /* -------------------------------------------------------------------- */ |
628 | /* Function: ipf_p_rpcb_getuaddr */ |
629 | /* Returns: int -- -1 == illegal string, */ |
630 | /* 0 == string parsed; contents recorded */ |
631 | /* Parameters: rm(I) - pointer to RPC message structure */ |
632 | /* xu(I) - pointer to universal address structure */ |
633 | /* p(IO) - pointer to location within message buffer */ |
634 | /* */ |
635 | /* Decode the IP address / port at p and record them in xu. */ |
636 | /* -------------------------------------------------------------------- */ |
637 | static int |
638 | ipf_p_rpcb_getuaddr(rpc_msg_t *rm, xdr_uaddr_t *xu, u_32_t **p) |
639 | { |
640 | char *c, *i, *b, *pp; |
641 | u_int d, dd, l, t; |
642 | char uastr[24]; |
643 | |
644 | /* Test for string length. */ |
645 | if (!RPCB_BUF_GEQ(rm, *p, 4)) |
646 | return(-1); |
647 | |
648 | xu->xu_xslen = (*p)++; |
649 | xu->xu_xsstr = (char *)*p; |
650 | |
651 | /* Length check */ |
652 | l = B(xu->xu_xslen); |
653 | if (l < 11 || l > 23 || !RPCB_BUF_GEQ(rm, *p, XDRALIGN(l))) |
654 | return(-1); |
655 | |
656 | /* Advance p */ |
657 | *(char **)p += XDRALIGN(l); |
658 | |
659 | /* Copy string to local buffer & terminate C style */ |
660 | bcopy(xu->xu_xsstr, uastr, l); |
661 | uastr[l] = '\0'; |
662 | |
663 | i = (char *)&xu->xu_ip; |
664 | pp = (char *)&xu->xu_port; |
665 | |
666 | /* |
667 | * Expected format: a.b.c.d.e.f where [a-d] correspond to bytes of |
668 | * an IP address and [ef] are the bytes of a L4 port. |
669 | */ |
670 | if (!(ISDIGIT(uastr[0]) && ISDIGIT(uastr[l-1]))) |
671 | return(-1); |
672 | b = uastr; |
673 | for (c = &uastr[1], d = 0, dd = 0; c < &uastr[l-1]; c++) { |
674 | if (ISDIGIT(*c)) { |
675 | dd = 0; |
676 | continue; |
677 | } |
678 | if (*c == '.') { |
679 | if (dd != 0) |
680 | return(-1); |
681 | |
682 | /* Check for ASCII byte. */ |
683 | *c = '\0'; |
684 | t = ipf_p_rpcb_atoi(b); |
685 | if (t > 255) |
686 | return(-1); |
687 | |
688 | /* Aim b at beginning of the next byte. */ |
689 | b = c + 1; |
690 | |
691 | /* Switch off IP addr vs port parsing. */ |
692 | if (d < 4) |
693 | i[d++] = t & 0xff; |
694 | else |
695 | pp[d++ - 4] = t & 0xff; |
696 | |
697 | dd = 1; |
698 | continue; |
699 | } |
700 | return(-1); |
701 | } |
702 | if (d != 5) /* String must contain exactly 5 periods. */ |
703 | return(-1); |
704 | |
705 | /* Handle the last byte (port low byte) */ |
706 | t = ipf_p_rpcb_atoi(b); |
707 | if (t > 255) |
708 | return(-1); |
709 | pp[d - 4] = t & 0xff; |
710 | |
711 | return(0); |
712 | } |
713 | |
714 | /* -------------------------------------------------------------------- */ |
715 | /* Function: ipf_p_rpcb_atoi (XXX should be generic for all proxies) */ |
716 | /* Returns: int -- integer representation of supplied string */ |
717 | /* Parameters: ptr(I) - input string */ |
718 | /* */ |
719 | /* Simple version of atoi(3) ripped from ip_rcmd_pxy.c. */ |
720 | /* -------------------------------------------------------------------- */ |
721 | static u_int |
722 | ipf_p_rpcb_atoi(char *ptr) |
723 | { |
724 | char *s = ptr, c; |
725 | u_int i = 0; |
726 | |
727 | while (((c = *s++) != '\0') && ISDIGIT(c)) { |
728 | i *= 10; |
729 | i += c - '0'; |
730 | } |
731 | return i; |
732 | } |
733 | |
734 | /* -------------------------------------------------------------------- */ |
735 | /* Function: ipf_p_rpcb_modreq */ |
736 | /* Returns: int -- change in datagram length */ |
737 | /* APR_ERR(2) - critical failure */ |
738 | /* Parameters: fin(I) - pointer to packet information */ |
739 | /* nat(I) - pointer to NAT session */ |
740 | /* rm(I) - pointer to RPC message structure */ |
741 | /* m(I) - pointer to mbuf chain */ |
742 | /* off(I) - current offset within mbuf chain */ |
743 | /* */ |
744 | /* When external and internal addresses differ, we rewrite the former */ |
745 | /* with the latter. (This is exclusive to protocol versions 3 & 4). */ |
746 | /* -------------------------------------------------------------------- */ |
747 | static int |
748 | ipf_p_rpcb_modreq(fr_info_t *fin, nat_t *nat, rpc_msg_t *rm, mb_t *m, u_int off) |
749 | { |
750 | u_int len, xlen, pos, bogo; |
751 | rpcb_args_t *ra; |
752 | char uaddr[24]; |
753 | udphdr_t *udp; |
754 | char *i, *p; |
755 | int diff; |
756 | |
757 | ra = &rm->rm_call.rc_rpcbargs; |
758 | i = (char *)&nat->nat_odstaddr; |
759 | p = (char *)&nat->nat_odport; |
760 | |
761 | /* Form new string. */ |
762 | bzero(uaddr, sizeof(uaddr)); /* Just in case we need padding. */ |
763 | snprintf(uaddr, sizeof(uaddr), |
764 | "%u.%u.%u.%u.%u.%u" , i[0] & 0xff, i[1] & 0xff, |
765 | i[2] & 0xff, i[3] & 0xff, p[0] & 0xff, p[1] & 0xff); |
766 | len = strlen(uaddr); |
767 | xlen = XDRALIGN(len); |
768 | |
769 | /* Determine mbuf offset to start writing to. */ |
770 | pos = (char *)ra->ra_maddr.xu_xslen - rm->rm_msgbuf; |
771 | off += pos; |
772 | |
773 | /* Write new string length. */ |
774 | bogo = htonl(len); |
775 | COPYBACK(m, off, 4, (void *)&bogo); |
776 | off += 4; |
777 | |
778 | /* Write new string. */ |
779 | COPYBACK(m, off, xlen, uaddr); |
780 | off += xlen; |
781 | |
782 | /* Write in zero r_owner. */ |
783 | bogo = 0; |
784 | COPYBACK(m, off, 4, (void *)&bogo); |
785 | |
786 | /* Determine difference in data lengths. */ |
787 | diff = xlen - XDRALIGN(B(ra->ra_maddr.xu_xslen)); |
788 | |
789 | /* |
790 | * If our new string has a different length, make necessary |
791 | * adjustments. |
792 | */ |
793 | if (diff != 0) { |
794 | udp = fin->fin_dp; |
795 | udp->uh_ulen = htons(ntohs(udp->uh_ulen) + diff); |
796 | fin->fin_plen += diff; |
797 | fin->fin_ip->ip_len = htons(fin->fin_plen); |
798 | fin->fin_dlen += diff; |
799 | /* XXX Storage lengths. */ |
800 | } |
801 | |
802 | return(diff); |
803 | } |
804 | |
805 | /* -------------------------------------------------------------------- */ |
806 | /* Function: ipf_p_rpcb_decoderep */ |
807 | /* Returns: int - -1 == bad request or critical failure, */ |
808 | /* 0 == valid, negative reply */ |
809 | /* 1 == vaddlid, positive reply; needs no changes */ |
810 | /* Parameters: fin(I) - pointer to packet information */ |
811 | /* nat(I) - pointer to NAT session structure */ |
812 | /* rs(I) - pointer to RPCB session structure */ |
813 | /* rm(I) - pointer to RPC message structure */ |
814 | /* rxp(O) - pointer to RPCB transaction structure */ |
815 | /* */ |
816 | /* Take a presumed RPCB reply, extract the XID, search for the original */ |
817 | /* request information, and determine whether the request was accepted */ |
818 | /* or rejected. With a valid accepted reply, go ahead and create NAT */ |
819 | /* and state entries, and finish up by rewriting the packet as */ |
820 | /* required. */ |
821 | /* */ |
822 | /* WARNING: It's the responsibility of the caller to make sure there */ |
823 | /* is enough room in rs_buf for the basic RPC message "preamble". */ |
824 | /* -------------------------------------------------------------------- */ |
825 | static int |
826 | ipf_p_rpcb_decoderep(fr_info_t *fin, nat_t *nat, rpcb_session_t *rs, |
827 | rpc_msg_t *rm, rpcb_xact_t **rxp) |
828 | { |
829 | rpcb_listp_t *rl; |
830 | rpcb_entry_t *re; |
831 | rpcb_xact_t *rx; |
832 | u_32_t xdr, *p; |
833 | rpc_resp_t *rr; |
834 | int rv, cnt; |
835 | |
836 | p = (u_32_t *)rm->rm_msgbuf; |
837 | |
838 | bzero((char *)&rx, sizeof(rx)); |
839 | rr = &rm->rm_resp; |
840 | |
841 | rm->rm_xid = p; |
842 | xdr = B(p++); /* Record this message's XID. */ |
843 | |
844 | /* Lookup XID */ |
845 | MUTEX_ENTER(&rs->rs_rxlock); |
846 | if ((rx = ipf_p_rpcb_lookup(rs, xdr)) == NULL) { |
847 | MUTEX_EXIT(&rs->rs_rxlock); |
848 | return(-1); |
849 | } |
850 | ++rx->rx_ref; /* per thread reference */ |
851 | MUTEX_EXIT(&rs->rs_rxlock); |
852 | |
853 | *rxp = rx; |
854 | |
855 | /* Test call vs reply */ |
856 | if (B(p++) != RPCB_REPLY) |
857 | return(-1); |
858 | |
859 | /* Test reply_stat */ |
860 | switch(B(p++)) |
861 | { |
862 | case RPCB_MSG_DENIED: |
863 | return(0); |
864 | case RPCB_MSG_ACCEPTED: |
865 | break; |
866 | default: |
867 | return(-1); |
868 | } |
869 | |
870 | /* Bypass RPC authentication stuff. */ |
871 | if (ipf_p_rpcb_skipauth(rm, &rr->rr_authverf, &p) != 0) |
872 | return(-1); |
873 | |
874 | /* Test accept status */ |
875 | if (!RPCB_BUF_GEQ(rm, p, 4)) |
876 | return(-1); |
877 | if (B(p++) != 0) |
878 | return(0); |
879 | |
880 | /* Parse out the expected reply */ |
881 | switch(rx->rx_type) |
882 | { |
883 | case RPCB_RES_PMAP: |
884 | /* There must be only one 4 byte argument. */ |
885 | if (!RPCB_BUF_EQ(rm, p, 4)) |
886 | return(-1); |
887 | |
888 | rr->rr_v2 = p; |
889 | xdr = B(rr->rr_v2); |
890 | |
891 | /* Reply w/ a 0 port indicates service isn't registered */ |
892 | if (xdr == 0) |
893 | return(0); |
894 | |
895 | /* Is the value sane? */ |
896 | if (xdr > 65535) |
897 | return(-1); |
898 | |
899 | /* Create NAT & state table entries. */ |
900 | if (ipf_p_rpcb_getnat(fin, nat, rx->rx_proto, (u_int)xdr) != 0) |
901 | return(-1); |
902 | break; |
903 | case RPCB_RES_STRING: |
904 | /* Expecting a XDR string; need 4 bytes for length */ |
905 | if (!RPCB_BUF_GEQ(rm, p, 4)) |
906 | return(-1); |
907 | |
908 | rr->rr_v3.xu_str.xs_len = p++; |
909 | rr->rr_v3.xu_str.xs_str = (char *)p; |
910 | |
911 | xdr = B(rr->rr_v3.xu_xslen); |
912 | |
913 | /* A null string indicates an unregistered service */ |
914 | if ((xdr == 0) && RPCB_BUF_EQ(rm, p, 0)) |
915 | return(0); |
916 | |
917 | /* Decode the target IP address / port. */ |
918 | if (ipf_p_rpcb_getuaddr(rm, &rr->rr_v3, &p) != 0) |
919 | return(-1); |
920 | |
921 | /* Validate the IP address and port contained. */ |
922 | if (nat->nat_odstaddr != rr->rr_v3.xu_ip) |
923 | return(-1); |
924 | |
925 | /* Create NAT & state table entries. */ |
926 | if (ipf_p_rpcb_getnat(fin, nat, rx->rx_proto, |
927 | (u_int)rr->rr_v3.xu_port) != 0) |
928 | return(-1); |
929 | break; |
930 | case RPCB_RES_LIST: |
931 | if (!RPCB_BUF_GEQ(rm, p, 4)) |
932 | return(-1); |
933 | /* rpcb_entry_list_ptr */ |
934 | switch(B(p)) |
935 | { |
936 | case 0: |
937 | return(0); |
938 | /*NOTREACHED*/ |
939 | break; |
940 | case 1: |
941 | break; |
942 | default: |
943 | return(-1); |
944 | } |
945 | rl = &rr->rr_v4; |
946 | rl->rl_list = p++; |
947 | cnt = 0; |
948 | |
949 | for(;;) { |
950 | re = &rl->rl_entries[rl->rl_cnt]; |
951 | if (ipf_p_rpcb_getuaddr(rm, &re->re_maddr, &p) != 0) |
952 | return(-1); |
953 | if (ipf_p_rpcb_getproto(rm, &re->re_netid, &p) != 0) |
954 | return(-1); |
955 | /* re_semantics & re_pfamily length */ |
956 | if (!RPCB_BUF_GEQ(rm, p, 12)) |
957 | return(-1); |
958 | p++; /* Skipping re_semantics. */ |
959 | xdr = B(p++); |
960 | if ((xdr != 4) || strncmp((char *)p, "inet" , 4)) |
961 | return(-1); |
962 | p++; |
963 | if (ipf_p_rpcb_getproto(rm, &re->re_proto, &p) != 0) |
964 | return(-1); |
965 | if (!RPCB_BUF_GEQ(rm, p, 4)) |
966 | return(-1); |
967 | re->re_more = p; |
968 | if (B(re->re_more) > 1) /* 0,1 only legal values */ |
969 | return(-1); |
970 | ++rl->rl_cnt; |
971 | ++cnt; |
972 | if (B(re->re_more) == 0) |
973 | break; |
974 | /* Replies in max out at 2; TCP and/or UDP */ |
975 | if (cnt > 2) |
976 | return(-1); |
977 | p++; |
978 | } |
979 | |
980 | for(rl->rl_cnt = 0; rl->rl_cnt < cnt; rl->rl_cnt++) { |
981 | re = &rl->rl_entries[rl->rl_cnt]; |
982 | rv = ipf_p_rpcb_getnat(fin, nat, |
983 | re->re_proto.xp_proto, |
984 | (u_int)re->re_maddr.xu_port); |
985 | if (rv != 0) |
986 | return(-1); |
987 | } |
988 | break; |
989 | default: |
990 | /*CONSTANTCONDITION*/ |
991 | IPF_PANIC(1, ("illegal rx_type %d" , rx->rx_type)); |
992 | } |
993 | |
994 | return(1); |
995 | } |
996 | |
997 | /* -------------------------------------------------------------------- */ |
998 | /* Function: ipf_p_rpcb_lookup */ |
999 | /* Returns: rpcb_xact_t * - NULL == no matching record, */ |
1000 | /* else pointer to relevant entry */ |
1001 | /* Parameters: rs(I) - pointer to RPCB session */ |
1002 | /* xid(I) - XID to look for */ |
1003 | /* -------------------------------------------------------------------- */ |
1004 | static rpcb_xact_t * |
1005 | ipf_p_rpcb_lookup(rpcb_session_t *rs, u_32_t xid) |
1006 | { |
1007 | rpcb_xact_t *rx; |
1008 | |
1009 | if (rs->rs_rxlist == NULL) |
1010 | return(NULL); |
1011 | |
1012 | for (rx = rs->rs_rxlist; rx != NULL; rx = rx->rx_next) |
1013 | if (rx->rx_xid == xid) |
1014 | break; |
1015 | |
1016 | return(rx); |
1017 | } |
1018 | |
1019 | /* -------------------------------------------------------------------- */ |
1020 | /* Function: ipf_p_rpcb_deref */ |
1021 | /* Returns: (void) */ |
1022 | /* Parameters: rs(I) - pointer to RPCB session */ |
1023 | /* rx(I) - pointer to RPC transaction struct to remove */ |
1024 | /* force(I) - indicates to delete entry regardless of */ |
1025 | /* reference count */ |
1026 | /* Locking: rs->rs_rxlock must be held write only */ |
1027 | /* */ |
1028 | /* Free the RPCB transaction record rx from the chain of entries. */ |
1029 | /* -------------------------------------------------------------------- */ |
1030 | static void |
1031 | ipf_p_rpcb_deref(rpcb_session_t *rs, rpcb_xact_t *rx) |
1032 | { |
1033 | rs = rs; /* LINT */ |
1034 | |
1035 | if (rx == NULL) |
1036 | return; |
1037 | |
1038 | if (--rx->rx_ref != 0) |
1039 | return; |
1040 | |
1041 | if (rx->rx_next != NULL) |
1042 | rx->rx_next->rx_pnext = rx->rx_pnext; |
1043 | |
1044 | *rx->rx_pnext = rx->rx_next; |
1045 | |
1046 | KFREE(rx); |
1047 | |
1048 | --rpcbcnt; |
1049 | } |
1050 | |
1051 | /* -------------------------------------------------------------------- */ |
1052 | /* Function: ipf_p_rpcb_getproto */ |
1053 | /* Returns: int - -1 == illegal protocol/netid, */ |
1054 | /* 0 == legal protocol/netid */ |
1055 | /* Parameters: rm(I) - pointer to RPC message structure */ |
1056 | /* xp(I) - pointer to netid structure */ |
1057 | /* p(IO) - pointer to location within packet buffer */ |
1058 | /* */ |
1059 | /* Decode netid/proto stored at p and record its numeric value. */ |
1060 | /* -------------------------------------------------------------------- */ |
1061 | static int |
1062 | ipf_p_rpcb_getproto(rpc_msg_t *rm, xdr_proto_t *xp, u_32_t **p) |
1063 | { |
1064 | u_int len; |
1065 | |
1066 | /* Must have 4 bytes for length & 4 bytes for "tcp" or "udp". */ |
1067 | if (!RPCB_BUF_GEQ(rm, p, 8)) |
1068 | return(-1); |
1069 | |
1070 | xp->xp_xslen = (*p)++; |
1071 | xp->xp_xsstr = (char *)*p; |
1072 | |
1073 | /* Test the string length. */ |
1074 | len = B(xp->xp_xslen); |
1075 | if (len != 3) |
1076 | return(-1); |
1077 | |
1078 | /* Test the actual string & record the protocol accordingly. */ |
1079 | if (!strncmp((char *)xp->xp_xsstr, "tcp\0" , 4)) |
1080 | xp->xp_proto = IPPROTO_TCP; |
1081 | else if (!strncmp((char *)xp->xp_xsstr, "udp\0" , 4)) |
1082 | xp->xp_proto = IPPROTO_UDP; |
1083 | else { |
1084 | return(-1); |
1085 | } |
1086 | |
1087 | /* Advance past the string. */ |
1088 | (*p)++; |
1089 | |
1090 | return(0); |
1091 | } |
1092 | |
1093 | /* -------------------------------------------------------------------- */ |
1094 | /* Function: ipf_p_rpcb_getnat */ |
1095 | /* Returns: int -- -1 == failed to create table entries, */ |
1096 | /* 0 == success */ |
1097 | /* Parameters: fin(I) - pointer to packet information */ |
1098 | /* nat(I) - pointer to NAT table entry */ |
1099 | /* proto(I) - transport protocol for new entries */ |
1100 | /* port(I) - new port to use w/ wildcard table entries */ |
1101 | /* */ |
1102 | /* Create state and NAT entries to handle an anticipated connection */ |
1103 | /* attempt between RPC client and server. */ |
1104 | /* -------------------------------------------------------------------- */ |
1105 | static int |
1106 | ipf_p_rpcb_getnat(fr_info_t *fin, nat_t *nat, u_int proto, u_int port) |
1107 | { |
1108 | ipf_main_softc_t *softc = fin->fin_main_soft; |
1109 | ipnat_t *ipn, ipnat; |
1110 | tcphdr_t tcp; |
1111 | ipstate_t *is; |
1112 | fr_info_t fi; |
1113 | nat_t *natl; |
1114 | int nflags; |
1115 | |
1116 | ipn = nat->nat_ptr; |
1117 | |
1118 | /* Generate dummy fr_info */ |
1119 | bcopy((char *)fin, (char *)&fi, sizeof(fi)); |
1120 | fi.fin_out = 0; |
1121 | fi.fin_p = proto; |
1122 | fi.fin_sport = 0; |
1123 | fi.fin_dport = port & 0xffff; |
1124 | fi.fin_flx |= FI_IGNORE; |
1125 | fi.fin_saddr = nat->nat_osrcaddr; |
1126 | fi.fin_daddr = nat->nat_odstaddr; |
1127 | |
1128 | bzero((char *)&tcp, sizeof(tcp)); |
1129 | tcp.th_dport = htons(port); |
1130 | |
1131 | if (proto == IPPROTO_TCP) { |
1132 | tcp.th_win = htons(8192); |
1133 | TCP_OFF_A(&tcp, sizeof(tcphdr_t) >> 2); |
1134 | fi.fin_dlen = sizeof(tcphdr_t); |
1135 | tcp.th_flags = TH_SYN; |
1136 | nflags = NAT_TCP; |
1137 | } else { |
1138 | fi.fin_dlen = sizeof(udphdr_t); |
1139 | nflags = NAT_UDP; |
1140 | } |
1141 | |
1142 | nflags |= SI_W_SPORT|NAT_SEARCH; |
1143 | fi.fin_dp = &tcp; |
1144 | fi.fin_plen = fi.fin_hlen + fi.fin_dlen; |
1145 | |
1146 | /* |
1147 | * Search for existing NAT & state entries. Pay close attention to |
1148 | * mutexes / locks grabbed from lookup routines, as not doing so could |
1149 | * lead to bad things. |
1150 | * |
1151 | * If successful, fr_stlookup returns with ipf_state locked. We have |
1152 | * no use for this lock, so simply unlock it if necessary. |
1153 | */ |
1154 | is = ipf_state_lookup(&fi, &tcp, NULL); |
1155 | if (is != NULL) { |
1156 | RWLOCK_EXIT(&softc->ipf_state); |
1157 | } |
1158 | |
1159 | RWLOCK_EXIT(&softc->ipf_nat); |
1160 | |
1161 | WRITE_ENTER(&softc->ipf_nat); |
1162 | natl = ipf_nat_inlookup(&fi, nflags, proto, fi.fin_src, fi.fin_dst); |
1163 | |
1164 | if ((natl != NULL) && (is != NULL)) { |
1165 | MUTEX_DOWNGRADE(&softc->ipf_nat); |
1166 | return(0); |
1167 | } |
1168 | |
1169 | /* Slightly modify the following structures for actual use in creating |
1170 | * NAT and/or state entries. We're primarily concerned with stripping |
1171 | * flags that may be detrimental to the creation process or simply |
1172 | * shouldn't be associated with a table entry. |
1173 | */ |
1174 | fi.fin_fr = &rpcbfr; |
1175 | fi.fin_flx &= ~FI_IGNORE; |
1176 | nflags &= ~NAT_SEARCH; |
1177 | |
1178 | if (natl == NULL) { |
1179 | #ifdef USE_MUTEXES |
1180 | ipf_nat_softc_t *softn = softc->ipf_nat_soft; |
1181 | #endif |
1182 | |
1183 | /* XXX Since we're just copying the original ipn contents |
1184 | * back, would we be better off just sending a pointer to |
1185 | * the 'temp' copy off to nat_new instead? |
1186 | */ |
1187 | /* Generate template/bogus NAT rule. */ |
1188 | bcopy((char *)ipn, (char *)&ipnat, sizeof(ipnat)); |
1189 | ipn->in_flags = nflags & IPN_TCPUDP; |
1190 | ipn->in_apr = NULL; |
1191 | ipn->in_pr[0] = proto; |
1192 | ipn->in_pr[1] = proto; |
1193 | ipn->in_dpmin = fi.fin_dport; |
1194 | ipn->in_dpmax = fi.fin_dport; |
1195 | ipn->in_dpnext = fi.fin_dport; |
1196 | ipn->in_space = 1; |
1197 | ipn->in_ippip = 1; |
1198 | if (ipn->in_flags & IPN_FILTER) { |
1199 | ipn->in_scmp = 0; |
1200 | ipn->in_dcmp = 0; |
1201 | } |
1202 | ipn->in_plabel = -1; |
1203 | |
1204 | /* Create NAT entry. return NULL if this fails. */ |
1205 | MUTEX_ENTER(&softn->ipf_nat_new); |
1206 | natl = ipf_nat_add(&fi, ipn, NULL, nflags|SI_CLONE|NAT_SLAVE, |
1207 | NAT_INBOUND); |
1208 | MUTEX_EXIT(&softn->ipf_nat_new); |
1209 | |
1210 | bcopy((char *)&ipnat, (char *)ipn, sizeof(ipnat)); |
1211 | |
1212 | if (natl == NULL) { |
1213 | MUTEX_DOWNGRADE(&softc->ipf_nat); |
1214 | return(-1); |
1215 | } |
1216 | |
1217 | natl->nat_ptr = ipn; |
1218 | fi.fin_saddr = natl->nat_nsrcaddr; |
1219 | fi.fin_daddr = natl->nat_ndstaddr; |
1220 | ipn->in_use++; |
1221 | (void) ipf_nat_proto(&fi, natl, nflags); |
1222 | MUTEX_ENTER(&natl->nat_lock); |
1223 | ipf_nat_update(&fi, natl); |
1224 | MUTEX_EXIT(&natl->nat_lock); |
1225 | } |
1226 | MUTEX_DOWNGRADE(&softc->ipf_nat); |
1227 | |
1228 | if (is == NULL) { |
1229 | /* Create state entry. Return NULL if this fails. */ |
1230 | fi.fin_flx |= FI_NATED; |
1231 | fi.fin_flx &= ~FI_STATE; |
1232 | nflags &= NAT_TCPUDP; |
1233 | nflags |= SI_W_SPORT|SI_CLONE; |
1234 | |
1235 | if (ipf_state_add(softc, &fi, NULL, nflags) != 0) { |
1236 | /* |
1237 | * XXX nat_delete is private to ip_nat.c. Should |
1238 | * check w/ Darren about this one. |
1239 | * |
1240 | * nat_delete(natl, NL_EXPIRE); |
1241 | */ |
1242 | return(-1); |
1243 | } |
1244 | } |
1245 | |
1246 | return(0); |
1247 | } |
1248 | |
1249 | /* -------------------------------------------------------------------- */ |
1250 | /* Function: ipf_p_rpcb_modv3 */ |
1251 | /* Returns: int -- change in packet length */ |
1252 | /* Parameters: fin(I) - pointer to packet information */ |
1253 | /* nat(I) - pointer to NAT session */ |
1254 | /* rm(I) - pointer to RPC message structure */ |
1255 | /* m(I) - pointer to mbuf chain */ |
1256 | /* off(I) - offset within mbuf chain */ |
1257 | /* */ |
1258 | /* Write a new universal address string to this packet, adjusting */ |
1259 | /* lengths as necessary. */ |
1260 | /* -------------------------------------------------------------------- */ |
1261 | static int |
1262 | ipf_p_rpcb_modv3(fr_info_t *fin, nat_t *nat, rpc_msg_t *rm, mb_t *m, u_int off) |
1263 | { |
1264 | u_int len, xlen, pos, bogo; |
1265 | rpc_resp_t *rr; |
1266 | char uaddr[24]; |
1267 | char *i, *p; |
1268 | int diff; |
1269 | |
1270 | rr = &rm->rm_resp; |
1271 | i = (char *)&nat->nat_ndstaddr; |
1272 | p = (char *)&rr->rr_v3.xu_port; |
1273 | |
1274 | /* Form new string. */ |
1275 | bzero(uaddr, sizeof(uaddr)); /* Just in case we need padding. */ |
1276 | snprintf(uaddr, sizeof(uaddr), |
1277 | "%u.%u.%u.%u.%u.%u" , i[0] & 0xff, i[1] & 0xff, |
1278 | i[2] & 0xff, i[3] & 0xff, p[0] & 0xff, p[1] & 0xff); |
1279 | len = strlen(uaddr); |
1280 | xlen = XDRALIGN(len); |
1281 | |
1282 | /* Determine mbuf offset to write to. */ |
1283 | pos = (char *)rr->rr_v3.xu_xslen - rm->rm_msgbuf; |
1284 | off += pos; |
1285 | |
1286 | /* Write new string length. */ |
1287 | bogo = htonl(len); |
1288 | COPYBACK(m, off, 4, (void *)&bogo); |
1289 | off += 4; |
1290 | |
1291 | /* Write new string. */ |
1292 | COPYBACK(m, off, xlen, uaddr); |
1293 | |
1294 | /* Determine difference in data lengths. */ |
1295 | diff = xlen - XDRALIGN(B(rr->rr_v3.xu_xslen)); |
1296 | |
1297 | /* |
1298 | * If our new string has a different length, make necessary |
1299 | * adjustments. |
1300 | */ |
1301 | if (diff != 0) |
1302 | ipf_p_rpcb_fixlen(fin, diff); |
1303 | |
1304 | return(diff); |
1305 | } |
1306 | |
1307 | /* -------------------------------------------------------------------- */ |
1308 | /* Function: ipf_p_rpcb_modv4 */ |
1309 | /* Returns: int -- change in packet length */ |
1310 | /* Parameters: fin(I) - pointer to packet information */ |
1311 | /* nat(I) - pointer to NAT session */ |
1312 | /* rm(I) - pointer to RPC message structure */ |
1313 | /* m(I) - pointer to mbuf chain */ |
1314 | /* off(I) - offset within mbuf chain */ |
1315 | /* */ |
1316 | /* Write new rpcb_entry list, adjusting lengths as necessary. */ |
1317 | /* -------------------------------------------------------------------- */ |
1318 | static int |
1319 | ipf_p_rpcb_modv4(fr_info_t *fin, nat_t *nat, rpc_msg_t *rm, mb_t *m, u_int off) |
1320 | { |
1321 | u_int len, xlen, pos, bogo; |
1322 | rpcb_listp_t *rl; |
1323 | rpcb_entry_t *re; |
1324 | rpc_resp_t *rr; |
1325 | char uaddr[24]; |
1326 | int diff, cnt; |
1327 | char *i, *p; |
1328 | |
1329 | diff = 0; |
1330 | rr = &rm->rm_resp; |
1331 | rl = &rr->rr_v4; |
1332 | |
1333 | i = (char *)&nat->nat_ndstaddr; |
1334 | |
1335 | /* Determine mbuf offset to write to. */ |
1336 | re = &rl->rl_entries[0]; |
1337 | pos = (char *)re->re_maddr.xu_xslen - rm->rm_msgbuf; |
1338 | off += pos; |
1339 | |
1340 | for (cnt = 0; cnt < rl->rl_cnt; cnt++) { |
1341 | re = &rl->rl_entries[cnt]; |
1342 | p = (char *)&re->re_maddr.xu_port; |
1343 | |
1344 | /* Form new string. */ |
1345 | bzero(uaddr, sizeof(uaddr)); /* Just in case we need |
1346 | padding. */ |
1347 | snprintf(uaddr, sizeof(uaddr), |
1348 | "%u.%u.%u.%u.%u.%u" , i[0] & 0xff, |
1349 | i[1] & 0xff, i[2] & 0xff, i[3] & 0xff, |
1350 | p[0] & 0xff, p[1] & 0xff); |
1351 | len = strlen(uaddr); |
1352 | xlen = XDRALIGN(len); |
1353 | |
1354 | /* Write new string length. */ |
1355 | bogo = htonl(len); |
1356 | COPYBACK(m, off, 4, (void *)&bogo); |
1357 | off += 4; |
1358 | |
1359 | /* Write new string. */ |
1360 | COPYBACK(m, off, xlen, uaddr); |
1361 | off += xlen; |
1362 | |
1363 | /* Record any change in length. */ |
1364 | diff += xlen - XDRALIGN(B(re->re_maddr.xu_xslen)); |
1365 | |
1366 | /* If the length changed, copy back the rest of this entry. */ |
1367 | len = ((char *)re->re_more + 4) - |
1368 | (char *)re->re_netid.xp_xslen; |
1369 | if (diff != 0) { |
1370 | COPYBACK(m, off, len, (void *)re->re_netid.xp_xslen); |
1371 | } |
1372 | off += len; |
1373 | } |
1374 | |
1375 | /* |
1376 | * If our new string has a different length, make necessary |
1377 | * adjustments. |
1378 | */ |
1379 | if (diff != 0) |
1380 | ipf_p_rpcb_fixlen(fin, diff); |
1381 | |
1382 | return(diff); |
1383 | } |
1384 | |
1385 | |
1386 | /* -------------------------------------------------------------------- */ |
1387 | /* Function: ipf_p_rpcb_fixlen */ |
1388 | /* Returns: (void) */ |
1389 | /* Parameters: fin(I) - pointer to packet information */ |
1390 | /* len(I) - change in packet length */ |
1391 | /* */ |
1392 | /* Adjust various packet related lengths held in structure and packet */ |
1393 | /* header fields. */ |
1394 | /* -------------------------------------------------------------------- */ |
1395 | static void |
1396 | ipf_p_rpcb_fixlen(fr_info_t *fin, int len) |
1397 | { |
1398 | udphdr_t *udp; |
1399 | |
1400 | udp = fin->fin_dp; |
1401 | udp->uh_ulen = htons(ntohs(udp->uh_ulen) + len); |
1402 | fin->fin_plen += len; |
1403 | fin->fin_ip->ip_len = htons(fin->fin_plen); |
1404 | fin->fin_dlen += len; |
1405 | } |
1406 | |
1407 | #undef B |
1408 | |