4 * Copyright (C) 2002-2003 by Ryan Beasley <ryanb@goddamnbastard.org>
6 * See the IPFILTER.LICENCE file for details on licencing.
10 * This is an in-kernel application proxy for Sun's RPCBIND (nee portmap)
11 * protocol as defined in RFC1833. It is far from complete, mostly
12 * lacking in less-likely corner cases, but it's definitely functional.
15 * rdr <int> <e_ip>/32 port <e_p> -> <i_ip> port <i_p> udp proxy rpcbu
17 * If the host running IP Filter is the same as the RPC server, it's
18 * perfectly legal for both the internal and external addresses and ports
21 * When triggered by appropriate IP NAT rules, this proxy works by
22 * examining data contained in received packets. Requests and replies are
23 * modified, NAT and state table entries created, etc., as necessary.
28 * o Must implement locking to protect proxy session data.
29 * o Fragmentation isn't supported.
30 * o Only supports UDP.
31 * o Doesn't support multiple RPC records in a single request.
32 * o Errors should be more fine-grained. (e.g., malloc failure vs.
33 * illegal RPCB request / reply)
34 * o Even with the limit on the total amount of recorded transactions,
35 * should there be a timeout on transaction removal?
36 * o There is a potential collision between cloning, wildcard NAT and
37 * state entries. There should be an appr_getport routine for
39 * o The enclosed hack of STREAMS support is pretty sick and most likely
42 * Id: ip_rpcb_pxy.c,v 2.25.2.3 2005/02/04 10:22:56 darrenr Exp
45 #define IPF_RPCB_PROXY
50 int ippr_rpcb_init __P((void));
51 void ippr_rpcb_fini __P((void));
52 int ippr_rpcb_new __P((fr_info_t *, ap_session_t *, nat_t *));
53 void ippr_rpcb_del __P((ap_session_t *));
54 int ippr_rpcb_in __P((fr_info_t *, ap_session_t *, nat_t *));
55 int ippr_rpcb_out __P((fr_info_t *, ap_session_t *, nat_t *));
57 static void ippr_rpcb_flush __P((rpcb_session_t *));
58 static int ippr_rpcb_decodereq __P((fr_info_t *, nat_t *,
59 rpcb_session_t *, rpc_msg_t *));
60 static int ippr_rpcb_skipauth __P((rpc_msg_t *, xdr_auth_t *, u_32_t **));
61 static int ippr_rpcb_insert __P((rpcb_session_t *, rpcb_xact_t *));
62 static int ippr_rpcb_xdrrpcb __P((rpc_msg_t *, u_32_t *, rpcb_args_t *));
63 static int ippr_rpcb_getuaddr __P((rpc_msg_t *, xdr_uaddr_t *,
65 static u_int ippr_rpcb_atoi __P((char *));
66 static int ippr_rpcb_modreq __P((fr_info_t *, nat_t *, rpc_msg_t *,
68 static int ippr_rpcb_decoderep __P((fr_info_t *, nat_t *,
69 rpcb_session_t *, rpc_msg_t *, rpcb_xact_t **));
70 static rpcb_xact_t * ippr_rpcb_lookup __P((rpcb_session_t *, u_32_t));
71 static void ippr_rpcb_deref __P((rpcb_session_t *, rpcb_xact_t *));
72 static int ippr_rpcb_getproto __P((rpc_msg_t *, xdr_proto_t *,
74 static int ippr_rpcb_getnat __P((fr_info_t *, nat_t *, u_int, u_int));
75 static int ippr_rpcb_modv3 __P((fr_info_t *, nat_t *, rpc_msg_t *,
77 static int ippr_rpcb_modv4 __P((fr_info_t *, nat_t *, rpc_msg_t *,
79 static void ippr_rpcb_fixlen __P((fr_info_t *, int));
84 static frentry_t rpcbfr; /* Skeleton rule for reference by entities
85 this proxy creates. */
86 static int rpcbcnt; /* Upper bound of allocated RPCB sessions. */
87 /* XXX rpcbcnt still requires locking. */
89 int rpcb_proxy_init = 0;
93 * Since rpc_msg contains only pointers, one should use this macro as a
94 * handy way to get to the goods. (In case you're wondering about the name,
95 * this started as BYTEREF -> BREF -> B.)
97 #define B(r) (u_32_t)ntohl(*(r))
103 /* -------------------------------------------------------------------- */
104 /* Function: ippr_rpcb_init */
105 /* Returns: int - 0 == success */
106 /* Parameters: (void) */
108 /* Initialize the filter rule entry and session limiter. */
109 /* -------------------------------------------------------------------- */
115 bzero((char *)&rpcbfr, sizeof(rpcbfr));
117 rpcbfr.fr_flags = FR_PASS|FR_QUICK|FR_KEEPSTATE;
118 MUTEX_INIT(&rpcbfr.fr_lock, "ipf Sun RPCB proxy rule lock");
124 /* -------------------------------------------------------------------- */
125 /* Function: ippr_rpcb_fini */
127 /* Parameters: (void) */
129 /* Destroy rpcbfr's mutex to avoid a lock leak. */
130 /* -------------------------------------------------------------------- */
134 if (rpcb_proxy_init == 1) {
135 MUTEX_DESTROY(&rpcbfr.fr_lock);
140 /* -------------------------------------------------------------------- */
141 /* Function: ippr_rpcb_new */
142 /* Returns: int - -1 == failure, 0 == success */
143 /* Parameters: fin(I) - pointer to packet information */
144 /* aps(I) - pointer to proxy session structure */
145 /* nat(I) - pointer to NAT session structure */
147 /* Allocate resources for per-session proxy structures. */
148 /* -------------------------------------------------------------------- */
150 ippr_rpcb_new(fin, aps, nat)
157 fin = fin; /* LINT */
158 nat = nat; /* LINT */
160 KMALLOC(rs, rpcb_session_t *);
164 bzero((char *)rs, sizeof(*rs));
165 MUTEX_INIT(&rs->rs_rxlock, "ipf Sun RPCB proxy session lock");
172 /* -------------------------------------------------------------------- */
173 /* Function: ippr_rpcb_del */
175 /* Parameters: aps(I) - pointer to proxy session structure */
177 /* Free up a session's list of RPCB requests. */
178 /* -------------------------------------------------------------------- */
184 rs = (rpcb_session_t *)aps->aps_data;
186 MUTEX_ENTER(&rs->rs_rxlock);
188 MUTEX_EXIT(&rs->rs_rxlock);
189 MUTEX_DESTROY(&rs->rs_rxlock);
192 /* -------------------------------------------------------------------- */
193 /* Function: ippr_rpcb_in */
194 /* Returns: int - APR_ERR(1) == drop the packet, */
195 /* APR_ERR(2) == kill the proxy session, */
196 /* else change in packet length (in bytes) */
197 /* Parameters: fin(I) - pointer to packet information */
198 /* ip(I) - pointer to packet header */
199 /* aps(I) - pointer to proxy session structure */
200 /* nat(I) - pointer to NAT session structure */
202 /* Given a presumed RPCB request, perform some minor tests and pass off */
203 /* for decoding. Also pass packet off for a rewrite if necessary. */
204 /* -------------------------------------------------------------------- */
206 ippr_rpcb_in(fin, aps, nat)
211 rpc_msg_t rpcmsg, *rm;
217 /* Disallow fragmented or illegally short packets. */
218 if ((fin->fin_flx & (FI_FRAG|FI_SHORT)) != 0)
221 /* Perform basic variable initialization. */
222 rs = (rpcb_session_t *)aps->aps_data;
225 off = (char *)fin->fin_dp - (char *)fin->fin_ip;
226 off += sizeof(udphdr_t) + fin->fin_ipoff;
227 dlen = fin->fin_dlen - sizeof(udphdr_t);
229 /* Disallow packets outside legal range for supported requests. */
230 if ((dlen < RPCB_REQMIN) || (dlen > RPCB_REQMAX))
233 /* Copy packet over to convenience buffer. */
235 bzero((char *)rm, sizeof(*rm));
236 COPYDATA(m, off, dlen, (caddr_t)&rm->rm_msgbuf);
237 rm->rm_buflen = dlen;
239 /* Send off to decode request. */
240 rv = ippr_rpcb_decodereq(fin, nat, rs, rm);
251 rv = ippr_rpcb_modreq(fin, nat, rm, m, off);
254 /*CONSTANTCONDITION*/
255 IPF_PANIC(1, ("illegal rv %d (ippr_rpcb_req)", rv));
261 /* -------------------------------------------------------------------- */
262 /* Function: ippr_rpcb_out */
263 /* Returns: int - APR_ERR(1) == drop the packet, */
264 /* APR_ERR(2) == kill the proxy session, */
265 /* else change in packet length (in bytes) */
266 /* Parameters: fin(I) - pointer to packet information */
267 /* ip(I) - pointer to packet header */
268 /* aps(I) - pointer to proxy session structure */
269 /* nat(I) - pointer to NAT session structure */
271 /* Given a presumed RPCB reply, perform some minor tests and pass off */
272 /* for decoding. If the message indicates a successful request with */
273 /* valid addressing information, create NAT and state structures to */
274 /* allow direct communication between RPC client and server. */
275 /* -------------------------------------------------------------------- */
277 ippr_rpcb_out(fin, aps, nat)
282 rpc_msg_t rpcmsg, *rm;
289 /* Disallow fragmented or illegally short packets. */
290 if ((fin->fin_flx & (FI_FRAG|FI_SHORT)) != 0)
293 /* Perform basic variable initialization. */
294 rs = (rpcb_session_t *)aps->aps_data;
297 off = (char *)fin->fin_dp - (char *)fin->fin_ip;
298 off += sizeof(udphdr_t) + fin->fin_ipoff;
299 dlen = fin->fin_dlen - sizeof(udphdr_t);
302 /* Disallow packets outside legal range for supported requests. */
303 if ((dlen < RPCB_REPMIN) || (dlen > RPCB_REPMAX))
306 /* Copy packet over to convenience buffer. */
308 bzero((char *)rm, sizeof(*rm));
309 COPYDATA(m, off, dlen, (caddr_t)&rm->rm_msgbuf);
310 rm->rm_buflen = dlen;
312 /* Send off to decode reply. */
313 rv = ippr_rpcb_decoderep(fin, nat, rs, rm, &rx);
317 case -1: /* Bad packet */
319 MUTEX_ENTER(&rs->rs_rxlock);
320 ippr_rpcb_deref(rs, rx);
321 MUTEX_EXIT(&rs->rs_rxlock);
326 case 0: /* Negative reply / request rejected */
328 case 1: /* Positive reply */
330 * With the IP address embedded in a GETADDR(LIST) reply,
331 * we'll need to rewrite the packet in the very possible
332 * event that the internal & external addresses aren't the
333 * same. (i.e., this box is either a router or rpcbind
334 * only listens on loopback.)
336 if (nat->nat_inip.s_addr != nat->nat_outip.s_addr) {
337 if (rx->rx_type == RPCB_RES_STRING)
338 diff = ippr_rpcb_modv3(fin, nat, rm, m, off);
339 else if (rx->rx_type == RPCB_RES_LIST)
340 diff = ippr_rpcb_modv4(fin, nat, rm, m, off);
344 /*CONSTANTCONDITION*/
345 IPF_PANIC(1, ("illegal rv %d (ippr_rpcb_decoderep)", rv));
349 MUTEX_ENTER(&rs->rs_rxlock);
350 /* XXX Gross hack - I'm overloading the reference
351 * counter to deal with both threads and retransmitted
352 * requests. One deref signals that this thread is
353 * finished with rx, and the other signals that we've
354 * processed its reply.
356 ippr_rpcb_deref(rs, rx);
357 ippr_rpcb_deref(rs, rx);
358 MUTEX_EXIT(&rs->rs_rxlock);
365 * Private support subroutines
368 /* -------------------------------------------------------------------- */
369 /* Function: ippr_rpcb_flush */
371 /* Parameters: rs(I) - pointer to RPCB session structure */
373 /* Simply flushes the list of outstanding transactions, if any. */
374 /* -------------------------------------------------------------------- */
379 rpcb_xact_t *r1, *r2;
392 /* -------------------------------------------------------------------- */
393 /* Function: ippr_rpcb_decodereq */
394 /* Returns: int - -1 == bad request or critical failure, */
395 /* 0 == request successfully decoded, */
396 /* 1 == request successfully decoded; requires */
397 /* address rewrite/modification */
398 /* Parameters: fin(I) - pointer to packet information */
399 /* nat(I) - pointer to NAT session structure */
400 /* rs(I) - pointer to RPCB session structure */
401 /* rm(I) - pointer to RPC message structure */
403 /* Take a presumed RPCB request, decode it, and store the results in */
404 /* the transaction list. If the internal target address needs to be */
405 /* modified, store its location in ptr. */
406 /* WARNING: It's the responsibility of the caller to make sure there */
407 /* is enough room in rs_buf for the basic RPC message "preamble". */
408 /* -------------------------------------------------------------------- */
410 ippr_rpcb_decodereq(fin, nat, rs, rm)
422 p = (u_32_t *)rm->rm_msgbuf;
425 bzero((char *)&rx, sizeof(rx));
429 rx.rx_xid = B(p++); /* Record this message's XID. */
431 /* Parse out and test the RPC header. */
432 if ((B(p++) != RPCB_CALL) ||
433 (B(p++) != RPCB_MSG_VERSION) ||
434 (B(p++) != RPCB_PROG))
437 /* Record the RPCB version and procedure. */
441 /* Bypass RPC authentication stuff. */
442 if (ippr_rpcb_skipauth(rm, &rc->rc_authcred, &p) != 0)
444 if (ippr_rpcb_skipauth(rm, &rc->rc_authverf, &p) != 0)
447 /* Compare RPCB version and procedure numbers. */
448 switch(B(rc->rc_vers))
451 /* This proxy only supports PMAP_GETPORT. */
452 if (B(rc->rc_proc) != RPCB_GETPORT)
455 /* Portmap requests contain four 4 byte parameters. */
456 if (RPCB_BUF_EQ(rm, p, 16) == 0)
459 p += 2; /* Skip requested program and version numbers. */
461 /* Sanity check the requested protocol. */
463 if (!(xdr == IPPROTO_UDP || xdr == IPPROTO_TCP))
466 rx.rx_type = RPCB_RES_PMAP;
471 /* GETADDRLIST is exclusive to v4; GETADDR for v3 & v4 */
472 switch(B(rc->rc_proc))
475 rx.rx_type = RPCB_RES_STRING;
476 rx.rx_proto = (u_int)fin->fin_p;
478 case RPCB_GETADDRLIST:
479 if (B(rc->rc_vers) != 4)
481 rx.rx_type = RPCB_RES_LIST;
487 ra = &rc->rc_rpcbargs;
489 /* Decode the 'struct rpcb' request. */
490 if (ippr_rpcb_xdrrpcb(rm, p, ra) != 0)
493 /* Are the target address & port valid? */
494 if ((ra->ra_maddr.xu_ip != nat->nat_outip.s_addr) ||
495 (ra->ra_maddr.xu_port != nat->nat_outport))
498 /* Do we need to rewrite this packet? */
499 if ((nat->nat_outip.s_addr != nat->nat_inip.s_addr) ||
500 (nat->nat_outport != nat->nat_inport))
507 MUTEX_ENTER(&rs->rs_rxlock);
508 if (ippr_rpcb_insert(rs, &rx) != 0) {
509 MUTEX_EXIT(&rs->rs_rxlock);
512 MUTEX_EXIT(&rs->rs_rxlock);
517 /* -------------------------------------------------------------------- */
518 /* Function: ippr_rpcb_skipauth */
519 /* Returns: int -- -1 == illegal auth parameters (lengths) */
520 /* 0 == valid parameters, pointer advanced */
521 /* Parameters: rm(I) - pointer to RPC message structure */
522 /* auth(I) - pointer to RPC auth structure */
523 /* buf(IO) - pointer to location within convenience buffer */
525 /* Record auth data length & location of auth data, then advance past */
527 /* -------------------------------------------------------------------- */
529 ippr_rpcb_skipauth(rm, auth, buf)
538 /* Make sure we have enough space for expected fixed auth parms. */
539 if (RPCB_BUF_GEQ(rm, p, 8) == 0)
542 p++; /* We don't care about auth_flavor. */
544 auth->xa_string.xs_len = p;
545 xdr = B(p++); /* Length of auth_data */
547 /* Test for absurdity / illegality of auth_data length. */
548 if ((XDRALIGN(xdr) < xdr) || (RPCB_BUF_GEQ(rm, p, XDRALIGN(xdr)) == 0))
551 auth->xa_string.xs_str = (char *)p;
553 p += XDRALIGN(xdr); /* Advance our location. */
560 /* -------------------------------------------------------------------- */
561 /* Function: ippr_rpcb_insert */
562 /* Returns: int -- -1 == list insertion failed, */
563 /* 0 == item successfully added */
564 /* Parameters: rs(I) - pointer to RPCB session structure */
565 /* rx(I) - pointer to RPCB transaction structure */
566 /* -------------------------------------------------------------------- */
568 ippr_rpcb_insert(rs, rx)
574 rxp = ippr_rpcb_lookup(rs, rx->rx_xid);
580 if (rpcbcnt == RPCB_MAXREQS)
583 KMALLOC(rxp, rpcb_xact_t *);
587 bcopy((char *)rx, (char *)rxp, sizeof(*rx));
589 if (rs->rs_rxlist != NULL)
590 rs->rs_rxlist->rx_pnext = &rxp->rx_next;
592 rxp->rx_pnext = &rs->rs_rxlist;
593 rxp->rx_next = rs->rs_rxlist;
603 /* -------------------------------------------------------------------- */
604 /* Function: ippr_rpcb_xdrrpcb */
605 /* Returns: int -- -1 == failure to properly decode the request */
606 /* 0 == rpcb successfully decoded */
607 /* Parameters: rs(I) - pointer to RPCB session structure */
608 /* p(I) - pointer to location within session buffer */
609 /* rpcb(O) - pointer to rpcb (xdr type) structure */
611 /* Decode a XDR encoded rpcb structure and record its contents in rpcb */
612 /* within only the context of TCP/UDP over IP networks. */
613 /* -------------------------------------------------------------------- */
615 ippr_rpcb_xdrrpcb(rm, p, ra)
620 if (!RPCB_BUF_GEQ(rm, p, 20))
623 /* Bypass target program & version. */
626 /* Decode r_netid. Must be "tcp" or "udp". */
627 if (ippr_rpcb_getproto(rm, &ra->ra_netid, &p) != 0)
630 /* Decode r_maddr. */
631 if (ippr_rpcb_getuaddr(rm, &ra->ra_maddr, &p) != 0)
634 /* Advance to r_owner and make sure it's empty. */
635 if (!RPCB_BUF_EQ(rm, p, 4) || (B(p) != 0))
641 /* -------------------------------------------------------------------- */
642 /* Function: ippr_rpcb_getuaddr */
643 /* Returns: int -- -1 == illegal string, */
644 /* 0 == string parsed; contents recorded */
645 /* Parameters: rm(I) - pointer to RPC message structure */
646 /* xu(I) - pointer to universal address structure */
647 /* p(IO) - pointer to location within message buffer */
649 /* Decode the IP address / port at p and record them in xu. */
650 /* -------------------------------------------------------------------- */
652 ippr_rpcb_getuaddr(rm, xu, p)
657 char *c, *i, *b, *pp;
661 /* Test for string length. */
662 if (!RPCB_BUF_GEQ(rm, *p, 4))
665 xu->xu_xslen = (*p)++;
666 xu->xu_xsstr = (char *)*p;
670 if (l < 11 || l > 23 || !RPCB_BUF_GEQ(rm, *p, XDRALIGN(l)))
674 *(char **)p += XDRALIGN(l);
676 /* Copy string to local buffer & terminate C style */
677 bcopy(xu->xu_xsstr, uastr, l);
680 i = (char *)&xu->xu_ip;
681 pp = (char *)&xu->xu_port;
684 * Expected format: a.b.c.d.e.f where [a-d] correspond to bytes of
685 * an IP address and [ef] are the bytes of a L4 port.
687 if (!(ISDIGIT(uastr[0]) && ISDIGIT(uastr[l-1])))
690 for (c = &uastr[1], d = 0, dd = 0; c < &uastr[l-1]; c++) {
699 /* Check for ASCII byte. */
701 t = ippr_rpcb_atoi(b);
705 /* Aim b at beginning of the next byte. */
708 /* Switch off IP addr vs port parsing. */
712 pp[d++ - 4] = t & 0xff;
719 if (d != 5) /* String must contain exactly 5 periods. */
722 /* Handle the last byte (port low byte) */
723 t = ippr_rpcb_atoi(b);
726 pp[d - 4] = t & 0xff;
731 /* -------------------------------------------------------------------- */
732 /* Function: ippr_rpcb_atoi (XXX should be generic for all proxies) */
733 /* Returns: int -- integer representation of supplied string */
734 /* Parameters: ptr(I) - input string */
736 /* Simple version of atoi(3) ripped from ip_rcmd_pxy.c. */
737 /* -------------------------------------------------------------------- */
742 register char *s = ptr, c;
743 register u_int i = 0;
745 while (((c = *s++) != '\0') && ISDIGIT(c)) {
752 /* -------------------------------------------------------------------- */
753 /* Function: ippr_rpcb_modreq */
754 /* Returns: int -- change in datagram length */
755 /* APR_ERR(2) - critical failure */
756 /* Parameters: fin(I) - pointer to packet information */
757 /* nat(I) - pointer to NAT session */
758 /* rm(I) - pointer to RPC message structure */
759 /* m(I) - pointer to mbuf chain */
760 /* off(I) - current offset within mbuf chain */
762 /* When external and internal addresses differ, we rewrite the former */
763 /* with the latter. (This is exclusive to protocol versions 3 & 4). */
764 /* -------------------------------------------------------------------- */
766 ippr_rpcb_modreq(fin, nat, rm, m, off)
773 u_int len, xlen, pos, bogo;
780 ra = &rm->rm_call.rc_rpcbargs;
781 i = (char *)&nat->nat_inip.s_addr;
782 p = (char *)&nat->nat_inport;
784 /* Form new string. */
785 bzero(uaddr, sizeof(uaddr)); /* Just in case we need padding. */
786 #if defined(SNPRINTF) && defined(_KERNEL)
787 SNPRINTF(uaddr, sizeof(uaddr),
789 (void) sprintf(uaddr,
791 "%u.%u.%u.%u.%u.%u", i[0] & 0xff, i[1] & 0xff,
792 i[2] & 0xff, i[3] & 0xff, p[0] & 0xff, p[1] & 0xff);
794 xlen = XDRALIGN(len);
796 /* Determine mbuf offset to start writing to. */
797 pos = (char *)ra->ra_maddr.xu_xslen - rm->rm_msgbuf;
800 /* Write new string length. */
802 COPYBACK(m, off, 4, (caddr_t)&bogo);
805 /* Write new string. */
806 COPYBACK(m, off, xlen, uaddr);
809 /* Write in zero r_owner. */
811 COPYBACK(m, off, 4, (caddr_t)&bogo);
813 /* Determine difference in data lengths. */
814 diff = xlen - XDRALIGN(B(ra->ra_maddr.xu_xslen));
817 * If our new string has a different length, make necessary
822 udp->uh_ulen = htons(ntohs(udp->uh_ulen) + diff);
823 fin->fin_ip->ip_len += diff;
824 fin->fin_dlen += diff;
825 fin->fin_plen += diff;
826 /* XXX Storage lengths. */
832 /* -------------------------------------------------------------------- */
833 /* Function: ippr_rpcb_decoderep */
834 /* Returns: int - -1 == bad request or critical failure, */
835 /* 0 == valid, negative reply */
836 /* 1 == vaddlid, positive reply; needs no changes */
837 /* Parameters: fin(I) - pointer to packet information */
838 /* nat(I) - pointer to NAT session structure */
839 /* rs(I) - pointer to RPCB session structure */
840 /* rm(I) - pointer to RPC message structure */
841 /* rxp(O) - pointer to RPCB transaction structure */
843 /* Take a presumed RPCB reply, extract the XID, search for the original */
844 /* request information, and determine whether the request was accepted */
845 /* or rejected. With a valid accepted reply, go ahead and create NAT */
846 /* and state entries, and finish up by rewriting the packet as */
849 /* WARNING: It's the responsibility of the caller to make sure there */
850 /* is enough room in rs_buf for the basic RPC message "preamble". */
851 /* -------------------------------------------------------------------- */
853 ippr_rpcb_decoderep(fin, nat, rs, rm, rxp)
867 p = (u_32_t *)rm->rm_msgbuf;
869 bzero((char *)&rx, sizeof(rx));
873 xdr = B(p++); /* Record this message's XID. */
876 MUTEX_ENTER(&rs->rs_rxlock);
877 if ((rx = ippr_rpcb_lookup(rs, xdr)) == NULL) {
878 MUTEX_EXIT(&rs->rs_rxlock);
881 ++rx->rx_ref; /* per thread reference */
882 MUTEX_EXIT(&rs->rs_rxlock);
886 /* Test call vs reply */
887 if (B(p++) != RPCB_REPLY)
890 /* Test reply_stat */
893 case RPCB_MSG_DENIED:
895 case RPCB_MSG_ACCEPTED:
901 /* Bypass RPC authentication stuff. */
902 if (ippr_rpcb_skipauth(rm, &rr->rr_authverf, &p) != 0)
905 /* Test accept status */
906 if (!RPCB_BUF_GEQ(rm, p, 4))
911 /* Parse out the expected reply */
915 /* There must be only one 4 byte argument. */
916 if (!RPCB_BUF_EQ(rm, p, 4))
922 /* Reply w/ a 0 port indicates service isn't registered */
926 /* Is the value sane? */
930 /* Create NAT & state table entries. */
931 if (ippr_rpcb_getnat(fin, nat, rx->rx_proto, (u_int)xdr) != 0)
934 case RPCB_RES_STRING:
935 /* Expecting a XDR string; need 4 bytes for length */
936 if (!RPCB_BUF_GEQ(rm, p, 4))
939 rr->rr_v3.xu_str.xs_len = p++;
940 rr->rr_v3.xu_str.xs_str = (char *)p;
942 xdr = B(rr->rr_v3.xu_xslen);
944 /* A null string indicates an unregistered service */
945 if ((xdr == 0) && RPCB_BUF_EQ(rm, p, 0))
948 /* Decode the target IP address / port. */
949 if (ippr_rpcb_getuaddr(rm, &rr->rr_v3, &p) != 0)
952 /* Validate the IP address and port contained. */
953 if (nat->nat_inip.s_addr != rr->rr_v3.xu_ip)
956 /* Create NAT & state table entries. */
957 if (ippr_rpcb_getnat(fin, nat, rx->rx_proto,
958 (u_int)rr->rr_v3.xu_port) != 0)
962 if (!RPCB_BUF_GEQ(rm, p, 4))
964 /* rpcb_entry_list_ptr */
981 re = &rl->rl_entries[rl->rl_cnt];
982 if (ippr_rpcb_getuaddr(rm, &re->re_maddr, &p) != 0)
984 if (ippr_rpcb_getproto(rm, &re->re_netid, &p) != 0)
986 /* re_semantics & re_pfamily length */
987 if (!RPCB_BUF_GEQ(rm, p, 12))
989 p++; /* Skipping re_semantics. */
991 if ((xdr != 4) || strncmp((char *)p, "inet", 4))
994 if (ippr_rpcb_getproto(rm, &re->re_proto, &p) != 0)
996 if (!RPCB_BUF_GEQ(rm, p, 4))
999 if (B(re->re_more) > 1) /* 0,1 only legal values */
1003 if (B(re->re_more) == 0)
1005 /* Replies in max out at 2; TCP and/or UDP */
1011 for(rl->rl_cnt = 0; rl->rl_cnt < cnt; rl->rl_cnt++) {
1012 re = &rl->rl_entries[rl->rl_cnt];
1013 rv = ippr_rpcb_getnat(fin, nat,
1014 re->re_proto.xp_proto,
1015 (u_int)re->re_maddr.xu_port);
1021 /*CONSTANTCONDITION*/
1022 IPF_PANIC(1, ("illegal rx_type %d", rx->rx_type));
1028 /* -------------------------------------------------------------------- */
1029 /* Function: ippr_rpcb_lookup */
1030 /* Returns: rpcb_xact_t * - NULL == no matching record, */
1031 /* else pointer to relevant entry */
1032 /* Parameters: rs(I) - pointer to RPCB session */
1033 /* xid(I) - XID to look for */
1034 /* -------------------------------------------------------------------- */
1035 static rpcb_xact_t *
1036 ippr_rpcb_lookup(rs, xid)
1042 if (rs->rs_rxlist == NULL)
1045 for (rx = rs->rs_rxlist; rx != NULL; rx = rx->rx_next)
1046 if (rx->rx_xid == xid)
1052 /* -------------------------------------------------------------------- */
1053 /* Function: ippr_rpcb_deref */
1054 /* Returns: (void) */
1055 /* Parameters: rs(I) - pointer to RPCB session */
1056 /* rx(I) - pointer to RPC transaction struct to remove */
1057 /* force(I) - indicates to delete entry regardless of */
1058 /* reference count */
1059 /* Locking: rs->rs_rxlock must be held write only */
1061 /* Free the RPCB transaction record rx from the chain of entries. */
1062 /* -------------------------------------------------------------------- */
1064 ippr_rpcb_deref(rs, rx)
1073 if (--rx->rx_ref != 0)
1076 if (rx->rx_next != NULL)
1077 rx->rx_next->rx_pnext = rx->rx_pnext;
1079 *rx->rx_pnext = rx->rx_next;
1086 /* -------------------------------------------------------------------- */
1087 /* Function: ippr_rpcb_getproto */
1088 /* Returns: int - -1 == illegal protocol/netid, */
1089 /* 0 == legal protocol/netid */
1090 /* Parameters: rm(I) - pointer to RPC message structure */
1091 /* xp(I) - pointer to netid structure */
1092 /* p(IO) - pointer to location within packet buffer */
1094 /* Decode netid/proto stored at p and record its numeric value. */
1095 /* -------------------------------------------------------------------- */
1097 ippr_rpcb_getproto(rm, xp, p)
1104 /* Must have 4 bytes for length & 4 bytes for "tcp" or "udp". */
1105 if (!RPCB_BUF_GEQ(rm, p, 8))
1108 xp->xp_xslen = (*p)++;
1109 xp->xp_xsstr = (char *)*p;
1111 /* Test the string length. */
1112 len = B(xp->xp_xslen);
1116 /* Test the actual string & record the protocol accordingly. */
1117 if (!strncmp((char *)xp->xp_xsstr, "tcp\0", 4))
1118 xp->xp_proto = IPPROTO_TCP;
1119 else if (!strncmp((char *)xp->xp_xsstr, "udp\0", 4))
1120 xp->xp_proto = IPPROTO_UDP;
1125 /* Advance past the string. */
1131 /* -------------------------------------------------------------------- */
1132 /* Function: ippr_rpcb_getnat */
1133 /* Returns: int -- -1 == failed to create table entries, */
1135 /* Parameters: fin(I) - pointer to packet information */
1136 /* nat(I) - pointer to NAT table entry */
1137 /* proto(I) - transport protocol for new entries */
1138 /* port(I) - new port to use w/ wildcard table entries */
1140 /* Create state and NAT entries to handle an anticipated connection */
1141 /* attempt between RPC client and server. */
1142 /* -------------------------------------------------------------------- */
1144 ippr_rpcb_getnat(fin, nat, proto, port)
1150 ipnat_t *ipn, ipnat;
1159 /* Generate dummy fr_info */
1160 bcopy((char *)fin, (char *)&fi, sizeof(fi));
1162 fi.fin_src = fin->fin_dst;
1163 fi.fin_dst = nat->nat_outip;
1166 fi.fin_dport = port & 0xffff;
1167 fi.fin_flx |= FI_IGNORE;
1169 bzero((char *)&tcp, sizeof(tcp));
1170 tcp.th_dport = htons(port);
1172 if (proto == IPPROTO_TCP) {
1173 tcp.th_win = htons(8192);
1174 TCP_OFF_A(&tcp, sizeof(tcphdr_t) >> 2);
1175 fi.fin_dlen = sizeof(tcphdr_t);
1176 tcp.th_flags = TH_SYN;
1179 fi.fin_dlen = sizeof(udphdr_t);
1183 nflags |= SI_W_SPORT|NAT_SEARCH;
1185 fi.fin_plen = fi.fin_hlen + fi.fin_dlen;
1188 * Search for existing NAT & state entries. Pay close attention to
1189 * mutexes / locks grabbed from lookup routines, as not doing so could
1190 * lead to bad things.
1192 * If successful, fr_stlookup returns with ipf_state locked. We have
1193 * no use for this lock, so simply unlock it if necessary.
1195 is = fr_stlookup(&fi, &tcp, NULL);
1197 RWLOCK_EXIT(&ipf_state);
1199 RWLOCK_EXIT(&ipf_nat);
1201 WRITE_ENTER(&ipf_nat);
1202 natl = nat_inlookup(&fi, nflags, proto, fi.fin_src, fi.fin_dst);
1204 if ((natl != NULL) && (is != NULL)) {
1205 MUTEX_DOWNGRADE(&ipf_nat);
1209 /* Slightly modify the following structures for actual use in creating
1210 * NAT and/or state entries. We're primarily concerned with stripping
1211 * flags that may be detrimental to the creation process or simply
1212 * shouldn't be associated with a table entry.
1214 fi.fin_fr = &rpcbfr;
1215 fi.fin_flx &= ~FI_IGNORE;
1216 nflags &= ~NAT_SEARCH;
1219 /* XXX Since we're just copying the original ipn contents
1220 * back, would we be better off just sending a pointer to
1221 * the 'temp' copy off to nat_new instead?
1223 /* Generate template/bogus NAT rule. */
1224 bcopy((char *)ipn, (char *)&ipnat, sizeof(ipnat));
1225 ipn->in_flags = nflags & IPN_TCPUDP;
1228 ipn->in_pmin = htons(fi.fin_dport);
1229 ipn->in_pmax = htons(fi.fin_dport);
1230 ipn->in_pnext = htons(fi.fin_dport);
1233 if (ipn->in_flags & IPN_FILTER) {
1237 *ipn->in_plabel = '\0';
1239 /* Create NAT entry. return NULL if this fails. */
1240 natl = nat_new(&fi, ipn, NULL, nflags|SI_CLONE|NAT_SLAVE,
1243 bcopy((char *)&ipnat, (char *)ipn, sizeof(ipnat));
1246 MUTEX_DOWNGRADE(&ipf_nat);
1251 (void) nat_proto(&fi, natl, nflags);
1252 nat_update(&fi, natl, natl->nat_ptr);
1254 MUTEX_DOWNGRADE(&ipf_nat);
1257 /* Create state entry. Return NULL if this fails. */
1258 fi.fin_dst = nat->nat_inip;
1259 fi.fin_nat = (void *)natl;
1260 fi.fin_flx |= FI_NATED;
1261 fi.fin_flx &= ~FI_STATE;
1262 nflags &= NAT_TCPUDP;
1263 nflags |= SI_W_SPORT|SI_CLONE;
1265 is = fr_addstate(&fi, NULL, nflags);
1268 * XXX nat_delete is private to ip_nat.c. Should
1269 * check w/ Darren about this one.
1271 * nat_delete(natl, NL_EXPIRE);
1275 if (fi.fin_state != NULL)
1276 fr_statederef(&fi, (ipstate_t **)&fi.fin_state);
1282 /* -------------------------------------------------------------------- */
1283 /* Function: ippr_rpcb_modv3 */
1284 /* Returns: int -- change in packet length */
1285 /* Parameters: fin(I) - pointer to packet information */
1286 /* nat(I) - pointer to NAT session */
1287 /* rm(I) - pointer to RPC message structure */
1288 /* m(I) - pointer to mbuf chain */
1289 /* off(I) - offset within mbuf chain */
1291 /* Write a new universal address string to this packet, adjusting */
1292 /* lengths as necessary. */
1293 /* -------------------------------------------------------------------- */
1295 ippr_rpcb_modv3(fin, nat, rm, m, off)
1302 u_int len, xlen, pos, bogo;
1309 i = (char *)&nat->nat_outip.s_addr;
1310 p = (char *)&rr->rr_v3.xu_port;
1312 /* Form new string. */
1313 bzero(uaddr, sizeof(uaddr)); /* Just in case we need padding. */
1314 #if defined(SNPRINTF) && defined(_KERNEL)
1315 SNPRINTF(uaddr, sizeof(uaddr),
1317 (void) sprintf(uaddr,
1319 "%u.%u.%u.%u.%u.%u", i[0] & 0xff, i[1] & 0xff,
1320 i[2] & 0xff, i[3] & 0xff, p[0] & 0xff, p[1] & 0xff);
1321 len = strlen(uaddr);
1322 xlen = XDRALIGN(len);
1324 /* Determine mbuf offset to write to. */
1325 pos = (char *)rr->rr_v3.xu_xslen - rm->rm_msgbuf;
1328 /* Write new string length. */
1330 COPYBACK(m, off, 4, (caddr_t)&bogo);
1333 /* Write new string. */
1334 COPYBACK(m, off, xlen, uaddr);
1336 /* Determine difference in data lengths. */
1337 diff = xlen - XDRALIGN(B(rr->rr_v3.xu_xslen));
1340 * If our new string has a different length, make necessary
1344 ippr_rpcb_fixlen(fin, diff);
1349 /* -------------------------------------------------------------------- */
1350 /* Function: ippr_rpcb_modv4 */
1351 /* Returns: int -- change in packet length */
1352 /* Parameters: fin(I) - pointer to packet information */
1353 /* nat(I) - pointer to NAT session */
1354 /* rm(I) - pointer to RPC message structure */
1355 /* m(I) - pointer to mbuf chain */
1356 /* off(I) - offset within mbuf chain */
1358 /* Write new rpcb_entry list, adjusting lengths as necessary. */
1359 /* -------------------------------------------------------------------- */
1361 ippr_rpcb_modv4(fin, nat, rm, m, off)
1368 u_int len, xlen, pos, bogo;
1380 i = (char *)&nat->nat_outip.s_addr;
1382 /* Determine mbuf offset to write to. */
1383 re = &rl->rl_entries[0];
1384 pos = (char *)re->re_maddr.xu_xslen - rm->rm_msgbuf;
1387 for (cnt = 0; cnt < rl->rl_cnt; cnt++) {
1388 re = &rl->rl_entries[cnt];
1389 p = (char *)&re->re_maddr.xu_port;
1391 /* Form new string. */
1392 bzero(uaddr, sizeof(uaddr)); /* Just in case we need
1394 #if defined(SNPRINTF) && defined(_KERNEL)
1395 SNPRINTF(uaddr, sizeof(uaddr),
1397 (void) sprintf(uaddr,
1399 "%u.%u.%u.%u.%u.%u", i[0] & 0xff,
1400 i[1] & 0xff, i[2] & 0xff, i[3] & 0xff,
1401 p[0] & 0xff, p[1] & 0xff);
1402 len = strlen(uaddr);
1403 xlen = XDRALIGN(len);
1405 /* Write new string length. */
1407 COPYBACK(m, off, 4, (caddr_t)&bogo);
1410 /* Write new string. */
1411 COPYBACK(m, off, xlen, uaddr);
1414 /* Record any change in length. */
1415 diff += xlen - XDRALIGN(B(re->re_maddr.xu_xslen));
1417 /* If the length changed, copy back the rest of this entry. */
1418 len = ((char *)re->re_more + 4) -
1419 (char *)re->re_netid.xp_xslen;
1421 COPYBACK(m, off, len, (caddr_t)re->re_netid.xp_xslen);
1427 * If our new string has a different length, make necessary
1431 ippr_rpcb_fixlen(fin, diff);
1437 /* -------------------------------------------------------------------- */
1438 /* Function: ippr_rpcb_fixlen */
1439 /* Returns: (void) */
1440 /* Parameters: fin(I) - pointer to packet information */
1441 /* len(I) - change in packet length */
1443 /* Adjust various packet related lengths held in structure and packet */
1444 /* header fields. */
1445 /* -------------------------------------------------------------------- */
1447 ippr_rpcb_fixlen(fin, len)
1454 udp->uh_ulen = htons(ntohs(udp->uh_ulen) + len);
1455 fin->fin_ip->ip_len += len;
1456 fin->fin_dlen += len;
1457 fin->fin_plen += len;
projects / FreeBSD / FreeBSD.git / blob