ipfilter/netinet/ip_rpcb_pxy.c

145516Sdarrenr/*
255332Scy * Copyright (C) 2002-2012 by Ryan Beasley <ryanb@goddamnbastard.org>
145516Sdarrenr *
145516Sdarrenr * See the IPFILTER.LICENCE file for details on licencing.
145516Sdarrenr */
145516Sdarrenr/*
145516Sdarrenr * Overview:
145516Sdarrenr *   This is an in-kernel application proxy for Sun's RPCBIND (nee portmap)
145516Sdarrenr *   protocol as defined in RFC1833.  It is far from complete, mostly
145516Sdarrenr *   lacking in less-likely corner cases, but it's definitely functional.
145516Sdarrenr *
145516Sdarrenr *   Invocation:
145516Sdarrenr *     rdr <int> <e_ip>/32 port <e_p> -> <i_ip> port <i_p> udp proxy rpcbu
145516Sdarrenr *
145516Sdarrenr *   If the host running IP Filter is the same as the RPC server, it's
145516Sdarrenr *   perfectly legal for both the internal and external addresses and ports
145516Sdarrenr *   to match.
145516Sdarrenr *
145516Sdarrenr *   When triggered by appropriate IP NAT rules, this proxy works by
145516Sdarrenr *   examining data contained in received packets.  Requests and replies are
145516Sdarrenr *   modified, NAT and state table entries created, etc., as necessary.
145516Sdarrenr */
145516Sdarrenr/*
145516Sdarrenr * TODO / NOTES
145516Sdarrenr *
145516Sdarrenr *   o Must implement locking to protect proxy session data.
145516Sdarrenr *   o Fragmentation isn't supported.
145516Sdarrenr *   o Only supports UDP.
145516Sdarrenr *   o Doesn't support multiple RPC records in a single request.
145516Sdarrenr *   o Errors should be more fine-grained.  (e.g., malloc failure vs.
145516Sdarrenr *     illegal RPCB request / reply)
145516Sdarrenr *   o Even with the limit on the total amount of recorded transactions,
145516Sdarrenr *     should there be a timeout on transaction removal?
145516Sdarrenr *   o There is a potential collision between cloning, wildcard NAT and
145516Sdarrenr *     state entries.  There should be an appr_getport routine for
145516Sdarrenr *     to avoid this.
145516Sdarrenr *   o The enclosed hack of STREAMS support is pretty sick and most likely
145516Sdarrenr *     broken.
145516Sdarrenr *
255332Scy *	$Id$
145516Sdarrenr */
145516Sdarrenr#define	IPF_RPCB_PROXY
145516Sdarrenr
145516Sdarrenr/*
145516Sdarrenr * Function prototypes
145516Sdarrenr */
255332Scyvoid	ipf_p_rpcb_main_load __P((void));
255332Scyvoid	ipf_p_rpcb_main_unload __P((void));
255332Scyint	ipf_p_rpcb_new __P((void *, fr_info_t *, ap_session_t *, nat_t *));
255332Scyvoid	ipf_p_rpcb_del __P((ipf_main_softc_t *, ap_session_t *));
255332Scyint	ipf_p_rpcb_in __P((void *, fr_info_t *, ap_session_t *, nat_t *));
255332Scyint	ipf_p_rpcb_out __P((void *, fr_info_t *, ap_session_t *, nat_t *));
145516Sdarrenr
255332Scystatic void	ipf_p_rpcb_flush __P((rpcb_session_t *));
255332Scystatic int	ipf_p_rpcb_decodereq __P((fr_info_t *, nat_t *,
145516Sdarrenr	rpcb_session_t *, rpc_msg_t *));
255332Scystatic int	ipf_p_rpcb_skipauth __P((rpc_msg_t *, xdr_auth_t *, u_32_t **));
255332Scystatic int	ipf_p_rpcb_insert __P((rpcb_session_t *, rpcb_xact_t *));
255332Scystatic int	ipf_p_rpcb_xdrrpcb __P((rpc_msg_t *, u_32_t *, rpcb_args_t *));
255332Scystatic int	ipf_p_rpcb_getuaddr __P((rpc_msg_t *, xdr_uaddr_t *,
145516Sdarrenr	u_32_t **));
255332Scystatic u_int	ipf_p_rpcb_atoi __P((char *));
255332Scystatic int	ipf_p_rpcb_modreq __P((fr_info_t *, nat_t *, rpc_msg_t *,
145516Sdarrenr	mb_t *, u_int));
255332Scystatic int	ipf_p_rpcb_decoderep __P((fr_info_t *, nat_t *,
145516Sdarrenr	rpcb_session_t *, rpc_msg_t *, rpcb_xact_t **));
255332Scystatic rpcb_xact_t *	ipf_p_rpcb_lookup __P((rpcb_session_t *, u_32_t));
255332Scystatic void	ipf_p_rpcb_deref __P((rpcb_session_t *, rpcb_xact_t *));
255332Scystatic int	ipf_p_rpcb_getproto __P((rpc_msg_t *, xdr_proto_t *,
145516Sdarrenr	u_32_t **));
255332Scystatic int	ipf_p_rpcb_getnat __P((fr_info_t *, nat_t *, u_int, u_int));
255332Scystatic int	ipf_p_rpcb_modv3 __P((fr_info_t *, nat_t *, rpc_msg_t *,
145516Sdarrenr	mb_t *, u_int));
255332Scystatic int	ipf_p_rpcb_modv4 __P((fr_info_t *, nat_t *, rpc_msg_t *,
145516Sdarrenr	mb_t *, u_int));
255332Scystatic void     ipf_p_rpcb_fixlen __P((fr_info_t *, int));
145516Sdarrenr
145516Sdarrenr/*
145516Sdarrenr * Global variables
145516Sdarrenr */
145516Sdarrenrstatic	frentry_t	rpcbfr;	/* Skeleton rule for reference by entities
145516Sdarrenr				   this proxy creates. */
145516Sdarrenrstatic	int	rpcbcnt;	/* Upper bound of allocated RPCB sessions. */
145516Sdarrenr				/* XXX rpcbcnt still requires locking. */
145516Sdarrenr
255332Scystatic	int	rpcb_proxy_init = 0;
145516Sdarrenr
145516Sdarrenr
145516Sdarrenr/*
145516Sdarrenr * Since rpc_msg contains only pointers, one should use this macro as a
145516Sdarrenr * handy way to get to the goods.  (In case you're wondering about the name,
145516Sdarrenr * this started as BYTEREF -> BREF -> B.)
145516Sdarrenr */
145516Sdarrenr#define	B(r)	(u_32_t)ntohl(*(r))
145516Sdarrenr
145516Sdarrenr/*
145516Sdarrenr * Public subroutines
145516Sdarrenr */
145516Sdarrenr
255332Scy/* -------------------------------------------------------------------- */
255332Scy/* Function:    ipf_p_rpcb_main_load                                    */
255332Scy/* Returns:     void                                                    */
255332Scy/* Parameters:  (void)                                                  */
255332Scy/*                                                                      */
255332Scy/* Initialize the filter rule entry and session limiter.                */
255332Scy/* -------------------------------------------------------------------- */
255332Scyvoid
255332Scyipf_p_rpcb_main_load()
145516Sdarrenr{
145516Sdarrenr	rpcbcnt = 0;
145516Sdarrenr
145516Sdarrenr	bzero((char *)&rpcbfr, sizeof(rpcbfr));
145516Sdarrenr	rpcbfr.fr_ref = 1;
145516Sdarrenr	rpcbfr.fr_flags = FR_PASS|FR_QUICK|FR_KEEPSTATE;
145516Sdarrenr	MUTEX_INIT(&rpcbfr.fr_lock, "ipf Sun RPCB proxy rule lock");
145516Sdarrenr	rpcb_proxy_init = 1;
145516Sdarrenr}
145516Sdarrenr
255332Scy/* -------------------------------------------------------------------- */
255332Scy/* Function:    ipf_p_rpcb_main_unload                                  */
255332Scy/* Returns:     void                                                    */
255332Scy/* Parameters:  (void)                                                  */
255332Scy/*                                                                      */
255332Scy/* Destroy rpcbfr's mutex to avoid a lock leak.                         */
255332Scy/* -------------------------------------------------------------------- */
145516Sdarrenrvoid
255332Scyipf_p_rpcb_main_unload()
145516Sdarrenr{
145516Sdarrenr	if (rpcb_proxy_init == 1) {
145516Sdarrenr		MUTEX_DESTROY(&rpcbfr.fr_lock);
145516Sdarrenr		rpcb_proxy_init = 0;
145516Sdarrenr	}
145516Sdarrenr}
145516Sdarrenr
145516Sdarrenr/* --------------------------------------------------------------------	*/
255332Scy/* Function:	ipf_p_rpcb_new						*/
145516Sdarrenr/* Returns:	int - -1 == failure, 0 == success			*/
145516Sdarrenr/* Parameters:	fin(I)	- pointer to packet information			*/
145516Sdarrenr/*		aps(I)	- pointer to proxy session structure		*/
145516Sdarrenr/*		nat(I)	- pointer to NAT session structure		*/
145516Sdarrenr/*									*/
145516Sdarrenr/* Allocate resources for per-session proxy structures.			*/
145516Sdarrenr/* --------------------------------------------------------------------	*/
145516Sdarrenrint
255332Scyipf_p_rpcb_new(arg, fin, aps, nat)
255332Scy	void *arg;
145516Sdarrenr	fr_info_t *fin;
145516Sdarrenr	ap_session_t *aps;
145516Sdarrenr	nat_t *nat;
145516Sdarrenr{
145516Sdarrenr	rpcb_session_t *rs;
145516Sdarrenr
145516Sdarrenr	nat = nat;	/* LINT */
145516Sdarrenr
255332Scy	if (fin->fin_v != 4)
255332Scy		return -1;
255332Scy
145516Sdarrenr	KMALLOC(rs, rpcb_session_t *);
145516Sdarrenr	if (rs == NULL)
145516Sdarrenr		return(-1);
145516Sdarrenr
145516Sdarrenr	bzero((char *)rs, sizeof(*rs));
145516Sdarrenr	MUTEX_INIT(&rs->rs_rxlock, "ipf Sun RPCB proxy session lock");
145516Sdarrenr
145516Sdarrenr	aps->aps_data = rs;
145516Sdarrenr
145516Sdarrenr	return(0);
145516Sdarrenr}
145516Sdarrenr
145516Sdarrenr/* --------------------------------------------------------------------	*/
255332Scy/* Function:	ipf_p_rpcb_del						*/
145516Sdarrenr/* Returns:	void							*/
145516Sdarrenr/* Parameters:	aps(I)	- pointer to proxy session structure		*/
145516Sdarrenr/*									*/
145516Sdarrenr/* Free up a session's list of RPCB requests.				*/
145516Sdarrenr/* --------------------------------------------------------------------	*/
145516Sdarrenrvoid
255332Scyipf_p_rpcb_del(softc, aps)
255332Scy	ipf_main_softc_t *softc;
145516Sdarrenr	ap_session_t *aps;
145516Sdarrenr{
145516Sdarrenr	rpcb_session_t *rs;
145516Sdarrenr	rs = (rpcb_session_t *)aps->aps_data;
145516Sdarrenr
145516Sdarrenr	MUTEX_ENTER(&rs->rs_rxlock);
255332Scy	ipf_p_rpcb_flush(rs);
145516Sdarrenr	MUTEX_EXIT(&rs->rs_rxlock);
145516Sdarrenr	MUTEX_DESTROY(&rs->rs_rxlock);
145516Sdarrenr}
145516Sdarrenr
145516Sdarrenr/* --------------------------------------------------------------------	*/
255332Scy/* Function:	ipf_p_rpcb_in						*/
145516Sdarrenr/* Returns:	int - APR_ERR(1) == drop the packet, 			*/
145516Sdarrenr/*		      APR_ERR(2) == kill the proxy session,		*/
145516Sdarrenr/*		      else change in packet length (in bytes)		*/
145516Sdarrenr/* Parameters:	fin(I)	- pointer to packet information			*/
145516Sdarrenr/*		ip(I)	- pointer to packet header			*/
145516Sdarrenr/*		aps(I)	- pointer to proxy session structure		*/
145516Sdarrenr/*		nat(I)	- pointer to NAT session structure		*/
145516Sdarrenr/*									*/
145516Sdarrenr/* Given a presumed RPCB request, perform some minor tests and pass off */
145516Sdarrenr/* for decoding.  Also pass packet off for a rewrite if necessary.	*/
145516Sdarrenr/* --------------------------------------------------------------------	*/
145516Sdarrenrint
255332Scyipf_p_rpcb_in(arg, fin, aps, nat)
255332Scy	void *arg;
145516Sdarrenr	fr_info_t *fin;
145516Sdarrenr	ap_session_t *aps;
145516Sdarrenr	nat_t *nat;
145516Sdarrenr{
145516Sdarrenr	rpc_msg_t rpcmsg, *rm;
145516Sdarrenr	rpcb_session_t *rs;
145516Sdarrenr	u_int off, dlen;
145516Sdarrenr	mb_t *m;
145516Sdarrenr	int rv;
145516Sdarrenr
145516Sdarrenr	/* Disallow fragmented or illegally short packets. */
145516Sdarrenr	if ((fin->fin_flx & (FI_FRAG|FI_SHORT)) != 0)
145516Sdarrenr		return(APR_ERR(1));
145516Sdarrenr
145516Sdarrenr	/* Perform basic variable initialization. */
145516Sdarrenr	rs = (rpcb_session_t *)aps->aps_data;
145516Sdarrenr
145516Sdarrenr	m = fin->fin_m;
145516Sdarrenr	off = (char *)fin->fin_dp - (char *)fin->fin_ip;
145516Sdarrenr	off += sizeof(udphdr_t) + fin->fin_ipoff;
145516Sdarrenr	dlen = fin->fin_dlen - sizeof(udphdr_t);
145516Sdarrenr
145516Sdarrenr	/* Disallow packets outside legal range for supported requests. */
145516Sdarrenr	if ((dlen < RPCB_REQMIN) || (dlen > RPCB_REQMAX))
145516Sdarrenr		return(APR_ERR(1));
145516Sdarrenr
145516Sdarrenr	/* Copy packet over to convenience buffer. */
145516Sdarrenr	rm = &rpcmsg;
145516Sdarrenr	bzero((char *)rm, sizeof(*rm));
145516Sdarrenr	COPYDATA(m, off, dlen, (caddr_t)&rm->rm_msgbuf);
145516Sdarrenr	rm->rm_buflen = dlen;
145516Sdarrenr
145516Sdarrenr	/* Send off to decode request. */
255332Scy	rv = ipf_p_rpcb_decodereq(fin, nat, rs, rm);
145516Sdarrenr
145516Sdarrenr	switch(rv)
145516Sdarrenr	{
145516Sdarrenr	case -1:
145516Sdarrenr		return(APR_ERR(1));
145516Sdarrenr		/*NOTREACHED*/
145516Sdarrenr		break;
145516Sdarrenr	case 0:
145516Sdarrenr		break;
145516Sdarrenr	case 1:
255332Scy		rv = ipf_p_rpcb_modreq(fin, nat, rm, m, off);
145516Sdarrenr		break;
145516Sdarrenr	default:
145516Sdarrenr		/*CONSTANTCONDITION*/
255332Scy		IPF_PANIC(1, ("illegal rv %d (ipf_p_rpcb_req)", rv));
145516Sdarrenr	}
145516Sdarrenr
145516Sdarrenr	return(rv);
145516Sdarrenr}
145516Sdarrenr
145516Sdarrenr/* --------------------------------------------------------------------	*/
255332Scy/* Function:	ipf_p_rpcb_out						*/
145516Sdarrenr/* Returns:	int - APR_ERR(1) == drop the packet, 			*/
145516Sdarrenr/*		      APR_ERR(2) == kill the proxy session,		*/
145516Sdarrenr/*		      else change in packet length (in bytes)		*/
145516Sdarrenr/* Parameters:	fin(I)	- pointer to packet information			*/
145516Sdarrenr/*		ip(I)	- pointer to packet header			*/
145516Sdarrenr/*		aps(I)	- pointer to proxy session structure		*/
145516Sdarrenr/*		nat(I)	- pointer to NAT session structure		*/
145516Sdarrenr/*									*/
145516Sdarrenr/* Given a presumed RPCB reply, perform some minor tests and pass off	*/
145516Sdarrenr/* for decoding.  If the message indicates a successful request with	*/
145516Sdarrenr/* valid addressing information, create NAT and state structures to	*/
145516Sdarrenr/* allow direct communication between RPC client and server.		*/
145516Sdarrenr/* --------------------------------------------------------------------	*/
145516Sdarrenrint
255332Scyipf_p_rpcb_out(arg, fin, aps, nat)
255332Scy	void *arg;
145516Sdarrenr	fr_info_t *fin;
145516Sdarrenr	ap_session_t *aps;
145516Sdarrenr	nat_t *nat;
145516Sdarrenr{
145516Sdarrenr	rpc_msg_t rpcmsg, *rm;
145516Sdarrenr	rpcb_session_t *rs;
145516Sdarrenr	rpcb_xact_t *rx;
145516Sdarrenr	u_int off, dlen;
145516Sdarrenr	int rv, diff;
145516Sdarrenr	mb_t *m;
145516Sdarrenr
145516Sdarrenr	/* Disallow fragmented or illegally short packets. */
145516Sdarrenr	if ((fin->fin_flx & (FI_FRAG|FI_SHORT)) != 0)
145516Sdarrenr		return(APR_ERR(1));
145516Sdarrenr
145516Sdarrenr	/* Perform basic variable initialization. */
145516Sdarrenr	rs = (rpcb_session_t *)aps->aps_data;
170263Sdarrenr	rx = NULL;
145516Sdarrenr
145516Sdarrenr	m = fin->fin_m;
145516Sdarrenr	off = (char *)fin->fin_dp - (char *)fin->fin_ip;
145516Sdarrenr	off += sizeof(udphdr_t) + fin->fin_ipoff;
145516Sdarrenr	dlen = fin->fin_dlen - sizeof(udphdr_t);
145516Sdarrenr	diff = 0;
145516Sdarrenr
145516Sdarrenr	/* Disallow packets outside legal range for supported requests. */
145516Sdarrenr	if ((dlen < RPCB_REPMIN) || (dlen > RPCB_REPMAX))
145516Sdarrenr		return(APR_ERR(1));
145516Sdarrenr
145516Sdarrenr	/* Copy packet over to convenience buffer. */
145516Sdarrenr	rm = &rpcmsg;
145516Sdarrenr	bzero((char *)rm, sizeof(*rm));
145516Sdarrenr	COPYDATA(m, off, dlen, (caddr_t)&rm->rm_msgbuf);
145516Sdarrenr	rm->rm_buflen = dlen;
145516Sdarrenr
170263Sdarrenr	rx = NULL;		/* XXX gcc */
170263Sdarrenr
145516Sdarrenr	/* Send off to decode reply. */
255332Scy	rv = ipf_p_rpcb_decoderep(fin, nat, rs, rm, &rx);
145516Sdarrenr
145516Sdarrenr	switch(rv)
145516Sdarrenr	{
145516Sdarrenr	case -1: /* Bad packet */
145516Sdarrenr                if (rx != NULL) {
145516Sdarrenr                        MUTEX_ENTER(&rs->rs_rxlock);
255332Scy                        ipf_p_rpcb_deref(rs, rx);
145516Sdarrenr                        MUTEX_EXIT(&rs->rs_rxlock);
145516Sdarrenr                }
145516Sdarrenr		return(APR_ERR(1));
145516Sdarrenr		/*NOTREACHED*/
145516Sdarrenr		break;
145516Sdarrenr	case  0: /* Negative reply / request rejected */
145516Sdarrenr		break;
145516Sdarrenr	case  1: /* Positive reply */
145516Sdarrenr		/*
145516Sdarrenr		 * With the IP address embedded in a GETADDR(LIST) reply,
145516Sdarrenr		 * we'll need to rewrite the packet in the very possible
145516Sdarrenr		 * event that the internal & external addresses aren't the
145516Sdarrenr		 * same.  (i.e., this box is either a router or rpcbind
145516Sdarrenr		 * only listens on loopback.)
145516Sdarrenr		 */
255332Scy		if (nat->nat_odstaddr != nat->nat_ndstaddr) {
145516Sdarrenr			if (rx->rx_type == RPCB_RES_STRING)
255332Scy				diff = ipf_p_rpcb_modv3(fin, nat, rm, m, off);
145516Sdarrenr			else if (rx->rx_type == RPCB_RES_LIST)
255332Scy				diff = ipf_p_rpcb_modv4(fin, nat, rm, m, off);
145516Sdarrenr		}
145516Sdarrenr		break;
145516Sdarrenr	default:
145516Sdarrenr		/*CONSTANTCONDITION*/
255332Scy		IPF_PANIC(1, ("illegal rv %d (ipf_p_rpcb_decoderep)", rv));
145516Sdarrenr	}
145516Sdarrenr
145516Sdarrenr	if (rx != NULL) {
145516Sdarrenr                MUTEX_ENTER(&rs->rs_rxlock);
145516Sdarrenr                /* XXX Gross hack - I'm overloading the reference
145516Sdarrenr                 * counter to deal with both threads and retransmitted
145516Sdarrenr                 * requests.  One deref signals that this thread is
145516Sdarrenr                 * finished with rx, and the other signals that we've
145516Sdarrenr                 * processed its reply.
145516Sdarrenr                 */
255332Scy                ipf_p_rpcb_deref(rs, rx);
255332Scy                ipf_p_rpcb_deref(rs, rx);
145516Sdarrenr                MUTEX_EXIT(&rs->rs_rxlock);
145516Sdarrenr	}
145516Sdarrenr
145516Sdarrenr	return(diff);
145516Sdarrenr}
145516Sdarrenr
145516Sdarrenr/*
145516Sdarrenr * Private support subroutines
145516Sdarrenr */
145516Sdarrenr
145516Sdarrenr/* --------------------------------------------------------------------	*/
255332Scy/* Function:	ipf_p_rpcb_flush						*/
145516Sdarrenr/* Returns:	void							*/
145516Sdarrenr/* Parameters:	rs(I)	- pointer to RPCB session structure		*/
145516Sdarrenr/*									*/
145516Sdarrenr/* Simply flushes the list of outstanding transactions, if any.		*/
145516Sdarrenr/* --------------------------------------------------------------------	*/
145516Sdarrenrstatic void
255332Scyipf_p_rpcb_flush(rs)
145516Sdarrenr	rpcb_session_t *rs;
145516Sdarrenr{
145516Sdarrenr	rpcb_xact_t *r1, *r2;
145516Sdarrenr
145516Sdarrenr	r1 = rs->rs_rxlist;
145516Sdarrenr	if (r1 == NULL)
145516Sdarrenr		return;
145516Sdarrenr
145516Sdarrenr	while (r1 != NULL) {
145516Sdarrenr		r2 = r1;
145516Sdarrenr		r1 = r1->rx_next;
145516Sdarrenr		KFREE(r2);
145516Sdarrenr	}
145516Sdarrenr}
145516Sdarrenr
145516Sdarrenr/* --------------------------------------------------------------------	*/
255332Scy/* Function:	ipf_p_rpcb_decodereq					*/
145516Sdarrenr/* Returns:	int - -1 == bad request or critical failure,		*/
145516Sdarrenr/*		       0 == request successfully decoded,		*/
145516Sdarrenr/*		       1 == request successfully decoded; requires	*/
145516Sdarrenr/*			    address rewrite/modification		*/
145516Sdarrenr/* Parameters:	fin(I)	- pointer to packet information			*/
145516Sdarrenr/*		nat(I)	- pointer to NAT session structure		*/
145516Sdarrenr/*		rs(I)	- pointer to RPCB session structure		*/
145516Sdarrenr/*		rm(I)	- pointer to RPC message structure		*/
145516Sdarrenr/*									*/
145516Sdarrenr/* Take a presumed RPCB request, decode it, and store the results in	*/
145516Sdarrenr/* the transaction list.  If the internal target address needs to be	*/
145516Sdarrenr/* modified, store its location in ptr.					*/
145516Sdarrenr/* WARNING:  It's the responsibility of the caller to make sure there	*/
145516Sdarrenr/* is enough room in rs_buf for the basic RPC message "preamble".	*/
145516Sdarrenr/* --------------------------------------------------------------------	*/
145516Sdarrenrstatic int
255332Scyipf_p_rpcb_decodereq(fin, nat, rs, rm)
145516Sdarrenr	fr_info_t *fin;
145516Sdarrenr	nat_t *nat;
145516Sdarrenr	rpcb_session_t *rs;
145516Sdarrenr	rpc_msg_t *rm;
145516Sdarrenr{
145516Sdarrenr	rpcb_args_t *ra;
145516Sdarrenr	u_32_t xdr, *p;
145516Sdarrenr	rpc_call_t *rc;
145516Sdarrenr	rpcb_xact_t rx;
145516Sdarrenr	int mod;
145516Sdarrenr
145516Sdarrenr	p = (u_32_t *)rm->rm_msgbuf;
145516Sdarrenr	mod = 0;
145516Sdarrenr
145516Sdarrenr	bzero((char *)&rx, sizeof(rx));
145516Sdarrenr	rc = &rm->rm_call;
145516Sdarrenr
145516Sdarrenr	rm->rm_xid = p;
145516Sdarrenr	rx.rx_xid = B(p++);	/* Record this message's XID. */
145516Sdarrenr
145516Sdarrenr	/* Parse out and test the RPC header. */
145516Sdarrenr	if ((B(p++) != RPCB_CALL) ||
145516Sdarrenr	    (B(p++) != RPCB_MSG_VERSION) ||
145516Sdarrenr	    (B(p++) != RPCB_PROG))
145516Sdarrenr		return(-1);
145516Sdarrenr
145516Sdarrenr	/* Record the RPCB version and procedure. */
145516Sdarrenr	rc->rc_vers = p++;
145516Sdarrenr	rc->rc_proc = p++;
145516Sdarrenr
145516Sdarrenr	/* Bypass RPC authentication stuff. */
255332Scy	if (ipf_p_rpcb_skipauth(rm, &rc->rc_authcred, &p) != 0)
145516Sdarrenr		return(-1);
255332Scy	if (ipf_p_rpcb_skipauth(rm, &rc->rc_authverf, &p) != 0)
145516Sdarrenr		return(-1);
145516Sdarrenr
145516Sdarrenr	/* Compare RPCB version and procedure numbers. */
145516Sdarrenr	switch(B(rc->rc_vers))
145516Sdarrenr	{
145516Sdarrenr	case 2:
145516Sdarrenr		/* This proxy only supports PMAP_GETPORT. */
145516Sdarrenr		if (B(rc->rc_proc) != RPCB_GETPORT)
145516Sdarrenr			return(-1);
145516Sdarrenr
145516Sdarrenr		/* Portmap requests contain four 4 byte parameters. */
145516Sdarrenr		if (RPCB_BUF_EQ(rm, p, 16) == 0)
145516Sdarrenr			return(-1);
145516Sdarrenr
145516Sdarrenr		p += 2; /* Skip requested program and version numbers. */
145516Sdarrenr
145516Sdarrenr		/* Sanity check the requested protocol. */
145516Sdarrenr		xdr = B(p);
145516Sdarrenr		if (!(xdr == IPPROTO_UDP || xdr == IPPROTO_TCP))
145516Sdarrenr			return(-1);
145516Sdarrenr
145516Sdarrenr		rx.rx_type = RPCB_RES_PMAP;
145516Sdarrenr		rx.rx_proto = xdr;
145516Sdarrenr		break;
145516Sdarrenr	case 3:
145516Sdarrenr	case 4:
145516Sdarrenr		/* GETADDRLIST is exclusive to v4; GETADDR for v3 & v4 */
145516Sdarrenr		switch(B(rc->rc_proc))
145516Sdarrenr		{
145516Sdarrenr		case RPCB_GETADDR:
145516Sdarrenr			rx.rx_type = RPCB_RES_STRING;
145516Sdarrenr			rx.rx_proto = (u_int)fin->fin_p;
145516Sdarrenr			break;
145516Sdarrenr		case RPCB_GETADDRLIST:
145516Sdarrenr			if (B(rc->rc_vers) != 4)
145516Sdarrenr				return(-1);
145516Sdarrenr			rx.rx_type = RPCB_RES_LIST;
145516Sdarrenr			break;
145516Sdarrenr		default:
145516Sdarrenr			return(-1);
145516Sdarrenr		}
145516Sdarrenr
145516Sdarrenr		ra = &rc->rc_rpcbargs;
145516Sdarrenr
145516Sdarrenr		/* Decode the 'struct rpcb' request. */
255332Scy		if (ipf_p_rpcb_xdrrpcb(rm, p, ra) != 0)
145516Sdarrenr			return(-1);
145516Sdarrenr
145516Sdarrenr		/* Are the target address & port valid? */
255332Scy		if ((ra->ra_maddr.xu_ip != nat->nat_ndstaddr) ||
255332Scy		    (ra->ra_maddr.xu_port != nat->nat_ndport))
145516Sdarrenr		    	return(-1);
145516Sdarrenr
145516Sdarrenr		/* Do we need to rewrite this packet? */
255332Scy		if ((nat->nat_ndstaddr != nat->nat_odstaddr) ||
255332Scy		    (nat->nat_ndport != nat->nat_odport))
145516Sdarrenr		    	mod = 1;
145516Sdarrenr		break;
145516Sdarrenr	default:
145516Sdarrenr		return(-1);
145516Sdarrenr	}
145516Sdarrenr
145516Sdarrenr        MUTEX_ENTER(&rs->rs_rxlock);
255332Scy	if (ipf_p_rpcb_insert(rs, &rx) != 0) {
145516Sdarrenr                MUTEX_EXIT(&rs->rs_rxlock);
145516Sdarrenr		return(-1);
145516Sdarrenr	}
145516Sdarrenr        MUTEX_EXIT(&rs->rs_rxlock);
145516Sdarrenr
145516Sdarrenr	return(mod);
145516Sdarrenr}
145516Sdarrenr
145516Sdarrenr/* --------------------------------------------------------------------	*/
255332Scy/* Function:	ipf_p_rpcb_skipauth					*/
145516Sdarrenr/* Returns:	int -- -1 == illegal auth parameters (lengths)		*/
145516Sdarrenr/*			0 == valid parameters, pointer advanced		*/
145516Sdarrenr/* Parameters:	rm(I)	- pointer to RPC message structure		*/
145516Sdarrenr/*		auth(I)	- pointer to RPC auth structure			*/
145516Sdarrenr/*		buf(IO)	- pointer to location within convenience buffer	*/
145516Sdarrenr/*									*/
145516Sdarrenr/* Record auth data length & location of auth data, then advance past	*/
145516Sdarrenr/* it.									*/
145516Sdarrenr/* --------------------------------------------------------------------	*/
145516Sdarrenrstatic int
255332Scyipf_p_rpcb_skipauth(rm, auth, buf)
145516Sdarrenr	rpc_msg_t *rm;
145516Sdarrenr	xdr_auth_t *auth;
145516Sdarrenr	u_32_t **buf;
145516Sdarrenr{
145516Sdarrenr	u_32_t *p, xdr;
145516Sdarrenr
145516Sdarrenr	p = *buf;
145516Sdarrenr
145516Sdarrenr	/* Make sure we have enough space for expected fixed auth parms. */
145516Sdarrenr	if (RPCB_BUF_GEQ(rm, p, 8) == 0)
145516Sdarrenr		return(-1);
145516Sdarrenr
145516Sdarrenr	p++; /* We don't care about auth_flavor. */
145516Sdarrenr
145516Sdarrenr	auth->xa_string.xs_len = p;
145516Sdarrenr	xdr = B(p++);		/* Length of auth_data */
145516Sdarrenr
145516Sdarrenr	/* Test for absurdity / illegality of auth_data length. */
145516Sdarrenr	if ((XDRALIGN(xdr) < xdr) || (RPCB_BUF_GEQ(rm, p, XDRALIGN(xdr)) == 0))
145516Sdarrenr		return(-1);
145516Sdarrenr
145516Sdarrenr	auth->xa_string.xs_str = (char *)p;
145516Sdarrenr
145516Sdarrenr	p += XDRALIGN(xdr);	/* Advance our location. */
145516Sdarrenr
145516Sdarrenr	*buf = (u_32_t *)p;
145516Sdarrenr
145516Sdarrenr	return(0);
145516Sdarrenr}
145516Sdarrenr
145516Sdarrenr/* --------------------------------------------------------------------	*/
255332Scy/* Function:	ipf_p_rpcb_insert					*/
145516Sdarrenr/* Returns:	int -- -1 == list insertion failed,			*/
145516Sdarrenr/*			0 == item successfully added			*/
145516Sdarrenr/* Parameters:	rs(I)	- pointer to RPCB session structure		*/
145516Sdarrenr/*		rx(I)	- pointer to RPCB transaction structure		*/
145516Sdarrenr/* --------------------------------------------------------------------	*/
145516Sdarrenrstatic int
255332Scyipf_p_rpcb_insert(rs, rx)
145516Sdarrenr	rpcb_session_t *rs;
145516Sdarrenr	rpcb_xact_t *rx;
145516Sdarrenr{
145516Sdarrenr	rpcb_xact_t *rxp;
145516Sdarrenr
255332Scy	rxp = ipf_p_rpcb_lookup(rs, rx->rx_xid);
145516Sdarrenr	if (rxp != NULL) {
145516Sdarrenr                ++rxp->rx_ref;
145516Sdarrenr		return(0);
145516Sdarrenr        }
145516Sdarrenr
145516Sdarrenr	if (rpcbcnt == RPCB_MAXREQS)
145516Sdarrenr		return(-1);
145516Sdarrenr
145516Sdarrenr	KMALLOC(rxp, rpcb_xact_t *);
145516Sdarrenr	if (rxp == NULL)
145516Sdarrenr		return(-1);
145516Sdarrenr
145516Sdarrenr	bcopy((char *)rx, (char *)rxp, sizeof(*rx));
145516Sdarrenr
145516Sdarrenr	if (rs->rs_rxlist != NULL)
145516Sdarrenr		rs->rs_rxlist->rx_pnext = &rxp->rx_next;
145516Sdarrenr
145516Sdarrenr	rxp->rx_pnext = &rs->rs_rxlist;
145516Sdarrenr	rxp->rx_next = rs->rs_rxlist;
145516Sdarrenr	rs->rs_rxlist = rxp;
145516Sdarrenr
145516Sdarrenr	rxp->rx_ref = 1;
145516Sdarrenr
145516Sdarrenr	++rpcbcnt;
145516Sdarrenr
145516Sdarrenr	return(0);
145516Sdarrenr}
145516Sdarrenr
145516Sdarrenr/* --------------------------------------------------------------------	*/
255332Scy/* Function:	ipf_p_rpcb_xdrrpcb					*/
145516Sdarrenr/* Returns:	int -- -1 == failure to properly decode the request	*/
145516Sdarrenr/*			0 == rpcb successfully decoded			*/
145516Sdarrenr/* Parameters:	rs(I)	- pointer to RPCB session structure		*/
145516Sdarrenr/*		p(I)	- pointer to location within session buffer	*/
145516Sdarrenr/*		rpcb(O)	- pointer to rpcb (xdr type) structure		*/
145516Sdarrenr/*									*/
145516Sdarrenr/* Decode a XDR encoded rpcb structure and record its contents in rpcb  */
145516Sdarrenr/* within only the context of TCP/UDP over IP networks.			*/
145516Sdarrenr/* --------------------------------------------------------------------	*/
145516Sdarrenrstatic int
255332Scyipf_p_rpcb_xdrrpcb(rm, p, ra)
145516Sdarrenr	rpc_msg_t *rm;
145516Sdarrenr	u_32_t *p;
145516Sdarrenr	rpcb_args_t *ra;
145516Sdarrenr{
145516Sdarrenr	if (!RPCB_BUF_GEQ(rm, p, 20))
145516Sdarrenr		return(-1);
145516Sdarrenr
145516Sdarrenr	/* Bypass target program & version. */
145516Sdarrenr	p += 2;
145516Sdarrenr
145516Sdarrenr	/* Decode r_netid.  Must be "tcp" or "udp". */
255332Scy	if (ipf_p_rpcb_getproto(rm, &ra->ra_netid, &p) != 0)
145516Sdarrenr		return(-1);
145516Sdarrenr
145516Sdarrenr	/* Decode r_maddr. */
255332Scy	if (ipf_p_rpcb_getuaddr(rm, &ra->ra_maddr, &p) != 0)
145516Sdarrenr		return(-1);
145516Sdarrenr
145516Sdarrenr	/* Advance to r_owner and make sure it's empty. */
145516Sdarrenr	if (!RPCB_BUF_EQ(rm, p, 4) || (B(p) != 0))
145516Sdarrenr		return(-1);
145516Sdarrenr
145516Sdarrenr	return(0);
145516Sdarrenr}
145516Sdarrenr
145516Sdarrenr/* --------------------------------------------------------------------	*/
255332Scy/* Function:	ipf_p_rpcb_getuaddr					*/
145516Sdarrenr/* Returns:	int -- -1 == illegal string,				*/
145516Sdarrenr/*			0 == string parsed; contents recorded		*/
145516Sdarrenr/* Parameters:	rm(I)	- pointer to RPC message structure		*/
145516Sdarrenr/*		xu(I)	- pointer to universal address structure	*/
145516Sdarrenr/*		p(IO)	- pointer to location within message buffer	*/
145516Sdarrenr/*									*/
145516Sdarrenr/* Decode the IP address / port at p and record them in xu.		*/
145516Sdarrenr/* --------------------------------------------------------------------	*/
145516Sdarrenrstatic int
255332Scyipf_p_rpcb_getuaddr(rm, xu, p)
145516Sdarrenr	rpc_msg_t *rm;
145516Sdarrenr	xdr_uaddr_t *xu;
145516Sdarrenr	u_32_t **p;
145516Sdarrenr{
145516Sdarrenr	char *c, *i, *b, *pp;
145516Sdarrenr	u_int d, dd, l, t;
145516Sdarrenr	char uastr[24];
145516Sdarrenr
145516Sdarrenr	/* Test for string length. */
145516Sdarrenr	if (!RPCB_BUF_GEQ(rm, *p, 4))
145516Sdarrenr		return(-1);
145516Sdarrenr
145516Sdarrenr	xu->xu_xslen = (*p)++;
145516Sdarrenr	xu->xu_xsstr = (char *)*p;
145516Sdarrenr
145516Sdarrenr	/* Length check */
145516Sdarrenr	l = B(xu->xu_xslen);
145516Sdarrenr	if (l < 11 || l > 23 || !RPCB_BUF_GEQ(rm, *p, XDRALIGN(l)))
145516Sdarrenr		return(-1);
145516Sdarrenr
145516Sdarrenr	/* Advance p */
145516Sdarrenr	*(char **)p += XDRALIGN(l);
145516Sdarrenr
145516Sdarrenr	/* Copy string to local buffer & terminate C style */
145516Sdarrenr	bcopy(xu->xu_xsstr, uastr, l);
145516Sdarrenr	uastr[l] = '\0';
145516Sdarrenr
145516Sdarrenr	i = (char *)&xu->xu_ip;
145516Sdarrenr	pp = (char *)&xu->xu_port;
145516Sdarrenr
145516Sdarrenr	/*
145516Sdarrenr	 * Expected format: a.b.c.d.e.f where [a-d] correspond to bytes of
145516Sdarrenr	 * an IP address and [ef] are the bytes of a L4 port.
145516Sdarrenr	 */
145516Sdarrenr	if (!(ISDIGIT(uastr[0]) && ISDIGIT(uastr[l-1])))
145516Sdarrenr		return(-1);
145516Sdarrenr	b = uastr;
145516Sdarrenr	for (c = &uastr[1], d = 0, dd = 0; c < &uastr[l-1]; c++) {
145516Sdarrenr		if (ISDIGIT(*c)) {
145516Sdarrenr			dd = 0;
145516Sdarrenr			continue;
145516Sdarrenr		}
145516Sdarrenr		if (*c == '.') {
145516Sdarrenr			if (dd != 0)
145516Sdarrenr				return(-1);
145516Sdarrenr
145516Sdarrenr			/* Check for ASCII byte. */
145516Sdarrenr			*c = '\0';
255332Scy			t = ipf_p_rpcb_atoi(b);
145516Sdarrenr			if (t > 255)
145516Sdarrenr				return(-1);
145516Sdarrenr
145516Sdarrenr			/* Aim b at beginning of the next byte. */
145516Sdarrenr			b = c + 1;
145516Sdarrenr
145516Sdarrenr			/* Switch off IP addr vs port parsing. */
145516Sdarrenr			if (d < 4)
145516Sdarrenr				i[d++] = t & 0xff;
145516Sdarrenr			else
145516Sdarrenr				pp[d++ - 4] = t & 0xff;
145516Sdarrenr
145516Sdarrenr			dd = 1;
145516Sdarrenr			continue;
145516Sdarrenr		}
145516Sdarrenr		return(-1);
145516Sdarrenr	}
145516Sdarrenr	if (d != 5) /* String must contain exactly 5 periods. */
145516Sdarrenr		return(-1);
145516Sdarrenr
145516Sdarrenr	/* Handle the last byte (port low byte) */
255332Scy	t = ipf_p_rpcb_atoi(b);
145516Sdarrenr	if (t > 255)
145516Sdarrenr		return(-1);
145516Sdarrenr	pp[d - 4] = t & 0xff;
145516Sdarrenr
145516Sdarrenr	return(0);
145516Sdarrenr}
145516Sdarrenr
145516Sdarrenr/* --------------------------------------------------------------------	*/
255332Scy/* Function:	ipf_p_rpcb_atoi (XXX should be generic for all proxies)	*/
145516Sdarrenr/* Returns:	int -- integer representation of supplied string	*/
145516Sdarrenr/* Parameters:	ptr(I)	- input string					*/
145516Sdarrenr/*									*/
145516Sdarrenr/* Simple version of atoi(3) ripped from ip_rcmd_pxy.c.			*/
145516Sdarrenr/* --------------------------------------------------------------------	*/
145516Sdarrenrstatic u_int
255332Scyipf_p_rpcb_atoi(ptr)
145516Sdarrenr	char *ptr;
145516Sdarrenr{
145516Sdarrenr	register char *s = ptr, c;
145516Sdarrenr	register u_int i = 0;
145516Sdarrenr
145516Sdarrenr	while (((c = *s++) != '\0') && ISDIGIT(c)) {
145516Sdarrenr		i *= 10;
145516Sdarrenr		i += c - '0';
145516Sdarrenr	}
145516Sdarrenr	return i;
145516Sdarrenr}
145516Sdarrenr
145516Sdarrenr/* --------------------------------------------------------------------	*/
255332Scy/* Function:	ipf_p_rpcb_modreq					*/
145516Sdarrenr/* Returns:	int -- change in datagram length			*/
145516Sdarrenr/*			APR_ERR(2) - critical failure			*/
145516Sdarrenr/* Parameters:	fin(I)	- pointer to packet information			*/
145516Sdarrenr/*		nat(I)	- pointer to NAT session			*/
145516Sdarrenr/*		rm(I)	- pointer to RPC message structure		*/
145516Sdarrenr/*		m(I)	- pointer to mbuf chain				*/
145516Sdarrenr/*		off(I)	- current offset within mbuf chain		*/
145516Sdarrenr/*									*/
145516Sdarrenr/* When external and internal addresses differ, we rewrite the former	*/
145516Sdarrenr/* with the latter.  (This is exclusive to protocol versions 3 & 4).	*/
145516Sdarrenr/* --------------------------------------------------------------------	*/
145516Sdarrenrstatic int
255332Scyipf_p_rpcb_modreq(fin, nat, rm, m, off)
145516Sdarrenr	fr_info_t *fin;
145516Sdarrenr	nat_t *nat;
145516Sdarrenr	rpc_msg_t *rm;
145516Sdarrenr	mb_t *m;
145516Sdarrenr	u_int off;
145516Sdarrenr{
145516Sdarrenr	u_int len, xlen, pos, bogo;
145516Sdarrenr	rpcb_args_t *ra;
145516Sdarrenr	char uaddr[24];
145516Sdarrenr	udphdr_t *udp;
145516Sdarrenr	char *i, *p;
145516Sdarrenr	int diff;
145516Sdarrenr
145516Sdarrenr	ra = &rm->rm_call.rc_rpcbargs;
255332Scy	i = (char *)&nat->nat_odstaddr;
255332Scy	p = (char *)&nat->nat_odport;
145516Sdarrenr
145516Sdarrenr	/* Form new string. */
145516Sdarrenr	bzero(uaddr, sizeof(uaddr)); /* Just in case we need padding. */
145516Sdarrenr#if defined(SNPRINTF) && defined(_KERNEL)
145516Sdarrenr	SNPRINTF(uaddr, sizeof(uaddr),
145516Sdarrenr#else
145516Sdarrenr	(void) sprintf(uaddr,
145516Sdarrenr#endif
145516Sdarrenr		       "%u.%u.%u.%u.%u.%u", i[0] & 0xff, i[1] & 0xff,
145516Sdarrenr		       i[2] & 0xff, i[3] & 0xff, p[0] & 0xff, p[1] & 0xff);
145516Sdarrenr	len = strlen(uaddr);
145516Sdarrenr	xlen = XDRALIGN(len);
145516Sdarrenr
145516Sdarrenr	/* Determine mbuf offset to start writing to. */
145516Sdarrenr	pos = (char *)ra->ra_maddr.xu_xslen - rm->rm_msgbuf;
145516Sdarrenr	off += pos;
145516Sdarrenr
145516Sdarrenr	/* Write new string length. */
145516Sdarrenr	bogo = htonl(len);
145516Sdarrenr	COPYBACK(m, off, 4, (caddr_t)&bogo);
145516Sdarrenr	off += 4;
145516Sdarrenr
145516Sdarrenr	/* Write new string. */
145516Sdarrenr	COPYBACK(m, off, xlen, uaddr);
145516Sdarrenr	off += xlen;
145516Sdarrenr
145516Sdarrenr	/* Write in zero r_owner. */
145516Sdarrenr	bogo = 0;
145516Sdarrenr	COPYBACK(m, off, 4, (caddr_t)&bogo);
145516Sdarrenr
145516Sdarrenr	/* Determine difference in data lengths. */
145516Sdarrenr	diff = xlen - XDRALIGN(B(ra->ra_maddr.xu_xslen));
145516Sdarrenr
145516Sdarrenr	/*
145516Sdarrenr	 * If our new string has a different length, make necessary
145516Sdarrenr	 * adjustments.
145516Sdarrenr	 */
145516Sdarrenr	if (diff != 0) {
145516Sdarrenr		udp = fin->fin_dp;
145516Sdarrenr		udp->uh_ulen = htons(ntohs(udp->uh_ulen) + diff);
255332Scy		fin->fin_plen += diff;
255332Scy		fin->fin_ip->ip_len = htons(fin->fin_plen);
145516Sdarrenr		fin->fin_dlen += diff;
145516Sdarrenr		/* XXX Storage lengths. */
145516Sdarrenr	}
145516Sdarrenr
145516Sdarrenr	return(diff);
145516Sdarrenr}
145516Sdarrenr
145516Sdarrenr/* --------------------------------------------------------------------	*/
255332Scy/* Function:	ipf_p_rpcb_decoderep					*/
145516Sdarrenr/* Returns:	int - -1 == bad request or critical failure,		*/
145516Sdarrenr/*		       0 == valid, negative reply			*/
145516Sdarrenr/*		       1 == vaddlid, positive reply; needs no changes	*/
145516Sdarrenr/* Parameters:	fin(I)	- pointer to packet information			*/
145516Sdarrenr/*		nat(I)	- pointer to NAT session structure		*/
145516Sdarrenr/*		rs(I)	- pointer to RPCB session structure		*/
145516Sdarrenr/*		rm(I)	- pointer to RPC message structure		*/
145516Sdarrenr/*		rxp(O)	- pointer to RPCB transaction structure		*/
145516Sdarrenr/*									*/
145516Sdarrenr/* Take a presumed RPCB reply, extract the XID, search for the original */
145516Sdarrenr/* request information, and determine whether the request was accepted	*/
145516Sdarrenr/* or rejected.  With a valid accepted reply, go ahead and create NAT	*/
145516Sdarrenr/* and state entries, and finish up by rewriting the packet as 		*/
145516Sdarrenr/* required.								*/
145516Sdarrenr/*									*/
145516Sdarrenr/* WARNING:  It's the responsibility of the caller to make sure there	*/
145516Sdarrenr/* is enough room in rs_buf for the basic RPC message "preamble".	*/
145516Sdarrenr/* --------------------------------------------------------------------	*/
145516Sdarrenrstatic int
255332Scyipf_p_rpcb_decoderep(fin, nat, rs, rm, rxp)
145516Sdarrenr	fr_info_t *fin;
145516Sdarrenr	nat_t *nat;
145516Sdarrenr	rpcb_session_t *rs;
145516Sdarrenr	rpc_msg_t *rm;
145516Sdarrenr	rpcb_xact_t **rxp;
145516Sdarrenr{
145516Sdarrenr	rpcb_listp_t *rl;
145516Sdarrenr	rpcb_entry_t *re;
145516Sdarrenr	rpcb_xact_t *rx;
145516Sdarrenr	u_32_t xdr, *p;
145516Sdarrenr	rpc_resp_t *rr;
145516Sdarrenr	int rv, cnt;
145516Sdarrenr
145516Sdarrenr	p = (u_32_t *)rm->rm_msgbuf;
145516Sdarrenr
145516Sdarrenr	bzero((char *)&rx, sizeof(rx));
145516Sdarrenr	rr = &rm->rm_resp;
145516Sdarrenr
145516Sdarrenr	rm->rm_xid = p;
145516Sdarrenr	xdr = B(p++);		/* Record this message's XID. */
145516Sdarrenr
145516Sdarrenr	/* Lookup XID */
145516Sdarrenr        MUTEX_ENTER(&rs->rs_rxlock);
255332Scy	if ((rx = ipf_p_rpcb_lookup(rs, xdr)) == NULL) {
145516Sdarrenr                MUTEX_EXIT(&rs->rs_rxlock);
145516Sdarrenr		return(-1);
145516Sdarrenr        }
145516Sdarrenr        ++rx->rx_ref;        /* per thread reference */
145516Sdarrenr        MUTEX_EXIT(&rs->rs_rxlock);
145516Sdarrenr
145516Sdarrenr	*rxp = rx;
145516Sdarrenr
145516Sdarrenr	/* Test call vs reply */
145516Sdarrenr	if (B(p++) != RPCB_REPLY)
145516Sdarrenr		return(-1);
145516Sdarrenr
145516Sdarrenr	/* Test reply_stat */
145516Sdarrenr	switch(B(p++))
145516Sdarrenr	{
145516Sdarrenr	case RPCB_MSG_DENIED:
145516Sdarrenr		return(0);
145516Sdarrenr	case RPCB_MSG_ACCEPTED:
145516Sdarrenr		break;
145516Sdarrenr	default:
145516Sdarrenr		return(-1);
145516Sdarrenr	}
145516Sdarrenr
145516Sdarrenr	/* Bypass RPC authentication stuff. */
255332Scy	if (ipf_p_rpcb_skipauth(rm, &rr->rr_authverf, &p) != 0)
145516Sdarrenr		return(-1);
145516Sdarrenr
145516Sdarrenr	/* Test accept status */
145516Sdarrenr	if (!RPCB_BUF_GEQ(rm, p, 4))
145516Sdarrenr		return(-1);
145516Sdarrenr	if (B(p++) != 0)
145516Sdarrenr		return(0);
145516Sdarrenr
145516Sdarrenr	/* Parse out the expected reply */
145516Sdarrenr	switch(rx->rx_type)
145516Sdarrenr	{
145516Sdarrenr	case RPCB_RES_PMAP:
145516Sdarrenr		/* There must be only one 4 byte argument. */
145516Sdarrenr		if (!RPCB_BUF_EQ(rm, p, 4))
145516Sdarrenr			return(-1);
255332Scy
145516Sdarrenr		rr->rr_v2 = p;
145516Sdarrenr		xdr = B(rr->rr_v2);
255332Scy
145516Sdarrenr		/* Reply w/ a 0 port indicates service isn't registered */
145516Sdarrenr		if (xdr == 0)
145516Sdarrenr			return(0);
255332Scy
145516Sdarrenr		/* Is the value sane? */
145516Sdarrenr		if (xdr > 65535)
145516Sdarrenr			return(-1);
145516Sdarrenr
145516Sdarrenr		/* Create NAT & state table entries. */
255332Scy		if (ipf_p_rpcb_getnat(fin, nat, rx->rx_proto, (u_int)xdr) != 0)
145516Sdarrenr			return(-1);
145516Sdarrenr		break;
145516Sdarrenr	case RPCB_RES_STRING:
145516Sdarrenr		/* Expecting a XDR string; need 4 bytes for length */
145516Sdarrenr		if (!RPCB_BUF_GEQ(rm, p, 4))
145516Sdarrenr			return(-1);
145516Sdarrenr
145516Sdarrenr		rr->rr_v3.xu_str.xs_len = p++;
145516Sdarrenr		rr->rr_v3.xu_str.xs_str = (char *)p;
145516Sdarrenr
145516Sdarrenr		xdr = B(rr->rr_v3.xu_xslen);
145516Sdarrenr
145516Sdarrenr		/* A null string indicates an unregistered service */
145516Sdarrenr		if ((xdr == 0) && RPCB_BUF_EQ(rm, p, 0))
145516Sdarrenr			return(0);
145516Sdarrenr
145516Sdarrenr		/* Decode the target IP address / port. */
255332Scy		if (ipf_p_rpcb_getuaddr(rm, &rr->rr_v3, &p) != 0)
145516Sdarrenr			return(-1);
145516Sdarrenr
145516Sdarrenr		/* Validate the IP address and port contained. */
255332Scy		if (nat->nat_odstaddr != rr->rr_v3.xu_ip)
145516Sdarrenr			return(-1);
145516Sdarrenr
145516Sdarrenr		/* Create NAT & state table entries. */
255332Scy		if (ipf_p_rpcb_getnat(fin, nat, rx->rx_proto,
145516Sdarrenr				     (u_int)rr->rr_v3.xu_port) != 0)
145516Sdarrenr			return(-1);
145516Sdarrenr		break;
145516Sdarrenr	case RPCB_RES_LIST:
145516Sdarrenr		if (!RPCB_BUF_GEQ(rm, p, 4))
145516Sdarrenr			return(-1);
145516Sdarrenr		/* rpcb_entry_list_ptr */
145516Sdarrenr		switch(B(p))
145516Sdarrenr		{
145516Sdarrenr		case 0:
145516Sdarrenr			return(0);
145516Sdarrenr			/*NOTREACHED*/
145516Sdarrenr			break;
145516Sdarrenr		case 1:
145516Sdarrenr			break;
145516Sdarrenr		default:
145516Sdarrenr			return(-1);
145516Sdarrenr		}
145516Sdarrenr		rl = &rr->rr_v4;
145516Sdarrenr		rl->rl_list = p++;
145516Sdarrenr		cnt = 0;
145516Sdarrenr
145516Sdarrenr		for(;;) {
145516Sdarrenr			re = &rl->rl_entries[rl->rl_cnt];
255332Scy			if (ipf_p_rpcb_getuaddr(rm, &re->re_maddr, &p) != 0)
145516Sdarrenr				return(-1);
255332Scy			if (ipf_p_rpcb_getproto(rm, &re->re_netid, &p) != 0)
145516Sdarrenr				return(-1);
145516Sdarrenr			/* re_semantics & re_pfamily length */
145516Sdarrenr			if (!RPCB_BUF_GEQ(rm, p, 12))
145516Sdarrenr				return(-1);
145516Sdarrenr			p++; /* Skipping re_semantics. */
145516Sdarrenr			xdr = B(p++);
145516Sdarrenr			if ((xdr != 4) || strncmp((char *)p, "inet", 4))
145516Sdarrenr				return(-1);
145516Sdarrenr			p++;
255332Scy			if (ipf_p_rpcb_getproto(rm, &re->re_proto, &p) != 0)
145516Sdarrenr				return(-1);
145516Sdarrenr			if (!RPCB_BUF_GEQ(rm, p, 4))
145516Sdarrenr				return(-1);
145516Sdarrenr			re->re_more = p;
145516Sdarrenr			if (B(re->re_more) > 1) /* 0,1 only legal values */
145516Sdarrenr				return(-1);
145516Sdarrenr			++rl->rl_cnt;
145516Sdarrenr			++cnt;
145516Sdarrenr			if (B(re->re_more) == 0)
145516Sdarrenr				break;
145516Sdarrenr			/* Replies in  max out at 2; TCP and/or UDP */
145516Sdarrenr			if (cnt > 2)
145516Sdarrenr				return(-1);
145516Sdarrenr			p++;
145516Sdarrenr		}
145516Sdarrenr
145516Sdarrenr		for(rl->rl_cnt = 0; rl->rl_cnt < cnt; rl->rl_cnt++) {
145516Sdarrenr			re = &rl->rl_entries[rl->rl_cnt];
255332Scy			rv = ipf_p_rpcb_getnat(fin, nat,
145516Sdarrenr			                      re->re_proto.xp_proto,
145516Sdarrenr				              (u_int)re->re_maddr.xu_port);
145516Sdarrenr			if (rv != 0)
145516Sdarrenr				return(-1);
145516Sdarrenr		}
145516Sdarrenr		break;
145516Sdarrenr	default:
145516Sdarrenr		/*CONSTANTCONDITION*/
145516Sdarrenr		IPF_PANIC(1, ("illegal rx_type %d", rx->rx_type));
145516Sdarrenr	}
145516Sdarrenr
145516Sdarrenr	return(1);
145516Sdarrenr}
145516Sdarrenr
145516Sdarrenr/* --------------------------------------------------------------------	*/
255332Scy/* Function:	ipf_p_rpcb_lookup					*/
145516Sdarrenr/* Returns:	rpcb_xact_t * 	- NULL == no matching record,		*/
145516Sdarrenr/*				  else pointer to relevant entry	*/
145516Sdarrenr/* Parameters:	rs(I)	- pointer to RPCB session			*/
145516Sdarrenr/*		xid(I)	- XID to look for				*/
145516Sdarrenr/* --------------------------------------------------------------------	*/
145516Sdarrenrstatic rpcb_xact_t *
255332Scyipf_p_rpcb_lookup(rs, xid)
145516Sdarrenr	rpcb_session_t *rs;
145516Sdarrenr	u_32_t xid;
145516Sdarrenr{
145516Sdarrenr	rpcb_xact_t *rx;
145516Sdarrenr
145516Sdarrenr	if (rs->rs_rxlist == NULL)
145516Sdarrenr		return(NULL);
145516Sdarrenr
145516Sdarrenr	for (rx = rs->rs_rxlist; rx != NULL; rx = rx->rx_next)
145516Sdarrenr		if (rx->rx_xid == xid)
145516Sdarrenr			break;
145516Sdarrenr
145516Sdarrenr	return(rx);
145516Sdarrenr}
145516Sdarrenr
145516Sdarrenr/* --------------------------------------------------------------------	*/
255332Scy/* Function:	ipf_p_rpcb_deref					        */
145516Sdarrenr/* Returns:	(void)							*/
145516Sdarrenr/* Parameters:	rs(I)	- pointer to RPCB session			*/
145516Sdarrenr/*		rx(I)	- pointer to RPC transaction struct to remove	*/
145516Sdarrenr/*              force(I) - indicates to delete entry regardless of      */
145516Sdarrenr/*                         reference count                              */
145516Sdarrenr/* Locking:	rs->rs_rxlock must be held write only			*/
145516Sdarrenr/*									*/
145516Sdarrenr/* Free the RPCB transaction record rx from the chain of entries.	*/
145516Sdarrenr/* --------------------------------------------------------------------	*/
145516Sdarrenrstatic void
255332Scyipf_p_rpcb_deref(rs, rx)
145516Sdarrenr	rpcb_session_t *rs;
145516Sdarrenr	rpcb_xact_t *rx;
145516Sdarrenr{
145516Sdarrenr	rs = rs;	/* LINT */
145516Sdarrenr
145516Sdarrenr	if (rx == NULL)
145516Sdarrenr		return;
145516Sdarrenr
145516Sdarrenr	if (--rx->rx_ref != 0)
145516Sdarrenr		return;
145516Sdarrenr
145516Sdarrenr	if (rx->rx_next != NULL)
145516Sdarrenr		rx->rx_next->rx_pnext = rx->rx_pnext;
145516Sdarrenr
145516Sdarrenr	*rx->rx_pnext = rx->rx_next;
145516Sdarrenr
145516Sdarrenr	KFREE(rx);
145516Sdarrenr
145516Sdarrenr	--rpcbcnt;
145516Sdarrenr}
145516Sdarrenr
145516Sdarrenr/* --------------------------------------------------------------------	*/
255332Scy/* Function:	ipf_p_rpcb_getproto					*/
145516Sdarrenr/* Returns:	int - -1 == illegal protocol/netid,			*/
145516Sdarrenr/*		       0 == legal protocol/netid			*/
145516Sdarrenr/* Parameters:	rm(I)	- pointer to RPC message structure		*/
145516Sdarrenr/*		xp(I)	- pointer to netid structure			*/
145516Sdarrenr/*		p(IO)	- pointer to location within packet buffer	*/
145516Sdarrenr/* 									*/
145516Sdarrenr/* Decode netid/proto stored at p and record its numeric value.	 	*/
145516Sdarrenr/* --------------------------------------------------------------------	*/
145516Sdarrenrstatic int
255332Scyipf_p_rpcb_getproto(rm, xp, p)
145516Sdarrenr	rpc_msg_t *rm;
145516Sdarrenr	xdr_proto_t *xp;
145516Sdarrenr	u_32_t **p;
145516Sdarrenr{
145516Sdarrenr	u_int len;
145516Sdarrenr
145516Sdarrenr	/* Must have 4 bytes for length & 4 bytes for "tcp" or "udp". */
145516Sdarrenr	if (!RPCB_BUF_GEQ(rm, p, 8))
145516Sdarrenr		return(-1);
145516Sdarrenr
145516Sdarrenr	xp->xp_xslen = (*p)++;
145516Sdarrenr	xp->xp_xsstr = (char *)*p;
145516Sdarrenr
145516Sdarrenr	/* Test the string length. */
145516Sdarrenr	len = B(xp->xp_xslen);
145516Sdarrenr	if (len != 3)
145516Sdarrenr	 	return(-1);
145516Sdarrenr
145516Sdarrenr	/* Test the actual string & record the protocol accordingly. */
145516Sdarrenr	if (!strncmp((char *)xp->xp_xsstr, "tcp\0", 4))
145516Sdarrenr		xp->xp_proto = IPPROTO_TCP;
145516Sdarrenr	else if (!strncmp((char *)xp->xp_xsstr, "udp\0", 4))
145516Sdarrenr		xp->xp_proto = IPPROTO_UDP;
145516Sdarrenr	else {
145516Sdarrenr		return(-1);
145516Sdarrenr	}
255332Scy
145516Sdarrenr	/* Advance past the string. */
145516Sdarrenr	(*p)++;
145516Sdarrenr
145516Sdarrenr	return(0);
145516Sdarrenr}
145516Sdarrenr
145516Sdarrenr/* --------------------------------------------------------------------	*/
255332Scy/* Function:	ipf_p_rpcb_getnat					*/
145516Sdarrenr/* Returns:	int -- -1 == failed to create table entries,		*/
145516Sdarrenr/*			0 == success					*/
145516Sdarrenr/* Parameters:	fin(I)	- pointer to packet information			*/
145516Sdarrenr/*		nat(I)	- pointer to NAT table entry			*/
145516Sdarrenr/*		proto(I) - transport protocol for new entries		*/
145516Sdarrenr/*		port(I)	- new port to use w/ wildcard table entries	*/
145516Sdarrenr/*									*/
145516Sdarrenr/* Create state and NAT entries to handle an anticipated connection	*/
145516Sdarrenr/* attempt between RPC client and server.				*/
145516Sdarrenr/* --------------------------------------------------------------------	*/
145516Sdarrenrstatic int
255332Scyipf_p_rpcb_getnat(fin, nat, proto, port)
145516Sdarrenr	fr_info_t *fin;
145516Sdarrenr	nat_t *nat;
145516Sdarrenr	u_int proto;
145516Sdarrenr	u_int port;
145516Sdarrenr{
255332Scy	ipf_main_softc_t *softc = fin->fin_main_soft;
145516Sdarrenr	ipnat_t *ipn, ipnat;
145516Sdarrenr	tcphdr_t tcp;
145516Sdarrenr	ipstate_t *is;
145516Sdarrenr	fr_info_t fi;
145516Sdarrenr	nat_t *natl;
145516Sdarrenr	int nflags;
145516Sdarrenr
145516Sdarrenr	ipn = nat->nat_ptr;
145516Sdarrenr
145516Sdarrenr	/* Generate dummy fr_info */
145516Sdarrenr	bcopy((char *)fin, (char *)&fi, sizeof(fi));
145516Sdarrenr	fi.fin_out = 0;
145516Sdarrenr	fi.fin_p = proto;
145516Sdarrenr	fi.fin_sport = 0;
145516Sdarrenr	fi.fin_dport = port & 0xffff;
145516Sdarrenr	fi.fin_flx |= FI_IGNORE;
255332Scy	fi.fin_saddr = nat->nat_osrcaddr;
255332Scy	fi.fin_daddr = nat->nat_odstaddr;
145516Sdarrenr
145516Sdarrenr	bzero((char *)&tcp, sizeof(tcp));
145516Sdarrenr	tcp.th_dport = htons(port);
145516Sdarrenr
145516Sdarrenr	if (proto == IPPROTO_TCP) {
145516Sdarrenr		tcp.th_win = htons(8192);
145516Sdarrenr		TCP_OFF_A(&tcp, sizeof(tcphdr_t) >> 2);
145516Sdarrenr		fi.fin_dlen = sizeof(tcphdr_t);
145516Sdarrenr		tcp.th_flags = TH_SYN;
145516Sdarrenr		nflags = NAT_TCP;
145516Sdarrenr	} else {
145516Sdarrenr		fi.fin_dlen = sizeof(udphdr_t);
145516Sdarrenr		nflags = NAT_UDP;
145516Sdarrenr	}
145516Sdarrenr
145516Sdarrenr	nflags |= SI_W_SPORT|NAT_SEARCH;
145516Sdarrenr	fi.fin_dp = &tcp;
145516Sdarrenr	fi.fin_plen = fi.fin_hlen + fi.fin_dlen;
145516Sdarrenr
145516Sdarrenr	/*
145516Sdarrenr	 * Search for existing NAT & state entries.  Pay close attention to
145516Sdarrenr	 * mutexes / locks grabbed from lookup routines, as not doing so could
145516Sdarrenr	 * lead to bad things.
145516Sdarrenr	 *
145516Sdarrenr	 * If successful, fr_stlookup returns with ipf_state locked.  We have
145516Sdarrenr	 * no use for this lock, so simply unlock it if necessary.
145516Sdarrenr	 */
255332Scy	is = ipf_state_lookup(&fi, &tcp, NULL);
170263Sdarrenr	if (is != NULL) {
255332Scy		RWLOCK_EXIT(&softc->ipf_state);
170263Sdarrenr	}
145516Sdarrenr
255332Scy	RWLOCK_EXIT(&softc->ipf_nat);
145516Sdarrenr
255332Scy	WRITE_ENTER(&softc->ipf_nat);
255332Scy	natl = ipf_nat_inlookup(&fi, nflags, proto, fi.fin_src, fi.fin_dst);
145516Sdarrenr
145516Sdarrenr	if ((natl != NULL) && (is != NULL)) {
255332Scy		MUTEX_DOWNGRADE(&softc->ipf_nat);
145516Sdarrenr		return(0);
145516Sdarrenr	}
145516Sdarrenr
145516Sdarrenr	/* Slightly modify the following structures for actual use in creating
145516Sdarrenr	 * NAT and/or state entries.  We're primarily concerned with stripping
145516Sdarrenr	 * flags that may be detrimental to the creation process or simply
145516Sdarrenr	 * shouldn't be associated with a table entry.
145516Sdarrenr	 */
145516Sdarrenr	fi.fin_fr = &rpcbfr;
145516Sdarrenr	fi.fin_flx &= ~FI_IGNORE;
145516Sdarrenr	nflags &= ~NAT_SEARCH;
145516Sdarrenr
145516Sdarrenr	if (natl == NULL) {
255332Scy#ifdef USE_MUTEXES
255332Scy		ipf_nat_softc_t *softn = softc->ipf_nat_soft;
255332Scy#endif
255332Scy
145516Sdarrenr		/* XXX Since we're just copying the original ipn contents
145516Sdarrenr		 * back, would we be better off just sending a pointer to
145516Sdarrenr		 * the 'temp' copy off to nat_new instead?
145516Sdarrenr		 */
145516Sdarrenr		/* Generate template/bogus NAT rule. */
145516Sdarrenr		bcopy((char *)ipn, (char *)&ipnat, sizeof(ipnat));
145516Sdarrenr		ipn->in_flags = nflags & IPN_TCPUDP;
145516Sdarrenr		ipn->in_apr = NULL;
255332Scy		ipn->in_pr[0] = proto;
255332Scy		ipn->in_pr[1] = proto;
255332Scy		ipn->in_dpmin = fi.fin_dport;
255332Scy		ipn->in_dpmax = fi.fin_dport;
255332Scy		ipn->in_dpnext = fi.fin_dport;
145516Sdarrenr		ipn->in_space = 1;
145516Sdarrenr		ipn->in_ippip = 1;
145516Sdarrenr		if (ipn->in_flags & IPN_FILTER) {
145516Sdarrenr			ipn->in_scmp = 0;
145516Sdarrenr			ipn->in_dcmp = 0;
145516Sdarrenr		}
255332Scy		ipn->in_plabel = -1;
145516Sdarrenr
145516Sdarrenr		/* Create NAT entry.  return NULL if this fails. */
255332Scy		MUTEX_ENTER(&softn->ipf_nat_new);
255332Scy		natl = ipf_nat_add(&fi, ipn, NULL, nflags|SI_CLONE|NAT_SLAVE,
145516Sdarrenr			       NAT_INBOUND);
255332Scy		MUTEX_EXIT(&softn->ipf_nat_new);
145516Sdarrenr
145516Sdarrenr		bcopy((char *)&ipnat, (char *)ipn, sizeof(ipnat));
145516Sdarrenr
145516Sdarrenr		if (natl == NULL) {
255332Scy			MUTEX_DOWNGRADE(&softc->ipf_nat);
145516Sdarrenr			return(-1);
145516Sdarrenr		}
145516Sdarrenr
255332Scy		natl->nat_ptr = ipn;
255332Scy		fi.fin_saddr = natl->nat_nsrcaddr;
255332Scy		fi.fin_daddr = natl->nat_ndstaddr;
145516Sdarrenr		ipn->in_use++;
255332Scy		(void) ipf_nat_proto(&fi, natl, nflags);
255332Scy		MUTEX_ENTER(&natl->nat_lock);
255332Scy		ipf_nat_update(&fi, natl);
255332Scy		MUTEX_EXIT(&natl->nat_lock);
145516Sdarrenr	}
255332Scy	MUTEX_DOWNGRADE(&softc->ipf_nat);
145516Sdarrenr
145516Sdarrenr	if (is == NULL) {
145516Sdarrenr		/* Create state entry.  Return NULL if this fails. */
145516Sdarrenr		fi.fin_flx |= FI_NATED;
145516Sdarrenr		fi.fin_flx &= ~FI_STATE;
145516Sdarrenr		nflags &= NAT_TCPUDP;
145516Sdarrenr		nflags |= SI_W_SPORT|SI_CLONE;
145516Sdarrenr
255332Scy		if (ipf_state_add(softc, &fi, NULL, nflags) != 0) {
145516Sdarrenr			/*
145516Sdarrenr			 * XXX nat_delete is private to ip_nat.c.  Should
145516Sdarrenr			 * check w/ Darren about this one.
145516Sdarrenr			 *
145516Sdarrenr			 * nat_delete(natl, NL_EXPIRE);
145516Sdarrenr			 */
145516Sdarrenr			return(-1);
145516Sdarrenr		}
145516Sdarrenr	}
145516Sdarrenr
145516Sdarrenr	return(0);
145516Sdarrenr}
145516Sdarrenr
145516Sdarrenr/* --------------------------------------------------------------------	*/
255332Scy/* Function:	ipf_p_rpcb_modv3						*/
145516Sdarrenr/* Returns:	int -- change in packet length				*/
145516Sdarrenr/* Parameters:	fin(I)	- pointer to packet information			*/
145516Sdarrenr/*		nat(I)	- pointer to NAT session			*/
145516Sdarrenr/*		rm(I)	- pointer to RPC message structure		*/
145516Sdarrenr/*		m(I)	- pointer to mbuf chain				*/
145516Sdarrenr/*		off(I)	- offset within mbuf chain			*/
145516Sdarrenr/*									*/
145516Sdarrenr/* Write a new universal address string to this packet, adjusting	*/
145516Sdarrenr/* lengths as necessary.						*/
145516Sdarrenr/* --------------------------------------------------------------------	*/
145516Sdarrenrstatic int
255332Scyipf_p_rpcb_modv3(fin, nat, rm, m, off)
145516Sdarrenr	fr_info_t *fin;
145516Sdarrenr	nat_t *nat;
145516Sdarrenr	rpc_msg_t *rm;
145516Sdarrenr	mb_t *m;
145516Sdarrenr	u_int off;
145516Sdarrenr{
145516Sdarrenr	u_int len, xlen, pos, bogo;
145516Sdarrenr	rpc_resp_t *rr;
145516Sdarrenr	char uaddr[24];
145516Sdarrenr	char *i, *p;
145516Sdarrenr	int diff;
145516Sdarrenr
145516Sdarrenr	rr = &rm->rm_resp;
255332Scy	i = (char *)&nat->nat_ndstaddr;
145516Sdarrenr	p = (char *)&rr->rr_v3.xu_port;
145516Sdarrenr
145516Sdarrenr	/* Form new string. */
145516Sdarrenr	bzero(uaddr, sizeof(uaddr)); /* Just in case we need padding. */
145516Sdarrenr#if defined(SNPRINTF) && defined(_KERNEL)
145516Sdarrenr	SNPRINTF(uaddr, sizeof(uaddr),
145516Sdarrenr#else
145516Sdarrenr	(void) sprintf(uaddr,
145516Sdarrenr#endif
145516Sdarrenr		       "%u.%u.%u.%u.%u.%u", i[0] & 0xff, i[1] & 0xff,
145516Sdarrenr		       i[2] & 0xff, i[3] & 0xff, p[0] & 0xff, p[1] & 0xff);
145516Sdarrenr	len = strlen(uaddr);
145516Sdarrenr	xlen = XDRALIGN(len);
145516Sdarrenr
145516Sdarrenr	/* Determine mbuf offset to write to. */
145516Sdarrenr	pos = (char *)rr->rr_v3.xu_xslen - rm->rm_msgbuf;
145516Sdarrenr	off += pos;
145516Sdarrenr
145516Sdarrenr	/* Write new string length. */
145516Sdarrenr	bogo = htonl(len);
145516Sdarrenr	COPYBACK(m, off, 4, (caddr_t)&bogo);
145516Sdarrenr	off += 4;
145516Sdarrenr
145516Sdarrenr	/* Write new string. */
145516Sdarrenr	COPYBACK(m, off, xlen, uaddr);
255332Scy
145516Sdarrenr	/* Determine difference in data lengths. */
145516Sdarrenr	diff = xlen - XDRALIGN(B(rr->rr_v3.xu_xslen));
145516Sdarrenr
145516Sdarrenr	/*
145516Sdarrenr	 * If our new string has a different length, make necessary
145516Sdarrenr	 * adjustments.
145516Sdarrenr	 */
145516Sdarrenr	if (diff != 0)
255332Scy		ipf_p_rpcb_fixlen(fin, diff);
145516Sdarrenr
145516Sdarrenr	return(diff);
145516Sdarrenr}
145516Sdarrenr
145516Sdarrenr/* --------------------------------------------------------------------	*/
255332Scy/* Function:	ipf_p_rpcb_modv4						*/
145516Sdarrenr/* Returns:	int -- change in packet length				*/
145516Sdarrenr/* Parameters:	fin(I)	- pointer to packet information			*/
145516Sdarrenr/*		nat(I)	- pointer to NAT session			*/
145516Sdarrenr/*		rm(I)	- pointer to RPC message structure		*/
145516Sdarrenr/*		m(I)	- pointer to mbuf chain				*/
145516Sdarrenr/*		off(I)	- offset within mbuf chain			*/
145516Sdarrenr/*									*/
145516Sdarrenr/* Write new rpcb_entry list, adjusting	lengths as necessary.		*/
145516Sdarrenr/* --------------------------------------------------------------------	*/
145516Sdarrenrstatic int
255332Scyipf_p_rpcb_modv4(fin, nat, rm, m, off)
145516Sdarrenr	fr_info_t *fin;
145516Sdarrenr	nat_t *nat;
145516Sdarrenr	rpc_msg_t *rm;
145516Sdarrenr	mb_t *m;
145516Sdarrenr	u_int off;
145516Sdarrenr{
145516Sdarrenr	u_int len, xlen, pos, bogo;
145516Sdarrenr	rpcb_listp_t *rl;
145516Sdarrenr	rpcb_entry_t *re;
145516Sdarrenr	rpc_resp_t *rr;
145516Sdarrenr	char uaddr[24];
145516Sdarrenr	int diff, cnt;
145516Sdarrenr	char *i, *p;
145516Sdarrenr
145516Sdarrenr	diff = 0;
145516Sdarrenr	rr = &rm->rm_resp;
145516Sdarrenr	rl = &rr->rr_v4;
145516Sdarrenr
255332Scy	i = (char *)&nat->nat_ndstaddr;
145516Sdarrenr
145516Sdarrenr	/* Determine mbuf offset to write to. */
145516Sdarrenr	re = &rl->rl_entries[0];
145516Sdarrenr	pos = (char *)re->re_maddr.xu_xslen - rm->rm_msgbuf;
145516Sdarrenr	off += pos;
145516Sdarrenr
145516Sdarrenr	for (cnt = 0; cnt < rl->rl_cnt; cnt++) {
145516Sdarrenr		re = &rl->rl_entries[cnt];
145516Sdarrenr		p = (char *)&re->re_maddr.xu_port;
145516Sdarrenr
145516Sdarrenr		/* Form new string. */
145516Sdarrenr		bzero(uaddr, sizeof(uaddr)); /* Just in case we need
145516Sdarrenr						padding. */
145516Sdarrenr#if defined(SNPRINTF) && defined(_KERNEL)
145516Sdarrenr		SNPRINTF(uaddr, sizeof(uaddr),
145516Sdarrenr#else
145516Sdarrenr		(void) sprintf(uaddr,
145516Sdarrenr#endif
145516Sdarrenr			       "%u.%u.%u.%u.%u.%u", i[0] & 0xff,
145516Sdarrenr			       i[1] & 0xff, i[2] & 0xff, i[3] & 0xff,
145516Sdarrenr			       p[0] & 0xff, p[1] & 0xff);
145516Sdarrenr		len = strlen(uaddr);
145516Sdarrenr		xlen = XDRALIGN(len);
145516Sdarrenr
145516Sdarrenr		/* Write new string length. */
145516Sdarrenr		bogo = htonl(len);
145516Sdarrenr		COPYBACK(m, off, 4, (caddr_t)&bogo);
145516Sdarrenr		off += 4;
145516Sdarrenr
145516Sdarrenr		/* Write new string. */
145516Sdarrenr		COPYBACK(m, off, xlen, uaddr);
145516Sdarrenr		off += xlen;
145516Sdarrenr
145516Sdarrenr		/* Record any change in length. */
145516Sdarrenr		diff += xlen - XDRALIGN(B(re->re_maddr.xu_xslen));
145516Sdarrenr
145516Sdarrenr		/* If the length changed, copy back the rest of this entry. */
145516Sdarrenr		len = ((char *)re->re_more + 4) -
145516Sdarrenr		       (char *)re->re_netid.xp_xslen;
145516Sdarrenr		if (diff != 0) {
145516Sdarrenr			COPYBACK(m, off, len, (caddr_t)re->re_netid.xp_xslen);
145516Sdarrenr		}
145516Sdarrenr		off += len;
145516Sdarrenr	}
145516Sdarrenr
145516Sdarrenr	/*
145516Sdarrenr	 * If our new string has a different length, make necessary
145516Sdarrenr	 * adjustments.
145516Sdarrenr	 */
145516Sdarrenr	if (diff != 0)
255332Scy		ipf_p_rpcb_fixlen(fin, diff);
145516Sdarrenr
145516Sdarrenr	return(diff);
145516Sdarrenr}
145516Sdarrenr
145516Sdarrenr
145516Sdarrenr/* --------------------------------------------------------------------	*/
255332Scy/* Function:    ipf_p_rpcb_fixlen                                        */
145516Sdarrenr/* Returns:     (void)                                                  */
145516Sdarrenr/* Parameters:  fin(I)  - pointer to packet information                 */
145516Sdarrenr/*              len(I)  - change in packet length                       */
145516Sdarrenr/*                                                                      */
145516Sdarrenr/* Adjust various packet related lengths held in structure and packet   */
145516Sdarrenr/* header fields.                                                       */
145516Sdarrenr/* --------------------------------------------------------------------	*/
145516Sdarrenrstatic void
255332Scyipf_p_rpcb_fixlen(fin, len)
145516Sdarrenr        fr_info_t *fin;
145516Sdarrenr        int len;
145516Sdarrenr{
145516Sdarrenr        udphdr_t *udp;
145516Sdarrenr
145516Sdarrenr        udp = fin->fin_dp;
145516Sdarrenr        udp->uh_ulen = htons(ntohs(udp->uh_ulen) + len);
255332Scy        fin->fin_plen += len;
255332Scy        fin->fin_ip->ip_len = htons(fin->fin_plen);
145516Sdarrenr        fin->fin_dlen += len;
145516Sdarrenr}
145516Sdarrenr
145516Sdarrenr#undef B