History log of /freebsd-9.3-release/sys/netinet/libalias/alias_db.c
Revision Date Author Comments
# 267654 19-Jun-2014 gjb

Copy stable/9 to releng/9.3 as part of the 9.3-RELEASE cycle.

Approved by: re (implicit)
Sponsored by: The FreeBSD Foundation

# 252150 24-Jun-2013 glebius

Merge r248158:
Remove LIBALIAS_LOCK_ASSERT(), including a couple with an uninitialized
argument, in code that isn't compiled in kernel.

PR: kern/176667
Sponsored by: Nginx, Inc.


# 225736 22-Sep-2011 kensmith

Copy head to stable/9 as part of 9.0-RELEASE release cycle.

Approved by: re (implicit)


# 223437 22-Jun-2011 ae

Export AddLink() function from libalias. It can be used when custom
alias address needs to be specified.
Add inbound handler to the alias_ftp module. It helps handle active
FTP transfer mode for the case with external clients and FTP server behind
NAT. Fix passive FTP transfer case for server behind NAT using redirect with
external IP address different from NAT ip address.

PR: kern/157957
Submitted by: Alexander V. Chernikov


# 220800 18-Apr-2011 glebius

LibAliasInit() should allocate memory with M_WAITOK flag. Modify it
and its callers.


# 211057 08-Aug-2010 ed

Don't use struct timezone.

The timezone structure acquired by gettimeofday() is not used at all.
Just remove it.


# 201758 07-Jan-2010 mbr

Remove extraneous semicolons, no functional changes.

Submitted by: Marc Balmer <marc@msys.ch>
MFC after: 1 week


# 188294 07-Feb-2009 piso

Add SCTP NAT support.

Submitted by: CAIA (http://caia.swin.edu.au)


# 185895 10-Dec-2008 zec

Conditionally compile out V_ globals while instantiating the appropriate
container structures, depending on VIMAGE_GLOBALS compile time option.

Make VIMAGE_GLOBALS a new compile-time option, which by default will not
be defined, resulting in instantiations of global variables selected for
V_irtualization (enclosed in #ifdef VIMAGE_GLOBALS blocks) to be
effectively compiled out. Instantiate new global container structures
to hold V_irtualized variables: vnet_net_0, vnet_inet_0, vnet_inet6_0,
vnet_ipsec_0, vnet_netgraph_0, and vnet_gif_0.

Update the VSYM() macro so that depending on VIMAGE_GLOBALS the V_
macros resolve either to the original globals, or to fields inside
container structures, i.e. effectively

#ifdef VIMAGE_GLOBALS
#define V_rt_tables rt_tables
#else
#define V_rt_tables vnet_net_0._rt_tables
#endif

Update SYSCTL_V_*() macros to operate either on globals or on fields
inside container structs.

Extend the internal kldsym() lookups with the ability to resolve
selected fields inside the virtualization container structs. This
applies only to the fields which are explicitly registered for kldsym()
visibility via VNET_MOD_DECLARE() and vnet_mod_register(), currently
this is done only in sys/net/if.c.

Fix a few broken instances of MODULE_GLOBAL() macro use in SCTP code,
and modify the MODULE_GLOBAL() macro to resolve to V_ macros, which in
turn result in proper code being generated depending on VIMAGE_GLOBALS.

De-virtualize local static variables in sys/contrib/pf/net/pf_subr.c
which were prematurely V_irtualized by automated V_ prepending scripts
during earlier merging steps. PF virtualization will be done
separately, most probably after next PF import.

Convert a few variable initializations at instantiation to
initialization in init functions, most notably in ipfw. Also convert
TUNABLE_INT() initializers for V_ variables to TUNABLE_FETCH_INT() in
initializer functions.

Discussed at: devsummit Strassburg
Reviewed by: bz, julian
Approved by: julian (mentor)
Obtained from: //depot/projects/vimage-commit2/...
X-MFC after: never
Sponsored by: NLnet Foundation, The FreeBSD Foundation


# 182488 30-Aug-2008 csjp

Improve the entropy of the source port randomization for network address
translation. It turns out this is useful for applications which require
source port randomization for security (i.e. dns servers).

Discussed with: secteam
Requested by: mlaier
MFC after: 2 weeks


# 179924 22-Jun-2008 mav

Partially revert previous commit. DeleteLink() does not delete permanent
links, so we should be aware of it and try to delete every link only once
or we will loop forever.


# 179480 01-Jun-2008 mav

Increase LINK_TABLE_OUT_SIZE from 101 to 4001 like LINK_TABLE_IN_SIZE
to reduce performance degradation under heavy outgoing scan/flood.
Scalability is now much more important than several kilobytes of RAM.

Remove unneeded TCP-specific expiration handling. Before this, connected
TCP sessions could never expire. Now connected TCP sessions will expire
after 24 hours of inactivity.

Simplify HouseKeeping() to avoid several mul/div-s per packet. Taking into
account increased LINK_TABLE_OUT_SIZE, precision is still much more than
required.


# 176884 06-Mar-2008 piso

MFP4:
restrict the utilization of direct pointers to the content of
ip packet. These modifications are functionally nop()s thus
can be merged with no side effects.


# 168458 07-Apr-2007 piso

Silence Coverity about an unused variable.

Reviewed by: glebius
Approved by: glebius (mentor)
MFC after: 3 days
CID: 538


# 165243 15-Dec-2006 piso

o made in kernel libalias mpsafe
o fixed a comment
o made in kernel libalias a bit less verbose (disabled automatic
logging every time a new link is added or deleted)

Approved by: glebius (mentor)


# 162674 26-Sep-2006 piso

Summer of Code 2005: improve libalias - part 1 of 2

With the first part of my previous Summer of Code work, we get:

-made libalias modular:

-support for 'particular' protocols (like ftp/irc/etc.) is no longer
hardcoded inside libalias, but it's available through external
modules loadable at runtime

-modules are available both in kernel (/boot/kernel/alias_*.ko) and
user land (/lib/libalias_*)

-protocols/applications modularized are: cuseeme, ftp, irc, nbt, pptp,
skinny and smedia

-added logging support for kernel side

-cleanup

After a buildworld, do a 'mergemaster -i' to install the file libalias.conf
in /etc or manually copy it.

During startup (and after every HUP signal) user land applications running
the new libalias will try to read a file in /etc called libalias.conf:
that file contains the list of modules to load.

User land applications affected by this commit are ppp and natd:
if libalias.conf is present in /etc you won't notice any difference.

The only kernel land bit affected by this commit is ng_nat:
if you are using ng_nat, and it doesn't correctly handle
ftp/irc/etc. sessions anymore, remember to kldload
the corresponding module (i.e. kldload alias_ftp).

General information and details about the inner working are available
in the libalias man page under the section 'MODULAR ARCHITECTURE
(AND ipfw(4) SUPPORT)'.

NOTA BENE: this commit affects _ONLY_ libalias, ipfw in-kernel nat
support will be part of the next libalias-related commit.

Approved by: glebius
Reviewed by: glebius, ru


# 150350 19-Sep-2005 andre

Use monotonic 'time_uptime' instead of 'time_second' as timebase
for timeouts.


# 145961 06-May-2005 glebius

s/DEBUG/LIBALIAS_DEBUG/, since DEBUG is defined in LINT and
not supported for kernel build.


# 145927 05-May-2005 glebius

Things required to build libalias as kernel module:
- kernel module declarations and handler.
- macros to map malloc(3) calls to malloc(9) ones.
- malloc(9) declarations.
- call finishoff() from module handler MOD_UNLOAD case
instead of atexit(3).
- use panic(9) instead of abort(3)
- take time from time_second instead of gettimeofday(2)
- define INADDR_NONE


# 145926 05-May-2005 glebius

Add NO_USE_SOCKETS knob, which cuts off functionality of socket binding.


# 145925 05-May-2005 glebius

Add NO_LOGGING knob, which cuts off functionality of debug logging to a file.


# 145921 05-May-2005 glebius

Play with includes so that libalias can be compiled both as userland
library and kernel module.


# 145868 04-May-2005 glebius

Cleanup IPFW2 ifdefs.


# 131699 06-Jul-2004 des

Introduce inline {ip,udp,tcp}_next() functions which take a pointer to an
{ip,udp,tcp} header and return a void * pointing to the payload (i.e. the
first byte past the end of the header and any required padding). Use them
consistently throughout libalias to a) reduce code duplication, b) improve
code legibility, c) get rid of a bunch of alignment warnings.


# 131614 05-Jul-2004 des

Make libalias WARNS?=6-clean. This mostly involves renaming variables
named link, foo_link or link_foo to lnk, foo_lnk or lnk_foo, fixing
signed / unsigned comparisons, and shoving unused function arguments
under the carpet.

I was hoping WARNS?=6 might reveal more serious problems, and perhaps
the source of the -O2 breakage, but found no smoking gun.


# 131613 05-Jul-2004 des

Parenthesize return values.


# 131612 05-Jul-2004 des

Mechanical whitespace cleanup.


# 127094 16-Mar-2004 des

Run through indent(1) so I can read the code without getting a headache.
The result isn't quite knf, but it's knfer than the original, and far
more consistent.


# 124621 17-Jan-2004 phk

Mostly mechanical rework of libalias:

Makes it possible to have multiple packet aliasing instances in a
single process by moving all static and global variables into an
instance structure called "struct libalias".

Redefine a new API based on s/PacketAlias/LibAlias/g

Add new "instance" argument to all functions in the new API.

Implement old API in terms of the new API.


# 120372 23-Sep-2003 marcus

Add Cisco Skinny Station protocol support to libalias, natd, and ppp.
Skinny is the protocol used by Cisco IP phones to talk to Cisco Call
Managers. With this code, one can use a Cisco IP phone behind a FreeBSD
NAT gateway.

Currently, having the Call Manager behind the NAT gateway is not supported.
More information on enabling Skinny support in libalias, natd, and ppp
can be found in those applications' manpages.

PR: 55843
Reviewed by: ru
Approved by: ru
MFC after: 30 days


# 119932 09-Sep-2003 ru

Fixed -Wpointer-arith warning.

Submitted by: Stefan Farfeleder
PR: bin/56653


# 115650 01-Jun-2003 ru

A new API function PacketAliasRedirectDynamic() can be used
to mark a fully specified static link as dynamic; i.e. make
it a one-time link.


# 115648 01-Jun-2003 ru

Make the PacketAliasSetAddress() function call optional. If it
is not called, and no static rules match an outgoing packet, the
latter retains its source IP address. This is in support of the
"static NAT only" mode.


# 100288 18-Jul-2002 luigi

Move IPFW2 definition before including ip_fw.h

Make indentation of new parts consistent with the style used for this file.


# 99623 08-Jul-2002 luigi

Fix a bug caused by dereferencing an invalid pointer when
no punch_fw was used.
Fix another couple of bugs which prevented rules from being
installed properly.

On passing, use IPFW2 instead of NEW_IPFW to compile the new code,
and slightly simplify the instruction generation code.


# 99207 01-Jul-2002 brian

Remove trailing whitespace


# 98943 27-Jun-2002 luigi

The new ipfw code.

This code makes use of variable-size kernel representation of rules
(exactly the same concept of BPF instructions, as used in the BSDI's
firewall), which makes firewall operation a lot faster, and the
code more readable and easier to extend and debug.

The interface with the rest of the system is unchanged, as witnessed
by this commit. The only extra kernel files that I am touching
are if_fw.h and ip_dummynet.c, which is quite tied to ipfw. In
userland I only had to touch those programs which manipulate the
internal representation of firewall rules.

The code is almost entirely new (and I believe I have written the
vast majority of those sections which were taken from the former
ip_fw.c), so rather than modifying the old ip_fw.c I decided to
create a new file, sys/netinet/ip_fw2.c . Same for the user
interface, which is in sbin/ipfw/ipfw2.c (it still compiles to
/sbin/ipfw). The old files are still there, and will be removed
in due time.

I have not renamed the header file because it would have required
touching a one-line change to a number of kernel files.

In terms of user interface, the new "ipfw" is supposed to accept
the old syntax for ipfw rules (and produce the same output with
"ipfw show"). Only a couple of the old options (out of some 30 of
them) have not been implemented, but they will be soon.

On the other hand, the new code has some very powerful extensions.
First, you can put "or" connectives between match fields (and soon
also between options), and write things like

ipfw add allow ip from { 1.2.3.4/27 or 5.6.7.8/30 } 10-23,25,1024-3000 to any

This should make rulesets slightly more compact (and lines longer!),
by condensing 2 or more of the old rules into single ones.

Also, as an example of how easy the rules can be extended, I have
implemented an 'address set' match pattern, where you can specify
an IP address in a format like this:

10.20.30.0/26{18,44,33,22,9}

which will match the set of hosts listed in braces belonging to the
subnet 10.20.30.0/26 . The match is done using a bitmap, so it is
essentially a constant time operation requiring a handful of CPU
instructions (and a very small amount of memory -- for a full /24
subnet, the instruction only consumes 40 bytes).

Again, in this commit I have focused on functionality and tried
to minimize changes to the other parts of the system. Some performance
improvement can be achieved with minor changes to the interface of
ip_fw_chk_t. This will be done later when this code is settled.

The code is meant to compile unmodified on RELENG_4 (once the
PACKET_TAG_* changes have been merged), for this reason
you will see #ifdef __FreeBSD_version in a couple of places.
This should minimize errors when (hopefully soon) it will be time
to do the MFC.


# 85964 03-Nov-2001 brian

cmott@scientech.com -> cm@linktel.net

Requested by: Charles Mott <cmott@scientech.com>


# 84195 30-Sep-2001 dillon

Add __FBSDID's to libalias


# 82001 20-Aug-2001 brian

Make the copyright consistent.

Previously approved by: Charles Mott <cmott@scientech.com>


# 77701 04-Jun-2001 brian

Add BSD-style copyright headers

Approved by: Charles Mott <cmott@scientech.com>


# 77485 30-May-2001 ru

Add an integer field to keep protocol-specific flags with links.

For FTP control connection, keep the CRLF end-of-line termination
status in there.

Fixed the bug when the first FTP command in a session was ignored.

PR: 24048
MFC after: 1 week


# 74778 25-Mar-2001 brian

Make header files conform to style(9).

Reviewed by (*): bde

(*) alias_local.h only got a cursory glance.


# 67980 30-Oct-2000 ru

Added boolean argument to link searching functions, indicating
whether they should create a link if lookup has failed or not.


# 67966 30-Oct-2000 ru

A significant rewrite of PPTP aliasing code.

PPTP links are no longer dropped by simple (and inappropriate in this
case) "inactivity timeout" procedure, only when requested through the
control connection.

It is now possible to have multiple PPTP servers running behind NAT.
Just redirect the incoming TCP traffic to port 1723, everything else
is done transparently.

Problems were reported and the fix was tested by:
Michael Adler <Michael.Adler@compaq.com>,
David Andersen <dga@lcs.mit.edu>


# 67316 19-Oct-2000 ru

A failure to allocate memory for auxiliary TCP data is now fatal.
This fixes a null pointer dereference problem that is unlikely to
happen in normal circumstances.


# 65280 31-Aug-2000 ru

Create aliasing links for incoming ICMP echo/timestamp requests.
This makes outgoing ICMP echo/timestamp replies be de-aliased
with the right source IP, not necessarily the primary aliasing IP.


# 64644 14-Aug-2000 ru

Fixed PunchFW code segmentation violation bug.

Reported by: Christian Schade <chris@cube.sax.de>


# 64643 14-Aug-2000 ru

Use queue(3) LIST_* macros for doubly-linked lists.


# 63899 26-Jul-2000 archie

Add address translation support for RTSP/RTP used by RealPlayer and
Quicktime streaming media applications.

Add a BUGS section to the man page.

Submitted by: Erik Salander <erik@whistle.com>


# 62159 27-Jun-2000 ru

Fixed PunchFWHole():
- ipfw always rejected rule with `neither in nor out' diagnostics.
- number of src/dst ports was not set properly.


# 61865 20-Jun-2000 ru

- Removed PacketAliasPptp() API function.
- SHLIB_MAJOR++.


# 61861 20-Jun-2000 ru

Added true support for PPTP aliasing. Some nice features include:

- Multiple PPTP clients behind NAT to the same or different servers.

- Single PPTP server behind NAT -- you just need to redirect TCP
port 1723 to a local machine. Multiple servers behind NAT is
possible but would require a simple API change.

- No API changes!

For more information on how this works see comments at the start of
the alias_pptp.c.

PacketAliasPptp() is no longer necessary and will be removed soon.

Submitted by: Erik Salander <erik@whistle.com>
Reviewed by: ru
Rewritten by: ru
Reviewed by: Erik Salander <erik@whistle.com>


# 61677 14-Jun-2000 ru

- Added support for passive mode FTP by aliasing 227 replies.
It does mean that it is now possible to run passive-mode FTP
server behind NAT.

- SECURITY: FTP aliasing engine now ensures that:
o the segment preceding a PORT/227 segment terminates with a \r\n;
o the IP address in the PORT/227 matches the source IP address of
the packet;
o the port number in the PORT command or 277 reply is greater than
or equal to 1024.

Submitted by: Erik Salander <erik@whistle.com>
Reviewed by: ru


# 60363 11-May-2000 brian

Revert the default behaviour for incoming connections so
that they (once again) go to the target machine rather than
the alias address.

PR: 18354
Submitted by: ru


# 59726 28-Apr-2000 ru

Replace PacketAliasRedirectPptp() (which had nothing specific
to PPTP) with more generic PacketAliasRedirectProto().

Major number is not bumped because it is believed that no one
has started using PacketAliasRedirectPptp() yet.


# 59702 27-Apr-2000 ru

Load Sharing using IP Network Address Translation (RFC 2391, LSNAT).

LSNAT links are first created by either PacketAliasRedirectPort() or
PacketAliasRedirectAddress() and then set up by one or more calls to
PacketAliasAddServer().


# 59356 18-Apr-2000 ru

Add support for multiple PPTP sessions:

- new API function: PacketAliasRedirectPptp()
- new mode bit: PKT_ALIAS_DENY_PPTP

Please see manual page for details.


# 59237 14-Apr-2000 ru

Apply TCP_EXPIRE_CONNECTED (86400 seconds) timeout only to established
connections, after SYN packets were seen from both ends. Before this,
it would get applied right after the first SYN packet was seen (either
from client or server). With broken TCP connection attempts, when the
remote end does not respond with SYNACK nor with RST, this resulted in
having a useless (i.e., no actual TCP connection associated with it) TCP
link with 86400 seconds TTL, wasting system memory. With high rate of
such broken connection attempts (for example, remote end simply blocks
these connection attempts with ipfw(8) without sending RST back), this
could result in a denial-of-service.

PR: bin/17963


# 59181 12-Apr-2000 ru

Make partially specified permanent links without `dst_addr'
but with `dst_port' work for outgoing packets.

This case was not handled properly when I first fixed this
in revision 1.17.

This change is also required for the upcoming improved PPTP
support patches -- that is how I found the problem.

Before this change:

# natd -v -a aliasIP \
-redirect_port tcp localIP:localPORT publicIP:publicPORT 0:remotePORT

Out [TCP] [TCP] localIP:localPORT -> remoteIP:remotePORT aliased to
[TCP] aliasIP:localPORT -> remoteIP:remotePORT

After this change:

# natd -v -a aliasIP \
-redirect_port tcp localIP:localPORT publicIP:publicPORT 0:remotePORT

Out [TCP] [TCP] localIP:localPORT -> remoteIP:remotePORT aliased to
[TCP] publicIP:publicPORT -> remoteIP:remotePORT


# 58877 31-Mar-2000 brian

Allow PacketAliasSetTarget() to be passed the following:
INADDR_NONE: Incoming packets go to the alias address (the default)
INADDR_ANY: Incoming packets are not NAT'd (direct access to the
internal network from outside)
anything else: Incoming packets go to the specified address

Change a few inaddr::s_addr == 0 to inaddr::s_addr == INADDR_ANY
while I'm there.


# 58866 31-Mar-2000 brian

When an incoming packet is received that is not specifically
redirected and when no target address has been specified, NAT
the destination address to the alias address rather than
allowing people direct access to your internal network from
outside.


# 58279 19-Mar-2000 brian

Make _FindLinkIn() static and only define GetDestPort when
NO_FW_PUNCH isn't defined.


# 54415 10-Dec-1999 archie

Fix a '&&' that should have been a '&'.

Submitted by: Erik Salander <erik@whistle.com>


# 51727 27-Sep-1999 ru

Properly handle the case when either the aliasing or source address of
the link is equal to the default aliasing address. Do not zero them!

This will fix the problem with non-working links added with the source
and/or aliasing address equal to the default aliasing address, but the
default aliasing address is set later, after the link has been set up,
like both natd(8) and ppp(8) do (for objective reasons).

Reviewed by: Brian Somers <brian@FreeBSD.org>,
Eivind Eklund <eivind@FreeBSD.org>,
Charles Mott <cmott@srv.net>


# 51550 22-Sep-1999 ru

ReLink() partial links in FindLinkOut() in the same manner as we do it
in FindLinkIn(). This will make TcpMonitorIn()/TcpMonitorOut() happy.

Reviewed by: eivind


# 51506 21-Sep-1999 ru

Restore previous version of FindLinkIn().

Instead, natd(8) should be fixed to call PacketAliasSetAddress()
as part of initialization, as required by libalias(3).


# 51494 21-Sep-1999 ru

- Make partially specified permanent links (without `dst_addr' and/or
`dst_port') work for outgoing packets.

- Make permanent links whose `alias_addr' matches the primary aliasing
address `aliasAddress' work for incoming packets.

- Typo fixes.

Reviewed by: brian, eivind


# 51491 20-Sep-1999 brian

sys/errno.h -> errno.h


# 50597 29-Aug-1999 billf

Add $FreeBSD$ and spell Eklund properly.

Approved by: brian (well, he approved adding $Id$)


# 47344 20-May-1999 eivind

Make incoming packets work as keepalives, too. This should fix problems
for some games.

Notified of problem by: tim@turbinegames.com


# 44616 09-Mar-1999 brian

Remove all diagnostics to stdout/stderr with #ifdef DEBUG
Statify functions in alias_nbt.c


# 44556 07-Mar-1999 brian

Document PacketAliasPptp() and allow it to be disabled
by passing INADDR_NONE.


# 44307 27-Feb-1999 brian

Version 3.0: January 1, 1999
- Transparent proxying support added.
- PPTP redirecting support added based on patches
contributed by Dru Nelson <dnelson@redwoodsoft.com>.

Submitted by: Charles Mott <cmott@srv.net>


# 42454 10-Jan-1999 brian

If we can't open alias.log, don't try to write to the
resulting NULL FILE *.
PR: 9403


# 35314 19-Apr-1998 brian

o Support a compile-time -DNO_FW_PUNCH for portability
(and those of us that don't want the functionality).
o Don't assume sizeof(long) == 4.
Ok'd by: Charles Mott <cmott@srv.net>


# 33897 27-Feb-1998 brian

1) in CleanupAliasData, don't nullify entry in linkTableOut
since there might be permanent entries still left after
calls to DeleteLink (it will be nullified by DeleteLink
if all entries are deleted, won't it ?)

2) in PacketAliasSetAddress, set the aliasing address
even when PKT_ALIAS_RESET_ON_ADDR_CHANGE is in effect.
Just don't clean up links in this case.

Submitted by: Ari Suutari <ari@suutari.iki.fi>
via: Charles Mott <cmott@srv.net>
PR: 5041


# 32443 11-Jan-1998 eivind

Remove use of <osreldate.h>.

Screwed up by: myself


# 32396 10-Jan-1998 alex

Sync with ipfw interface change: fw_pts is now part of a union (a
necessary evil due to the 108 byte setsockopt() limit).


# 32392 10-Jan-1998 jkh

include <net/if.h> and restore this to sanity.


# 32377 09-Jan-1998 eivind

Teach libalias to work with IPFW firewalls (controlled by a flag).

Obtained from: Yes development tree (+ 10 lines of patches from
Charles Mott, original libalias author)


# 28084 11-Aug-1997 brian

Fix file descriptor leak.

Submitted by: Charles Mott <cmott@srv.net>
Identified by: Gordon Burditt


# 27864 03-Aug-1997 brian

Update to version 2.2. Only the PacketAlias*()
functions should now be used. The old 2.1 stuff is
there for backwards compatibility.
Submitted by: Charles Mott <cmott@snake.srv.net>


# 26026 23-May-1997 brian

Create the alias library. This is currently only used by
ppp (or will be shortly). Natd can now be updated to use
this library rather than carrying its own version of the code.

Submitted by: Charles Mott <cmott@srv.net>