sys: Remove $FreeBSD$: two-line .h pattern

Remove /^\s*\*\n \*\s+\$FreeBSD\$$\n/

spdx: The BSD-2-Clause-FreeBSD identifier is obsolete, drop -FreeBSD

The SPDX folks have obsoleted the BSD-2-Clause-FreeBSD identifier. Catch
up to that fact and revert to their recommended match of BSD-2-Clause.

Discussed with: pfg
MFC After: 3 days
Sponsored by: Netflix

libalias: Switch to efficient data structure for incoming traffic

Current data structure is using a hash of unordered lists. Those
unordered lists are quite efficient, because the least recently
inserted entries are most likely to be used again. In order to avoid
long search times in other cases, the lists are hashed into many
buckets. Unfortunatly a search for a miss needs an exhaustive
inspection and a careful definition of the hash.

Splay trees offer a similar feature: Almost O(1) for access of the
least recently used entries, and amortized O(ln(n)) for almost all
other cases. Get rid of the hash.

Now the data structure should able to quickly react to external
packets without eating CPU cycles for breakfast, preventing a DoS.

PR: 192888
Discussed with: Dimitry Luhtionov
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D30536

libalias: Switch to efficient data structure for outgoing traffic

Current data structure is using a hash of unordered lists. Those
unordered lists are quite efficient, because the least recently
inserted entries are most likely to be used again. In order to avoid
long search times in other cases, the lists are hashed into many
buckets. Unfortunatly a search for a miss needs an exhaustive
inspection and a careful definition of the hash.

Splay trees offer a similar feature - almost O(1) for access of the
least recently used entries), and amortized O(ln(n) - for almost all
other cases. Get rid of the hash.

Discussed with: Dimitry Luhtionov
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D30516

libalias: Restructure - Remove temporary state deleteAllLinks from global struct

The entry deleteAllLinks in the struct libalias is only used to signal
a state between internal calls. It's not used between API calls.

MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D30604

libalias: Restructure - Table for PPTP

Let PPTP use its own data structure.
Regroup and rename other lists, which are not PPTP.

MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D30580

libalias: Restructure - Group incoming links

Reorder incoming links by grouping of common search terms.
Significant performance improvement for incoming (missing) flows.

Remove LSNAT from outgoing search.
Slight speedup due to less comparsions in the loop.

MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D30574

libalias: Restructure - Table for partially links

Separate the partially specified links into a separate data structure.

This would causes a major parformance impact, if there are many of
them. Use a (smaller) hash table to speed up the partially link
access.

MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D30570

libalias: Promote per instance global variable timeStamp

Summary:
- Use LibAliasTime as a real global variable for central timekeeping.
- Reduce number of syscalls in user space considerably.
- Dynamically adjust the packet counters to match the second resolution.
- Only check the first few packets after a time increase for expiry.

Discussed with: hselasky
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D30566

libalias: Stats are unsigned

Stats counters are used as unsigned valued (i.e. printf("%u")) but are
defined as signed int. This causes trouble later, so fix it early.

MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D30587

libalias: tidy up housekeeping

Replace current expensive, but sparsly called housekeeping
by a single, repetive action.

This is part of a larger restructure of libalias in order to switch to
more efficient data structures. The whole restructure process is
split into 15 reviews to ease reviewing. All those steps will be
squashed into a single commit for MFC in order to hide the
intermediate states from production systems.

Reviewed by: hselasky
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D30277

libalias: Remove unused function LibAliasCheckNewLink

The functionality to detect a newly created link after processing a
single packet is decoupled from the packet processing. Every new
packet is processed asynchronously and will reset the indicator, hence
the function is unusable. I made a Google search for third party code,
which uses the function, and failed to find one.

That's why the function should be removed: It unusable and unused.
A much simplified API/ABI will remain in anything below 14.

Discussed with: kp
Reviewed by: manpages (bcr)
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D30275

libalias: replace placeholder with static constant

The field nullAddress in struct libalias is never set and never used.
It exists as a placeholder for an unused argument only.

Reviewed by: hselasky
MFC after: 2 weeks
Differential Revision: https://reviews.freebsd.org/D30253

libalias: Style cleanup

libalias is a convolut of various coding styles modified by a series
of different editors enforcing interesting convetions on spacing and
comments.

This patch is a baseline to start with a perfomance rework of
libalias. Upcoming patches should be focus on the code, not on the
style. That's why most annoying style errors should be fixed
beforehand.

Reviewed by: hselasky
Discussed by: emaste
MFC after: 2 weeks
Differential Revision: https://reviews.freebsd.org/D30259

Allow setting alias port ranges in libalias and ipfw. This will allow a system
to be a true RFC 6598 NAT444 setup, where each network segment (e.g. user,
subnet) can have their own dedicated port aliasing ranges.

Reviewed by: donner, kp
Approved by: 0mp (mentor), donner, kp
Differential Revision: https://reviews.freebsd.org/D23450

libalias: Fix -Wcast-align compiler warnings

This fixes -Wcast-align warnings caused by the underaligned `struct ip`.
This also silences them in the public functions by changing the function
signature from char * to void *. This is source and binary compatible and
avoids the -Wcast-align warning.

Reviewed By: ae, gbe (manpages)
Differential Revision: https://reviews.freebsd.org/D27882

net: clean up empty lines in .c and .h files

sys: general adoption of SPDX licensing ID tags.

Mainly focus on files that use BSD 2-Clause license, however the tool I
was using misidentified many licenses so this was mostly a manual - error
prone - task.

The Software Package Data Exchange (SPDX) group provides a specification
to make it easier for automated tools to detect and summarize well known
opensource licenses. We are gradually adopting the specification, noting
that the tags are considered only advisory and do not, in any way,
superceed or replace the license texts.

No functional change intended.

Use inet_ntoa_r() instead of inet_ntoa() throughout the kernel

inet_ntoa() cannot be used safely in a multithreaded environment
because it uses a static local buffer. Instead, use inet_ntoa_r()
with a buffer on the caller's stack.

Suggested by: glebius, emaste
Reviewed by: gnn
MFC after: 2 weeks
Sponsored by: Dell EMC
Differential Revision: https://reviews.freebsd.org/D9625

sys/net*: minor spelling fixes.

No functional change.

Export AddLink() function from libalias. It can be used when custom
alias address needs to be specified.
Add inbound handler to the alias_ftp module. It helps handle active
FTP transfer mode for the case with external clients and FTP server behind
NAT. Fix passive FTP transfer case for server behind NAT using redirect with
external IP address different from NAT ip address.

PR: kern/157957
Submitted by: Alexander V. Chernikov

A new jail(8) with a configuration file, to replace the work currently done
by /etc/rc.d/jail.

Add SCTP NAT support.

Submitted by: CAIA (http://caia.swin.edu.au)

- Import the HEAD csup code which is the basis for the cvsmode work.

Increase LINK_TABLE_OUT_SIZE from 101 to 4001 like LINK_TABLE_IN_SIZE
to reduce performance degradation under heavy outgoing scan/flood.
Scalability is now much more important then several kilobytes of RAM.

Remove unneded TCP-specific expiration handeling. Before this connected
TCP sessions could never expire. Now connected TCP sessions will expire
after 24hours of inactivity.

Simplify HouseKeeping() to avoid several mul/div-s per packet. Taking into
account increased LINK_TABLE_OUT_SIZE, precision is still much more then
required.

MFP4:
restrict the utilization of direct pointers to the content of
ip packet. These modifications are functionally nop()s thus
can be merged with no side effects.

o made in kernel libalias mpsafe
o fixed a comment
o made in kernel libalias a bit less verbose (disabled automatic
logging everytime a new link is added or deleted)

Approved by: glebius (mentor)

Summer of Code 2005: improve libalias - part 1 of 2

With the first part of my previous Summer of Code work, we get:

-made libalias modular:

-support for 'particular' protocols (like ftp/irc/etcetc) is no more
hardcoded inside libalias, but it's available through external
modules loadable at runtime

-modules are available both in kernel (/boot/kernel/alias_*.ko) and
user land (/lib/libalias_*)

-protocols/applications modularized are: cuseeme, ftp, irc, nbt, pptp,
skinny and smedia

-added logging support for kernel side

-cleanup

After a buildworld, do a 'mergemaster -i' to install the file libalias.conf
in /etc or manually copy it.

During startup (and after every HUP signal) user land applications running
the new libalias will try to read a file in /etc called libalias.conf:
that file contains the list of modules to load.

User land applications affected by this commit are ppp and natd:
if libalias.conf is present in /etc you won't notice any difference.

The only kernel land bit affected by this commit is ng_nat:
if you are using ng_nat, and it doesn't correctly handle
ftp/irc/etcetc sessions anymore, remember to kldload
the correspondent module (i.e. kldload alias_ftp).

General information and details about the inner working are available
in the libalias man page under the section 'MODULAR ARCHITECTURE
(AND ipfw(4) SUPPORT)'.

NOTA BENE: this commit affects _ONLY_ libalias, ipfw in-kernel nat
support will be part of the next libalias-related commit.

Approved by: glebius
Reviewed by: glebius, ru

Disable checksum processing in LibAlias, when it works as a
kernel module. LibAlias is not aware about checksum offloading,
so the caller should provide checksum calculation. (The only
current consumer is ng_nat(4)). When TCP packet internals has
been changed and it requires checksum recalculation, a cookie
is set in th_x2 field of TCP packet, to inform caller that it
needs to recalculate checksum. This ugly hack would be removed
when LibAlias is made more kernel friendly.

Incremental checksum updates are left as is, since they don't
conflict with offloading.

Approved by: re (scottl)

Things required to build libalias as kernel module:
- kernel module declarations and handler.
- macros to map malloc(3) calls to malloc(9) ones.
- malloc(9) declarations.
- call finishoff() from module handler MOD_UNLOAD case
instead of atexit(3).
- use panic(9) instead of abort(3)
- take time from time_second instead of gettimeofday(2)
- define INADDR_NONE

Add NO_LOGGING knob, which cuts off functionality of debug logging to a file.

Introduce inline {ip,udp,tcp}_next() functions which take a pointer to an
{ip,udp,tcp} header and return a void * pointing to the payload (i.e. the
first byte past the end of the header and any required padding). Use them
consistently throughout libalias to a) reduce code duplication, b) improve
code legibility, c) get rid of a bunch of alignment warnings.

Make libalias WARNS?=6-clean. This mostly involves renaming variables
named link, foo_link or link_foo to lnk, foo_lnk or lnk_foo, fixing
signed / unsigned comparisons, and shoving unused function arguments
under the carpet.

I was hoping WARNS?=6 might reveal more serious problems, and perhaps
the source of the -O2 breakage, but found no smoking gun.

Deal with aliasing warnings.

Reviewed by: ru
Approved by: silence on the lists

Run through indent(1) so I can read the code without getting a headache.
The result isn't quite knf, but it's knfer than the original, and far
more consistent.

Mostly mechanical rework of libalias:

Makes it possible to have multiple packet aliasing instances in a
single process by moving all static and global variables into an
instance structure called "struct libalias".

Redefine a new API based on s/PacketAlias/LibAlias/g

Add new "instance" argument to all functions in the new API.

Implement old API in terms of the new API.

Add Cisco Skinny Station protocol support to libalias, natd, and ppp.
Skinny is the protocol used by Cisco IP phones to talk to Cisco Call
Managers. With this code, one can use a Cisco IP phone behind a FreeBSD
NAT gateway.

Currently, having the Call Manager behind the NAT gateway is not supported.
More information on enabling Skinny support in libalias, natd, and ppp
can be found in those applications' manpages.

PR: 55843
Reviewed by: ru
Approved by: ru
MFC after: 30 days

Remove trailing whitespace

cmott@scientech.com -> cm@linktel.net

Requested by: Charles Mott <cmott@scientech.com>

Add BSD-style copyright headers

Approved by: Charles Mott <cmott@scientech.com>

Add an integer field to keep protocol-specific flags with links.

For FTP control connection, keep the CRLF end-of-line termination
status in there.

Fixed the bug when the first FTP command in a session was ignored.

PR: 24048
MFC after: 1 week

Make header files conform to style(9).

Reviewed by (*): bde

(*) alias_local.h only got a cursory glance.

Added boolean argument to link searching functions, indicating
whether they should create a link if lookup has failed or not.

A significant rewrite of PPTP aliasing code.

PPTP links are no longer dropped by simple (and inappropriate in this
case) "inactivity timeout" procedure, only when requested through the
control connection.

It is now possible to have multiple PPTP servers running behind NAT.
Just redirect the incoming TCP traffic to port 1723, everything else
is done transparently.

Problems were reported and the fix was tested by:
Michael Adler <Michael.Adler@compaq.com>,
David Andersen <dga@lcs.mit.edu>

Add address translation support for RTSP/RTP used by RealPlayer and
Quicktime streaming media applications.

Add a BUGS section to the man page.

Submitted by: Erik Salander <erik@whistle.com>

Added true support for PPTP aliasing. Some nice features include:

- Multiple PPTP clients behind NAT to the same or different servers.

- Single PPTP server behind NAT -- you just need to redirect TCP
port 1723 to a local machine. Multiple servers behind NAT is
possible but would require a simple API change.

- No API changes!

For more information on how this works see comments at the start of
the alias_pptp.c.

PacketAliasPptp() is no longer necessary and will be removed soon.

Submitted by: Erik Salander <erik@whistle.com>
Reviewed by: ru
Rewritten by: ru
Reviewed by: Erik Salander <erik@whistle.com>

- Added support for passive mode FTP by aliasing 227 replies.
It does mean that it is now possible to run passive-mode FTP
server behind NAT.

- SECURITY: FTP aliasing engine now ensures that:
o the segment preceding a PORT/227 segment terminates with a \r\n;
o the IP address in the PORT/227 matches the source IP address of
the packet;
o the port number in the PORT command or 277 reply is greater than
or equal to 1024.

Submitted by: Erik Salander <erik@whistle.com>
Reviewed by: ru

Replace PacketAliasRedirectPptp() (which had nothing specific
to PPTP) with more generic PacketAliasRedirectProto().

Major number is not bumped because it is believed that noone
has started using PacketAliasRedirectPptp() yet.

Add support for multiple PPTP sessions:

- new API function: PacketAliasRedirectPptp()
- new mode bit: PKT_ALIAS_DENY_PPTP

Please see manual page for details.

- Moved NULL definition into private include file.
- Minor spelling fixes.

Add $FreeBSD$ and spell Eklund properly.

Approved by: brian (well, he approved adding $Id$)

Add a ``const'' and remove some inconsistent prototype args.

Version 3.0: January 1, 1999
- Transparent proxying support added.
- PPTP redirecting support added based on patches
contributed by Dru Nelson <dnelson@redwoodsoft.com>.

Submitted by: Charles Mott <cmott@srv.net>

Reviewed by: freebsd-current

Add bounds checking to netbios NS packet resolving code. This should
prevent natd from crashing on badly formed netbios packets (as might be
heard when the machine is sitting on a cable modem or certain DSL
networks), and also closes potential security holes that might have
exploited the lack of bounds checking in the previous version of the
code.

Add CUSEEME support. This has *not* been tested, nor
could I find anyone to test it, so please report any
problems to me.

Don't call PunchFWHole() ifdef NO_FW_PUNCH
Pointed out by: "Steve Sims" <SimsS@IBM.Net>

Primary verison of NetBIOS over TCP/IP. Now you can connect Windows
DOMAIN as DOMAIN user through NAT function. See also RFC1002 for
futher detail of SMB structure.

Submitted by: Atsushi Murai <amurai@spec.co.jp>

Teach libalias to work with IPFW firewalls (controlled by a flag).

Obtained from: Yes development tree (+ 10 lines of patches from
Charles Mott, original libalias author)

Update to version 2.2. Only the PacketAlias*()
functions should now be used. The old 2.1 stuff is
there for backwards compatability.
Submitted by: Charles Mott <cmott@snake.srv.net>

Create the alias library. This is currently only used by
ppp (or will be shortly). Natd can now be updated to use
this library rather than carrying its own version of the code.

Submitted by: Charles Mott <cmott@srv.net>