xref: /freebsd/sbin/natd/natd.c (revision 3416500aef140042c64bc149cb1ec6620483bc44)
1 /*
2  * natd - Network Address Translation Daemon for FreeBSD.
3  *
4  * This software is provided free of charge, with no
5  * warranty of any kind, either expressed or implied.
6  * Use at your own risk.
7  *
8  * You may copy, modify and distribute this software (natd.c) freely.
9  *
10  * Ari Suutari <suutari@iki.fi>
11  */
12 
13 #include <sys/cdefs.h>
14 __FBSDID("$FreeBSD$");
15 
16 #define SYSLOG_NAMES
17 
18 #include <sys/types.h>
19 #include <sys/socket.h>
20 #include <sys/sysctl.h>
21 #include <sys/time.h>
22 #include <sys/queue.h>
23 
24 #include <netinet/in.h>
25 #include <netinet/in_systm.h>
26 #include <netinet/ip.h>
27 #include <machine/in_cksum.h>
28 #include <netinet/tcp.h>
29 #include <netinet/udp.h>
30 #include <netinet/ip_icmp.h>
31 #include <net/if.h>
32 #include <net/if_dl.h>
33 #include <net/route.h>
34 #include <arpa/inet.h>
35 
36 #include <alias.h>
37 #include <ctype.h>
38 #include <err.h>
39 #include <errno.h>
40 #include <netdb.h>
41 #include <signal.h>
42 #include <stdio.h>
43 #include <stdlib.h>
44 #include <string.h>
45 #include <syslog.h>
46 #include <unistd.h>
47 
48 #include "natd.h"
49 
50 struct instance {
51 	const char		*name;
52 	struct libalias		*la;
53 	LIST_ENTRY(instance)	list;
54 
55 	int			ifIndex;
56 	int			assignAliasAddr;
57 	char*			ifName;
58 	int			logDropped;
59 	u_short			inPort;
60 	u_short			outPort;
61 	u_short			inOutPort;
62 	struct in_addr		aliasAddr;
63 	int			ifMTU;
64 	int			aliasOverhead;
65 	int			dropIgnoredIncoming;
66 	int			divertIn;
67 	int			divertOut;
68 	int			divertInOut;
69 };
70 
71 static LIST_HEAD(, instance) root = LIST_HEAD_INITIALIZER(root);
72 
73 struct libalias *mla;
74 static struct instance *mip;
75 static int ninstance = 1;
76 
77 /*
78  * Default values for input and output
79  * divert socket ports.
80  */
81 
82 #define	DEFAULT_SERVICE	"natd"
83 
84 /*
85  * Definition of a port range, and macros to deal with values.
86  * FORMAT:  HI 16-bits == first port in range, 0 == all ports.
87  *          LO 16-bits == number of ports in range
88  * NOTES:   - Port values are not stored in network byte order.
89  */
90 
91 typedef u_long port_range;
92 
93 #define GETLOPORT(x)     ((x) >> 0x10)
94 #define GETNUMPORTS(x)   ((x) & 0x0000ffff)
95 #define GETHIPORT(x)     (GETLOPORT((x)) + GETNUMPORTS((x)))
96 
97 /* Set y to be the low-port value in port_range variable x. */
98 #define SETLOPORT(x,y)   ((x) = ((x) & 0x0000ffff) | ((y) << 0x10))
99 
100 /* Set y to be the number of ports in port_range variable x. */
101 #define SETNUMPORTS(x,y) ((x) = ((x) & 0xffff0000) | (y))
102 
103 /*
104  * Function prototypes.
105  */
106 
107 static void	DoAliasing (int fd, int direction);
108 static void	DaemonMode (void);
109 static void	HandleRoutingInfo (int fd);
110 static void	Usage (void);
111 static char*	FormatPacket (struct ip*);
112 static void	PrintPacket (struct ip*);
113 static void	SyslogPacket (struct ip*, int priority, const char *label);
114 static int	SetAliasAddressFromIfName (const char *ifName);
115 static void	InitiateShutdown (int);
116 static void	Shutdown (int);
117 static void	RefreshAddr (int);
118 static void	ParseOption (const char* option, const char* parms);
119 static void	ReadConfigFile (const char* fileName);
120 static void	SetupPortRedirect (const char* parms);
121 static void	SetupProtoRedirect(const char* parms);
122 static void	SetupAddressRedirect (const char* parms);
123 static void	StrToAddr (const char* str, struct in_addr* addr);
124 static u_short  StrToPort (const char* str, const char* proto);
125 static int      StrToPortRange (const char* str, const char* proto, port_range *portRange);
126 static int 	StrToProto (const char* str);
127 static int      StrToAddrAndPortRange (char* str, struct in_addr* addr, char* proto, port_range *portRange);
128 static void	ParseArgs (int argc, char** argv);
129 static void	SetupPunchFW(const char *strValue);
130 static void	SetupSkinnyPort(const char *strValue);
131 static void	NewInstance(const char *name);
132 static void	DoGlobal (int fd);
133 static int	CheckIpfwRulenum(unsigned int rnum);
134 
135 /*
136  * Globals.
137  */
138 
139 static	int			verbose;
140 static 	int			background;
141 static	int			running;
142 static	int			logFacility;
143 
144 static 	int			dynamicMode;
145 static 	int			icmpSock;
146 static	int			logIpfwDenied;
147 static	const char*		pidName;
148 static	int			routeSock;
149 static	int			globalPort;
150 static	int			divertGlobal;
151 static	int			exitDelay;
152 
153 
154 int main (int argc, char** argv)
155 {
156 	struct sockaddr_in	addr;
157 	fd_set			readMask;
158 	int			fdMax;
159 	int			rval;
160 /*
161  * Initialize packet aliasing software.
162  * Done already here to be able to alter option bits
163  * during command line and configuration file processing.
164  */
165 	NewInstance("default");
166 
167 /*
168  * Parse options.
169  */
170 	verbose 		= 0;
171 	background		= 0;
172 	running			= 1;
173 	dynamicMode		= 0;
174  	logFacility		= LOG_DAEMON;
175 	logIpfwDenied		= -1;
176 	pidName			= PIDFILE;
177 	routeSock 		= -1;
178 	icmpSock 		= -1;
179 	fdMax	 		= -1;
180 	divertGlobal		= -1;
181 	exitDelay		= EXIT_DELAY;
182 
183 	ParseArgs (argc, argv);
184 /*
185  * Log ipfw(8) denied packets by default in verbose mode.
186  */
187 	if (logIpfwDenied == -1)
188 		logIpfwDenied = verbose;
189 /*
190  * Open syslog channel.
191  */
192 	openlog ("natd", LOG_CONS | LOG_PID | (verbose ? LOG_PERROR : 0),
193 		 logFacility);
194 
195 	LIST_FOREACH(mip, &root, list) {
196 		mla = mip->la;
197 /*
198  * If not doing the transparent proxying only,
199  * check that valid aliasing address has been given.
200  */
201 		if (mip->aliasAddr.s_addr == INADDR_NONE && mip->ifName == NULL &&
202 		    !(LibAliasSetMode(mla, 0,0) & PKT_ALIAS_PROXY_ONLY))
203 			errx (1, "instance %s: aliasing address not given", mip->name);
204 
205 		if (mip->aliasAddr.s_addr != INADDR_NONE && mip->ifName != NULL)
206 			errx (1, "both alias address and interface "
207 				 "name are not allowed");
208 /*
209  * Check that valid port number is known.
210  */
211 		if (mip->inPort != 0 || mip->outPort != 0)
212 			if (mip->inPort == 0 || mip->outPort == 0)
213 				errx (1, "both input and output ports are required");
214 
215 		if (mip->inPort == 0 && mip->outPort == 0 && mip->inOutPort == 0)
216 			ParseOption ("port", DEFAULT_SERVICE);
217 
218 /*
219  * Check if ignored packets should be dropped.
220  */
221 		mip->dropIgnoredIncoming = LibAliasSetMode (mla, 0, 0);
222 		mip->dropIgnoredIncoming &= PKT_ALIAS_DENY_INCOMING;
223 /*
224  * Create divert sockets. Use only one socket if -p was specified
225  * on command line. Otherwise, create separate sockets for
226  * outgoing and incoming connections.
227  */
228 		if (mip->inOutPort) {
229 
230 			mip->divertInOut = socket (PF_INET, SOCK_RAW, IPPROTO_DIVERT);
231 			if (mip->divertInOut == -1)
232 				Quit ("Unable to create divert socket.");
233 			if (mip->divertInOut > fdMax)
234 				fdMax = mip->divertInOut;
235 
236 			mip->divertIn  = -1;
237 			mip->divertOut = -1;
238 /*
239  * Bind socket.
240  */
241 
242 			addr.sin_family		= AF_INET;
243 			addr.sin_addr.s_addr	= INADDR_ANY;
244 			addr.sin_port		= mip->inOutPort;
245 
246 			if (bind (mip->divertInOut,
247 				  (struct sockaddr*) &addr,
248 				  sizeof addr) == -1)
249 				Quit ("Unable to bind divert socket.");
250 		}
251 		else {
252 
253 			mip->divertIn = socket (PF_INET, SOCK_RAW, IPPROTO_DIVERT);
254 			if (mip->divertIn == -1)
255 				Quit ("Unable to create incoming divert socket.");
256 			if (mip->divertIn > fdMax)
257 				fdMax = mip->divertIn;
258 
259 
260 			mip->divertOut = socket (PF_INET, SOCK_RAW, IPPROTO_DIVERT);
261 			if (mip->divertOut == -1)
262 				Quit ("Unable to create outgoing divert socket.");
263 			if (mip->divertOut > fdMax)
264 				fdMax = mip->divertOut;
265 
266 			mip->divertInOut = -1;
267 
268 /*
269  * Bind divert sockets.
270  */
271 
272 			addr.sin_family		= AF_INET;
273 			addr.sin_addr.s_addr	= INADDR_ANY;
274 			addr.sin_port		= mip->inPort;
275 
276 			if (bind (mip->divertIn,
277 				  (struct sockaddr*) &addr,
278 				  sizeof addr) == -1)
279 				Quit ("Unable to bind incoming divert socket.");
280 
281 			addr.sin_family		= AF_INET;
282 			addr.sin_addr.s_addr	= INADDR_ANY;
283 			addr.sin_port		= mip->outPort;
284 
285 			if (bind (mip->divertOut,
286 				  (struct sockaddr*) &addr,
287 				  sizeof addr) == -1)
288 				Quit ("Unable to bind outgoing divert socket.");
289 		}
290 /*
291  * Create routing socket if interface name specified and in dynamic mode.
292  */
293 		if (mip->ifName) {
294 			if (dynamicMode) {
295 
296 				if (routeSock == -1)
297 					routeSock = socket (PF_ROUTE, SOCK_RAW, 0);
298 				if (routeSock == -1)
299 					Quit ("Unable to create routing info socket.");
300 				if (routeSock > fdMax)
301 					fdMax = routeSock;
302 
303 				mip->assignAliasAddr = 1;
304 			}
305 			else {
306 				do {
307 					rval = SetAliasAddressFromIfName (mip->ifName);
308 					if (background == 0 || dynamicMode == 0)
309 						break;
310 					if (rval == EAGAIN)
311 						sleep(1);
312 				} while (rval == EAGAIN);
313 				if (rval != 0)
314 					exit(1);
315 			}
316 		}
317 
318 	}
319 	if (globalPort) {
320 
321 		divertGlobal = socket (PF_INET, SOCK_RAW, IPPROTO_DIVERT);
322 		if (divertGlobal == -1)
323 			Quit ("Unable to create divert socket.");
324 		if (divertGlobal > fdMax)
325 			fdMax = divertGlobal;
326 
327 /*
328 * Bind socket.
329 */
330 
331 		addr.sin_family		= AF_INET;
332 		addr.sin_addr.s_addr	= INADDR_ANY;
333 		addr.sin_port		= globalPort;
334 
335 		if (bind (divertGlobal,
336 			  (struct sockaddr*) &addr,
337 			  sizeof addr) == -1)
338 			Quit ("Unable to bind global divert socket.");
339 	}
340 /*
341  * Create socket for sending ICMP messages.
342  */
343 	icmpSock = socket (AF_INET, SOCK_RAW, IPPROTO_ICMP);
344 	if (icmpSock == -1)
345 		Quit ("Unable to create ICMP socket.");
346 
347 /*
348  * And disable reads for the socket, otherwise it slowly fills
349  * up with received icmps which we do not use.
350  */
351 	shutdown(icmpSock, SHUT_RD);
352 
353 /*
354  * Become a daemon unless verbose mode was requested.
355  */
356 	if (!verbose)
357 		DaemonMode ();
358 /*
359  * Catch signals to manage shutdown and
360  * refresh of interface address.
361  */
362 	siginterrupt(SIGTERM, 1);
363 	siginterrupt(SIGHUP, 1);
364 	if (exitDelay)
365 		signal(SIGTERM, InitiateShutdown);
366 	else
367 		signal(SIGTERM, Shutdown);
368 	signal (SIGHUP, RefreshAddr);
369 /*
370  * Set alias address if it has been given.
371  */
372 	mip = LIST_FIRST(&root);	/* XXX: simon */
373 	LIST_FOREACH(mip, &root, list) {
374 		mla = mip->la;
375 		if (mip->aliasAddr.s_addr != INADDR_NONE)
376 			LibAliasSetAddress (mla, mip->aliasAddr);
377 	}
378 
379 	while (running) {
380 		mip = LIST_FIRST(&root);	/* XXX: simon */
381 
382 		if (mip->divertInOut != -1 && !mip->ifName && ninstance == 1) {
383 /*
384  * When using only one socket, just call
385  * DoAliasing repeatedly to process packets.
386  */
387 			DoAliasing (mip->divertInOut, DONT_KNOW);
388 			continue;
389 		}
390 /*
391  * Build read mask from socket descriptors to select.
392  */
393 		FD_ZERO (&readMask);
394 /*
395  * Check if new packets are available.
396  */
397 		LIST_FOREACH(mip, &root, list) {
398 			if (mip->divertIn != -1)
399 				FD_SET (mip->divertIn, &readMask);
400 
401 			if (mip->divertOut != -1)
402 				FD_SET (mip->divertOut, &readMask);
403 
404 			if (mip->divertInOut != -1)
405 				FD_SET (mip->divertInOut, &readMask);
406 		}
407 /*
408  * Routing info is processed always.
409  */
410 		if (routeSock != -1)
411 			FD_SET (routeSock, &readMask);
412 
413 		if (divertGlobal != -1)
414 			FD_SET (divertGlobal, &readMask);
415 
416 		if (select (fdMax + 1,
417 			    &readMask,
418 			    NULL,
419 			    NULL,
420 			    NULL) == -1) {
421 
422 			if (errno == EINTR)
423 				continue;
424 
425 			Quit ("Select failed.");
426 		}
427 
428 		if (divertGlobal != -1)
429 			if (FD_ISSET (divertGlobal, &readMask))
430 				DoGlobal (divertGlobal);
431 		LIST_FOREACH(mip, &root, list) {
432 			mla = mip->la;
433 			if (mip->divertIn != -1)
434 				if (FD_ISSET (mip->divertIn, &readMask))
435 					DoAliasing (mip->divertIn, INPUT);
436 
437 			if (mip->divertOut != -1)
438 				if (FD_ISSET (mip->divertOut, &readMask))
439 					DoAliasing (mip->divertOut, OUTPUT);
440 
441 			if (mip->divertInOut != -1)
442 				if (FD_ISSET (mip->divertInOut, &readMask))
443 					DoAliasing (mip->divertInOut, DONT_KNOW);
444 
445 		}
446 		if (routeSock != -1)
447 			if (FD_ISSET (routeSock, &readMask))
448 				HandleRoutingInfo (routeSock);
449 	}
450 
451 	if (background)
452 		unlink (pidName);
453 
454 	return 0;
455 }
456 
457 static void DaemonMode(void)
458 {
459 	FILE*	pidFile;
460 
461 	daemon (0, 0);
462 	background = 1;
463 
464 	pidFile = fopen (pidName, "w");
465 	if (pidFile) {
466 
467 		fprintf (pidFile, "%d\n", getpid ());
468 		fclose (pidFile);
469 	}
470 }
471 
472 static void ParseArgs (int argc, char** argv)
473 {
474 	int		arg;
475 	char*		opt;
476 	char		parmBuf[256];
477 	int		len; /* bounds checking */
478 
479 	for (arg = 1; arg < argc; arg++) {
480 
481 		opt  = argv[arg];
482 		if (*opt != '-') {
483 
484 			warnx ("invalid option %s", opt);
485 			Usage ();
486 		}
487 
488 		parmBuf[0] = '\0';
489 		len = 0;
490 
491 		while (arg < argc - 1) {
492 
493 			if (argv[arg + 1][0] == '-')
494 				break;
495 
496 			if (len) {
497 				strncat (parmBuf, " ", sizeof(parmBuf) - (len + 1));
498 				len += strlen(parmBuf + len);
499 			}
500 
501 			++arg;
502 			strncat (parmBuf, argv[arg], sizeof(parmBuf) - (len + 1));
503 			len += strlen(parmBuf + len);
504 
505 		}
506 
507 		ParseOption (opt + 1, (len ? parmBuf : NULL));
508 
509 	}
510 }
511 
512 static void DoGlobal (int fd)
513 {
514 	int			bytes;
515 	int			origBytes;
516 	char			buf[IP_MAXPACKET];
517 	struct sockaddr_in	addr;
518 	int			wrote;
519 	socklen_t		addrSize;
520 	struct ip*		ip;
521 	char			msgBuf[80];
522 
523 /*
524  * Get packet from socket.
525  */
526 	addrSize  = sizeof addr;
527 	origBytes = recvfrom (fd,
528 			      buf,
529 			      sizeof buf,
530 			      0,
531 			      (struct sockaddr*) &addr,
532 			      &addrSize);
533 
534 	if (origBytes == -1) {
535 
536 		if (errno != EINTR)
537 			Warn ("read from divert socket failed");
538 
539 		return;
540 	}
541 
542 #if 0
543 	if (mip->assignAliasAddr) {
544 		if (SetAliasAddressFromIfName (mip->ifName) != 0)
545 			exit(1);
546 		mip->assignAliasAddr = 0;
547 	}
548 #endif
549 /*
550  * This is an IP packet.
551  */
552 	ip = (struct ip*) buf;
553 
554 	if (verbose) {
555 /*
556  * Print packet direction and protocol type.
557  */
558 		printf ("Glb ");
559 
560 		switch (ip->ip_p) {
561 		case IPPROTO_TCP:
562 			printf ("[TCP]  ");
563 			break;
564 
565 		case IPPROTO_UDP:
566 			printf ("[UDP]  ");
567 			break;
568 
569 		case IPPROTO_ICMP:
570 			printf ("[ICMP] ");
571 			break;
572 
573 		default:
574 			printf ("[%d]    ", ip->ip_p);
575 			break;
576 		}
577 /*
578  * Print addresses.
579  */
580 		PrintPacket (ip);
581 	}
582 
583 	LIST_FOREACH(mip, &root, list) {
584 		mla = mip->la;
585 		if (LibAliasOutTry (mla, buf, IP_MAXPACKET, 0) != PKT_ALIAS_IGNORED)
586 			break;
587 	}
588 /*
589  * Length might have changed during aliasing.
590  */
591 	bytes = ntohs (ip->ip_len);
592 /*
593  * Update alias overhead size for outgoing packets.
594  */
595 	if (mip != NULL && bytes - origBytes > mip->aliasOverhead)
596 		mip->aliasOverhead = bytes - origBytes;
597 
598 	if (verbose) {
599 
600 /*
601  * Print addresses after aliasing.
602  */
603 		printf (" aliased to\n");
604 		printf ("           ");
605 		PrintPacket (ip);
606 		printf ("\n");
607 	}
608 
609 /*
610  * Put packet back for processing.
611  */
612 	wrote = sendto (fd,
613 		        buf,
614 	    		bytes,
615 	    		0,
616 	    		(struct sockaddr*) &addr,
617 	    		sizeof addr);
618 
619 	if (wrote != bytes) {
620 
621 		if (errno == EMSGSIZE && mip != NULL) {
622 
623 			if (mip->ifMTU != -1)
624 				SendNeedFragIcmp (icmpSock,
625 						  (struct ip*) buf,
626 						  mip->ifMTU - mip->aliasOverhead);
627 		}
628 		else if (errno == EACCES && logIpfwDenied) {
629 
630 			sprintf (msgBuf, "failed to write packet back");
631 			Warn (msgBuf);
632 		}
633 	}
634 }
635 
636 
637 static void DoAliasing (int fd, int direction)
638 {
639 	int			bytes;
640 	int			origBytes;
641 	char			buf[IP_MAXPACKET];
642 	struct sockaddr_in	addr;
643 	int			wrote;
644 	int			status;
645 	socklen_t		addrSize;
646 	struct ip*		ip;
647 	char			msgBuf[80];
648 	int			rval;
649 
650 	if (mip->assignAliasAddr) {
651 		do {
652 			rval = SetAliasAddressFromIfName (mip->ifName);
653 			if (background == 0 || dynamicMode == 0)
654 				break;
655 			if (rval == EAGAIN)
656 				sleep(1);
657 		} while (rval == EAGAIN);
658 		if (rval != 0)
659 			exit(1);
660 		mip->assignAliasAddr = 0;
661 	}
662 /*
663  * Get packet from socket.
664  */
665 	addrSize  = sizeof addr;
666 	origBytes = recvfrom (fd,
667 			      buf,
668 			      sizeof buf,
669 			      0,
670 			      (struct sockaddr*) &addr,
671 			      &addrSize);
672 
673 	if (origBytes == -1) {
674 
675 		if (errno != EINTR)
676 			Warn ("read from divert socket failed");
677 
678 		return;
679 	}
680 /*
681  * This is an IP packet.
682  */
683 	ip = (struct ip*) buf;
684 	if (direction == DONT_KNOW) {
685 		if (addr.sin_addr.s_addr == INADDR_ANY)
686 			direction = OUTPUT;
687 		else
688 			direction = INPUT;
689 	}
690 
691 	if (verbose) {
692 /*
693  * Print packet direction and protocol type.
694  */
695 		printf (direction == OUTPUT ? "Out " : "In  ");
696 		if (ninstance > 1)
697 			printf ("{%s}", mip->name);
698 
699 		switch (ip->ip_p) {
700 		case IPPROTO_TCP:
701 			printf ("[TCP]  ");
702 			break;
703 
704 		case IPPROTO_UDP:
705 			printf ("[UDP]  ");
706 			break;
707 
708 		case IPPROTO_ICMP:
709 			printf ("[ICMP] ");
710 			break;
711 
712 		default:
713 			printf ("[%d]    ", ip->ip_p);
714 			break;
715 		}
716 /*
717  * Print addresses.
718  */
719 		PrintPacket (ip);
720 	}
721 
722 	if (direction == OUTPUT) {
723 /*
724  * Outgoing packets. Do aliasing.
725  */
726 		LibAliasOut (mla, buf, IP_MAXPACKET);
727 	}
728 	else {
729 
730 /*
731  * Do aliasing.
732  */
733 		status = LibAliasIn (mla, buf, IP_MAXPACKET);
734 		if (status == PKT_ALIAS_IGNORED &&
735 		    mip->dropIgnoredIncoming) {
736 
737 			if (verbose)
738 				printf (" dropped.\n");
739 
740 			if (mip->logDropped)
741 				SyslogPacket (ip, LOG_WARNING, "denied");
742 
743 			return;
744 		}
745 	}
746 /*
747  * Length might have changed during aliasing.
748  */
749 	bytes = ntohs (ip->ip_len);
750 /*
751  * Update alias overhead size for outgoing packets.
752  */
753 	if (direction == OUTPUT &&
754 	    bytes - origBytes > mip->aliasOverhead)
755 		mip->aliasOverhead = bytes - origBytes;
756 
757 	if (verbose) {
758 
759 /*
760  * Print addresses after aliasing.
761  */
762 		printf (" aliased to\n");
763 		printf ("           ");
764 		PrintPacket (ip);
765 		printf ("\n");
766 	}
767 
768 /*
769  * Put packet back for processing.
770  */
771 	wrote = sendto (fd,
772 		        buf,
773 	    		bytes,
774 	    		0,
775 	    		(struct sockaddr*) &addr,
776 	    		sizeof addr);
777 
778 	if (wrote != bytes) {
779 
780 		if (errno == EMSGSIZE) {
781 
782 			if (direction == OUTPUT &&
783 			    mip->ifMTU != -1)
784 				SendNeedFragIcmp (icmpSock,
785 						  (struct ip*) buf,
786 						  mip->ifMTU - mip->aliasOverhead);
787 		}
788 		else if (errno == EACCES && logIpfwDenied) {
789 
790 			sprintf (msgBuf, "failed to write packet back");
791 			Warn (msgBuf);
792 		}
793 	}
794 }
795 
796 static void HandleRoutingInfo (int fd)
797 {
798 	int			bytes;
799 	struct if_msghdr	ifMsg;
800 /*
801  * Get packet from socket.
802  */
803 	bytes = read (fd, &ifMsg, sizeof ifMsg);
804 	if (bytes == -1) {
805 
806 		Warn ("read from routing socket failed");
807 		return;
808 	}
809 
810 	if (ifMsg.ifm_version != RTM_VERSION) {
811 
812 		Warn ("unexpected packet read from routing socket");
813 		return;
814 	}
815 
816 	if (verbose)
817 		printf ("Routing message %#x received.\n", ifMsg.ifm_type);
818 
819 	if ((ifMsg.ifm_type == RTM_NEWADDR || ifMsg.ifm_type == RTM_IFINFO)) {
820 		LIST_FOREACH(mip, &root, list) {
821 			mla = mip->la;
822 			if (ifMsg.ifm_index == mip->ifIndex) {
823 				if (verbose)
824 					printf("Interface address/MTU has probably changed.\n");
825 				mip->assignAliasAddr = 1;
826 			}
827 		}
828 	}
829 }
830 
831 static void PrintPacket (struct ip* ip)
832 {
833 	printf ("%s", FormatPacket (ip));
834 }
835 
836 static void SyslogPacket (struct ip* ip, int priority, const char *label)
837 {
838 	syslog (priority, "%s %s", label, FormatPacket (ip));
839 }
840 
841 static char* FormatPacket (struct ip* ip)
842 {
843 	static char	buf[256];
844 	struct tcphdr*	tcphdr;
845 	struct udphdr*	udphdr;
846 	struct icmp*	icmphdr;
847 	char		src[20];
848 	char		dst[20];
849 
850 	strcpy (src, inet_ntoa (ip->ip_src));
851 	strcpy (dst, inet_ntoa (ip->ip_dst));
852 
853 	switch (ip->ip_p) {
854 	case IPPROTO_TCP:
855 		tcphdr = (struct tcphdr*) ((char*) ip + (ip->ip_hl << 2));
856 		sprintf (buf, "[TCP] %s:%d -> %s:%d",
857 			      src,
858 			      ntohs (tcphdr->th_sport),
859 			      dst,
860 			      ntohs (tcphdr->th_dport));
861 		break;
862 
863 	case IPPROTO_UDP:
864 		udphdr = (struct udphdr*) ((char*) ip + (ip->ip_hl << 2));
865 		sprintf (buf, "[UDP] %s:%d -> %s:%d",
866 			      src,
867 			      ntohs (udphdr->uh_sport),
868 			      dst,
869 			      ntohs (udphdr->uh_dport));
870 		break;
871 
872 	case IPPROTO_ICMP:
873 		icmphdr = (struct icmp*) ((char*) ip + (ip->ip_hl << 2));
874 		sprintf (buf, "[ICMP] %s -> %s %u(%u)",
875 			      src,
876 			      dst,
877 			      icmphdr->icmp_type,
878 			      icmphdr->icmp_code);
879 		break;
880 
881 	default:
882 		sprintf (buf, "[%d] %s -> %s ", ip->ip_p, src, dst);
883 		break;
884 	}
885 
886 	return buf;
887 }
888 
889 static int
890 SetAliasAddressFromIfName(const char *ifn)
891 {
892 	size_t needed;
893 	int mib[6];
894 	char *buf, *lim, *next;
895 	struct if_msghdr *ifm;
896 	struct ifa_msghdr *ifam;
897 	struct sockaddr_dl *sdl;
898 	struct sockaddr_in *sin;
899 
900 	mib[0] = CTL_NET;
901 	mib[1] = PF_ROUTE;
902 	mib[2] = 0;
903 	mib[3] = AF_INET;	/* Only IP addresses please */
904 	mib[4] = NET_RT_IFLIST;
905 	mib[5] = 0;		/* ifIndex??? */
906 /*
907  * Get interface data.
908  */
909 	if (sysctl(mib, 6, NULL, &needed, NULL, 0) == -1)
910 		err(1, "iflist-sysctl-estimate");
911 	if ((buf = malloc(needed)) == NULL)
912 		errx(1, "malloc failed");
913 	if (sysctl(mib, 6, buf, &needed, NULL, 0) == -1 && errno != ENOMEM)
914 		err(1, "iflist-sysctl-get");
915 	lim = buf + needed;
916 /*
917  * Loop through interfaces until one with
918  * given name is found. This is done to
919  * find correct interface index for routing
920  * message processing.
921  */
922 	mip->ifIndex	= 0;
923 	next = buf;
924 	while (next < lim) {
925 		ifm = (struct if_msghdr *)next;
926 		next += ifm->ifm_msglen;
927 		if (ifm->ifm_version != RTM_VERSION) {
928 			if (verbose)
929 				warnx("routing message version %d "
930 				      "not understood", ifm->ifm_version);
931 			continue;
932 		}
933 		if (ifm->ifm_type == RTM_IFINFO) {
934 			sdl = (struct sockaddr_dl *)(ifm + 1);
935 			if (strlen(ifn) == sdl->sdl_nlen &&
936 			    strncmp(ifn, sdl->sdl_data, sdl->sdl_nlen) == 0) {
937 				mip->ifIndex = ifm->ifm_index;
938 				mip->ifMTU = ifm->ifm_data.ifi_mtu;
939 				break;
940 			}
941 		}
942 	}
943 	if (!mip->ifIndex)
944 		errx(1, "unknown interface name %s", ifn);
945 /*
946  * Get interface address.
947  */
948 	sin = NULL;
949 	while (next < lim) {
950 		ifam = (struct ifa_msghdr *)next;
951 		next += ifam->ifam_msglen;
952 		if (ifam->ifam_version != RTM_VERSION) {
953 			if (verbose)
954 				warnx("routing message version %d "
955 				      "not understood", ifam->ifam_version);
956 			continue;
957 		}
958 		if (ifam->ifam_type != RTM_NEWADDR)
959 			break;
960 		if (ifam->ifam_addrs & RTA_IFA) {
961 			int i;
962 			char *cp = (char *)(ifam + 1);
963 
964 			for (i = 1; i < RTA_IFA; i <<= 1)
965 				if (ifam->ifam_addrs & i)
966 					cp += SA_SIZE((struct sockaddr *)cp);
967 			if (((struct sockaddr *)cp)->sa_family == AF_INET) {
968 				sin = (struct sockaddr_in *)cp;
969 				break;
970 			}
971 		}
972 	}
973 	if (sin == NULL) {
974 		warnx("%s: cannot get interface address", ifn);
975 		free(buf);
976 		return EAGAIN;
977 	}
978 
979 	LibAliasSetAddress(mla, sin->sin_addr);
980 	syslog(LOG_INFO, "Aliasing to %s, mtu %d bytes",
981 	       inet_ntoa(sin->sin_addr), mip->ifMTU);
982 
983 	free(buf);
984 
985 	return 0;
986 }
987 
988 void Quit (const char* msg)
989 {
990 	Warn (msg);
991 	exit (1);
992 }
993 
994 void Warn (const char* msg)
995 {
996 	if (background)
997 		syslog (LOG_ALERT, "%s (%m)", msg);
998 	else
999 		warn ("%s", msg);
1000 }
1001 
1002 static void RefreshAddr (int sig __unused)
1003 {
1004 	LibAliasRefreshModules();
1005 	if (mip != NULL && mip->ifName != NULL)
1006 		mip->assignAliasAddr = 1;
1007 }
1008 
1009 static void InitiateShutdown (int sig __unused)
1010 {
1011 /*
1012  * Start timer to allow kernel gracefully
1013  * shutdown existing connections when system
1014  * is shut down.
1015  */
1016 	siginterrupt(SIGALRM, 1);
1017 	signal (SIGALRM, Shutdown);
1018 	ualarm(exitDelay*1000, 1000);
1019 }
1020 
1021 static void Shutdown (int sig __unused)
1022 {
1023 	running = 0;
1024 }
1025 
1026 /*
1027  * Different options recognized by this program.
1028  */
1029 
1030 enum Option {
1031 
1032 	LibAliasOption,
1033 	Instance,
1034 	Verbose,
1035 	InPort,
1036 	OutPort,
1037 	Port,
1038 	GlobalPort,
1039 	AliasAddress,
1040 	TargetAddress,
1041 	InterfaceName,
1042 	RedirectPort,
1043 	RedirectProto,
1044 	RedirectAddress,
1045 	ConfigFile,
1046 	DynamicMode,
1047 	ProxyRule,
1048  	LogDenied,
1049  	LogFacility,
1050 	PunchFW,
1051 	SkinnyPort,
1052 	LogIpfwDenied,
1053 	PidFile,
1054 	ExitDelay
1055 };
1056 
1057 enum Param {
1058 
1059 	YesNo,
1060 	Numeric,
1061 	String,
1062 	None,
1063 	Address,
1064 	Service
1065 };
1066 
1067 /*
1068  * Option information structure (used by ParseOption).
1069  */
1070 
1071 struct OptionInfo {
1072 
1073 	enum Option		type;
1074 	int			packetAliasOpt;
1075 	enum Param		parm;
1076 	const char*		parmDescription;
1077 	const char*		description;
1078 	const char*		name;
1079 	const char*		shortName;
1080 };
1081 
1082 /*
1083  * Table of known options.
1084  */
1085 
1086 static struct OptionInfo optionTable[] = {
1087 
1088 	{ LibAliasOption,
1089 		PKT_ALIAS_UNREGISTERED_ONLY,
1090 		YesNo,
1091 		"[yes|no]",
1092 		"alias only unregistered addresses",
1093 		"unregistered_only",
1094 		"u" },
1095 
1096 	{ LibAliasOption,
1097 		PKT_ALIAS_LOG,
1098 		YesNo,
1099 		"[yes|no]",
1100 		"enable logging",
1101 		"log",
1102 		"l" },
1103 
1104 	{ LibAliasOption,
1105 		PKT_ALIAS_PROXY_ONLY,
1106 		YesNo,
1107 		"[yes|no]",
1108 		"proxy only",
1109 		"proxy_only",
1110 		NULL },
1111 
1112 	{ LibAliasOption,
1113 		PKT_ALIAS_REVERSE,
1114 		YesNo,
1115 		"[yes|no]",
1116 		"operate in reverse mode",
1117 		"reverse",
1118 		NULL },
1119 
1120 	{ LibAliasOption,
1121 		PKT_ALIAS_DENY_INCOMING,
1122 		YesNo,
1123 		"[yes|no]",
1124 		"allow incoming connections",
1125 		"deny_incoming",
1126 		"d" },
1127 
1128 	{ LibAliasOption,
1129 		PKT_ALIAS_USE_SOCKETS,
1130 		YesNo,
1131 		"[yes|no]",
1132 		"use sockets to inhibit port conflict",
1133 		"use_sockets",
1134 		"s" },
1135 
1136 	{ LibAliasOption,
1137 		PKT_ALIAS_SAME_PORTS,
1138 		YesNo,
1139 		"[yes|no]",
1140 		"try to keep original port numbers for connections",
1141 		"same_ports",
1142 		"m" },
1143 
1144 	{ Verbose,
1145 		0,
1146 		YesNo,
1147 		"[yes|no]",
1148 		"verbose mode, dump packet information",
1149 		"verbose",
1150 		"v" },
1151 
1152 	{ DynamicMode,
1153 		0,
1154 		YesNo,
1155 		"[yes|no]",
1156 		"dynamic mode, automatically detect interface address changes",
1157 		"dynamic",
1158 		NULL },
1159 
1160 	{ InPort,
1161 		0,
1162 		Service,
1163 		"number|service_name",
1164 		"set port for incoming packets",
1165 		"in_port",
1166 		"i" },
1167 
1168 	{ OutPort,
1169 		0,
1170 		Service,
1171 		"number|service_name",
1172 		"set port for outgoing packets",
1173 		"out_port",
1174 		"o" },
1175 
1176 	{ Port,
1177 		0,
1178 		Service,
1179 		"number|service_name",
1180 		"set port (defaults to natd/divert)",
1181 		"port",
1182 		"p" },
1183 
1184 	{ GlobalPort,
1185 		0,
1186 		Service,
1187 		"number|service_name",
1188 		"set globalport",
1189 		"globalport",
1190 		NULL },
1191 
1192 	{ AliasAddress,
1193 		0,
1194 		Address,
1195 		"x.x.x.x",
1196 		"address to use for aliasing",
1197 		"alias_address",
1198 		"a" },
1199 
1200 	{ TargetAddress,
1201 		0,
1202 		Address,
1203 		"x.x.x.x",
1204 		"address to use for incoming sessions",
1205 		"target_address",
1206 		"t" },
1207 
1208 	{ InterfaceName,
1209 		0,
1210 		String,
1211 	        "network_if_name",
1212 		"take aliasing address from interface",
1213 		"interface",
1214 		"n" },
1215 
1216 	{ ProxyRule,
1217 		0,
1218 		String,
1219 	        "[type encode_ip_hdr|encode_tcp_stream] port xxxx server "
1220 		"a.b.c.d:yyyy",
1221 		"add transparent proxying / destination NAT",
1222 		"proxy_rule",
1223 		NULL },
1224 
1225 	{ RedirectPort,
1226 		0,
1227 		String,
1228 	        "tcp|udp local_addr:local_port_range[,...] [public_addr:]public_port_range"
1229 	 	" [remote_addr[:remote_port_range]]",
1230 		"redirect a port (or ports) for incoming traffic",
1231 		"redirect_port",
1232 		NULL },
1233 
1234 	{ RedirectProto,
1235 		0,
1236 		String,
1237 	        "proto local_addr [public_addr] [remote_addr]",
1238 		"redirect packets of a given proto",
1239 		"redirect_proto",
1240 		NULL },
1241 
1242 	{ RedirectAddress,
1243 		0,
1244 		String,
1245 	        "local_addr[,...] public_addr",
1246 		"define mapping between local and public addresses",
1247 		"redirect_address",
1248 		NULL },
1249 
1250 	{ ConfigFile,
1251 		0,
1252 		String,
1253 		"file_name",
1254 		"read options from configuration file",
1255 		"config",
1256 		"f" },
1257 
1258 	{ LogDenied,
1259 		0,
1260 		YesNo,
1261 	        "[yes|no]",
1262 		"enable logging of denied incoming packets",
1263 		"log_denied",
1264 		NULL },
1265 
1266 	{ LogFacility,
1267 		0,
1268 		String,
1269 	        "facility",
1270 		"name of syslog facility to use for logging",
1271 		"log_facility",
1272 		NULL },
1273 
1274 	{ PunchFW,
1275 		0,
1276 		String,
1277 	        "basenumber:count",
1278 		"punch holes in the firewall for incoming FTP/IRC DCC connections",
1279 		"punch_fw",
1280 		NULL },
1281 
1282 	{ SkinnyPort,
1283 		0,
1284 		String,
1285 		"port",
1286 		"set the TCP port for use with the Skinny Station protocol",
1287 		"skinny_port",
1288 		NULL },
1289 
1290 	{ LogIpfwDenied,
1291 		0,
1292 		YesNo,
1293 	        "[yes|no]",
1294 		"log packets converted by natd, but denied by ipfw",
1295 		"log_ipfw_denied",
1296 		NULL },
1297 
1298 	{ PidFile,
1299 		0,
1300 		String,
1301 		"file_name",
1302 		"store PID in an alternate file",
1303 		"pid_file",
1304 		"P" },
1305 	{ Instance,
1306 		0,
1307 		String,
1308 		"instance name",
1309 		"name of aliasing engine instance",
1310 		"instance",
1311 		NULL },
1312 	{ ExitDelay,
1313 		0,
1314 		Numeric,
1315 		"ms",
1316 		"delay in ms before daemon exit after signal",
1317 		"exit_delay",
1318 		NULL },
1319 };
1320 
1321 static void ParseOption (const char* option, const char* parms)
1322 {
1323 	int			i;
1324 	struct OptionInfo*	info;
1325 	int			yesNoValue;
1326 	int			aliasValue;
1327 	int			numValue;
1328 	u_short			uNumValue;
1329 	const char*		strValue;
1330 	struct in_addr		addrValue;
1331 	int			max;
1332 	char*			end;
1333 	const CODE* 		fac_record = NULL;
1334 /*
1335  * Find option from table.
1336  */
1337 	max = sizeof (optionTable) / sizeof (struct OptionInfo);
1338 	for (i = 0, info = optionTable; i < max; i++, info++) {
1339 
1340 		if (!strcmp (info->name, option))
1341 			break;
1342 
1343 		if (info->shortName)
1344 			if (!strcmp (info->shortName, option))
1345 				break;
1346 	}
1347 
1348 	if (i >= max) {
1349 
1350 		warnx ("unknown option %s", option);
1351 		Usage ();
1352 	}
1353 
1354 	uNumValue	= 0;
1355 	yesNoValue	= 0;
1356 	numValue	= 0;
1357 	strValue	= NULL;
1358 /*
1359  * Check parameters.
1360  */
1361 	switch (info->parm) {
1362 	case YesNo:
1363 		if (!parms)
1364 			parms = "yes";
1365 
1366 		if (!strcmp (parms, "yes"))
1367 			yesNoValue = 1;
1368 		else
1369 			if (!strcmp (parms, "no"))
1370 				yesNoValue = 0;
1371 			else
1372 				errx (1, "%s needs yes/no parameter", option);
1373 		break;
1374 
1375 	case Service:
1376 		if (!parms)
1377 			errx (1, "%s needs service name or "
1378 				 "port number parameter",
1379 				 option);
1380 
1381 		uNumValue = StrToPort (parms, "divert");
1382 		break;
1383 
1384 	case Numeric:
1385 		if (parms)
1386 			numValue = strtol (parms, &end, 10);
1387 		else
1388 			end = NULL;
1389 
1390 		if (end == parms)
1391 			errx (1, "%s needs numeric parameter", option);
1392 		break;
1393 
1394 	case String:
1395 		strValue = parms;
1396 		if (!strValue)
1397 			errx (1, "%s needs parameter", option);
1398 		break;
1399 
1400 	case None:
1401 		if (parms)
1402 			errx (1, "%s does not take parameters", option);
1403 		break;
1404 
1405 	case Address:
1406 		if (!parms)
1407 			errx (1, "%s needs address/host parameter", option);
1408 
1409 		StrToAddr (parms, &addrValue);
1410 		break;
1411 	}
1412 
1413 	switch (info->type) {
1414 	case LibAliasOption:
1415 
1416 		aliasValue = yesNoValue ? info->packetAliasOpt : 0;
1417 		LibAliasSetMode (mla, aliasValue, info->packetAliasOpt);
1418 		break;
1419 
1420 	case Verbose:
1421 		verbose = yesNoValue;
1422 		break;
1423 
1424 	case DynamicMode:
1425 		dynamicMode = yesNoValue;
1426 		break;
1427 
1428 	case InPort:
1429 		mip->inPort = uNumValue;
1430 		break;
1431 
1432 	case OutPort:
1433 		mip->outPort = uNumValue;
1434 		break;
1435 
1436 	case Port:
1437 		mip->inOutPort = uNumValue;
1438 		break;
1439 
1440 	case GlobalPort:
1441 		globalPort = uNumValue;
1442 		break;
1443 
1444 	case AliasAddress:
1445 		memcpy (&mip->aliasAddr, &addrValue, sizeof (struct in_addr));
1446 		break;
1447 
1448 	case TargetAddress:
1449 		LibAliasSetTarget(mla, addrValue);
1450 		break;
1451 
1452 	case RedirectPort:
1453 		SetupPortRedirect (strValue);
1454 		break;
1455 
1456 	case RedirectProto:
1457 		SetupProtoRedirect(strValue);
1458 		break;
1459 
1460 	case RedirectAddress:
1461 		SetupAddressRedirect (strValue);
1462 		break;
1463 
1464 	case ProxyRule:
1465 		LibAliasProxyRule (mla, strValue);
1466 		break;
1467 
1468 	case InterfaceName:
1469 		if (mip->ifName)
1470 			free (mip->ifName);
1471 
1472 		mip->ifName = strdup (strValue);
1473 		break;
1474 
1475 	case ConfigFile:
1476 		ReadConfigFile (strValue);
1477 		break;
1478 
1479 	case LogDenied:
1480 		mip->logDropped = yesNoValue;
1481 		break;
1482 
1483 	case LogFacility:
1484 
1485 		fac_record = facilitynames;
1486 		while (fac_record->c_name != NULL) {
1487 
1488 			if (!strcmp (fac_record->c_name, strValue)) {
1489 
1490 				logFacility = fac_record->c_val;
1491 				break;
1492 
1493 			}
1494 			else
1495 				fac_record++;
1496 		}
1497 
1498 		if(fac_record->c_name == NULL)
1499 			errx(1, "Unknown log facility name: %s", strValue);
1500 
1501 		break;
1502 
1503 	case PunchFW:
1504 		SetupPunchFW(strValue);
1505 		break;
1506 
1507 	case SkinnyPort:
1508 		SetupSkinnyPort(strValue);
1509 		break;
1510 
1511 	case LogIpfwDenied:
1512 		logIpfwDenied = yesNoValue;
1513 		break;
1514 
1515 	case PidFile:
1516 		pidName = strdup (strValue);
1517 		break;
1518 	case Instance:
1519 		NewInstance(strValue);
1520 		break;
1521 	case ExitDelay:
1522 		if (numValue < 0 || numValue > MAX_EXIT_DELAY)
1523 			errx(1, "Incorrect exit delay: %d", numValue);
1524 		exitDelay = numValue;
1525 		break;
1526 	}
1527 }
1528 
1529 void ReadConfigFile (const char* fileName)
1530 {
1531 	FILE*	file;
1532 	char	*buf;
1533 	size_t	len;
1534 	char	*ptr, *p;
1535 	char*	option;
1536 
1537 	file = fopen (fileName, "r");
1538 	if (!file)
1539 		err(1, "cannot open config file %s", fileName);
1540 
1541 	while ((buf = fgetln(file, &len)) != NULL) {
1542 		if (buf[len - 1] == '\n')
1543 			buf[len - 1] = '\0';
1544 		else
1545 			errx(1, "config file format error: "
1546 				"last line should end with newline");
1547 
1548 /*
1549  * Check for comments, strip off trailing spaces.
1550  */
1551 		if ((ptr = strchr(buf, '#')))
1552 			*ptr = '\0';
1553 		for (ptr = buf; isspace(*ptr); ++ptr)
1554 			continue;
1555 		if (*ptr == '\0')
1556 			continue;
1557 		for (p = strchr(buf, '\0'); isspace(*--p);)
1558 			continue;
1559 		*++p = '\0';
1560 
1561 /*
1562  * Extract option name.
1563  */
1564 		option = ptr;
1565 		while (*ptr && !isspace (*ptr))
1566 			++ptr;
1567 
1568 		if (*ptr != '\0') {
1569 
1570 			*ptr = '\0';
1571 			++ptr;
1572 		}
1573 /*
1574  * Skip white space between name and parms.
1575  */
1576 		while (*ptr && isspace (*ptr))
1577 			++ptr;
1578 
1579 		ParseOption (option, *ptr ? ptr : NULL);
1580 	}
1581 
1582 	fclose (file);
1583 }
1584 
1585 static void Usage(void)
1586 {
1587 	int			i;
1588 	int			max;
1589 	struct OptionInfo*	info;
1590 
1591 	fprintf (stderr, "Recognized options:\n\n");
1592 
1593 	max = sizeof (optionTable) / sizeof (struct OptionInfo);
1594 	for (i = 0, info = optionTable; i < max; i++, info++) {
1595 
1596 		fprintf (stderr, "-%-20s %s\n", info->name,
1597 						info->parmDescription);
1598 
1599 		if (info->shortName)
1600 			fprintf (stderr, "-%-20s %s\n", info->shortName,
1601 							info->parmDescription);
1602 
1603 		fprintf (stderr, "      %s\n\n", info->description);
1604 	}
1605 
1606 	exit (1);
1607 }
1608 
1609 void SetupPortRedirect (const char* parms)
1610 {
1611 	char		*buf;
1612 	char*		ptr;
1613 	char*		serverPool;
1614 	struct in_addr	localAddr;
1615 	struct in_addr	publicAddr;
1616 	struct in_addr	remoteAddr;
1617 	port_range      portRange;
1618 	u_short         localPort      = 0;
1619 	u_short         publicPort     = 0;
1620 	u_short         remotePort     = 0;
1621 	u_short         numLocalPorts  = 0;
1622 	u_short         numPublicPorts = 0;
1623 	u_short         numRemotePorts = 0;
1624 	int		proto;
1625 	char*		protoName;
1626 	char*		separator;
1627 	int             i;
1628 	struct alias_link *aliaslink = NULL;
1629 
1630 	buf = strdup (parms);
1631 	if (!buf)
1632 		errx (1, "redirect_port: strdup() failed");
1633 /*
1634  * Extract protocol.
1635  */
1636 	protoName = strtok (buf, " \t");
1637 	if (!protoName)
1638 		errx (1, "redirect_port: missing protocol");
1639 
1640 	proto = StrToProto (protoName);
1641 /*
1642  * Extract local address.
1643  */
1644 	ptr = strtok (NULL, " \t");
1645 	if (!ptr)
1646 		errx (1, "redirect_port: missing local address");
1647 
1648 	separator = strchr(ptr, ',');
1649 	if (separator) {		/* LSNAT redirection syntax. */
1650 		localAddr.s_addr = INADDR_NONE;
1651 		localPort = ~0;
1652 		numLocalPorts = 1;
1653 		serverPool = ptr;
1654 	} else {
1655 		if ( StrToAddrAndPortRange (ptr, &localAddr, protoName, &portRange) != 0 )
1656 			errx (1, "redirect_port: invalid local port range");
1657 
1658 		localPort     = GETLOPORT(portRange);
1659 		numLocalPorts = GETNUMPORTS(portRange);
1660 		serverPool = NULL;
1661 	}
1662 
1663 /*
1664  * Extract public port and optionally address.
1665  */
1666 	ptr = strtok (NULL, " \t");
1667 	if (!ptr)
1668 		errx (1, "redirect_port: missing public port");
1669 
1670 	separator = strchr (ptr, ':');
1671 	if (separator) {
1672 	        if (StrToAddrAndPortRange (ptr, &publicAddr, protoName, &portRange) != 0 )
1673 		        errx (1, "redirect_port: invalid public port range");
1674 	}
1675 	else {
1676 		publicAddr.s_addr = INADDR_ANY;
1677 		if (StrToPortRange (ptr, protoName, &portRange) != 0)
1678 		        errx (1, "redirect_port: invalid public port range");
1679 	}
1680 
1681 	publicPort     = GETLOPORT(portRange);
1682 	numPublicPorts = GETNUMPORTS(portRange);
1683 
1684 /*
1685  * Extract remote address and optionally port.
1686  */
1687 	ptr = strtok (NULL, " \t");
1688 	if (ptr) {
1689 		separator = strchr (ptr, ':');
1690 		if (separator) {
1691 		        if (StrToAddrAndPortRange (ptr, &remoteAddr, protoName, &portRange) != 0)
1692 			        errx (1, "redirect_port: invalid remote port range");
1693 		} else {
1694 		        SETLOPORT(portRange, 0);
1695 			SETNUMPORTS(portRange, 1);
1696 			StrToAddr (ptr, &remoteAddr);
1697 		}
1698 	}
1699 	else {
1700 	        SETLOPORT(portRange, 0);
1701 		SETNUMPORTS(portRange, 1);
1702 		remoteAddr.s_addr = INADDR_ANY;
1703 	}
1704 
1705 	remotePort     = GETLOPORT(portRange);
1706 	numRemotePorts = GETNUMPORTS(portRange);
1707 
1708 /*
1709  * Make sure port ranges match up, then add the redirect ports.
1710  */
1711 	if (numLocalPorts != numPublicPorts)
1712 	        errx (1, "redirect_port: port ranges must be equal in size");
1713 
1714 	/* Remote port range is allowed to be '0' which means all ports. */
1715 	if (numRemotePorts != numLocalPorts && (numRemotePorts != 1 || remotePort != 0))
1716 	        errx (1, "redirect_port: remote port must be 0 or equal to local port range in size");
1717 
1718 	for (i = 0 ; i < numPublicPorts ; ++i) {
1719 	        /* If remotePort is all ports, set it to 0. */
1720 	        u_short remotePortCopy = remotePort + i;
1721 	        if (numRemotePorts == 1 && remotePort == 0)
1722 		        remotePortCopy = 0;
1723 
1724 		aliaslink = LibAliasRedirectPort (mla, localAddr,
1725 						htons(localPort + i),
1726 						remoteAddr,
1727 						htons(remotePortCopy),
1728 						publicAddr,
1729 						htons(publicPort + i),
1730 						proto);
1731 	}
1732 
1733 /*
1734  * Setup LSNAT server pool.
1735  */
1736 	if (serverPool != NULL && aliaslink != NULL) {
1737 		ptr = strtok(serverPool, ",");
1738 		while (ptr != NULL) {
1739 			if (StrToAddrAndPortRange(ptr, &localAddr, protoName, &portRange) != 0)
1740 				errx(1, "redirect_port: invalid local port range");
1741 
1742 			localPort = GETLOPORT(portRange);
1743 			if (GETNUMPORTS(portRange) != 1)
1744 				errx(1, "redirect_port: local port must be single in this context");
1745 			LibAliasAddServer(mla, aliaslink, localAddr, htons(localPort));
1746 			ptr = strtok(NULL, ",");
1747 		}
1748 	}
1749 
1750 	free (buf);
1751 }
1752 
1753 void
1754 SetupProtoRedirect(const char* parms)
1755 {
1756 	char		*buf;
1757 	char*		ptr;
1758 	struct in_addr	localAddr;
1759 	struct in_addr	publicAddr;
1760 	struct in_addr	remoteAddr;
1761 	int		proto;
1762 	char*		protoName;
1763 	struct protoent *protoent;
1764 
1765 	buf = strdup (parms);
1766 	if (!buf)
1767 		errx (1, "redirect_port: strdup() failed");
1768 /*
1769  * Extract protocol.
1770  */
1771 	protoName = strtok(buf, " \t");
1772 	if (!protoName)
1773 		errx(1, "redirect_proto: missing protocol");
1774 
1775 	protoent = getprotobyname(protoName);
1776 	if (protoent == NULL)
1777 		errx(1, "redirect_proto: unknown protocol %s", protoName);
1778 	else
1779 		proto = protoent->p_proto;
1780 /*
1781  * Extract local address.
1782  */
1783 	ptr = strtok(NULL, " \t");
1784 	if (!ptr)
1785 		errx(1, "redirect_proto: missing local address");
1786 	else
1787 		StrToAddr(ptr, &localAddr);
1788 /*
1789  * Extract optional public address.
1790  */
1791 	ptr = strtok(NULL, " \t");
1792 	if (ptr)
1793 		StrToAddr(ptr, &publicAddr);
1794 	else
1795 		publicAddr.s_addr = INADDR_ANY;
1796 /*
1797  * Extract optional remote address.
1798  */
1799 	ptr = strtok(NULL, " \t");
1800 	if (ptr)
1801 		StrToAddr(ptr, &remoteAddr);
1802 	else
1803 		remoteAddr.s_addr = INADDR_ANY;
1804 /*
1805  * Create aliasing link.
1806  */
1807 	(void)LibAliasRedirectProto(mla, localAddr, remoteAddr, publicAddr,
1808 				       proto);
1809 
1810 	free (buf);
1811 }
1812 
1813 void SetupAddressRedirect (const char* parms)
1814 {
1815 	char		*buf;
1816 	char*		ptr;
1817 	char*		separator;
1818 	struct in_addr	localAddr;
1819 	struct in_addr	publicAddr;
1820 	char*		serverPool;
1821 	struct alias_link *aliaslink;
1822 
1823 	buf = strdup (parms);
1824 	if (!buf)
1825 		errx (1, "redirect_port: strdup() failed");
1826 /*
1827  * Extract local address.
1828  */
1829 	ptr = strtok (buf, " \t");
1830 	if (!ptr)
1831 		errx (1, "redirect_address: missing local address");
1832 
1833 	separator = strchr(ptr, ',');
1834 	if (separator) {		/* LSNAT redirection syntax. */
1835 		localAddr.s_addr = INADDR_NONE;
1836 		serverPool = ptr;
1837 	} else {
1838 		StrToAddr (ptr, &localAddr);
1839 		serverPool = NULL;
1840 	}
1841 /*
1842  * Extract public address.
1843  */
1844 	ptr = strtok (NULL, " \t");
1845 	if (!ptr)
1846 		errx (1, "redirect_address: missing public address");
1847 
1848 	StrToAddr (ptr, &publicAddr);
1849 	aliaslink = LibAliasRedirectAddr(mla, localAddr, publicAddr);
1850 
1851 /*
1852  * Setup LSNAT server pool.
1853  */
1854 	if (serverPool != NULL && aliaslink != NULL) {
1855 		ptr = strtok(serverPool, ",");
1856 		while (ptr != NULL) {
1857 			StrToAddr(ptr, &localAddr);
1858 			LibAliasAddServer(mla, aliaslink, localAddr, htons(~0));
1859 			ptr = strtok(NULL, ",");
1860 		}
1861 	}
1862 
1863 	free (buf);
1864 }
1865 
1866 void StrToAddr (const char* str, struct in_addr* addr)
1867 {
1868 	struct hostent* hp;
1869 
1870 	if (inet_aton (str, addr))
1871 		return;
1872 
1873 	hp = gethostbyname (str);
1874 	if (!hp)
1875 		errx (1, "unknown host %s", str);
1876 
1877 	memcpy (addr, hp->h_addr, sizeof (struct in_addr));
1878 }
1879 
1880 u_short StrToPort (const char* str, const char* proto)
1881 {
1882 	u_short		port;
1883 	struct servent*	sp;
1884 	char*		end;
1885 
1886 	port = strtol (str, &end, 10);
1887 	if (end != str)
1888 		return htons (port);
1889 
1890 	sp = getservbyname (str, proto);
1891 	if (!sp)
1892 		errx (1, "%s/%s: unknown service", str, proto);
1893 
1894 	return sp->s_port;
1895 }
1896 
1897 int StrToPortRange (const char* str, const char* proto, port_range *portRange)
1898 {
1899 	const char*	sep;
1900 	struct servent*	sp;
1901 	char*		end;
1902 	u_short         loPort;
1903 	u_short         hiPort;
1904 
1905 	/* First see if this is a service, return corresponding port if so. */
1906 	sp = getservbyname (str,proto);
1907 	if (sp) {
1908 	        SETLOPORT(*portRange, ntohs(sp->s_port));
1909 		SETNUMPORTS(*portRange, 1);
1910 		return 0;
1911 	}
1912 
1913 	/* Not a service, see if it's a single port or port range. */
1914 	sep = strchr (str, '-');
1915 	if (sep == NULL) {
1916 	        SETLOPORT(*portRange, strtol(str, &end, 10));
1917 		if (end != str) {
1918 		        /* Single port. */
1919 		        SETNUMPORTS(*portRange, 1);
1920 			return 0;
1921 		}
1922 
1923 		/* Error in port range field. */
1924 		errx (1, "%s/%s: unknown service", str, proto);
1925 	}
1926 
1927 	/* Port range, get the values and sanity check. */
1928 	sscanf (str, "%hu-%hu", &loPort, &hiPort);
1929 	SETLOPORT(*portRange, loPort);
1930 	SETNUMPORTS(*portRange, 0);	/* Error by default */
1931 	if (loPort <= hiPort)
1932 	        SETNUMPORTS(*portRange, hiPort - loPort + 1);
1933 
1934 	if (GETNUMPORTS(*portRange) == 0)
1935 	        errx (1, "invalid port range %s", str);
1936 
1937 	return 0;
1938 }
1939 
1940 
1941 static int
1942 StrToProto (const char* str)
1943 {
1944 	if (!strcmp (str, "tcp"))
1945 		return IPPROTO_TCP;
1946 
1947 	if (!strcmp (str, "udp"))
1948 		return IPPROTO_UDP;
1949 
1950 	errx (1, "unknown protocol %s. Expected tcp or udp", str);
1951 }
1952 
1953 static int
1954 StrToAddrAndPortRange (char* str, struct in_addr* addr, char* proto, port_range *portRange)
1955 {
1956 	char*	ptr;
1957 
1958 	ptr = strchr (str, ':');
1959 	if (!ptr)
1960 		errx (1, "%s is missing port number", str);
1961 
1962 	*ptr = '\0';
1963 	++ptr;
1964 
1965 	StrToAddr (str, addr);
1966 	return StrToPortRange (ptr, proto, portRange);
1967 }
1968 
1969 static void
1970 SetupPunchFW(const char *strValue)
1971 {
1972 	unsigned int base, num;
1973 
1974 	if (sscanf(strValue, "%u:%u", &base, &num) != 2)
1975 		errx(1, "punch_fw: basenumber:count parameter required");
1976 
1977 	if (CheckIpfwRulenum(base + num - 1) == -1)
1978 		errx(1, "punch_fw: basenumber:count parameter should fit "
1979 			"the maximum allowed rule numbers");
1980 
1981 	LibAliasSetFWBase(mla, base, num);
1982 	(void)LibAliasSetMode(mla, PKT_ALIAS_PUNCH_FW, PKT_ALIAS_PUNCH_FW);
1983 }
1984 
1985 static void
1986 SetupSkinnyPort(const char *strValue)
1987 {
1988 	unsigned int port;
1989 
1990 	if (sscanf(strValue, "%u", &port) != 1)
1991 		errx(1, "skinny_port: port parameter required");
1992 
1993 	LibAliasSetSkinnyPort(mla, port);
1994 }
1995 
1996 static void
1997 NewInstance(const char *name)
1998 {
1999 	struct instance *ip;
2000 
2001 	LIST_FOREACH(ip, &root, list) {
2002 		if (!strcmp(ip->name, name)) {
2003 			mla = ip->la;
2004 			mip = ip;
2005 			return;
2006 		}
2007 	}
2008 	ninstance++;
2009 	ip = calloc(1, sizeof(*ip));
2010 	ip->name = strdup(name);
2011 	ip->la = LibAliasInit (ip->la);
2012 	ip->assignAliasAddr	= 0;
2013 	ip->ifName		= NULL;
2014  	ip->logDropped		= 0;
2015 	ip->inPort		= 0;
2016 	ip->outPort		= 0;
2017 	ip->inOutPort		= 0;
2018 	ip->aliasAddr.s_addr	= INADDR_NONE;
2019 	ip->ifMTU		= -1;
2020 	ip->aliasOverhead	= 12;
2021 	LIST_INSERT_HEAD(&root, ip, list);
2022 	mla = ip->la;
2023 	mip = ip;
2024 }
2025 
2026 static int
2027 CheckIpfwRulenum(unsigned int rnum)
2028 {
2029 	unsigned int default_rule;
2030 	size_t len = sizeof(default_rule);
2031 
2032 	if (sysctlbyname("net.inet.ip.fw.default_rule", &default_rule, &len,
2033 		NULL, 0) == -1) {
2034 		warn("Failed to get the default ipfw rule number, using "
2035 		     "default historical value 65535.  The reason was");
2036 		default_rule = 65535;
2037 	}
2038 	if (rnum >= default_rule) {
2039 		return -1;
2040 	}
2041 
2042 	return 0;
2043 }
2044