xref: /freebsd-10-stable/sbin/natd/natd.c

/*
 * natd - Network Address Translation Daemon for FreeBSD.
 *
 * This software is provided free of charge, with no
 * warranty of any kind, either expressed or implied.
 * Use at your own risk.
 *
 * You may copy, modify and distribute this software (natd.c) freely.
 *
 * Ari Suutari <suutari@iki.fi>
 */

#include <sys/cdefs.h>
__FBSDID("$FreeBSD$");

#define SYSLOG_NAMES

#include <sys/types.h>
#include <sys/socket.h>
#include <sys/sysctl.h>
#include <sys/time.h>
#include <sys/queue.h>

#include <netinet/in.h>
#include <netinet/in_systm.h>
#include <netinet/ip.h>
#include <machine/in_cksum.h>
#include <netinet/tcp.h>
#include <netinet/udp.h>
#include <netinet/ip_icmp.h>
#include <net/if.h>
#include <net/if_dl.h>
#include <net/route.h>
#include <arpa/inet.h>

#include <alias.h>
#include <ctype.h>
#include <err.h>
#include <errno.h>
#include <netdb.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <syslog.h>
#include <unistd.h>

#include "natd.h"

struct instance {
	const char		*name;
	struct libalias		*la;
	LIST_ENTRY(instance)	list;

	int			ifIndex;
	int			assignAliasAddr;
	char*			ifName;
	int			logDropped;
	u_short			inPort;
	u_short			outPort;
	u_short			inOutPort;
	struct in_addr		aliasAddr;
	int			ifMTU;
	int			aliasOverhead;
	int			dropIgnoredIncoming;
	int			divertIn;
	int			divertOut;
	int			divertInOut;
};

static LIST_HEAD(, instance) root = LIST_HEAD_INITIALIZER(root);

struct libalias *mla;
static struct instance *mip;
static int ninstance = 1;

/*
 * Default values for input and output
 * divert socket ports.
 */

#define	DEFAULT_SERVICE	"natd"

/*
 * Definition of a port range, and macros to deal with values.
 * FORMAT:  HI 16-bits == first port in range, 0 == all ports.
 *          LO 16-bits == number of ports in range
 * NOTES:   - Port values are not stored in network byte order.
 */

typedef u_long port_range;

#define GETLOPORT(x)     ((x) >> 0x10)
#define GETNUMPORTS(x)   ((x) & 0x0000ffff)
#define GETHIPORT(x)     (GETLOPORT((x)) + GETNUMPORTS((x)))

/* Set y to be the low-port value in port_range variable x. */
#define SETLOPORT(x,y)   ((x) = ((x) & 0x0000ffff) | ((y) << 0x10))

/* Set y to be the number of ports in port_range variable x. */
#define SETNUMPORTS(x,y) ((x) = ((x) & 0xffff0000) | (y))

/*
 * Function prototypes.
 */

static void	DoAliasing (int fd, int direction);
static void	DaemonMode (void);
static void	HandleRoutingInfo (int fd);
static void	Usage (void);
static char*	FormatPacket (struct ip*);
static void	PrintPacket (struct ip*);
static void	SyslogPacket (struct ip*, int priority, const char *label);
static int	SetAliasAddressFromIfName (const char *ifName);
static void	InitiateShutdown (int);
static void	Shutdown (int);
static void	RefreshAddr (int);
static void	ParseOption (const char* option, const char* parms);
static void	ReadConfigFile (const char* fileName);
static void	SetupPortRedirect (const char* parms);
static void	SetupProtoRedirect(const char* parms);
static void	SetupAddressRedirect (const char* parms);
static void	StrToAddr (const char* str, struct in_addr* addr);
static u_short  StrToPort (const char* str, const char* proto);
static int      StrToPortRange (const char* str, const char* proto, port_range *portRange);
static int 	StrToProto (const char* str);
static int      StrToAddrAndPortRange (const char* str, struct in_addr* addr, char* proto, port_range *portRange);
static void	ParseArgs (int argc, char** argv);
static void	SetupPunchFW(const char *strValue);
static void	SetupSkinnyPort(const char *strValue);
static void	NewInstance(const char *name);
static void	DoGlobal (int fd);
static int	CheckIpfwRulenum(unsigned int rnum);

/*
 * Globals.
 */

static	int			verbose;
static 	int			background;
static	int			running;
static	int			logFacility;

static 	int			dynamicMode;
static 	int			icmpSock;
static	int			logIpfwDenied;
static	const char*		pidName;
static	int			routeSock;
static	int			globalPort;
static	int			divertGlobal;
static	int			exitDelay;


int main (int argc, char** argv)
{
	struct sockaddr_in	addr;
	fd_set			readMask;
	int			fdMax;
	int			rval;
/*
 * Initialize packet aliasing software.
 * Done already here to be able to alter option bits
 * during command line and configuration file processing.
 */
	NewInstance("default");

/*
 * Parse options.
 */
	verbose 		= 0;
	background		= 0;
	running			= 1;
	dynamicMode		= 0;
 	logFacility		= LOG_DAEMON;
	logIpfwDenied		= -1;
	pidName			= PIDFILE;
	routeSock 		= -1;
	icmpSock 		= -1;
	fdMax	 		= -1;
	divertGlobal		= -1;
	exitDelay		= EXIT_DELAY;

	ParseArgs (argc, argv);
/*
 * Log ipfw(8) denied packets by default in verbose mode.
 */
	if (logIpfwDenied == -1)
		logIpfwDenied = verbose;
/*
 * Open syslog channel.
 */
	openlog ("natd", LOG_CONS | LOG_PID | (verbose ? LOG_PERROR : 0),
		 logFacility);

	LIST_FOREACH(mip, &root, list) {
		mla = mip->la;
/*
 * If not doing the transparent proxying only,
 * check that valid aliasing address has been given.
 */
		if (mip->aliasAddr.s_addr == INADDR_NONE && mip->ifName == NULL &&
		    !(LibAliasSetMode(mla, 0,0) & PKT_ALIAS_PROXY_ONLY))
			errx (1, "instance %s: aliasing address not given", mip->name);

		if (mip->aliasAddr.s_addr != INADDR_NONE && mip->ifName != NULL)
			errx (1, "both alias address and interface "
				 "name are not allowed");
/*
 * Check that valid port number is known.
 */
		if (mip->inPort != 0 || mip->outPort != 0)
			if (mip->inPort == 0 || mip->outPort == 0)
				errx (1, "both input and output ports are required");

		if (mip->inPort == 0 && mip->outPort == 0 && mip->inOutPort == 0)
			ParseOption ("port", DEFAULT_SERVICE);

/*
 * Check if ignored packets should be dropped.
 */
		mip->dropIgnoredIncoming = LibAliasSetMode (mla, 0, 0);
		mip->dropIgnoredIncoming &= PKT_ALIAS_DENY_INCOMING;
/*
 * Create divert sockets. Use only one socket if -p was specified
 * on command line. Otherwise, create separate sockets for
 * outgoing and incoming connections.
 */
		if (mip->inOutPort) {

			mip->divertInOut = socket (PF_INET, SOCK_RAW, IPPROTO_DIVERT);
			if (mip->divertInOut == -1)
				Quit ("Unable to create divert socket.");
			if (mip->divertInOut > fdMax)
				fdMax = mip->divertInOut;

			mip->divertIn  = -1;
			mip->divertOut = -1;
/*
 * Bind socket.
 */

			addr.sin_family		= AF_INET;
			addr.sin_addr.s_addr	= INADDR_ANY;
			addr.sin_port		= mip->inOutPort;

			if (bind (mip->divertInOut,
				  (struct sockaddr*) &addr,
				  sizeof addr) == -1)
				Quit ("Unable to bind divert socket.");
		}
		else {

			mip->divertIn = socket (PF_INET, SOCK_RAW, IPPROTO_DIVERT);
			if (mip->divertIn == -1)
				Quit ("Unable to create incoming divert socket.");
			if (mip->divertIn > fdMax)
				fdMax = mip->divertIn;


			mip->divertOut = socket (PF_INET, SOCK_RAW, IPPROTO_DIVERT);
			if (mip->divertOut == -1)
				Quit ("Unable to create outgoing divert socket.");
			if (mip->divertOut > fdMax)
				fdMax = mip->divertOut;

			mip->divertInOut = -1;

/*
 * Bind divert sockets.
 */

			addr.sin_family		= AF_INET;
			addr.sin_addr.s_addr	= INADDR_ANY;
			addr.sin_port		= mip->inPort;

			if (bind (mip->divertIn,
				  (struct sockaddr*) &addr,
				  sizeof addr) == -1)
				Quit ("Unable to bind incoming divert socket.");

			addr.sin_family		= AF_INET;
			addr.sin_addr.s_addr	= INADDR_ANY;
			addr.sin_port		= mip->outPort;

			if (bind (mip->divertOut,
				  (struct sockaddr*) &addr,
				  sizeof addr) == -1)
				Quit ("Unable to bind outgoing divert socket.");
		}
/*
 * Create routing socket if interface name specified and in dynamic mode.
 */
		if (mip->ifName) {
			if (dynamicMode) {

				if (routeSock == -1)
					routeSock = socket (PF_ROUTE, SOCK_RAW, 0);
				if (routeSock == -1)
					Quit ("Unable to create routing info socket.");
				if (routeSock > fdMax)
					fdMax = routeSock;

				mip->assignAliasAddr = 1;
			}
			else {
				do {
					rval = SetAliasAddressFromIfName (mip->ifName);
					if (background == 0 || dynamicMode == 0)
						break;
					if (rval == EAGAIN)
						sleep(1);
				} while (rval == EAGAIN);
				if (rval != 0)
					exit(1);
			}
		}

	}
	if (globalPort) {

		divertGlobal = socket (PF_INET, SOCK_RAW, IPPROTO_DIVERT);
		if (divertGlobal == -1)
			Quit ("Unable to create divert socket.");
		if (divertGlobal > fdMax)
			fdMax = divertGlobal;

/*
* Bind socket.
*/

		addr.sin_family		= AF_INET;
		addr.sin_addr.s_addr	= INADDR_ANY;
		addr.sin_port		= globalPort;

		if (bind (divertGlobal,
			  (struct sockaddr*) &addr,
			  sizeof addr) == -1)
			Quit ("Unable to bind global divert socket.");
	}
/*
 * Create socket for sending ICMP messages.
 */
	icmpSock = socket (AF_INET, SOCK_RAW, IPPROTO_ICMP);
	if (icmpSock == -1)
		Quit ("Unable to create ICMP socket.");

/*
 * And disable reads for the socket, otherwise it slowly fills
 * up with received icmps which we do not use.
 */
	shutdown(icmpSock, SHUT_RD);

/*
 * Become a daemon unless verbose mode was requested.
 */
	if (!verbose)
		DaemonMode ();
/*
 * Catch signals to manage shutdown and
 * refresh of interface address.
 */
	siginterrupt(SIGTERM, 1);
	siginterrupt(SIGHUP, 1);
	if (exitDelay)
		signal(SIGTERM, InitiateShutdown);
	else
		signal(SIGTERM, Shutdown);
	signal (SIGHUP, RefreshAddr);
/*
 * Set alias address if it has been given.
 */
	mip = LIST_FIRST(&root);	/* XXX: simon */
	LIST_FOREACH(mip, &root, list) {
		mla = mip->la;
		if (mip->aliasAddr.s_addr != INADDR_NONE)
			LibAliasSetAddress (mla, mip->aliasAddr);
	}

	while (running) {
		mip = LIST_FIRST(&root);	/* XXX: simon */

		if (mip->divertInOut != -1 && !mip->ifName && ninstance == 1) {
/*
 * When using only one socket, just call
 * DoAliasing repeatedly to process packets.
 */
			DoAliasing (mip->divertInOut, DONT_KNOW);
			continue;
		}
/*
 * Build read mask from socket descriptors to select.
 */
		FD_ZERO (&readMask);
/*
 * Check if new packets are available.
 */
		LIST_FOREACH(mip, &root, list) {
			if (mip->divertIn != -1)
				FD_SET (mip->divertIn, &readMask);

			if (mip->divertOut != -1)
				FD_SET (mip->divertOut, &readMask);

			if (mip->divertInOut != -1)
				FD_SET (mip->divertInOut, &readMask);
		}
/*
 * Routing info is processed always.
 */
		if (routeSock != -1)
			FD_SET (routeSock, &readMask);

		if (divertGlobal != -1)
			FD_SET (divertGlobal, &readMask);

		if (select (fdMax + 1,
			    &readMask,
			    NULL,
			    NULL,
			    NULL) == -1) {

			if (errno == EINTR)
				continue;

			Quit ("Select failed.");
		}

		if (divertGlobal != -1)
			if (FD_ISSET (divertGlobal, &readMask))
				DoGlobal (divertGlobal);
		LIST_FOREACH(mip, &root, list) {
			mla = mip->la;
			if (mip->divertIn != -1)
				if (FD_ISSET (mip->divertIn, &readMask))
					DoAliasing (mip->divertIn, INPUT);

			if (mip->divertOut != -1)
				if (FD_ISSET (mip->divertOut, &readMask))
					DoAliasing (mip->divertOut, OUTPUT);

			if (mip->divertInOut != -1)
				if (FD_ISSET (mip->divertInOut, &readMask))
					DoAliasing (mip->divertInOut, DONT_KNOW);

		}
		if (routeSock != -1)
			if (FD_ISSET (routeSock, &readMask))
				HandleRoutingInfo (routeSock);
	}

	if (background)
		unlink (pidName);

	return 0;
}

static void DaemonMode(void)
{
	FILE*	pidFile;

	daemon (0, 0);
	background = 1;

	pidFile = fopen (pidName, "w");
	if (pidFile) {

		fprintf (pidFile, "%d\n", getpid ());
		fclose (pidFile);
	}
}

static void ParseArgs (int argc, char** argv)
{
	int		arg;
	char*		opt;
	char		parmBuf[256];
	int		len; /* bounds checking */

	for (arg = 1; arg < argc; arg++) {

		opt  = argv[arg];
		if (*opt != '-') {

			warnx ("invalid option %s", opt);
			Usage ();
		}

		parmBuf[0] = '\0';
		len = 0;

		while (arg < argc - 1) {

			if (argv[arg + 1][0] == '-')
				break;

			if (len) {
				strncat (parmBuf, " ", sizeof(parmBuf) - (len + 1));
				len += strlen(parmBuf + len);
			}

			++arg;
			strncat (parmBuf, argv[arg], sizeof(parmBuf) - (len + 1));
			len += strlen(parmBuf + len);

		}

		ParseOption (opt + 1, (len ? parmBuf : NULL));

	}
}

static void DoGlobal (int fd)
{
	int			bytes;
	int			origBytes;
	char			buf[IP_MAXPACKET];
	struct sockaddr_in	addr;
	int			wrote;
	socklen_t		addrSize;
	struct ip*		ip;
	char			msgBuf[80];

/*
 * Get packet from socket.
 */
	addrSize  = sizeof addr;
	origBytes = recvfrom (fd,
			      buf,
			      sizeof buf,
			      0,
			      (struct sockaddr*) &addr,
			      &addrSize);

	if (origBytes == -1) {

		if (errno != EINTR)
			Warn ("read from divert socket failed");

		return;
	}

#if 0
	if (mip->assignAliasAddr) {
		if (SetAliasAddressFromIfName (mip->ifName) != 0)
			exit(1);
		mip->assignAliasAddr = 0;
	}
#endif
/*
 * This is an IP packet.
 */
	ip = (struct ip*) buf;

	if (verbose) {
/*
 * Print packet direction and protocol type.
 */
		printf ("Glb ");

		switch (ip->ip_p) {
		case IPPROTO_TCP:
			printf ("[TCP]  ");
			break;

		case IPPROTO_UDP:
			printf ("[UDP]  ");
			break;

		case IPPROTO_ICMP:
			printf ("[ICMP] ");
			break;

		default:
			printf ("[%d]    ", ip->ip_p);
			break;
		}
/*
 * Print addresses.
 */
		PrintPacket (ip);
	}

	LIST_FOREACH(mip, &root, list) {
		mla = mip->la;
		if (LibAliasOutTry (mla, buf, IP_MAXPACKET, 0) != PKT_ALIAS_IGNORED)
			break;
	}
/*
 * Length might have changed during aliasing.
 */
	bytes = ntohs (ip->ip_len);
/*
 * Update alias overhead size for outgoing packets.
 */
	if (mip != NULL && bytes - origBytes > mip->aliasOverhead)
		mip->aliasOverhead = bytes - origBytes;

	if (verbose) {

/*
 * Print addresses after aliasing.
 */
		printf (" aliased to\n");
		printf ("           ");
		PrintPacket (ip);
		printf ("\n");
	}

/*
 * Put packet back for processing.
 */
	wrote = sendto (fd,
		        buf,
	    		bytes,
	    		0,
	    		(struct sockaddr*) &addr,
	    		sizeof addr);

	if (wrote != bytes) {

		if (errno == EMSGSIZE) {

			if (mip->ifMTU != -1)
				SendNeedFragIcmp (icmpSock,
						  (struct ip*) buf,
						  mip->ifMTU - mip->aliasOverhead);
		}
		else if (errno == EACCES && logIpfwDenied) {

			sprintf (msgBuf, "failed to write packet back");
			Warn (msgBuf);
		}
	}
}


static void DoAliasing (int fd, int direction)
{
	int			bytes;
	int			origBytes;
	char			buf[IP_MAXPACKET];
	struct sockaddr_in	addr;
	int			wrote;
	int			status;
	socklen_t		addrSize;
	struct ip*		ip;
	char			msgBuf[80];
	int			rval;

	if (mip->assignAliasAddr) {
		do {
			rval = SetAliasAddressFromIfName (mip->ifName);
			if (background == 0 || dynamicMode == 0)
				break;
			if (rval == EAGAIN)
				sleep(1);
		} while (rval == EAGAIN);
		if (rval != 0)
			exit(1);
		mip->assignAliasAddr = 0;
	}
/*
 * Get packet from socket.
 */
	addrSize  = sizeof addr;
	origBytes = recvfrom (fd,
			      buf,
			      sizeof buf,
			      0,
			      (struct sockaddr*) &addr,
			      &addrSize);

	if (origBytes == -1) {

		if (errno != EINTR)
			Warn ("read from divert socket failed");

		return;
	}
/*
 * This is an IP packet.
 */
	ip = (struct ip*) buf;
	if (direction == DONT_KNOW) {
		if (addr.sin_addr.s_addr == INADDR_ANY)
			direction = OUTPUT;
		else
			direction = INPUT;
	}

	if (verbose) {
/*
 * Print packet direction and protocol type.
 */
		printf (direction == OUTPUT ? "Out " : "In  ");
		if (ninstance > 1)
			printf ("{%s}", mip->name);

		switch (ip->ip_p) {
		case IPPROTO_TCP:
			printf ("[TCP]  ");
			break;

		case IPPROTO_UDP:
			printf ("[UDP]  ");
			break;

		case IPPROTO_ICMP:
			printf ("[ICMP] ");
			break;

		default:
			printf ("[%d]    ", ip->ip_p);
			break;
		}
/*
 * Print addresses.
 */
		PrintPacket (ip);
	}

	if (direction == OUTPUT) {
/*
 * Outgoing packets. Do aliasing.
 */
		LibAliasOut (mla, buf, IP_MAXPACKET);
	}
	else {

/*
 * Do aliasing.
 */
		status = LibAliasIn (mla, buf, IP_MAXPACKET);
		if (status == PKT_ALIAS_IGNORED &&
		    mip->dropIgnoredIncoming) {

			if (verbose)
				printf (" dropped.\n");

			if (mip->logDropped)
				SyslogPacket (ip, LOG_WARNING, "denied");

			return;
		}
	}
/*
 * Length might have changed during aliasing.
 */
	bytes = ntohs (ip->ip_len);
/*
 * Update alias overhead size for outgoing packets.
 */
	if (direction == OUTPUT &&
	    bytes - origBytes > mip->aliasOverhead)
		mip->aliasOverhead = bytes - origBytes;

	if (verbose) {

/*
 * Print addresses after aliasing.
 */
		printf (" aliased to\n");
		printf ("           ");
		PrintPacket (ip);
		printf ("\n");
	}

/*
 * Put packet back for processing.
 */
	wrote = sendto (fd,
		        buf,
	    		bytes,
	    		0,
	    		(struct sockaddr*) &addr,
	    		sizeof addr);

	if (wrote != bytes) {

		if (errno == EMSGSIZE) {

			if (direction == OUTPUT &&
			    mip->ifMTU != -1)
				SendNeedFragIcmp (icmpSock,
						  (struct ip*) buf,
						  mip->ifMTU - mip->aliasOverhead);
		}
		else if (errno == EACCES && logIpfwDenied) {

			sprintf (msgBuf, "failed to write packet back");
			Warn (msgBuf);
		}
	}
}

static void HandleRoutingInfo (int fd)
{
	int			bytes;
	struct if_msghdr	ifMsg;
/*
 * Get packet from socket.
 */
	bytes = read (fd, &ifMsg, sizeof ifMsg);
	if (bytes == -1) {

		Warn ("read from routing socket failed");
		return;
	}

	if (ifMsg.ifm_version != RTM_VERSION) {

		Warn ("unexpected packet read from routing socket");
		return;
	}

	if (verbose)
		printf ("Routing message %#x received.\n", ifMsg.ifm_type);

	if ((ifMsg.ifm_type == RTM_NEWADDR || ifMsg.ifm_type == RTM_IFINFO)) {
		LIST_FOREACH(mip, &root, list) {
			mla = mip->la;
			if (ifMsg.ifm_index == mip->ifIndex) {
				if (verbose)
					printf("Interface address/MTU has probably changed.\n");
				mip->assignAliasAddr = 1;
			}
		}
	}
}

static void PrintPacket (struct ip* ip)
{
	printf ("%s", FormatPacket (ip));
}

static void SyslogPacket (struct ip* ip, int priority, const char *label)
{
	syslog (priority, "%s %s", label, FormatPacket (ip));
}

static char* FormatPacket (struct ip* ip)
{
	static char	buf[256];
	struct tcphdr*	tcphdr;
	struct udphdr*	udphdr;
	struct icmp*	icmphdr;
	char		src[20];
	char		dst[20];

	strcpy (src, inet_ntoa (ip->ip_src));
	strcpy (dst, inet_ntoa (ip->ip_dst));

	switch (ip->ip_p) {
	case IPPROTO_TCP:
		tcphdr = (struct tcphdr*) ((char*) ip + (ip->ip_hl << 2));
		sprintf (buf, "[TCP] %s:%d -> %s:%d",
			      src,
			      ntohs (tcphdr->th_sport),
			      dst,
			      ntohs (tcphdr->th_dport));
		break;

	case IPPROTO_UDP:
		udphdr = (struct udphdr*) ((char*) ip + (ip->ip_hl << 2));
		sprintf (buf, "[UDP] %s:%d -> %s:%d",
			      src,
			      ntohs (udphdr->uh_sport),
			      dst,
			      ntohs (udphdr->uh_dport));
		break;

	case IPPROTO_ICMP:
		icmphdr = (struct icmp*) ((char*) ip + (ip->ip_hl << 2));
		sprintf (buf, "[ICMP] %s -> %s %u(%u)",
			      src,
			      dst,
			      icmphdr->icmp_type,
			      icmphdr->icmp_code);
		break;

	default:
		sprintf (buf, "[%d] %s -> %s ", ip->ip_p, src, dst);
		break;
	}

	return buf;
}

static int
SetAliasAddressFromIfName(const char *ifn)
{
	size_t needed;
	int mib[6];
	char *buf, *lim, *next;
	struct if_msghdr *ifm;
	struct ifa_msghdr *ifam;
	struct sockaddr_dl *sdl;
	struct sockaddr_in *sin;

	mib[0] = CTL_NET;
	mib[1] = PF_ROUTE;
	mib[2] = 0;
	mib[3] = AF_INET;	/* Only IP addresses please */
	mib[4] = NET_RT_IFLIST;
	mib[5] = 0;		/* ifIndex??? */
/*
 * Get interface data.
 */
	if (sysctl(mib, 6, NULL, &needed, NULL, 0) == -1)
		err(1, "iflist-sysctl-estimate");
	if ((buf = malloc(needed)) == NULL)
		errx(1, "malloc failed");
	if (sysctl(mib, 6, buf, &needed, NULL, 0) == -1 && errno != ENOMEM)
		err(1, "iflist-sysctl-get");
	lim = buf + needed;
/*
 * Loop through interfaces until one with
 * given name is found. This is done to
 * find correct interface index for routing
 * message processing.
 */
	mip->ifIndex	= 0;
	next = buf;
	while (next < lim) {
		ifm = (struct if_msghdr *)next;
		next += ifm->ifm_msglen;
		if (ifm->ifm_version != RTM_VERSION) {
			if (verbose)
				warnx("routing message version %d "
				      "not understood", ifm->ifm_version);
			continue;
		}
		if (ifm->ifm_type == RTM_IFINFO) {
			sdl = (struct sockaddr_dl *)(ifm + 1);
			if (strlen(ifn) == sdl->sdl_nlen &&
			    strncmp(ifn, sdl->sdl_data, sdl->sdl_nlen) == 0) {
				mip->ifIndex = ifm->ifm_index;
				mip->ifMTU = ifm->ifm_data.ifi_mtu;
				break;
			}
		}
	}
	if (!mip->ifIndex)
		errx(1, "unknown interface name %s", ifn);
/*
 * Get interface address.
 */
	sin = NULL;
	while (next < lim) {
		ifam = (struct ifa_msghdr *)next;
		next += ifam->ifam_msglen;
		if (ifam->ifam_version != RTM_VERSION) {
			if (verbose)
				warnx("routing message version %d "
				      "not understood", ifam->ifam_version);
			continue;
		}
		if (ifam->ifam_type != RTM_NEWADDR)
			break;
		if (ifam->ifam_addrs & RTA_IFA) {
			int i;
			char *cp = (char *)(ifam + 1);

			for (i = 1; i < RTA_IFA; i <<= 1)
				if (ifam->ifam_addrs & i)
					cp += SA_SIZE((struct sockaddr *)cp);
			if (((struct sockaddr *)cp)->sa_family == AF_INET) {
				sin = (struct sockaddr_in *)cp;
				break;
			}
		}
	}
	if (sin == NULL) {
		warnx("%s: cannot get interface address", ifn);
		free(buf);
		return EAGAIN;
	}

	LibAliasSetAddress(mla, sin->sin_addr);
	syslog(LOG_INFO, "Aliasing to %s, mtu %d bytes",
	       inet_ntoa(sin->sin_addr), mip->ifMTU);

	free(buf);

	return 0;
}

void Quit (const char* msg)
{
	Warn (msg);
	exit (1);
}

void Warn (const char* msg)
{
	if (background)
		syslog (LOG_ALERT, "%s (%m)", msg);
	else
		warn ("%s", msg);
}

static void RefreshAddr (int sig __unused)
{
	LibAliasRefreshModules();
	if (mip != NULL && mip->ifName != NULL)
		mip->assignAliasAddr = 1;
}

static void InitiateShutdown (int sig __unused)
{
/*
 * Start timer to allow kernel gracefully
 * shutdown existing connections when system
 * is shut down.
 */
	siginterrupt(SIGALRM, 1);
	signal (SIGALRM, Shutdown);
	ualarm(exitDelay*1000, 1000);
}

static void Shutdown (int sig __unused)
{
	running = 0;
}

/*
 * Different options recognized by this program.
 */

enum Option {

	LibAliasOption,
	Instance,
	Verbose,
	InPort,
	OutPort,
	Port,
	GlobalPort,
	AliasAddress,
	TargetAddress,
	InterfaceName,
	RedirectPort,
	RedirectProto,
	RedirectAddress,
	ConfigFile,
	DynamicMode,
	ProxyRule,
 	LogDenied,
 	LogFacility,
	PunchFW,
	SkinnyPort,
	LogIpfwDenied,
	PidFile,
	ExitDelay
};

enum Param {

	YesNo,
	Numeric,
	String,
	None,
	Address,
	Service
};

/*
 * Option information structure (used by ParseOption).
 */

struct OptionInfo {

	enum Option		type;
	int			packetAliasOpt;
	enum Param		parm;
	const char*		parmDescription;
	const char*		description;
	const char*		name;
	const char*		shortName;
};

/*
 * Table of known options.
 */

static struct OptionInfo optionTable[] = {

	{ LibAliasOption,
		PKT_ALIAS_UNREGISTERED_ONLY,
		YesNo,
		"[yes|no]",
		"alias only unregistered addresses",
		"unregistered_only",
		"u" },

	{ LibAliasOption,
		PKT_ALIAS_LOG,
		YesNo,
		"[yes|no]",
		"enable logging",
		"log",
		"l" },

	{ LibAliasOption,
		PKT_ALIAS_PROXY_ONLY,
		YesNo,
		"[yes|no]",
		"proxy only",
		"proxy_only",
		NULL },

	{ LibAliasOption,
		PKT_ALIAS_REVERSE,
		YesNo,
		"[yes|no]",
		"operate in reverse mode",
		"reverse",
		NULL },

	{ LibAliasOption,
		PKT_ALIAS_DENY_INCOMING,
		YesNo,
		"[yes|no]",
		"allow incoming connections",
		"deny_incoming",
		"d" },

	{ LibAliasOption,
		PKT_ALIAS_USE_SOCKETS,
		YesNo,
		"[yes|no]",
		"use sockets to inhibit port conflict",
		"use_sockets",
		"s" },

	{ LibAliasOption,
		PKT_ALIAS_SAME_PORTS,
		YesNo,
		"[yes|no]",
		"try to keep original port numbers for connections",
		"same_ports",
		"m" },

	{ Verbose,
		0,
		YesNo,
		"[yes|no]",
		"verbose mode, dump packet information",
		"verbose",
		"v" },

	{ DynamicMode,
		0,
		YesNo,
		"[yes|no]",
		"dynamic mode, automatically detect interface address changes",
		"dynamic",
		NULL },

	{ InPort,
		0,
		Service,
		"number|service_name",
		"set port for incoming packets",
		"in_port",
		"i" },

	{ OutPort,
		0,
		Service,
		"number|service_name",
		"set port for outgoing packets",
		"out_port",
		"o" },

	{ Port,
		0,
		Service,
		"number|service_name",
		"set port (defaults to natd/divert)",
		"port",
		"p" },

	{ GlobalPort,
		0,
		Service,
		"number|service_name",
		"set globalport",
		"globalport",
		NULL },

	{ AliasAddress,
		0,
		Address,
		"x.x.x.x",
		"address to use for aliasing",
		"alias_address",
		"a" },

	{ TargetAddress,
		0,
		Address,
		"x.x.x.x",
		"address to use for incoming sessions",
		"target_address",
		"t" },

	{ InterfaceName,
		0,
		String,
	        "network_if_name",
		"take aliasing address from interface",
		"interface",
		"n" },

	{ ProxyRule,
		0,
		String,
	        "[type encode_ip_hdr|encode_tcp_stream] port xxxx server "
		"a.b.c.d:yyyy",
		"add transparent proxying / destination NAT",
		"proxy_rule",
		NULL },

	{ RedirectPort,
		0,
		String,
	        "tcp|udp local_addr:local_port_range[,...] [public_addr:]public_port_range"
	 	" [remote_addr[:remote_port_range]]",
		"redirect a port (or ports) for incoming traffic",
		"redirect_port",
		NULL },

	{ RedirectProto,
		0,
		String,
	        "proto local_addr [public_addr] [remote_addr]",
		"redirect packets of a given proto",
		"redirect_proto",
		NULL },

	{ RedirectAddress,
		0,
		String,
	        "local_addr[,...] public_addr",
		"define mapping between local and public addresses",
		"redirect_address",
		NULL },

	{ ConfigFile,
		0,
		String,
		"file_name",
		"read options from configuration file",
		"config",
		"f" },

	{ LogDenied,
		0,
		YesNo,
	        "[yes|no]",
		"enable logging of denied incoming packets",
		"log_denied",
		NULL },

	{ LogFacility,
		0,
		String,
	        "facility",
		"name of syslog facility to use for logging",
		"log_facility",
		NULL },

	{ PunchFW,
		0,
		String,
	        "basenumber:count",
		"punch holes in the firewall for incoming FTP/IRC DCC connections",
		"punch_fw",
		NULL },

	{ SkinnyPort,
		0,
		String,
		"port",
		"set the TCP port for use with the Skinny Station protocol",
		"skinny_port",
		NULL },

	{ LogIpfwDenied,
		0,
		YesNo,
	        "[yes|no]",
		"log packets converted by natd, but denied by ipfw",
		"log_ipfw_denied",
		NULL },

	{ PidFile,
		0,
		String,
		"file_name",
		"store PID in an alternate file",
		"pid_file",
		"P" },
	{ Instance,
		0,
		String,
		"instance name",
		"name of aliasing engine instance",
		"instance",
		NULL },
	{ ExitDelay,
		0,
		Numeric,
		"ms",
		"delay in ms before daemon exit after signal",
		"exit_delay",
		NULL },
};

static void ParseOption (const char* option, const char* parms)
{
	int			i;
	struct OptionInfo*	info;
	int			yesNoValue;
	int			aliasValue;
	int			numValue;
	u_short			uNumValue;
	const char*		strValue;
	struct in_addr		addrValue;
	int			max;
	char*			end;
	const CODE* 		fac_record = NULL;
/*
 * Find option from table.
 */
	max = sizeof (optionTable) / sizeof (struct OptionInfo);
	for (i = 0, info = optionTable; i < max; i++, info++) {

		if (!strcmp (info->name, option))
			break;

		if (info->shortName)
			if (!strcmp (info->shortName, option))
				break;
	}

	if (i >= max) {

		warnx ("unknown option %s", option);
		Usage ();
	}

	uNumValue	= 0;
	yesNoValue	= 0;
	numValue	= 0;
	strValue	= NULL;
/*
 * Check parameters.
 */
	switch (info->parm) {
	case YesNo:
		if (!parms)
			parms = "yes";

		if (!strcmp (parms, "yes"))
			yesNoValue = 1;
		else
			if (!strcmp (parms, "no"))
				yesNoValue = 0;
			else
				errx (1, "%s needs yes/no parameter", option);
		break;

	case Service:
		if (!parms)
			errx (1, "%s needs service name or "
				 "port number parameter",
				 option);

		uNumValue = StrToPort (parms, "divert");
		break;

	case Numeric:
		if (parms)
			numValue = strtol (parms, &end, 10);
		else
			end = NULL;

		if (end == parms)
			errx (1, "%s needs numeric parameter", option);
		break;

	case String:
		strValue = parms;
		if (!strValue)
			errx (1, "%s needs parameter", option);
		break;

	case None:
		if (parms)
			errx (1, "%s does not take parameters", option);
		break;

	case Address:
		if (!parms)
			errx (1, "%s needs address/host parameter", option);

		StrToAddr (parms, &addrValue);
		break;
	}

	switch (info->type) {
	case LibAliasOption:

		aliasValue = yesNoValue ? info->packetAliasOpt : 0;
		LibAliasSetMode (mla, aliasValue, info->packetAliasOpt);
		break;

	case Verbose:
		verbose = yesNoValue;
		break;

	case DynamicMode:
		dynamicMode = yesNoValue;
		break;

	case InPort:
		mip->inPort = uNumValue;
		break;

	case OutPort:
		mip->outPort = uNumValue;
		break;

	case Port:
		mip->inOutPort = uNumValue;
		break;

	case GlobalPort:
		globalPort = uNumValue;
		break;

	case AliasAddress:
		memcpy (&mip->aliasAddr, &addrValue, sizeof (struct in_addr));
		break;

	case TargetAddress:
		LibAliasSetTarget(mla, addrValue);
		break;

	case RedirectPort:
		SetupPortRedirect (strValue);
		break;

	case RedirectProto:
		SetupProtoRedirect(strValue);
		break;

	case RedirectAddress:
		SetupAddressRedirect (strValue);
		break;

	case ProxyRule:
		LibAliasProxyRule (mla, strValue);
		break;

	case InterfaceName:
		if (mip->ifName)
			free (mip->ifName);

		mip->ifName = strdup (strValue);
		break;

	case ConfigFile:
		ReadConfigFile (strValue);
		break;

	case LogDenied:
		mip->logDropped = yesNoValue;
		break;

	case LogFacility:

		fac_record = facilitynames;
		while (fac_record->c_name != NULL) {

			if (!strcmp (fac_record->c_name, strValue)) {

				logFacility = fac_record->c_val;
				break;

			}
			else
				fac_record++;
		}

		if(fac_record->c_name == NULL)
			errx(1, "Unknown log facility name: %s", strValue);

		break;

	case PunchFW:
		SetupPunchFW(strValue);
		break;

	case SkinnyPort:
		SetupSkinnyPort(strValue);
		break;

	case LogIpfwDenied:
		logIpfwDenied = yesNoValue;
		break;

	case PidFile:
		pidName = strdup (strValue);
		break;
	case Instance:
		NewInstance(strValue);
		break;
	case ExitDelay:
		if (numValue < 0 || numValue > MAX_EXIT_DELAY)
			errx(1, "Incorrect exit delay: %d", numValue);
		exitDelay = numValue;
		break;
	}
}

void ReadConfigFile (const char* fileName)
{
	FILE*	file;
	char	*buf;
	size_t	len;
	char	*ptr, *p;
	char*	option;

	file = fopen (fileName, "r");
	if (!file)
		err(1, "cannot open config file %s", fileName);

	while ((buf = fgetln(file, &len)) != NULL) {
		if (buf[len - 1] == '\n')
			buf[len - 1] = '\0';
		else
			errx(1, "config file format error: "
				"last line should end with newline");

/*
 * Check for comments, strip off trailing spaces.
 */
		if ((ptr = strchr(buf, '#')))
			*ptr = '\0';
		for (ptr = buf; isspace(*ptr); ++ptr)
			continue;
		if (*ptr == '\0')
			continue;
		for (p = strchr(buf, '\0'); isspace(*--p);)
			continue;
		*++p = '\0';

/*
 * Extract option name.
 */
		option = ptr;
		while (*ptr && !isspace (*ptr))
			++ptr;

		if (*ptr != '\0') {

			*ptr = '\0';
			++ptr;
		}
/*
 * Skip white space between name and parms.
 */
		while (*ptr && isspace (*ptr))
			++ptr;

		ParseOption (option, *ptr ? ptr : NULL);
	}

	fclose (file);
}

static void Usage(void)
{
	int			i;
	int			max;
	struct OptionInfo*	info;

	fprintf (stderr, "Recognized options:\n\n");

	max = sizeof (optionTable) / sizeof (struct OptionInfo);
	for (i = 0, info = optionTable; i < max; i++, info++) {

		fprintf (stderr, "-%-20s %s\n", info->name,
						info->parmDescription);

		if (info->shortName)
			fprintf (stderr, "-%-20s %s\n", info->shortName,
							info->parmDescription);

		fprintf (stderr, "      %s\n\n", info->description);
	}

	exit (1);
}

void SetupPortRedirect (const char* parms)
{
	char		*buf;
	char*		ptr;
	char*		serverPool;
	struct in_addr	localAddr;
	struct in_addr	publicAddr;
	struct in_addr	remoteAddr;
	port_range      portRange;
	u_short         localPort      = 0;
	u_short         publicPort     = 0;
	u_short         remotePort     = 0;
	u_short         numLocalPorts  = 0;
	u_short         numPublicPorts = 0;
	u_short         numRemotePorts = 0;
	int		proto;
	char*		protoName;
	char*		separator;
	int             i;
	struct alias_link *aliaslink = NULL;

	buf = strdup (parms);
	if (!buf)
		errx (1, "redirect_port: strdup() failed");
/*
 * Extract protocol.
 */
	protoName = strtok (buf, " \t");
	if (!protoName)
		errx (1, "redirect_port: missing protocol");

	proto = StrToProto (protoName);
/*
 * Extract local address.
 */
	ptr = strtok (NULL, " \t");
	if (!ptr)
		errx (1, "redirect_port: missing local address");

	separator = strchr(ptr, ',');
	if (separator) {		/* LSNAT redirection syntax. */
		localAddr.s_addr = INADDR_NONE;
		localPort = ~0;
		numLocalPorts = 1;
		serverPool = ptr;
	} else {
		if ( StrToAddrAndPortRange (ptr, &localAddr, protoName, &portRange) != 0 )
			errx (1, "redirect_port: invalid local port range");

		localPort     = GETLOPORT(portRange);
		numLocalPorts = GETNUMPORTS(portRange);
		serverPool = NULL;
	}

/*
 * Extract public port and optionally address.
 */
	ptr = strtok (NULL, " \t");
	if (!ptr)
		errx (1, "redirect_port: missing public port");

	separator = strchr (ptr, ':');
	if (separator) {
	        if (StrToAddrAndPortRange (ptr, &publicAddr, protoName, &portRange) != 0 )
		        errx (1, "redirect_port: invalid public port range");
	}
	else {
		publicAddr.s_addr = INADDR_ANY;
		if (StrToPortRange (ptr, protoName, &portRange) != 0)
		        errx (1, "redirect_port: invalid public port range");
	}

	publicPort     = GETLOPORT(portRange);
	numPublicPorts = GETNUMPORTS(portRange);

/*
 * Extract remote address and optionally port.
 */
	ptr = strtok (NULL, " \t");
	if (ptr) {
		separator = strchr (ptr, ':');
		if (separator) {
		        if (StrToAddrAndPortRange (ptr, &remoteAddr, protoName, &portRange) != 0)
			        errx (1, "redirect_port: invalid remote port range");
		} else {
		        SETLOPORT(portRange, 0);
			SETNUMPORTS(portRange, 1);
			StrToAddr (ptr, &remoteAddr);
		}
	}
	else {
	        SETLOPORT(portRange, 0);
		SETNUMPORTS(portRange, 1);
		remoteAddr.s_addr = INADDR_ANY;
	}

	remotePort     = GETLOPORT(portRange);
	numRemotePorts = GETNUMPORTS(portRange);

/*
 * Make sure port ranges match up, then add the redirect ports.
 */
	if (numLocalPorts != numPublicPorts)
	        errx (1, "redirect_port: port ranges must be equal in size");

	/* Remote port range is allowed to be '0' which means all ports. */
	if (numRemotePorts != numLocalPorts && (numRemotePorts != 1 || remotePort != 0))
	        errx (1, "redirect_port: remote port must be 0 or equal to local port range in size");

	for (i = 0 ; i < numPublicPorts ; ++i) {
	        /* If remotePort is all ports, set it to 0. */
	        u_short remotePortCopy = remotePort + i;
	        if (numRemotePorts == 1 && remotePort == 0)
		        remotePortCopy = 0;

		aliaslink = LibAliasRedirectPort (mla, localAddr,
						htons(localPort + i),
						remoteAddr,
						htons(remotePortCopy),
						publicAddr,
						htons(publicPort + i),
						proto);
	}

/*
 * Setup LSNAT server pool.
 */
	if (serverPool != NULL && aliaslink != NULL) {
		ptr = strtok(serverPool, ",");
		while (ptr != NULL) {
			if (StrToAddrAndPortRange(ptr, &localAddr, protoName, &portRange) != 0)
				errx(1, "redirect_port: invalid local port range");

			localPort = GETLOPORT(portRange);
			if (GETNUMPORTS(portRange) != 1)
				errx(1, "redirect_port: local port must be single in this context");
			LibAliasAddServer(mla, aliaslink, localAddr, htons(localPort));
			ptr = strtok(NULL, ",");
		}
	}

	free (buf);
}

void
SetupProtoRedirect(const char* parms)
{
	char		*buf;
	char*		ptr;
	struct in_addr	localAddr;
	struct in_addr	publicAddr;
	struct in_addr	remoteAddr;
	int		proto;
	char*		protoName;
	struct protoent *protoent;

	buf = strdup (parms);
	if (!buf)
		errx (1, "redirect_port: strdup() failed");
/*
 * Extract protocol.
 */
	protoName = strtok(buf, " \t");
	if (!protoName)
		errx(1, "redirect_proto: missing protocol");

	protoent = getprotobyname(protoName);
	if (protoent == NULL)
		errx(1, "redirect_proto: unknown protocol %s", protoName);
	else
		proto = protoent->p_proto;
/*
 * Extract local address.
 */
	ptr = strtok(NULL, " \t");
	if (!ptr)
		errx(1, "redirect_proto: missing local address");
	else
		StrToAddr(ptr, &localAddr);
/*
 * Extract optional public address.
 */
	ptr = strtok(NULL, " \t");
	if (ptr)
		StrToAddr(ptr, &publicAddr);
	else
		publicAddr.s_addr = INADDR_ANY;
/*
 * Extract optional remote address.
 */
	ptr = strtok(NULL, " \t");
	if (ptr)
		StrToAddr(ptr, &remoteAddr);
	else
		remoteAddr.s_addr = INADDR_ANY;
/*
 * Create aliasing link.
 */
	(void)LibAliasRedirectProto(mla, localAddr, remoteAddr, publicAddr,
				       proto);

	free (buf);
}

void SetupAddressRedirect (const char* parms)
{
	char		*buf;
	char*		ptr;
	char*		separator;
	struct in_addr	localAddr;
	struct in_addr	publicAddr;
	char*		serverPool;
	struct alias_link *aliaslink;

	buf = strdup (parms);
	if (!buf)
		errx (1, "redirect_port: strdup() failed");
/*
 * Extract local address.
 */
	ptr = strtok (buf, " \t");
	if (!ptr)
		errx (1, "redirect_address: missing local address");

	separator = strchr(ptr, ',');
	if (separator) {		/* LSNAT redirection syntax. */
		localAddr.s_addr = INADDR_NONE;
		serverPool = ptr;
	} else {
		StrToAddr (ptr, &localAddr);
		serverPool = NULL;
	}
/*
 * Extract public address.
 */
	ptr = strtok (NULL, " \t");
	if (!ptr)
		errx (1, "redirect_address: missing public address");

	StrToAddr (ptr, &publicAddr);
	aliaslink = LibAliasRedirectAddr(mla, localAddr, publicAddr);

/*
 * Setup LSNAT server pool.
 */
	if (serverPool != NULL && aliaslink != NULL) {
		ptr = strtok(serverPool, ",");
		while (ptr != NULL) {
			StrToAddr(ptr, &localAddr);
			LibAliasAddServer(mla, aliaslink, localAddr, htons(~0));
			ptr = strtok(NULL, ",");
		}
	}

	free (buf);
}

void StrToAddr (const char* str, struct in_addr* addr)
{
	struct hostent* hp;

	if (inet_aton (str, addr))
		return;

	hp = gethostbyname (str);
	if (!hp)
		errx (1, "unknown host %s", str);

	memcpy (addr, hp->h_addr, sizeof (struct in_addr));
}

u_short StrToPort (const char* str, const char* proto)
{
	u_short		port;
	struct servent*	sp;
	char*		end;

	port = strtol (str, &end, 10);
	if (end != str)
		return htons (port);

	sp = getservbyname (str, proto);
	if (!sp)
		errx (1, "%s/%s: unknown service", str, proto);

	return sp->s_port;
}

int StrToPortRange (const char* str, const char* proto, port_range *portRange)
{
	char*           sep;
	struct servent*	sp;
	char*		end;
	u_short         loPort;
	u_short         hiPort;

	/* First see if this is a service, return corresponding port if so. */
	sp = getservbyname (str,proto);
	if (sp) {
	        SETLOPORT(*portRange, ntohs(sp->s_port));
		SETNUMPORTS(*portRange, 1);
		return 0;
	}

	/* Not a service, see if it's a single port or port range. */
	sep = strchr (str, '-');
	if (sep == NULL) {
	        SETLOPORT(*portRange, strtol(str, &end, 10));
		if (end != str) {
		        /* Single port. */
		        SETNUMPORTS(*portRange, 1);
			return 0;
		}

		/* Error in port range field. */
		errx (1, "%s/%s: unknown service", str, proto);
	}

	/* Port range, get the values and sanity check. */
	sscanf (str, "%hu-%hu", &loPort, &hiPort);
	SETLOPORT(*portRange, loPort);
	SETNUMPORTS(*portRange, 0);	/* Error by default */
	if (loPort <= hiPort)
	        SETNUMPORTS(*portRange, hiPort - loPort + 1);

	if (GETNUMPORTS(*portRange) == 0)
	        errx (1, "invalid port range %s", str);

	return 0;
}


int StrToProto (const char* str)
{
	if (!strcmp (str, "tcp"))
		return IPPROTO_TCP;

	if (!strcmp (str, "udp"))
		return IPPROTO_UDP;

	errx (1, "unknown protocol %s. Expected tcp or udp", str);
}

int StrToAddrAndPortRange (const char* str, struct in_addr* addr, char* proto, port_range *portRange)
{
	char*	ptr;

	ptr = strchr (str, ':');
	if (!ptr)
		errx (1, "%s is missing port number", str);

	*ptr = '\0';
	++ptr;

	StrToAddr (str, addr);
	return StrToPortRange (ptr, proto, portRange);
}

static void
SetupPunchFW(const char *strValue)
{
	unsigned int base, num;

	if (sscanf(strValue, "%u:%u", &base, &num) != 2)
		errx(1, "punch_fw: basenumber:count parameter required");

	if (CheckIpfwRulenum(base + num - 1) == -1)
		errx(1, "punch_fw: basenumber:count parameter should fit "
			"the maximum allowed rule numbers");

	LibAliasSetFWBase(mla, base, num);
	(void)LibAliasSetMode(mla, PKT_ALIAS_PUNCH_FW, PKT_ALIAS_PUNCH_FW);
}

static void
SetupSkinnyPort(const char *strValue)
{
	unsigned int port;

	if (sscanf(strValue, "%u", &port) != 1)
		errx(1, "skinny_port: port parameter required");

	LibAliasSetSkinnyPort(mla, port);
}

static void
NewInstance(const char *name)
{
	struct instance *ip;

	LIST_FOREACH(ip, &root, list) {
		if (!strcmp(ip->name, name)) {
			mla = ip->la;
			mip = ip;
			return;
		}
	}
	ninstance++;
	ip = calloc(sizeof *ip, 1);
	ip->name = strdup(name);
	ip->la = LibAliasInit (ip->la);
	ip->assignAliasAddr	= 0;
	ip->ifName		= NULL;
 	ip->logDropped		= 0;
	ip->inPort		= 0;
	ip->outPort		= 0;
	ip->inOutPort		= 0;
	ip->aliasAddr.s_addr	= INADDR_NONE;
	ip->ifMTU		= -1;
	ip->aliasOverhead	= 12;
	LIST_INSERT_HEAD(&root, ip, list);
	mla = ip->la;
	mip = ip;
}

static int
CheckIpfwRulenum(unsigned int rnum)
{
	unsigned int default_rule;
	size_t len = sizeof(default_rule);

	if (sysctlbyname("net.inet.ip.fw.default_rule", &default_rule, &len,
		NULL, 0) == -1) {
		warn("Failed to get the default ipfw rule number, using "
		     "default historical value 65535.  The reason was");
		default_rule = 65535;
	}
	if (rnum >= default_rule) {
		return -1;
	}

	return 0;
}