src/usr.sbin/natd -> src/sbin/natd (after a repo-copy by jdp)

10 files changed, 1 insertions, 2371 deletions

diff --git a/usr.sbin/Makefile b/usr.sbin/Makefile
index e071446..afe09bd 100644
--- a/usr.sbin/Makefile
+++ b/usr.sbin/Makefile
@@ -1,5 +1,5 @@
 #	From: @(#)Makefile	5.20 (Berkeley) 6/12/93
-#	$Id: Makefile,v 1.147 1999/01/11 18:03:54 msmith Exp $
+#	$Id: Makefile,v 1.148 1999/02/21 21:30:13 rnordier Exp $
 
 # XXX MISSING:		mkproto
 SUBDIR=	IPXrouted \
@@ -46,7 +46,6 @@ SUBDIR=	IPXrouted \
 	named \
 	named.reload \
 	named.restart \
-	natd \
 	ndc \
 	newsyslog \
 	nslookup \
diff --git a/usr.sbin/natd/HISTORY b/usr.sbin/natd/HISTORY
deleted file mode 100644
index f929e80..0000000
--- a/usr.sbin/natd/HISTORY
+++ /dev/null
@@ -1,146 +0,0 @@
-* Version 0.1
-
-	Initial version of natd.
-
-* Version 0.2
-
-	- Alias address can now be set by giving interface name with 
-	  new (-n) command-line option.
-
-	- New Makefile based on bsd.prog.mk.
-	  
-	- Error messages are written to syslog
-	  after natd has become a daemon.
-
-* Version 1.0
-
-	- Support for using only single socket (-p option)
-
-* Version 1.1
-
-	- -a option now understands a hostname also.
-	- -a option no longer dumps core.
-	- Packet aliasing software upgraded to v. 1.9
-  	- added long option names (like -address)
-
-* Version 1.2
-
-	- Fixed core dump with -port option.
-	- Added -Wall to CFLAGS and some headers added to natd.c
-	  to get clean compile by Brian Somers [brian@awfulhak.org].
-
-* Version 1.3
-
-	- Aliasing address initialization is delayed until first
-	  packet arrives. This allows natd to start up before
-	  interface address is set.
-	- SIGTERM is now catched to allow kernel to close
-	  existing connections when system is shutting down.
-	- SIGHUP is now catched to allow natd to refresh aliasing
-	  address from interface, which might be useful to tun devices.
-
-* Version 1.4
-
-	- Changed command line options to be compatible with
-	  command names used in ppp+packetAlias package (which is the
-	  original application using aliasing routines). 
-
-	  The options which map directly to packet aliasing options are:
-
-		-unregistered_only [yes|no]
-		-log [yes|no]
-		-deny_incoming [yes|no]
-		-use_sockets [yes|no]
-		-same_ports [yes|no]
-
-	  The short option names are the same as in previous
-	  releases.
-
-	- Command line parser rewritten to provide more flexible
-	  way to support new packet aliasing options.
-
-	- Support for natd.cf configuration file has been added.
-	  
-	- SIGHUP no longer causes problems when running without
-	  interface name option.
-
-	- When using -interface command line option, routing socket
-	  is optionally listened for interface address changes. This
-	  mode is activated by -dynamic option.
-
-	- Directory tree reorganized, alias package is now a library.
-
-	- Manual page written by Brian Somers <brian@awfulhak.org> added.
-	- README file updated.
-
-* Version 1.5
-
-	- Support for sending ICMP 'need fragmentation' messages
- 	  when packet size exceeds mtu size of outgoing network interface.
-
-	- ipfw rule example in manual page fixed.
-
-* Version 1.6
-
-	- Upgrade to new packet aliasing engine (2.1)
-	- redirect_port and redirect_address configuration
-	  parameters added.
-	- It is no longer necessary to quote complex parameter values
-	  in command line.
-	- Manual page fixed (same_port -> same_ports).
-
-* Version 1.7
-
-	- A bug in command-line parsing fixed (it appeared due
-	  to changes made in 1.6).
-
-* Version 1.8
-
-	- Fixed problems with -dynamic option.
-	- Added /var/run/natd.pid
-
-* Version 1.9
-
-	- Changes to manual page by
-	  Brian Somers <brian@awfulhak.org> integrated.
-	- Checksum for incoming packets is always recalculated
-	  for FreeBSD 2.2 and never recalculated for newer
-	  versions. This should fix the problem with wrong
- 	  checksum of fragmented packets.
-	- Buffer space problem found by Sergio Lenzi <lenzi@bsi.com.br>
-	  fixed. Natd now waits with select(2) for buffer space
-	  to become available if write fails.
-	- Packet aliasing library upgraded to 2.2.
-
-* Version 1.10
-
-	- Ignored incoming packets are now dropped when
-	  deny_incoming option is set to yes.
-	- Packet aliasing library upgraded to 2.4.
-
-* Version 1.11
-
-	- Code cleanup work done in FreeBSD-current development merged.
-	- Port numbers are now unsigned as they should always have been.
-
-* Version 1.12
-
-	- Typos in comment fixed. Copyright message added to 
-	  source & header files that were missing it.
-	- A small patch to libalias to make static NAT work correctly.
-
-* Version 2.0
-
-	- Upgrade to libalias 3.0 which gives:
-	- Transparent proxy support.
-	- permanent_link is now obsolete, use redirect_port instead.
-	- Drop support for early FreeBSD 2.2 versions
-	- If separate input & output sockets are being used
-	  use them to find out packet direction instead of
-	  normal mechanism. This can be handy in complex environments
-	  with multiple interfaces.
-	- libalias is no longer part of this distribution.
-	- New sample configuration file
-          from Ted Mittelstaedt <tedm@portsoft.com>.
-	- PPTP redirect support by Dru Nelson <dnelson@redwoodsoft.com> added.
-	- Logging enhancements from Martin Machacek <mm@i.cz> added.
diff --git a/usr.sbin/natd/Makefile b/usr.sbin/natd/Makefile
deleted file mode 100644
index b947158..0000000
--- a/usr.sbin/natd/Makefile
+++ /dev/null
@@ -1,8 +0,0 @@
-PROG		= natd
-SRCS		= natd.c icmp.c
-CFLAGS	       += -Wall
-LDADD		= -lalias
-DPADD		= ${LIBALIAS}
-MAN8		= natd.8
-
-.include <bsd.prog.mk>
diff --git a/usr.sbin/natd/README b/usr.sbin/natd/README
deleted file mode 100644
index 6c158d5..0000000
--- a/usr.sbin/natd/README
+++ /dev/null
@@ -1,53 +0,0 @@
-
-	A Network Address Translation Daemon for FreeBSD
-
-
-1. WHAT IS NATD ?
-
-	This is a simple daemon based on FreeBSD divert sockets
-	which performs network address translation (or masquerading)
-	for IP packets (see related RFCs 1631 and 1918).
-	It is based on packet aliasing package (see README.alias)
-	written by Charles Mott (cmott@srv.net).
-
-	This package works with any network interface (doesn't have
-	to be ppp). I run it on a computer having two ethernet cards,
-	one connected to internet and the other one to local network.
-
-2. GETTING IT RUNNING
-
-	1) Get FreeBSD 2.2 - I think the divert sockets are
-	   not available on earlier versions,
-
-	2) Compile this software by executing "make".
-
-	3) Install the software by executing "make install".
-
-	4) See man natd for further instructions.
-
-3. FTP SITES FOR NATD
-
-	This package is available at ftp://ftp.suutari.iki.fi/pub/natd.
-
-4. AUTHORS
-
-	This program is the result of the efforts of many people
-	at different times:
-
-	Archie Cobbs <archie@whistle.com>	Divert sockets
-	Charles Mott <cmott@srv.net>		Packet aliasing engine
-	Eivind Eklund <eivind@dimaga.com>	Packet aliasing engine
-	Ari Suutari <suutari@iki.fi>		Natd
-	Brian Somers <brian@awfulhak.org>	Manual page, glue and
-						bunch of good ideas.
-				
-	The original package written by Charles Mott 
-	is available at http://www.srv.net/~cmott.
-	It is described in README.alias.
-
-	Happy Networking - comments and fixes are welcome!
-
-	Ari S.	(suutari@iki.fi)
-   
-	
-
diff --git a/usr.sbin/natd/icmp.c b/usr.sbin/natd/icmp.c
deleted file mode 100644
index 1a144c2..0000000
--- a/usr.sbin/natd/icmp.c
+++ /dev/null
@@ -1,127 +0,0 @@
-/*
- * natd - Network Address Translation Daemon for FreeBSD.
- *
- * This software is provided free of charge, with no 
- * warranty of any kind, either expressed or implied.
- * Use at your own risk.
- * 
- * You may copy, modify and distribute this software (icmp.c) freely.
- *
- * Ari Suutari <suutari@iki.fi>
- *
- *	$Id:$
- */
-
-#include <stdlib.h>
-#include <stdio.h>
-#include <unistd.h>
-#include <string.h>
-#include <ctype.h>
-
-#include <sys/types.h>
-#include <sys/socket.h>
-#include <sys/time.h>
-#include <errno.h>
-#include <signal.h>
-
-#include <netdb.h>
-
-#include <netinet/in.h>
-#include <netinet/in_systm.h>
-#include <netinet/ip.h>
-#include <netinet/ip_icmp.h>
-#include <machine/in_cksum.h>
-
-#include <alias.h>
-
-#include "natd.h"
-
-int SendNeedFragIcmp (int sock, struct ip* failedDgram, int mtu)
-{
-	char			icmpBuf[IP_MAXPACKET];
-	struct ip*		ip;
-	struct icmp*		icmp;
-	int			icmpLen;
-	int			failBytes;
-	int			failHdrLen;
-	struct sockaddr_in	addr;
-	int			wrote;
-	struct in_addr		swap;
-/*
- * Don't send error if packet is
- * not the first fragment.
- */
-	if (ntohs (failedDgram->ip_off) & ~(IP_MF | IP_DF))
-		return 0;
-/*
- * Dont respond if failed datagram is ICMP.
- */
-	if (failedDgram->ip_p == IPPROTO_ICMP)
-		return 0;
-/*
- * Start building the message.
- */
-	ip   = (struct ip*) icmpBuf;
-	icmp = (struct icmp*) (icmpBuf + sizeof (struct ip));
-/*
- * Complete ICMP part.
- */
-	icmp->icmp_type  	= ICMP_UNREACH;
-	icmp->icmp_code		= ICMP_UNREACH_NEEDFRAG;
-	icmp->icmp_cksum	= 0;
-	icmp->icmp_void		= 0;
-	icmp->icmp_nextmtu	= htons (mtu);
-/*
- * Copy header + 64 bits of original datagram.
- */
-	failHdrLen = (failedDgram->ip_hl << 2);
-	failBytes  = failedDgram->ip_len - failHdrLen;
-	if (failBytes > 8)
-		failBytes = 8;
-
-	failBytes += failHdrLen;
-	icmpLen    = ICMP_MINLEN + failBytes;
-
-	memcpy (&icmp->icmp_ip, failedDgram, failBytes);
-/*
- * Calculate checksum.
- */
-	icmp->icmp_cksum = PacketAliasInternetChecksum ((u_short*) icmp,
-							icmpLen);
-/*
- * Add IP header using old IP header as template.
- */
-	memcpy (ip, failedDgram, sizeof (struct ip));
-
-	ip->ip_v	= 4;
-	ip->ip_hl	= 5;
-	ip->ip_len	= htons (sizeof (struct ip) + icmpLen);
-	ip->ip_p	= IPPROTO_ICMP;
-	ip->ip_tos	= 0;
-
-	swap = ip->ip_dst;
-	ip->ip_dst = ip->ip_src;
-	ip->ip_src = swap;
-
-	PacketAliasIn ((char*) ip, IP_MAXPACKET);
-
-	addr.sin_family		= AF_INET;
-	addr.sin_addr		= ip->ip_dst;
-	addr.sin_port		= 0;
-/*
- * Put packet into processing queue.
- */
-	wrote = sendto (sock, 
-		        icmp,
-	    		icmpLen,
-	    		0,
-	    		(struct sockaddr*) &addr,
-	    		sizeof addr);
-	
-	if (wrote != icmpLen)
-		Warn ("Cannot send ICMP message.");
-
-	return 1;
-}
-
-
diff --git a/usr.sbin/natd/natd.8 b/usr.sbin/natd/natd.8
deleted file mode 100644
index 6202a94..0000000
--- a/usr.sbin/natd/natd.8
+++ /dev/null
@@ -1,426 +0,0 @@
-.\" manual page [] for natd 1.4
-.\"	$Id:$
-.Dd 15 April 1997
-.Os FreeBSD
-.Dt NATD 8
-.Sh NAME
-.Nm natd
-.Nd
-Network Address Translation Daemon
-.Sh SYNOPSIS
-.Nm
-.Op Fl ldsmvu
-.Op Fl dynamic
-.Op Fl i Ar inport
-.Op Fl o Ar outport
-.Op Fl p Ar port
-.Op Fl a Ar address
-.Op Fl n Ar interface
-.Op Fl f Ar configfile
-
-.Nm
-.Op Fl log
-.Op Fl deny_incoming
-.Op Fl log_denied
-.Op Fl use_sockets
-.Op Fl same_ports
-.Op Fl verbose
-.Op Fl log_facility Ar facility_name
-.Op Fl unregistered_only
-.Op Fl dynamic
-.Op Fl inport Ar inport
-.Op Fl outport Ar outport
-.Op Fl port Ar port
-.Op Fl alias_address Ar address
-.Op Fl interface Ar interface
-.Op Fl config Ar configfile
-.Op Fl redirect_port Ar linkspec
-.Op Fl redirect_address Ar localIP publicIP
-.Op Fl reverse
-.Op Fl proxy_only
-.Op Fl proxy_rule Ar proxyspec
-.Op Fl pptpalias Ar localIP
-
-.Sh DESCRIPTION
-This program provides a Network Address Translation facility for use
-with
-.Xr divert 4
-sockets under FreeBSD.  Most of the command line options are available
-in a single character short form or in a long form.  Use of the long
-form is encouraged as it makes things clearer to the casual observer.
-
-.Pp
-.Nm Natd
-normally runs in the background as a daemon.  It is passed raw IP packets
-as they travel into and out of the machine, and will possibly change these
-before re-injecting them back into the IP packet stream.
-
-.Pp
-.Nm Natd
-changes all packets destined for another host so that their source
-IP number is that of the current machine.  For each packet changed
-in this manner, an internal table entry is created to record this
-fact.  The source port number is also changed to indicate the
-table entry applying to the packet.  Packets that are received with
-a target IP of the current host are checked against this internal
-table.  If an entry is found, it is used to determine the correct
-target IP number and port to place in the packet.
-
-.Pp
-The following command line options are available.
-.Bl -tag -width Fl
-
-.It Fl log | l
-Log various aliasing statistics and information to the file
-.Pa /var/log/alias.log .
-This file is truncated each time natd is started.
-
-.It Fl deny_incoming | d
-Reject packets destined for the current IP number that have no entry
-in the internal translation table.
-
-.It Fl log_denied
-Log denied incoming packets via syslog (see also log_facility)
-
-.It Fl log_facility Ar facility_name
-Use specified log facility when logging information via syslog.
-Facility names are as in
-.Xr syslog.conf 5
-
-.It Fl use_sockets | s
-Allocate a
-.Xr socket 2
-in order to establish an FTP data or IRC DCC send connection.  This
-option uses more system resources, but guarantees successful connections
-when port numbers conflict.
-
-.It Fl same_ports | m
-Try to keep the same port number when altering outgoing packets.
-With this option, protocols such as RPC will have a better chance
-of working.  If it is not possible to maintain the port number, it
-will be silently changed as per normal.
-
-.It Fl verbose | v
-Don't call
-.Xr fork 2
-or
-.Xr daemon 3
-on startup.  Instead, stay attached to the controling terminal and
-display all packet alterations to the standard output.  This option
-should only be used for debugging purposes.
-
-.It Fl unregistered_only | u
-Only alter outgoing packets with an unregistered source address.
-According to rfc 1918, unregistered source addresses are 10.0.0.0/8,
-172.16.0.0/12 and 192.168.0.0/16.
-
-.It Fl redirect_port Ar proto targetIP:targetPORT [aliasIP:]aliasPORT [remoteIP[:remotePORT]]
-Redirect incoming connections arriving to given port to another host and port.
-Proto is either tcp or udp, targetIP is the desired target IP
-number, targetPORT is the desired target PORT number, aliasPORT
-is the requested PORT number and aliasIP is the aliasing address.
-RemoteIP and remotePORT can be used to specify the connection
-more accurately if necessary.
-For example, the argument
-
-.Ar tcp inside1:telnet 6666
-
-means that tcp packets destined for port 6666 on this machine will
-be sent to the telnet port on the inside1 machine.
-
-.It Fl redirect_address Ar localIP publicIP
-Redirect traffic for public IP address to a machine on the local
-network. This function is known as "static NAT". Normally static NAT
-is useful if your ISP has allocated a small block of IP addresses to you,
-but it can even be used in the case of single address:
-
-  redirect_address 10.0.0.8 0.0.0.0
-
-The above command would redirect all incoming traffic
-to machine 10.0.0.8.
-
-If several address aliases specify the same public address
-as follows
-
-  redirect_address 192.168.0.2 public_addr
-  redirect_address 192.168.0.3 public_addr
-  redirect_address 192.168.0.4 public_addr
-  
-the incoming traffic will be directed to the last
-translated local address (192.168.0.4), but outgoing
-traffic to the first two addresses will still be aliased
-to specified public address.
-
-.It Fl dynamic
-If the
-.Fl n
-or
-.Fl interface
-option is used,
-.Nm
-will monitor the routing socket for alterations to the
-.Ar interface
-passed.  If the interfaces IP number is changed,
-.Nm
-will dynamically alter its concept of the alias address.
-
-.It Fl i | inport Ar inport
-Read from and write to
-.Ar inport ,
-treating all packets as packets coming into the machine.
-
-.It Fl o | outport Ar outport
-Read from and write to
-.Ar outport ,
-treating all packets as packets going out of the machine.
-
-.It Fl p | port Ar port
-Read from and write to
-.Ar port ,
-distinguishing packets as incoming our outgoing using the rules specified in
-.Xr divert 4 .
-If
-.Ar port
-is not numeric, it is searched for in the
-.Pa /etc/services
-database using the
-.Xr getservbyname 3
-function.  If this flag is not specified, the divert port named natd will
-be used as a default.  An example entry in the
-.Pa /etc/services
-database would be:
-
-  natd   8668/divert  # Network Address Translation socket
-
-Refer to
-.Xr services 5
-for further details.
-
-.It Fl a | alias_address Ar address
-Use
-.Ar address
-as the alias address.  If this option is not specified, the
-.Fl n
-or
-.Fl interface
-option must be used.  The specified address should be the address assigned
-to the public network interface.
-.Pp
-All data passing out through this addresses interface will be rewritten
-with a source address equal to
-.Ar address .
-All data arriving at the interface from outside will be checked to
-see if it matches any already-aliased outgoing connection.  If it does,
-the packet is altered accordingly.  If not, all
-.Fl redirect_port
-and
-.Fl redirect_address
-assignments are checked and actioned.  If no other action can be made,
-and if
-.Fl deny_incoming
-is not specified, the packet is delivered to the local machine and port
-as specified in the packet.
-
-.It Fl n | interface Ar interface
-Use
-.Ar interface
-to determine the alias address.  If there is a possibility that the
-IP number associated with
-.Ar interface
-may change, the
-.Fl dynamic
-flag should also be used.  If this option is not specified, the
-.Fl a
-or
-.Fl alias_address
-flag must be used.
-.Pp
-The specified
-.Ar interface
-must be the public network interface.
-.It Fl f | config Ar configfile
-Read configuration from
-.Ar configfile .
-.Ar Configfile
-contains a list of options, one per line in the same form as the
-long form of the above command line flags.  For example, the line
-
-  alias_address 158.152.17.1
-
-would specify an alias address of 158.152.17.1.  Options that don't
-take an argument are specified with an option of
-.Ar yes
-or
-.Ar no
-in the configuration file.  For example, the line
-
-  log yes
-
-is synonomous with
-.Fl log .
-Empty lines and lines beginning with '#' are ignored.
-
-.It Fl reverse
-Reverse operation of natd. This can be useful in some 
-transparent proxying situations when outgoing traffic
-is redirected to the local machine and natd is running on the
-incoming interface (it usually runs on the outgoing interface).
-
-.It Fl proxy_only
-Force natd to perform transparent proxying
-only. Normal address translation is not performed.
-
-.It Fl proxy_rule Ar [type encode_ip_hdr|encode_tcp_stream] port xxxx server a.b.c.d:yyyy
-Enable transparent proxying. Packets with the given port going through this
-host to any other host are redirected to the given server and port.
-Optionally, the original target address can be encoded into the packet. Use 
-.Dq encode_ip_hdr
-to put this information into the IP option field or
-.Dq encode_tcp_stream
-to inject the data into the beginning of the TCP stream.
-
-.It Fl pptpalias Ar localIP
-Allow PPTP packets to go to the defined localIP address. PPTP is a VPN or secure
-IP tunneling technology being developed primarily by Microsoft. For its encrypted traffic,
-it uses an old IP encapsulation protocol called GRE (47). This
-natd option will translate any traffic of this protocol to a
-single, specified IP address. This would allow either one client or one server 
-to be serviced with natd. If you are setting up a server, don't forget to allow the TCP traffic
-for the PPTP setup. For a client or server, you must allow GRE (protocol 47) if you have firewall lists active.
-
-.El
-
-.Sh RUNNING NATD
-The following steps are necessary before attempting to run
-.Nm natd :
-
-.Bl -enum
-.It
-Get FreeBSD version 2.2 or higher.  Versions before this do not support
-.Xr divert 4
-sockets.
-
-.It
-Build a custom kernel with the following options:
-
-  options IPFIREWALL
-  options IPDIVERT
-
-Refer to the handbook for detailed instructions on building a custom
-kernel.
-
-.It
-Ensure that your machine is acting as a gateway.  This can be done by
-specifying the line
-
-  gateway_enable=YES
-
-in
-.Pa /etc/rc.conf ,
-or using the command
-
-  sysctl -w net.inet.ip.forwarding=1
-
-.It
-If you wish to use the
-.Fl n
-or
-.Fl interface
-flags, make sure that your interface is already configured.  If, for
-example, you wish to specify tun0 as your
-.Ar interface ,
-and you're using
-.Xr ppp 8
-on that interface, you must make sure that you start
-.Nm ppp
-prior to starting
-.Nm natd .
-
-.It
-Create an entry in
-.Pa /etc/services :
-
-  natd          8668/divert  # Network Address Translation socket
-
-This gives a default for the
-.Fl p
-or
-.Fl port
-flag.
-
-.El
-.Pp
-Running
-.Nm
-is fairly straight forward.  The line
-
-  natd -interface ed0
-
-should suffice in most cases (substituting the correct interface name).  Once
-.Nm
-is running, you must ensure that traffic is diverted to natd:
-
-.Bl -enum
-.It
-You will need to adjust the
-.Pa /etc/rc.firewall
-script to taste.  If you're not interested in having a firewall, the
-following lines will do:
-
-  /sbin/ipfw -f flush
-  /sbin/ipfw add divert natd all from any to any via ed0
-  /sbin/ipfw add pass all from any to any
-
-The second line depends on your interface (change ed0 as appropriate)
-and assumes that you've updated
-.Pa /etc/services
-with the natd entry as above.  If you specify real firewall rules, it's
-best to specify line 2 at the start of the script so that
-.Nm
-sees all packets before they are dropped by the firewall.  The firewall
-rules will be run again on each packet after translation by
-.Nm natd ,
-minus any divert rules.
-
-.It
-Enable your firewall by setting
-
-  firewall_enable=YES
-
-in
-.Pa /etc/rc.conf .
-This tells the system startup scripts to run the
-.Pa /etc/rc.firewall
-script.  If you don't wish to reboot now, just run this by hand from the
-console.  NEVER run this from a virtual session unless you put it into
-the background.  If you do, you'll lock yourself out after the flush
-takes place, and execution of
-.Pa /etc/rc.firewall
-will stop at this point - blocking all accesses permanently.  Running
-the script in the background should be enough to prevent this disaster.
-
-.El
-
-.Sh SEE ALSO
-.Xr getservbyname 2 ,
-.Xr socket 2 ,
-.Xr divert 4 ,
-.Xr services 5 ,
-.Xr ipfw 8
-
-.Sh AUTHORS
-This program is the result of the efforts of many people at different
-times:
-
-.An Archie Cobbs Aq archie@whistle.com
-(divert sockets)
-.An Charles Mott Aq cmott@srv.net
-(packet aliasing)
-.An Eivind Eklund Aq perhaps@yes.no
-(IRC support & misc additions)
-.An Ari Suutari Aq suutari@iki.fi
-(natd)
-.An Dru Nelson Aq dnelson@redwoodsoft.com
-(PPTP support)
-.An Brian Somers Aq brian@awfulhak.org
-(glue)
diff --git a/usr.sbin/natd/natd.c b/usr.sbin/natd/natd.c
deleted file mode 100644
index 5dab03e..0000000
--- a/usr.sbin/natd/natd.c
+++ /dev/null
@@ -1,1477 +0,0 @@
-/*
- * natd - Network Address Translation Daemon for FreeBSD.
- *
- * This software is provided free of charge, with no 
- * warranty of any kind, either expressed or implied.
- * Use at your own risk.
- * 
- * You may copy, modify and distribute this software (natd.c) freely.
- *
- * Ari Suutari <suutari@iki.fi>
- *
- *	$Id: natd.c,v 1.10 1999/03/07 18:23:56 brian Exp $
- */
-
-#define SYSLOG_NAMES
-
-#include <sys/types.h>
-#include <sys/socket.h>
-#include <sys/time.h>
-
-#include <netinet/in.h>
-#include <netinet/in_systm.h>
-#include <netinet/ip.h>
-#include <machine/in_cksum.h>
-#include <netinet/tcp.h>
-#include <netinet/udp.h>
-#include <netinet/ip_icmp.h>
-#include <sys/ioctl.h>
-#include <net/if.h>
-#include <net/route.h>
-#include <arpa/inet.h>
-
-#include <alias.h>
-#include <ctype.h>
-#include <err.h>
-#include <errno.h>
-#include <netdb.h>
-#include <signal.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <syslog.h>
-#include <unistd.h>
-
-#include "natd.h"
-
-/* 
- * Default values for input and output
- * divert socket ports.
- */
-
-#define	DEFAULT_SERVICE	"natd"
-
-/*
- * Function prototypes.
- */
-
-static void	DoAliasing (int fd, int direction);
-static void	DaemonMode ();
-static void	HandleRoutingInfo (int fd);
-static void	Usage ();
-static char*	FormatPacket (struct ip*);
-static void	PrintPacket (struct ip*);
-static void	SyslogPacket (struct ip*, int priority, char *label);
-static void	SetAliasAddressFromIfName (char* ifName);
-static void	InitiateShutdown ();
-static void	Shutdown ();
-static void	RefreshAddr ();
-static void	ParseOption (char* option, char* parms, int cmdLine);
-static void	ReadConfigFile (char* fileName);
-static void	SetupPortRedirect (char* parms);
-static void	SetupAddressRedirect (char* parms);
-static void	SetupPptpAlias (char* parms);
-static void	StrToAddr (char* str, struct in_addr* addr);
-static u_short  StrToPort (char* str, char* proto);
-static int 	StrToProto (char* str);
-static u_short  StrToAddrAndPort (char* str, struct in_addr* addr, char* proto);
-static void	ParseArgs (int argc, char** argv);
-static void	FlushPacketBuffer (int fd);
-
-/*
- * Globals.
- */
-
-static	int			verbose;
-static 	int			background;
-static	int			running;
-static	int			assignAliasAddr;
-static	char*			ifName;
-static  int			ifIndex;
-static	u_short			inPort;
-static	u_short			outPort;
-static	u_short			inOutPort;
-static	struct in_addr		aliasAddr;
-static 	int			dynamicMode;
-static  int			ifMTU;
-static	int			aliasOverhead;
-static 	int			icmpSock;
-static	char			packetBuf[IP_MAXPACKET];
-static 	int			packetLen;
-static	struct sockaddr_in	packetAddr;
-static 	int			packetSock;
-static 	int			packetDirection;
-static  int			dropIgnoredIncoming;
-static  int			logDropped;
-static	int			logFacility;
-
-int main (int argc, char** argv)
-{
-	int			divertIn;
-	int			divertOut;
-	int			divertInOut;
-	int			routeSock;
-	struct sockaddr_in	addr;
-	fd_set			readMask;
-	fd_set			writeMask;
-	int			fdMax;
-/* 
- * Initialize packet aliasing software.
- * Done already here to be able to alter option bits
- * during command line and configuration file processing.
- */
-	PacketAliasInit ();
-/*
- * Parse options.
- */
-	inPort			= 0;
-	outPort			= 0;
-	verbose 		= 0;
-	inOutPort		= 0;
-	ifName			= NULL;
-	ifMTU			= -1;
-	background		= 0;
-	running			= 1;
-	assignAliasAddr		= 0;
-	aliasAddr.s_addr	= INADDR_NONE;
-	aliasOverhead		= 12;
-	dynamicMode		= 0;
- 	logDropped		= 0;
- 	logFacility		= LOG_DAEMON;
-/*
- * Mark packet buffer empty.
- */
-	packetSock		= -1;
-	packetDirection		= DONT_KNOW;
-
-	ParseArgs (argc, argv);
-/*
- * Open syslog channel.
- */
-	openlog ("natd", LOG_CONS | LOG_PID, logFacility);
-/*
- * Check that valid aliasing address has been given.
- */
-	if (aliasAddr.s_addr == INADDR_NONE && ifName == NULL)
-		errx (1, "aliasing address not given");
-
-	if (aliasAddr.s_addr != INADDR_NONE && ifName != NULL)
-		errx (1, "both alias address and interface "
-			 "name are not allowed");
-/*
- * Check that valid port number is known.
- */
-	if (inPort != 0 || outPort != 0)
-		if (inPort == 0 || outPort == 0)
-			errx (1, "both input and output ports are required");
-
-	if (inPort == 0 && outPort == 0 && inOutPort == 0)
-		ParseOption ("port", DEFAULT_SERVICE, 0);
-
-/*
- * Check if ignored packets should be dropped.
- */
-	dropIgnoredIncoming = PacketAliasSetMode (0, 0);
-	dropIgnoredIncoming &= PKT_ALIAS_DENY_INCOMING;
-/*
- * Create divert sockets. Use only one socket if -p was specified
- * on command line. Otherwise, create separate sockets for
- * outgoing and incoming connnections.
- */
-	if (inOutPort) {
-
-		divertInOut = socket (PF_INET, SOCK_RAW, IPPROTO_DIVERT);
-		if (divertInOut == -1)
-			Quit ("Unable to create divert socket.");
-
-		divertIn  = -1;
-		divertOut = -1;
-/*
- * Bind socket.
- */
-
-		addr.sin_family		= AF_INET;
-		addr.sin_addr.s_addr	= INADDR_ANY;
-		addr.sin_port		= inOutPort;
-
-		if (bind (divertInOut,
-			  (struct sockaddr*) &addr,
-			  sizeof addr) == -1)
-			Quit ("Unable to bind divert socket.");
-	}
-	else {
-
-		divertIn = socket (PF_INET, SOCK_RAW, IPPROTO_DIVERT);
-		if (divertIn == -1)
-			Quit ("Unable to create incoming divert socket.");
-
-		divertOut = socket (PF_INET, SOCK_RAW, IPPROTO_DIVERT);
-		if (divertOut == -1)
-			Quit ("Unable to create outgoing divert socket.");
-
-		divertInOut = -1;
-
-/*
- * Bind divert sockets.
- */
-
-		addr.sin_family		= AF_INET;
-		addr.sin_addr.s_addr	= INADDR_ANY;
-		addr.sin_port		= inPort;
-
-		if (bind (divertIn,
-			  (struct sockaddr*) &addr,
-			  sizeof addr) == -1)
-			Quit ("Unable to bind incoming divert socket.");
-
-		addr.sin_family		= AF_INET;
-		addr.sin_addr.s_addr	= INADDR_ANY;
-		addr.sin_port		= outPort;
-
-		if (bind (divertOut,
-			  (struct sockaddr*) &addr,
-			  sizeof addr) == -1)
-			Quit ("Unable to bind outgoing divert socket.");
-	}
-/*
- * Create routing socket if interface name specified.
- */
-	if (ifName && dynamicMode) {
-
-		routeSock = socket (PF_ROUTE, SOCK_RAW, 0);
-		if (routeSock == -1)
-			Quit ("Unable to create routing info socket.");
-	}
-	else
-		routeSock = -1;
-/*
- * Create socket for sending ICMP messages.
- */
-	icmpSock = socket (AF_INET, SOCK_RAW, IPPROTO_ICMP);
-	if (icmpSock == -1)
-		Quit ("Unable to create ICMP socket.");
-/*
- * Become a daemon unless verbose mode was requested.
- */
-	if (!verbose)
-		DaemonMode ();
-/*
- * Catch signals to manage shutdown and
- * refresh of interface address.
- */
-	signal (SIGTERM, InitiateShutdown);
-	signal (SIGHUP, RefreshAddr);
-/*
- * Set alias address if it has been given.
- */
-	if (aliasAddr.s_addr != INADDR_NONE)
-		PacketAliasSetAddress (aliasAddr);
-/*
- * We need largest descriptor number for select.
- */
-
-	fdMax = -1;
-
-	if (divertIn > fdMax)
-		fdMax = divertIn;
-
-	if (divertOut > fdMax)
-		fdMax = divertOut;
-
-	if (divertInOut > fdMax)
-		fdMax = divertInOut;
-
-	if (routeSock > fdMax)
-		fdMax = routeSock;
-
-	while (running) {
-
-		if (divertInOut != -1 && !ifName && packetSock == -1) {
-/*
- * When using only one socket, just call 
- * DoAliasing repeatedly to process packets.
- */
-			DoAliasing (divertInOut, DONT_KNOW);
-			continue;
-		}
-/* 
- * Build read mask from socket descriptors to select.
- */
-		FD_ZERO (&readMask);
-		FD_ZERO (&writeMask);
-
-/*
- * If there is unsent packet in buffer, use select
- * to check when socket comes writable again.
- */
-		if (packetSock != -1) {
-
-			FD_SET (packetSock, &writeMask);
-		}
-		else {
-/*
- * No unsent packet exists - safe to check if
- * new ones are available.
- */
-			if (divertIn != -1)
-				FD_SET (divertIn, &readMask);
-
-			if (divertOut != -1)
-				FD_SET (divertOut, &readMask);
-
-			if (divertInOut != -1)
-				FD_SET (divertInOut, &readMask);
-		}
-/*
- * Routing info is processed always.
- */
-		if (routeSock != -1)
-			FD_SET (routeSock, &readMask);
-
-		if (select (fdMax + 1,
-			    &readMask,
-			    &writeMask,
-			    NULL,
-			    NULL) == -1) {
-
-			if (errno == EINTR)
-				continue;
-
-			Quit ("Select failed.");
-		}
-
-		if (packetSock != -1)
-			if (FD_ISSET (packetSock, &writeMask))
-				FlushPacketBuffer (packetSock);
-
-		if (divertIn != -1)
-			if (FD_ISSET (divertIn, &readMask))
-				DoAliasing (divertIn, INPUT);
-
-		if (divertOut != -1)
-			if (FD_ISSET (divertOut, &readMask))
-				DoAliasing (divertOut, OUTPUT);
-
-		if (divertInOut != -1) 
-			if (FD_ISSET (divertInOut, &readMask))
-				DoAliasing (divertInOut, DONT_KNOW);
-
-		if (routeSock != -1)
-			if (FD_ISSET (routeSock, &readMask))
-				HandleRoutingInfo (routeSock);
-	}
-
-	if (background)
-		unlink (PIDFILE);
-
-	return 0;
-}
-
-static void DaemonMode ()
-{
-	FILE*	pidFile;
-
-	daemon (0, 0);
-	background = 1;
-
-	pidFile = fopen (PIDFILE, "w");
-	if (pidFile) {
-
-		fprintf (pidFile, "%d\n", getpid ());
-		fclose (pidFile);
-	}
-}
-
-static void ParseArgs (int argc, char** argv)
-{
-	int		arg;
-	char*		parm;
-	char*		opt;
-	char		parmBuf[256];
-
-	for (arg = 1; arg < argc; arg++) {
-
-		opt  = argv[arg];
-		if (*opt != '-') {
-
-			warnx ("invalid option %s", opt);
-			Usage ();
-		}
-
-		parm = NULL;
-		parmBuf[0] = '\0';
-
-		while (arg < argc - 1) {
-
-			if (argv[arg + 1][0] == '-')
-				break;
-
-			if (parm)
-				strcat (parmBuf, " ");
-
-			++arg;
-			parm = parmBuf;
-			strcat (parmBuf, argv[arg]);
-		}
-
-		ParseOption (opt + 1, parm, 1);
-	}
-}
-
-static void DoAliasing (int fd, int direction)
-{
-	int			bytes;
-	int			origBytes;
-	int			status;
-	int			addrSize;
-	struct ip*		ip;
-
-	if (assignAliasAddr) {
-
-		SetAliasAddressFromIfName (ifName);
-		assignAliasAddr = 0;
-	}
-/*
- * Get packet from socket.
- */
-	addrSize  = sizeof packetAddr;
-	origBytes = recvfrom (fd,
-			      packetBuf,
-			      sizeof packetBuf,
-			      0,
-			      (struct sockaddr*) &packetAddr,
-			      &addrSize);
-
-	if (origBytes == -1) {
-
-		if (errno != EINTR)
-			Warn ("read from divert socket failed");
-
-		return;
-	}
-/*
- * This is a IP packet.
- */
-	ip = (struct ip*) packetBuf;
-	if (direction == DONT_KNOW)
-		if (packetAddr.sin_addr.s_addr == INADDR_ANY)
-			direction = OUTPUT;
-		else
-			direction = INPUT;
-
-	if (verbose) {
-		
-/*
- * Print packet direction and protocol type.
- */
-		printf (direction == OUTPUT ? "Out " : "In  ");
-
-		switch (ip->ip_p) {
-		case IPPROTO_TCP:
-			printf ("[TCP]  ");
-			break;
-
-		case IPPROTO_UDP:
-			printf ("[UDP]  ");
-			break;
-
-		case IPPROTO_ICMP:
-			printf ("[ICMP] ");
-			break;
-
-		default:
-			printf ("[%d]    ", ip->ip_p);
-			break;
-		}
-/*
- * Print addresses.
- */
-		PrintPacket (ip);
-	}
-
-	if (direction == OUTPUT) {
-/*
- * Outgoing packets. Do aliasing.
- */
-		PacketAliasOut (packetBuf, IP_MAXPACKET);
-	}
-	else {
-
-/*
- * Do aliasing.
- */	
-		status = PacketAliasIn (packetBuf, IP_MAXPACKET);
-		if (status == PKT_ALIAS_IGNORED &&
-		    dropIgnoredIncoming) {
-
-			if (verbose)
-				printf (" dropped.\n");
-
-			if (logDropped)
-				SyslogPacket (ip, LOG_WARNING, "denied");
-
-			return;
-		}
-	}
-/*
- * Length might have changed during aliasing.
- */
-	bytes = ntohs (ip->ip_len);
-/*
- * Update alias overhead size for outgoing packets.
- */
-	if (direction == OUTPUT &&
-	    bytes - origBytes > aliasOverhead)
-		aliasOverhead = bytes - origBytes;
-
-	if (verbose) {
-		
-/*
- * Print addresses after aliasing.
- */
-		printf (" aliased to\n");
-		printf ("           ");
-		PrintPacket (ip);
-		printf ("\n");
-	}
-
-	packetLen  	= bytes;
-	packetSock 	= fd;
-	packetDirection = direction;
-
-	FlushPacketBuffer (fd);
-}
-
-static void FlushPacketBuffer (int fd)
-{
-	int			wrote;
-	char			msgBuf[80];
-/*
- * Put packet back for processing.
- */
-	wrote = sendto (fd, 
-		        packetBuf,
-	    		packetLen,
-	    		0,
-	    		(struct sockaddr*) &packetAddr,
-	    		sizeof packetAddr);
-	
-	if (wrote != packetLen) {
-/*
- * If buffer space is not available,
- * just return. Main loop will take care of 
- * retrying send when space becomes available.
- */
-		if (errno == ENOBUFS)
-			return;
-
-		if (errno == EMSGSIZE) {
-
-			if (packetDirection == OUTPUT &&
-			    ifMTU != -1)
-				SendNeedFragIcmp (icmpSock,
-						  (struct ip*) packetBuf,
-						  ifMTU - aliasOverhead);
-		}
-		else {
-
-			sprintf (msgBuf, "failed to write packet back");
-			Warn (msgBuf);
-		}
-	}
-
-	packetSock = -1;
-}
-
-static void HandleRoutingInfo (int fd)
-{
-	int			bytes;
-	struct if_msghdr	ifMsg;
-/*
- * Get packet from socket.
- */
-	bytes = read (fd, &ifMsg, sizeof ifMsg);
-	if (bytes == -1) {
-
-		Warn ("read from routing socket failed");
-		return;
-	}
-
-	if (ifMsg.ifm_version != RTM_VERSION) {
-
-		Warn ("unexpected packet read from routing socket");
-		return;
-	}
-
-	if (verbose)
-		printf ("Routing message %X received.\n", ifMsg.ifm_type);
-
-	if (ifMsg.ifm_type != RTM_NEWADDR)
-		return;
-
-	if (verbose && ifMsg.ifm_index == ifIndex)
-		printf ("Interface address has changed.\n");
-
-	if (ifMsg.ifm_index == ifIndex)
-		assignAliasAddr = 1;
-}
-
-static void PrintPacket (struct ip* ip)
-{
-	printf ("%s", FormatPacket (ip));
-}
-
-static void SyslogPacket (struct ip* ip, int priority, char *label)
-{
-	syslog (priority, "%s %s", label, FormatPacket (ip));
-}
-
-static char* FormatPacket (struct ip* ip)
-{
-	static char	buf[256];
-	struct tcphdr*	tcphdr;
-	struct udphdr*	udphdr;
-	struct icmp*	icmphdr;
-	char		src[20];
-	char		dst[20];
-
-	strcpy (src, inet_ntoa (ip->ip_src));
-	strcpy (dst, inet_ntoa (ip->ip_dst));
-
-	switch (ip->ip_p) {
-	case IPPROTO_TCP:
-		tcphdr = (struct tcphdr*) ((char*) ip + (ip->ip_hl << 2));
-		sprintf (buf, "[TCP] %s:%d -> %s:%d",
-			      src,
-			      ntohs (tcphdr->th_sport),
-			      dst,
-			      ntohs (tcphdr->th_dport));
-		break;
-
-	case IPPROTO_UDP:
-		udphdr = (struct udphdr*) ((char*) ip + (ip->ip_hl << 2));
-		sprintf (buf, "[UDP] %s:%d -> %s:%d",
-			      src,
-			      ntohs (udphdr->uh_sport),
-			      dst,
-			      ntohs (udphdr->uh_dport));
-		break;
-
-	case IPPROTO_ICMP:
-		icmphdr = (struct icmp*) ((char*) ip + (ip->ip_hl << 2));
-		sprintf (buf, "[ICMP] %s -> %s %u(%u)",
-			      src,
-			      dst,
-			      icmphdr->icmp_type,
-			      icmphdr->icmp_code);
-		break;
-
-	default:
-		sprintf (buf, "[%d] %s -> %s ", ip->ip_p, src, dst);
-		break;
-	}
-
-	return buf;
-}
-
-static void SetAliasAddressFromIfName (char* ifName)
-{
-	struct ifconf		cf;
-	struct ifreq		buf[32];
-	char			msg[80];
-	struct ifreq*		ifPtr;
-	int			extra;
-	int			helperSock;
-	int			bytes;
-	struct sockaddr_in*	addr;
-	int			found;
-	struct ifreq		req;
-	char			last[10];
-/*
- * Create a dummy socket to access interface information.
- */
-	helperSock = socket (AF_INET, SOCK_DGRAM, 0);
-	if (helperSock == -1) {
-
-		Quit ("Failed to create helper socket.");
-		exit (1);
-	}
-
-	cf.ifc_len = sizeof (buf);
-	cf.ifc_req = buf;
-/*
- * Get interface data.
- */
-	if (ioctl (helperSock, SIOCGIFCONF, &cf) == -1) {
-
-		Quit ("Ioctl SIOCGIFCONF failed.");
-		exit (1);
-	}
-
-	ifIndex	= 0;
-	ifPtr	= buf;
-	bytes	= cf.ifc_len;
-	found   = 0;
-	last[0] = '\0';
-/*
- * Loop through interfaces until one with
- * given name is found. This is done to
- * find correct interface index for routing
- * message processing.
- */
-	while (bytes) {
-
-		if (ifPtr->ifr_addr.sa_family == AF_INET &&
-                    !strcmp (ifPtr->ifr_name, ifName)) {
-
-			found = 1;
-			break;
-		}
-
-		if (strcmp (last, ifPtr->ifr_name)) {
-
-			strcpy (last, ifPtr->ifr_name);
-			++ifIndex;
-		}
-
-		extra = ifPtr->ifr_addr.sa_len - sizeof (struct sockaddr);
-
-		ifPtr++;
-		ifPtr = (struct ifreq*) ((char*) ifPtr + extra);
-		bytes -= sizeof (struct ifreq) + extra;
-	}
-
-	if (!found) {
-
-		close (helperSock);
-		sprintf (msg, "Unknown interface name %s.\n", ifName);
-		Quit (msg);
-	}
-/*
- * Get MTU size.
- */
-	strcpy (req.ifr_name, ifName);
-
-	if (ioctl (helperSock, SIOCGIFMTU, &req) == -1)
-		Quit ("Cannot get interface mtu size.");
-
-	ifMTU = req.ifr_mtu;
-/*
- * Get interface address.
- */
-	if (ioctl (helperSock, SIOCGIFADDR, &req) == -1)
-		Quit ("Cannot get interface address.");
-
-	addr = (struct sockaddr_in*) &req.ifr_addr;
-	PacketAliasSetAddress (addr->sin_addr);
-	syslog (LOG_INFO, "Aliasing to %s, mtu %d bytes",
-			  inet_ntoa (addr->sin_addr),
-			  ifMTU);
-
-	close (helperSock);
-}
-
-void Quit (char* msg)
-{
-	Warn (msg);
-	exit (1);
-}
-
-void Warn (char* msg)
-{
-	if (background)
-		syslog (LOG_ALERT, "%s (%m)", msg);
-	else
-		warn (msg);
-}
-
-static void RefreshAddr ()
-{
-	signal (SIGHUP, RefreshAddr);
-	if (ifName)
-		assignAliasAddr = 1;
-}
-
-static void InitiateShutdown ()
-{
-/*
- * Start timer to allow kernel gracefully
- * shutdown existing connections when system
- * is shut down.
- */
-	signal (SIGALRM, Shutdown);
-	alarm (10);
-}
-
-static void Shutdown ()
-{
-	running = 0;
-}
-
-/* 
- * Different options recognized by this program.
- */
-
-enum Option {
-
-	PacketAliasOption,
-	Verbose,
-	InPort,
-	OutPort,
-	Port,
-	AliasAddress,
-	InterfaceName,
-	RedirectPort,
-	RedirectAddress,
-	ConfigFile,
-	DynamicMode,
-	PptpAlias,
-	ProxyRule,
- 	LogDenied,
- 	LogFacility
-};
-
-enum Param {
-	
-	YesNo,
-	Numeric,
-	String,
-	None,
-	Address,
-	Service
-};
-
-/*
- * Option information structure (used by ParseOption).
- */
-
-struct OptionInfo {
-	
-	enum Option		type;
-	int			packetAliasOpt;
-	enum Param		parm;
-	char*			parmDescription;
-	char*			description;
-	char*			name; 
-	char*			shortName;
-};
-
-/*
- * Table of known options.
- */
-
-static struct OptionInfo optionTable[] = {
-
-	{ PacketAliasOption,
-		PKT_ALIAS_UNREGISTERED_ONLY,
-		YesNo,
-		"[yes|no]",
-		"alias only unregistered addresses",
-		"unregistered_only",
-		"u" },
-
-	{ PacketAliasOption,
-		PKT_ALIAS_LOG,
-		YesNo,
-		"[yes|no]",
-		"enable logging",
-		"log",
-		"l" },
-
-	{ PacketAliasOption,
-		PKT_ALIAS_PROXY_ONLY,
-		YesNo,
-		"[yes|no]",
-		"proxy only",
-		"proxy_only",
-		NULL },
-
-	{ PacketAliasOption,
-		PKT_ALIAS_REVERSE,
-		YesNo,
-		"[yes|no]",
-		"operate in reverse mode",
-		"reverse",
-		NULL },
-
-	{ PacketAliasOption,
-		PKT_ALIAS_DENY_INCOMING,
-		YesNo,
-		"[yes|no]",
-		"allow incoming connections",
-		"deny_incoming",
-		"d" },
-
-	{ PacketAliasOption,
-		PKT_ALIAS_USE_SOCKETS,
-		YesNo,
-		"[yes|no]",
-		"use sockets to inhibit port conflict",
-		"use_sockets",
-		"s" },
-
-	{ PacketAliasOption,
-		PKT_ALIAS_SAME_PORTS,
-		YesNo,
-		"[yes|no]",
-		"try to keep original port numbers for connections",
-		"same_ports",
-		"m" },
-
-	{ Verbose,
-		0,
-		YesNo,
-		"[yes|no]",
-		"verbose mode, dump packet information",
-		"verbose",
-		"v" },
-	
-	{ DynamicMode,
-		0,
-		YesNo,
-		"[yes|no]",
-		"dynamic mode, automatically detect interface address changes",
-		"dynamic",
-		NULL },
-	
-	{ InPort,
-		0,
-		Service,
-		"number|service_name",
-		"set port for incoming packets",
-		"in_port",
-		"i" },
-	
-	{ OutPort,
-		0,
-		Service,
-		"number|service_name",
-		"set port for outgoing packets",
-		"out_port",
-		"o" },
-	
-	{ Port,
-		0,
-		Service,
-		"number|service_name",
-		"set port (defaults to natd/divert)",
-		"port",
-		"p" },
-	
-	{ AliasAddress,
-		0,
-		Address,
-		"x.x.x.x",
-		"address to use for aliasing",
-		"alias_address",
-		"a" },
-	
-	{ InterfaceName,
-		0,
-		String,
-	        "network_if_name",
-		"take aliasing address from interface",
-		"interface",
-		"n" },
-
-	{ ProxyRule,
-		0,
-		String,
-	        "[type encode_ip_hdr|encode_tcp_stream] port xxxx server "
-		"a.b.c.d:yyyy",
-		"add transparent proxying / destination NAT",
-		"proxy_rule",
-		NULL },
-
-	{ RedirectPort,
-		0,
-		String,
-	        "tcp|udp local_addr:local_port [public_addr:]public_port"
-	 	" [remote_addr[:remote_port]]",
-		"redirect a port for incoming traffic",
-		"redirect_port",
-		NULL },
-
-	{ RedirectAddress,
-		0,
-		String,
-	        "local_addr public_addr",
-		"define mapping between local and public addresses",
-		"redirect_address",
-		NULL },
-
-       { PptpAlias,
-		0,
-		String,
-		"src",
-		"define inside machine for PPTP traffic",
-		"pptpalias",
-		NULL },
-
-	{ ConfigFile,
-		0,
-		String,
-		"file_name",
-		"read options from configuration file",
-		"config",
-		"f" },
-
-	{ LogDenied,
-		0,
-		YesNo,
-	        "[yes|no]",
-		"enable logging of denied incoming packets",
-		"log_denied",
-		NULL },
-
-	{ LogFacility,
-		0,
-		String,
-	        "facility",
-		"name of syslog facility to use for logging",
-		"log_facility",
-		NULL }
-
-};
-	
-static void ParseOption (char* option, char* parms, int cmdLine)
-{
-	int			i;
-	struct OptionInfo*	info;
-	int			yesNoValue;
-	int			aliasValue;
-	int			numValue;
-	u_short			uNumValue;
-	char*			strValue;
-	struct in_addr		addrValue;
-	int			max;
-	char*			end;
-	CODE* 			fac_record = NULL;
-/*
- * Find option from table.
- */
-	max = sizeof (optionTable) / sizeof (struct OptionInfo);
-	for (i = 0, info = optionTable; i < max; i++, info++) {
-
-		if (!strcmp (info->name, option))
-			break;
-
-		if (info->shortName)
-			if (!strcmp (info->shortName, option))
-				break;
-	}
-
-	if (i >= max) {
-
-		warnx ("unknown option %s", option);
-		Usage ();
-	}
-
-	uNumValue	= 0;
-	yesNoValue	= 0;
-	numValue	= 0;
-	strValue	= NULL;
-/*
- * Check parameters.
- */
-	switch (info->parm) {
-	case YesNo:
-		if (!parms)
-			parms = "yes";
-
-		if (!strcmp (parms, "yes"))
-			yesNoValue = 1;
-		else
-			if (!strcmp (parms, "no"))
-				yesNoValue = 0;
-			else
-				errx (1, "%s needs yes/no parameter", option);
-		break;
-
-	case Service:
-		if (!parms)
-			errx (1, "%s needs service name or "
-				 "port number parameter",
-				 option);
-
-		uNumValue = StrToPort (parms, "divert");
-		break;
-
-	case Numeric:
-		if (parms)
-			numValue = strtol (parms, &end, 10);
-		else
-			end = parms;
-
-		if (end == parms)
-			errx (1, "%s needs numeric parameter", option);
-		break;
-
-	case String:
-		strValue = parms;
-		if (!strValue)
-			errx (1, "%s needs parameter", option);
-		break;
-
-	case None:
-		if (parms)
-			errx (1, "%s does not take parameters", option);
-		break;
-
-	case Address:
-		if (!parms)
-			errx (1, "%s needs address/host parameter", option);
-
-		StrToAddr (parms, &addrValue);
-		break;
-	}
-
-	switch (info->type) {
-	case PacketAliasOption:
-	
-		aliasValue = yesNoValue ? info->packetAliasOpt : 0;
-		PacketAliasSetMode (aliasValue, info->packetAliasOpt);
-		break;
-
-	case Verbose:
-		verbose = yesNoValue;
-		break;
-
-	case DynamicMode:
-		dynamicMode = yesNoValue;
-		break;
-
-	case InPort:
-		inPort = uNumValue;
-		break;
-
-	case OutPort:
-		outPort = uNumValue;
-		break;
-
-	case Port:
-		inOutPort = uNumValue;
-		break;
-
-	case AliasAddress:
-		memcpy (&aliasAddr, &addrValue, sizeof (struct in_addr));
-		break;
-
-	case RedirectPort:
-		SetupPortRedirect (strValue);
-		break;
-
-	case RedirectAddress:
-		SetupAddressRedirect (strValue);
-		break;
-
-	case PptpAlias:
-		SetupPptpAlias (strValue);
-		break;
-
-	case ProxyRule:
-		PacketAliasProxyRule (strValue);
-		break;
-
-	case InterfaceName:
-		if (ifName)
-			free (ifName);
-
-		ifName = strdup (strValue);
-		assignAliasAddr = 1;
-		break;
-
-	case ConfigFile:
-		ReadConfigFile (strValue);
-		break;
-
-	case LogDenied:
-		logDropped = 1;
-		break;
-
-	case LogFacility:
-
-		fac_record = facilitynames;
-		while (fac_record->c_name != NULL) {
-
-			if (!strcmp (fac_record->c_name, strValue)) {
-
-				logFacility = fac_record->c_val;
-				break;
-
-			}
-			else
-				fac_record++;
-		}
-
-		if(fac_record->c_name == NULL)
-			errx(1, "Unknown log facility name: %s", strValue);	
-
-		break;
-	}
-}
-
-void ReadConfigFile (char* fileName)
-{
-	FILE*	file;
-	char	buf[128];
-	char*	ptr;
-	char*	option;
-
-	file = fopen (fileName, "r");
-	if (!file) {
-
-		sprintf (buf, "Cannot open config file %s.\n", fileName);
-		Quit (buf);
-	}
-
-	while (fgets (buf, sizeof (buf), file)) {
-
-		ptr = strchr (buf, '\n');
-		if (!ptr)
-			errx (1, "config line too long: %s", buf);
-
-		*ptr = '\0';
-		if (buf[0] == '#')
-			continue;
-
-		ptr = buf;
-/*
- * Skip white space at beginning of line.
- */
-		while (*ptr && isspace (*ptr))
-			++ptr;
-
-		if (*ptr == '\0')
-			continue;
-/*
- * Extract option name.
- */
-		option = ptr;
-		while (*ptr && !isspace (*ptr))
-			++ptr;
-
-		if (*ptr != '\0') {
-
-			*ptr = '\0';
-			++ptr;
-		}
-/*
- * Skip white space between name and parms.
- */
-		while (*ptr && isspace (*ptr))
-			++ptr;
-
-		ParseOption (option, *ptr ? ptr : NULL, 0);
-	}
-
-	fclose (file);
-}
-
-static void Usage ()
-{
-	int			i;
-	int			max;
-	struct OptionInfo*	info;
-
-	fprintf (stderr, "Recognized options:\n\n");
-
-	max = sizeof (optionTable) / sizeof (struct OptionInfo);
-	for (i = 0, info = optionTable; i < max; i++, info++) {
-
-		fprintf (stderr, "-%-20s %s\n", info->name,
-						info->parmDescription);
-
-		if (info->shortName)
-			fprintf (stderr, "-%-20s %s\n", info->shortName,
-							info->parmDescription);
-
-		fprintf (stderr, "      %s\n\n", info->description);
-	}
-
-	exit (1);
-}
-
-void SetupPptpAlias (char* parms)
-{
-	char		buf[128];
-	char*		ptr;
-	struct in_addr	srcAddr;
-
-	strcpy (buf, parms);
-
-/*
- * Extract source address.
- */
-	ptr = strtok (buf, " \t");
-	if (!ptr)
-		errx(1, "pptpalias: missing src address");
-
-	StrToAddr (ptr, &srcAddr);
-	PacketAliasPptp (srcAddr);
-}
-
-void SetupPortRedirect (char* parms)
-{
-	char		buf[128];
-	char*		ptr;
-	struct in_addr	localAddr;
-	struct in_addr	publicAddr;
-	struct in_addr	remoteAddr;
-	u_short		localPort;
-	u_short		publicPort;
-	u_short		remotePort;
-	int		proto;
-	char*		protoName;
-	char*		separator;
-
-	strcpy (buf, parms);
-/*
- * Extract protocol.
- */
-	protoName = strtok (buf, " \t");
-	if (!protoName)
-		errx (1, "redirect_port: missing protocol");
-
-	proto = StrToProto (protoName);
-/*
- * Extract local address.
- */
-	ptr = strtok (NULL, " \t");
-	if (!ptr)
-		errx (1, "redirect_port: missing local address");
-
-	localPort = StrToAddrAndPort (ptr, &localAddr, protoName);
-/*
- * Extract public port and optinally address.
- */
-	ptr = strtok (NULL, " \t");
-	if (!ptr)
-		errx (1, "redirect_port: missing public port");
-
-	separator = strchr (ptr, ':');
-	if (separator)
-		publicPort = StrToAddrAndPort (ptr, &publicAddr, protoName);
-	else {
-
-		publicAddr.s_addr = INADDR_ANY;
-		publicPort = StrToPort (ptr, protoName);
-	}
-
-/*
- * Extract remote address and optionally port.
- */
-	ptr = strtok (NULL, " \t");
-	if (ptr) {
-
-
-		separator = strchr (ptr, ':');
-		if (separator)
-			remotePort = StrToAddrAndPort (ptr,
-						       &remoteAddr,
-						       protoName);
-		else {
-
-			remotePort = 0;
-			StrToAddr (ptr, &remoteAddr);
-		}
-	}
-	else {
-
-		remotePort = 0;
-		remoteAddr.s_addr = INADDR_ANY;
-	}
-
-	PacketAliasRedirectPort (localAddr,
-				 localPort,
-				 remoteAddr,
-				 remotePort,
-				 publicAddr,
-				 publicPort,
-				 proto);
-}
-
-void SetupAddressRedirect (char* parms)
-{
-	char		buf[128];
-	char*		ptr;
-	struct in_addr	localAddr;
-	struct in_addr	publicAddr;
-
-	strcpy (buf, parms);
-/*
- * Extract local address.
- */
-	ptr = strtok (buf, " \t");
-	if (!ptr)
-		errx (1, "redirect_address: missing local address");
-
-	StrToAddr (ptr, &localAddr);
-/*
- * Extract public address.
- */
-	ptr = strtok (NULL, " \t");
-	if (!ptr)
-		errx (1, "redirect_address: missing public address");
-
-	StrToAddr (ptr, &publicAddr);
-	PacketAliasRedirectAddr (localAddr, publicAddr);
-}
-
-void StrToAddr (char* str, struct in_addr* addr)
-{
-	struct hostent* hp;
-
-	if (inet_aton (str, addr))
-		return;
-
-	hp = gethostbyname (str);
-	if (!hp)
-		errx (1, "unknown host %s", str);
-
-	memcpy (addr, hp->h_addr, sizeof (struct in_addr));
-}
-
-u_short StrToPort (char* str, char* proto)
-{
-	u_short		port;
-	struct servent*	sp;
-	char*		end;
-
-	port = strtol (str, &end, 10);
-	if (end != str)
-		return htons (port);
-
-	sp = getservbyname (str, proto);
-	if (!sp)
-		errx (1, "unknown service %s/%s", str, proto);
-
-	return sp->s_port;
-}
-
-int StrToProto (char* str)
-{
-	if (!strcmp (str, "tcp"))
-		return IPPROTO_TCP;
-
-	if (!strcmp (str, "udp"))
-		return IPPROTO_UDP;
-
-	errx (1, "unknown protocol %s. Expected tcp or udp", str);
-}
-
-u_short StrToAddrAndPort (char* str, struct in_addr* addr, char* proto)
-{
-	char*	ptr;
-
-	ptr = strchr (str, ':');
-	if (!ptr)
-		errx (1, "%s is missing port number", str);
-
-	*ptr = '\0';
-	++ptr;
-
-	StrToAddr (str, addr);
-	return StrToPort (ptr, proto);
-}
-
diff --git a/usr.sbin/natd/natd.h b/usr.sbin/natd/natd.h
deleted file mode 100644
index b45048e..0000000
--- a/usr.sbin/natd/natd.h
+++ /dev/null
@@ -1,24 +0,0 @@
-/*
- * natd - Network Address Translation Daemon for FreeBSD.
- *
- * This software is provided free of charge, with no 
- * warranty of any kind, either expressed or implied.
- * Use at your own risk.
- * 
- * You may copy, modify and distribute this software (natd.h) freely.
- *
- * Ari Suutari <suutari@iki.fi>
- *
- *	$Id:$
- */
-
-#define PIDFILE	"/var/run/natd.pid"
-#define	INPUT		1
-#define	OUTPUT		2
-#define	DONT_KNOW	3
-
-extern void Quit (char* msg);
-extern void Warn (char* msg);
-extern int SendNeedFragIcmp (int sock, struct ip* failedDgram, int mtu);
-
-
diff --git a/usr.sbin/natd/samples/natd.cf.sample b/usr.sbin/natd/samples/natd.cf.sample
deleted file mode 100644
index df1018b..0000000
--- a/usr.sbin/natd/samples/natd.cf.sample
+++ /dev/null
@@ -1,94 +0,0 @@
-#
-# $Id:$
-#
-#
-# Configuration file for natd.
-#
-#
-# Enable logging to file /var/log/alias.log
-#
-log		no
-#
-# Incoming connections.  Should NEVER be set to "yes" if redirect_port,
-# redirect_address, or permanent_link statements are activated in this file!
-#
-# Setting to yes provides additional anti-crack protection
-#
-deny_incoming	no
-#
-# Use sockets to avoid port clashes.  Uses additional system resources, but
-# guarantees successful connections when port numbers conflict
-#
-use_sockets	no
-#
-# Avoid port changes if possible when altering outbound packets. Makes rlogin
-# work in most cases.
-#
-same_port	yes
-#
-# Verbose mode. Enables dumping of packets and disables
-# forking to background.  Only set to yes for debugging.
-#
-verbose		no
-#
-# Divert port. Can be a name in /etc/services or numeric value.
-#
-port		32000
-#
-# Interface name or address being aliased. Either one,
-# not both is required.
-#
-# Obtain interface name from the command output of "ifconfig -a"
-#
-# alias_address	192.168.0.1
-interface	ep0
-#
-# Alias unregistered addresses or all addresses.  Set this to yes if
-# the inside network is all RFC1918 addresses. 
-#
-unregistered_only	no
-#
-# Configure permanent links. If you use host names instead
-# of addresses here, be sure that name server works BEFORE
-# natd is up - this is usually not the case. So either use
-# numeric addresses or hosts that are in /etc/hosts.
-#
-# Note:  Current versions of FreeBSD all call /etc/rc.firewall
-# BEFORE running named, so if the DNS server and NAT are on the same 
-# machine, the nameserver won't be up if natd is called from /etc/rc.firewall
-#
-# Map connections coming to port 30000 to telnet in my_private_host.
-# Remember to allow the connection /etc/rc.firewall also.
-#
-#  The following permanent_link and redirect_port statements are equivalent
-#permanent_link		tcp my_private_host:telnet 0.0.0.0:0 30000
-#redirect_port		tcp my_private_host:telnet 30000
-#
-# Map connections coming from host.xyz.com to port 30001 to 
-# telnet in another_host.
-#permanent_link		tcp another_host:telnet host.xyz.com:0 30001
-#
-# Static NAT address mapping:
-#
-#  ipconfig must apply any legal IP numbers that inside hosts
-# will be known by to the outside interface.  These are sometimes known as
-# virtual IP numbers.  It's suggested to use the "interface" directive
-# instead of the "alias_address" directive to make it more clear what is
-# going on. (although both will work)
-#
-# DNS in this situation can get hairy.  For example, an inside host
-# named aweb.company.com is located at 192.168.1.56, and needs to be 
-# accessible through a legal IP number like 198.105.232.1.  If both
-# 192.168.1.56 and 198.105.232.1 are set up as address records in the DNS
-# for aweb.company.com, then external hosts attempting to access
-# aweb.company.com may use address 192.168.1.56 which is inaccessible to them.
-#
-# The obvious solution is to use only a single address for the name, the
-# outside address.  However, this creates needless traffic through the
-# NAT, because inside hosts will go through the NAT to get to the legal
-# number, even when the inside number is on the same subnet as they are!
-#
-# It's probably not a good idea to use DNS names in redirect_address statements
-#
-#The following mapping points outside address 198.105.232.1 to 192.168.1.56
-#redirect_address  192.168.1.56		198.105.232.1
diff --git a/usr.sbin/natd/samples/natd.test b/usr.sbin/natd/samples/natd.test
deleted file mode 100644
index cfdbd15..0000000
--- a/usr.sbin/natd/samples/natd.test
+++ /dev/null
@@ -1,14 +0,0 @@
-#!/bin/sh
-
-	if [ $# != 1 ]
-	then
-		echo "usage: natd.test ifname"
-		exit 1
-	fi
-
-	ipfw flush
-	ipfw add divert 32000 ip from any to any via $1 
-	ipfw add pass ip from any to any
-
-	./natd -port 32000 -interface $1 -verbose
-