devip: implement network address translation routes

This adds a new route "t"-flag that enables network address translation,
replacing the source address (and local port) of a forwarded packet to
one of the outgoing interface.

The state for a translation is kept in a new Translation structure,
which contains two Iphash entries, so it can be inserted into the
per protocol 4-tuple hash table, requiering no extra lookups.

Translations have a low overhead (~200 bytes on amd64),
so we can have many of them. They get reused after 5 minutes
of inactivity or when the per protocol limit of 1000 entries
is reached (then the one with longest inactivity is reused).

The protocol needs to export a "forward" function that is responsible
for modifying the forwarded packet, and then handle translations in
its input function for iphash hits with Iphash.trans != 0.

This patch also fixes a few minor things found during development:

- Include the Iphash in the Conv structure, avoiding estra malloc
- Fix ttl exceeded check (ttl < 1 -> ttl <= 1)
- Router should not reply with ttl exceeded for multicast flows
- Extra checks for icmp advice to avoid protocol confusions.

1 files changed, 2 insertions, 3 deletions

diff --git a/sys/src/9/ip/ipv6.c b/sys/src/9/ip/ipv6.c
index 0ad8d8e86..bfe652d47 100644
--- a/sys/src/9/ip/ipv6.c
+++ b/sys/src/9/ip/ipv6.c
@@ -278,7 +278,7 @@ ipiput6(Fs *f, Ipifc *ifc, Block *bp)
 
 		/* don't forward if packet has timed out */
 		hop = h->ttl;
-		if(hop < 1) {
+		if(hop <= 1) {
 			ip->stats[InHdrErrors]++;
 			icmpttlexceeded6(f, ifc, bp);
 			goto drop;
@@ -292,8 +292,7 @@ ipiput6(Fs *f, Ipifc *ifc, Block *bp)
 		ip->stats[ForwDatagrams]++;
 		h = (Ip6hdr*)bp->rp;
 		tos = (h->vcf[0]&0x0F)<<2 | (h->vcf[1]&0xF0)>>2;
-		hop = h->ttl;
-		ipoput6(f, bp, 1, hop-1, tos, &rh);
+		ipoput6(f, bp, 1, hop - 1, tos, &rh);
 		return;
 	}