1. 02 Aug, 2010 1 commit
    • Add iptables rule to fixup DHCP response checksum. · fd5b15ff
      Laine Stump committed
      This patch attempts to take advantage of a newly added netfilter
      module to correct for a problem with some guest DHCP client
      implementations when used in conjunction with a DHCP server run on the
      host systems with packet checksum offloading enabled.
      
      The problem is that, when the guest uses a RAW socket to read the DHCP
      response packets, the checksum hasn't yet been fixed by the IP stack,
      so it is incorrect.
      
      The fix implemented here is to add a rule to the POSTROUTING chain of
      the mangle table in iptables that fixes up the checksum for packets on
      the virtual network's bridge that are destined for the bootpc port (ie
      "dhcpc", ie port 68) port on the guest.
      
      Only very new versions of iptables will have this support (it will be
      in the next upstream release), so a failure to add this rule only
      results in a warning message. The iptables patch is here:
      
        http://patchwork.ozlabs.org/patch/58525/
      
      A corresponding kernel module patch is also required (the backend of
      the iptables patch) and that will be in the next release of the
      kernel.
  2. 19 Jul, 2010 1 commit
    • CVE-2010-2242 Apply a source port mapping to virtual network masquerading · c5678530
      Daniel P. Berrange committed
      IPtables will seek to preserve the source port unchanged when
      doing masquerading, if possible. NFS has a pseudo-security
      option where it checks for the source port <= 1023 before
      allowing a mount request. If an admin has used this to make the
      host OS trusted for mounts, the default iptables behaviour will
      potentially allow NAT'd guests access too. This needs to be
      stopped.
      
      With this change, the iptables -t nat -L -n -v rules for the
      default network will be
      
      Chain POSTROUTING (policy ACCEPT 95 packets, 9163 bytes)
       pkts bytes target     prot opt in     out     source               destination
         14   840 MASQUERADE  tcp  --  *      *       192.168.122.0/24    !192.168.122.0/24    masq ports: 1024-65535
         75  5752 MASQUERADE  udp  --  *      *       192.168.122.0/24    !192.168.122.0/24    masq ports: 1024-65535
          0     0 MASQUERADE  all  --  *      *       192.168.122.0/24    !192.168.122.0/24
      
      * src/network/bridge_driver.c: Add masquerade rules for TCP
        and UDP protocols
      * src/util/iptables.c, src/util/iptables.c: Add source port
        mappings for TCP & UDP protocols when masquerading.
  3. 19 May, 2010 1 commit
  4. 07 May, 2010 1 commit
    • build: use gnulib's sys/wait.h · 8acaeb73
      Eric Blake committed
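      The commit above describes the condition (masquerading that preserves a guest's privileged source port) and shows the corrected NAT listing. The following is an added audit script, not libvirt's code: it parses the output of `iptables -t nat -L -n -v`, finds for TCP and UDP the first MASQUERADE rule that would match traffic from the guest network (iptables stops at the first match, so rule order matters), and reports whether that rule remaps source ports to 1024-65535. `FIXED_LISTING` is the table quoted in the commit message; `PRE_FIX_LISTING`, a single protocol-agnostic rule without a port mapping, is constructed here to show the pre-fix shape.

```python
"""Audit NAT masquerade rules for the CVE-2010-2242 condition.

Added example, not libvirt code. Checks whether the first MASQUERADE rule
matching guest TCP/UDP traffic remaps source ports away from the
privileged range (<= 1023), which is what a server trusting low source
ports (the NFS case in the commit message) relies on.
"""
import re
from typing import Dict, List, NamedTuple, Optional, Tuple


class MasqRule(NamedTuple):
    prot: str
    source: str
    destination: str
    port_low: Optional[int]   # None when the rule has no "masq ports:" mapping
    port_high: Optional[int]


# Columns of `iptables -t nat -L -n -v`:
#   pkts bytes target prot opt in out source destination [extra]
_RULE_RE = re.compile(
    r"^\s*\S+\s+\S+\s+MASQUERADE\s+(?P<prot>\S+)\s+\S+\s+\S+\s+\S+\s+"
    r"(?P<src>\S+)\s+(?P<dst>\S+)"
    r"(?:\s+masq ports:\s*(?P<lo>\d+)-(?P<hi>\d+))?\s*$"
)


def parse_masquerade_rules(listing: str) -> List[MasqRule]:
    """Return MASQUERADE rules in chain order; headers and other targets are skipped."""
    rules = []
    for line in listing.splitlines():
        m = _RULE_RE.match(line)
        if m is None:
            continue
        lo = int(m.group("lo")) if m.group("lo") else None
        hi = int(m.group("hi")) if m.group("hi") else None
        rules.append(MasqRule(m.group("prot"), m.group("src"), m.group("dst"), lo, hi))
    return rules


def effective_rule(rules: List[MasqRule], proto: str) -> Optional[MasqRule]:
    """First rule that matches `proto`; a protocol-agnostic 'all' rule matches too."""
    for rule in rules:
        if rule.prot in (proto, "all"):
            return rule
    return None


def audit_masquerade(listing: str, guest_net: str) -> Dict[str, Tuple[bool, str]]:
    """Map 'tcp'/'udp' to (ok, reason) for traffic sourced from guest_net."""
    rules = [r for r in parse_masquerade_rules(listing) if r.source == guest_net]
    verdicts: Dict[str, Tuple[bool, str]] = {}
    for proto in ("tcp", "udp"):
        rule = effective_rule(rules, proto)
        if rule is None:
            verdicts[proto] = (True, "no MASQUERADE rule applies to %s" % proto)
        elif rule.port_low is None:
            verdicts[proto] = (False, "%s masqueraded by a '%s' rule with no port mapping; "
                                      "guest source ports below 1024 are preserved"
                                      % (proto, rule.prot))
        elif rule.port_low < 1024:
            verdicts[proto] = (False, "%s mapping %d-%d still allows privileged source ports"
                                      % (proto, rule.port_low, rule.port_high))
        else:
            verdicts[proto] = (True, "%s source ports remapped to %d-%d"
                                     % (proto, rule.port_low, rule.port_high))
    return verdicts


# Listing quoted in the commit message (after the fix).
FIXED_LISTING = """\
Chain POSTROUTING (policy ACCEPT 95 packets, 9163 bytes)
 pkts bytes target     prot opt in     out     source               destination
   14   840 MASQUERADE  tcp  --  *      *       192.168.122.0/24    !192.168.122.0/24    masq ports: 1024-65535
   75  5752 MASQUERADE  udp  --  *      *       192.168.122.0/24    !192.168.122.0/24    masq ports: 1024-65535
    0     0 MASQUERADE  all  --  *      *       192.168.122.0/24    !192.168.122.0/24
"""

# Constructed listing of the pre-fix shape: one protocol-agnostic rule, no port mapping.
PRE_FIX_LISTING = """\
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE  all  --  *      *       192.168.122.0/24    !192.168.122.0/24
"""

if __name__ == "__main__":
    for name, listing in (("fixed", FIXED_LISTING), ("pre-fix", PRE_FIX_LISTING)):
        for proto, (ok, reason) in audit_masquerade(listing, "192.168.122.0/24").items():
            print("%-7s %s: %s (%s)" % (name, proto, "OK" if ok else "WEAK", reason))
```

      Run it against a live host by piping `iptables -t nat -L POSTROUTING -n -v` into `audit_masquerade` with the virtual network's subnet; the `all` rule in the fixed listing is harmless only because the `tcp` and `udp` rules precede it, which is why the check honours rule order rather than scanning for any rule with a port mapping.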
      * configure.ac: Drop sys/wait.h check.
      * src/libvirt.c (includes): Use header unconditionally.
      * src/remote/remote_driver.c (includes): Likewise.
      * src/storage/storage_backend.c (includes): Likewise.
      * src/util/ebtables.c (includes): Likewise.
      * src/util/hooks.c (includes): Likewise.
      * src/util/iptables.c (includes): Likewise.
      * src/util/util.c (includes): Likewise.
  5. 10 Mar, 2010 1 commit
  6. 09 Feb, 2010 1 commit
  7. 10 Dec, 2009 2 commits
    • remove iptablesReloadRules() and related code · 4ecf9c65
      Mark McLoughlin committed
      We don't use this method of reloading rules anymore, so we can just
      kill the code.
      
      This simplifies things a lot because we no longer need to keep a
      table of the rules we've added.
      
      * src/util/iptables.c: kill iptablesReloadRules()
    • remove all traces of lokkit support · 3b3305d8
      Mark McLoughlin committed
      Long ago we tried to use Fedora's lokkit utility in order to register
      our iptables rules so that 'service iptables restart' would
      automatically load our rules.
      
      There was one fatal flaw - if the user had configured iptables without
      lokkit, then we would clobber that configuration by running lokkit.
      
      We quickly disabled lokkit support, but never removed it. Let's do
      that now.
      
      The 'my virtual network stops working when I restart iptables' still
      remains. For all the background on this saga, see:
      
        https://bugzilla.redhat.com/227011
      
      * src/util/iptables.c: remove lokkit support
      
      * configure.in: remove --enable-lokkit
      
      * libvirt.spec.in: remove the dirs used only for saving rules for lokkit
      
      * src/Makefile.am: ditto
      
      * src/libvirt_private.syms, src/network/bridge_driver.c,
        src/util/iptables.h: remove references to iptablesSaveRules
  8. 20 Nov, 2009 1 commit
  9. 06 Nov, 2009 1 commit
    • Add sentinel attribute for NULL terminated arg lists · 649bcd72
      Paolo Bonzini committed
      * src/internal.h (ATTRIBUTE_SENTINEL): New, it's a gcc feature and
        protected as such
      * src/util/buf.c (virBufferStrcat): Use it.
      * src/util/ebtables.c (ebtablesAddRemoveRule): Use it.
      * src/util/iptables.c (iptableAddRemoveRule): Use it.
      * src/util/qparams.h (new_qparam_set, append_qparams): Use it.
      * docs/apibuild.py: avoid breaking the API generator with that new
        internal keyword macro
  10. 21 Sep, 2009 1 commit
    • Move all shared utility files to src/util/ · 1355e055
      Daniel P. Berrange committed
      * src/bridge.c, src/bridge.h, src/buf.c, src/buf.h, src/cgroup.c,
        src/cgroup.h, src/conf.c, src/conf.h, src/event.c, src/event.h,
        src/hash.c, src/hash.h, src/hostusb.c, src/hostusb.h,
        src/iptables.c, src/iptables.h, src/logging.c, src/logging.h,
        src/memory.c, src/memory.h, src/pci.c, src/pci.h, src/qparams.c,
        src/qparams.h, src/stats_linux.c, src/stats_linux.h,
        src/threads-pthread.c, src/threads-pthread.h, src/threads-win32.c,
        src/threads-win32.h, src/threads.c, src/threads.h, src/util.c,
        src/util.h, src/uuid.c, src/uuid.h, src/virterror.c,
        src/virterror_internal.h, src/xml.c, src/xml.h: Move all files
        into src/util/
      * daemon/Makefile.am: Add -Isrc/util/ to build flags
      * src/Makefile.am: Add -Isrc/util/ to build flags and update for
        moved files
      * src/libvirt_private.syms: Export cgroup APIs since they're now
        in util rather than linking directly to drivers
      * src/xen/xs_internal.c: Disable bogus virEventRemoveHandle call
        when built under PROXY
      * proxy/Makefile.am: Update for changed file locations. Remove
        bogus build of event.c
      * tools/Makefile.am, tests/Makefile.am: Add -Isrc/util/ to build flags
  11. 08 Sep, 2009 1 commit
  12. 03 Mar, 2009 1 commit
  13. 06 Feb, 2009 1 commit
    • iptables.c: Use virStrerror, not strerror. · 1e31bfb0
      Jim Meyering committed
      * src/iptables.c: Include "virterror_internal.h".
      Use virStrerror, not strerror.
      * src/iptables.c (notifyRulesUpdated): Use %s rather than
      string-concatenation that made sc_unmarked_diagnostics report
      a false-positive.
  14. 03 Feb, 2009 1 commit
    • cleanup: remove useless if-before-VIR_FREE · c18ccff4
      Jim Meyering committed
      * Makefile.cfg (useless_free_options): Also check for VIR_FREE.
      * src/iptables.c (iptRulesFree): Remove useless if-before-VIR_FREE.
      * src/remote_internal.c (remoteAuthSASL): Likewise.
      * src/test.c (testOpenFromFile): Likewise.
  15. 08 Nov, 2008 1 commit
    • always compile iptables.c · 0d4cdc05
      Jim Meyering committed
      Avoid a build error when configuring --without-xen --without-qemu.
      * src/iptables.c [WITH_QEMU]: Don't #ifdef-out.
      * src/iptables.h [WITH_QEMU]: Don't #ifdef-out.
      * src/util.c (virRun) [__MINGW32__]: Define a stub that always fails.
  16. 06 Nov, 2008 1 commit
  17. 08 Aug, 2008 1 commit
  18. 19 Jul, 2008 1 commit
    • remove unnecessary "V = NULL;" stmts after VIR_FREE(V) · 3ff5480d
      Jim Meyering committed
      * src/domain_conf.c (virDomainChrDefParseXML)
      (virDomainNetDefParseXML): Likewise.
      * src/iptables.c (iptRuleFree): Likewise.
      * src/storage_backend.c (virStorageBackendRunProgRegex): Likewise.
      * src/test.c (testOpenFromFile): Likewise.
      * src/xmlrpc.c (xmlRpcCallRaw): Likewise.
  19. 06 Jun, 2008 1 commit
  20. 15 May, 2008 1 commit
  21. 11 Apr, 2008 1 commit
  22. 29 Mar, 2008 1 commit
  23. 28 Mar, 2008 1 commit
  24. 27 Feb, 2008 1 commit
  25. 23 Feb, 2008 1 commit
    • avoid format string warnings · b1b23f76
      Jim Meyering committed
      Avoid warnings like this:
      file:nnn:format not a string literal and no format arguments
      
      * qemud/qemud.c: Insert a "%s" format argument.
      * qemud/remote.c: Likewise.
      * src/iptables.c: Likewise.
      * src/qemu_driver.c: Likewise.
      * src/storage_backend.c: Likewise.
      * src/storage_backend_fs.c: Likewise.
      * src/storage_backend_iscsi.c: Likewise.
      * src/storage_backend_logical.c: Likewise.
      * src/storage_conf.c: Likewise.
      * src/storage_driver.c: Likewise.
  26. 22 Feb, 2008 1 commit
  27. 08 Feb, 2008 1 commit
    • Mark all qemudLog diagnostics for translation. · 247df6e4
      Jim Meyering committed
      * po/POTFILES.in: Add names of many new files.
      * Makefile.maint (err_func_re): Add qemudLog.
      Mark diagnostics with _(...).  Split some long lines.
      * qemud/qemud.c (remoteCheckCertFile, remoteInitializeGnuTLS):
      (qemudDispatchSignalEvent, qemudSetCloseExec, qemudSetNonBlock):
      (qemudWritePidFile, qemudListenUnix, remoteMakeSockets):
      (remoteListenTCP, qemudInitPaths, qemudInitialize):
      (qemudNetworkInit, remoteInitializeTLSSession, remoteCheckDN):
      (remoteCheckCertificate, remoteCheckAccess, qemudDispatchServer):
      (qemudClientReadBuf, qemudDispatchClientRead):
      (qemudClientWriteBuf, qemudDispatchClientWrite, qemudOneLoop):
      (remoteConfigGetStringList, checkType, GET_CONF_STR):
      (remoteConfigGetAuth, remoteReadConfigFile, main):
      * qemud/remote.c (remoteDispatchAuthSaslInit, remoteSASLCheckSSF):
      (remoteSASLCheckAccess, remoteDispatchAuthSaslStart):
      (remoteDispatchAuthSaslStep, remoteDispatchAuthSaslInit):
      (remoteDispatchAuthSaslStart, remoteDispatchAuthSaslStep):
      (qemudGetSocketIdentity, remoteDispatchAuthPolkit):
      * src/iptables.c (notifyRulesUpdated, MAX_FILE_LEN, iptRulesSave):
      (iptRulesReload):
      * src/qemu_conf.c (qemudExtractVersionInfo, qemudLoadConfig):
      (qemudLoadNetworkConfig, qemudScanConfigDir):
      * src/qemu_driver.c (qemudSetCloseExec, qemudSetNonBlock):
      (qemudAutostartConfigs, qemudStartup, qemudReload):
      (qemudWaitForMonitor, qemudStartVMDaemon, qemudVMData):
      (qemudShutdownVMDaemon, qemudStartNetworkDaemon):
      (qemudShutdownNetworkDaemon, qemudMonitorCommand):
      (qemudDomainUndefine, qemudNetworkUndefine):
      * src/uuid.c (virUUIDGenerate):
      * src/xm_internal.c (xenXMAttachInterface):
  28. 07 Feb, 2008 1 commit
  29. 06 Feb, 2008 1 commit
  30. 30 Jan, 2008 2 commits
    • Enable the <config.h>-requiring test; fix violations · a3781881
      Jim Meyering committed
      Use <config.h>, not "config.h", per autoconf documentation.
      * Makefile.cfg (local-checks-to-skip) [sc_require_config_h]: Enable.
      * .x-sc_require_config_h: New file, to list exempted files.
      * Makefile.am (EXTRA_DIST): Add .x-sc_require_config_h.
    • Given code like if (foo) free (foo); remove the useless "if (foo) " part. · acff2d11
      Jim Meyering committed
      Likewise, given if (foo != NULL) free (foo); remove the useless "if" test.
      
      * proxy/libvirt_proxy.c: Remove unnecessary "if" test before free.
      * python/generator.py: Likewise.
      * qemud/qemud.c: Likewise.
      * src/buf.c: Likewise.
      * src/conf.c: Likewise.
      * src/hash.c: Likewise.
      * src/iptables.c: Likewise.
      * src/libvirt.c: Likewise.
      * src/openvz_conf.c: Likewise.
      * src/qemu_conf.c: Likewise.
      * src/qemu_driver.c: Likewise.
      * src/remote_internal.c: Likewise.
      * src/test.c: Likewise.
      * src/virsh.c: Likewise.
      * src/virterror.c: Likewise.
      * src/xen_internal.c: Likewise.
      * src/xen_unified.c: Likewise.
      * src/xend_internal.c: Likewise.
      * src/xm_internal.c: Likewise.
      * src/xml.c: Likewise.
      * src/xmlrpc.c: Likewise.
      * src/xs_internal.c: Likewise.
      * tests/testutils.c: Likewise.
      * tests/xencapstest.c: Likewise.
      * tests/xmconfigtest.c: Likewise.
  31. 10 Jan, 2008 8 commits