psvz/splif

Special Port LIft and Forwarder (SPLIF)
---------------------------------------
Provides jump-host access to private networks. Originally written for SSH, the tool
contains two modules in one executable file. Which one runs is determined by the argument syntax:

Usage in private VM: ./splif <Splif host:port> <Private host:port>
Usage in public  VM: ./splif <Splif port> <Public port>

Private VM
----------
Any host inside a private network that reaches the Internet via NAT: the host can
establish a TCP connection to a public host, but is itself unreachable from the Internet
(e.g. from a public cloud).

Public VM
---------
Any public host under the user's control that has two spare TCP ports. This host will act
as the jump server.

ARCHITECTURE
------------
The private splif daemon (e.g. ./splif 45.45.45.45:3333 127.0.0.1:22) keeps a signalling
TCP connection open to its public counterpart at 45.45.45.45 port 3333; because the private
side initiates it, the connection passes through NAT. When a signal arrives, the private
splif daemon actively opens two more TCP links, one to 45.45.45.45:3333 and one to
127.0.0.1:22, and splices data between them.

The public splif daemon (e.g. ./splif 3333 1887) accepts one signalling connection and many
service connections on port 3333 from the private splif daemon. The number of service
connections will, of course, coincide with the number of client connections accepted on
port 1887, since each newly accepted client prompts a signal to the private daemon. Data
between the corresponding client and service connections are spliced.

In the example above, a user connecting from the cloud to 45.45.45.45:1887 is seen by sshd
on the private host as a client connecting from localhost:<ephemeral port>. Many users can
connect to the entry point (45.45.45.45:1887), but the daemons work strictly back-to-back:
on the hosts in the example, ports 1887, 3333 and 22 are tied to this one pair of daemons.
To forward a different port, start another pair of daemons with an entirely different set
of ports.

The header file (splif.h) contains a few definitions controlling low-level behaviour.
Notably, SIGNATUR is a shared secret string that pairs the two daemons. Each such pair
should be built with its own unique string.

The daemons log errors to syslog with the default application facility. Unless
rsyslog.conf has been customised, the messages end up in /var/log/syslog.

Splif arguments may be given as names resolvable through DNS, /etc/hosts or /etc/services,
and both IPv4 and IPv6 are supported. Bear in mind, however, that a resolution failure
prevents the daemon from starting.

LIMITATIONS
-----------
I use the epoll API, so the code compiles and runs only on Linux. Since high throughput
was never a goal, connections are spliced by copying data between kernel space and user
land rather than with splice().
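To make the splicing step concrete, here is an added example (my own illustration, not code from the splif repository) of the primitive both daemons build on: one epoll loop that copies bytes between two already-connected sockets in both directions, through a user-space buffer as LIMITATIONS describes, and passes each side's EOF on to the other as a write-shutdown. The public daemon applies this step to a client/service connection pair, the private daemon to its 45.45.45.45:3333 and 127.0.0.1:22 links, as ARCHITECTURE describes. The relay_selftest() function, the socketpair stand-ins for the two legs of the tunnel and the sample payload are constructed for this example and are assumptions, not part of splif.

```c
/* Added example: epoll-driven splice between two connected sockets.
   Illustration only, not code from the splif repository. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/epoll.h>
#include <sys/socket.h>

/* Write the whole buffer. MSG_NOSIGNAL turns a vanished peer into an error
   return instead of a SIGPIPE that would kill the daemon outright. */
static int send_all(int fd, const char *buf, size_t len) {
    while (len > 0) {
        ssize_t n = send(fd, buf, len, MSG_NOSIGNAL);
        if (n <= 0) return -1;
        buf += n;
        len -= (size_t)n;
    }
    return 0;
}

/* Splice fds a and b: copy in both directions via a user-space buffer until
   both sides have reached EOF. An EOF on one side is passed on to the other
   as shutdown(SHUT_WR), so a half-closed session keeps flowing the other
   way. Returns the total number of bytes relayed, or -1 on error. */
static long relay(int a, int b) {
    int ep = epoll_create1(0);
    if (ep < 0) return -1;
    struct epoll_event ev = { .events = EPOLLIN };
    ev.data.fd = a;
    if (epoll_ctl(ep, EPOLL_CTL_ADD, a, &ev) < 0) { close(ep); return -1; }
    ev.data.fd = b;
    if (epoll_ctl(ep, EPOLL_CTL_ADD, b, &ev) < 0) { close(ep); return -1; }

    char buf[4096];
    long total = 0;
    int open_sides = 2;
    while (open_sides > 0) {
        struct epoll_event got[2];
        int n = epoll_wait(ep, got, 2, -1);
        if (n < 0) {
            if (errno == EINTR) continue;
            total = -1;
            break;
        }
        for (int i = 0; i < n; i++) {
            int src = got[i].data.fd;
            int dst = (src == a) ? b : a;
            ssize_t r = read(src, buf, sizeof buf);
            if (r > 0) {
                if (send_all(dst, buf, (size_t)r) < 0) { total = -1; open_sides = 0; break; }
                total += r;
            } else {
                /* EOF (or error): stop polling src and pass the half-close to dst */
                epoll_ctl(ep, EPOLL_CTL_DEL, src, NULL);
                shutdown(dst, SHUT_WR);
                open_sides--;
            }
        }
    }
    close(ep);
    return total;
}

/* Constructed self-check: two socketpairs stand in for the two legs of a
   tunnel (client<->relay, relay<->server). Bytes sent by the "client" end
   must arrive unchanged at the "server" end. Returns the byte count
   received, or -1 on any failure or mismatch. */
static long relay_selftest(void) {
    const char msg[] = "hello from the client side\n";  /* 27 bytes, constructed */
    int a[2], b[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, a) < 0) return -1;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, b) < 0) return -1;

    /* a[1] plays the client, b[1] the server; the relay sits between a[0] and b[0] */
    if (send_all(a[1], msg, sizeof msg - 1) < 0) return -1;
    shutdown(a[1], SHUT_WR);  /* the client has finished sending */
    shutdown(b[1], SHUT_WR);  /* the server sends nothing back in this sample */

    long relayed = relay(a[0], b[0]);

    char out[128];
    size_t got = 0;
    for (;;) {  /* drain the server end until the relay's propagated EOF arrives */
        ssize_t r = read(b[1], out + got, sizeof out - got);
        if (r <= 0) break;
        got += (size_t)r;
    }
    for (int i = 0; i < 2; i++) { close(a[i]); close(b[i]); }

    if (relayed != (long)got || got != sizeof msg - 1) return -1;
    if (memcmp(out, msg, got) != 0) return -1;
    return (long)got;
}

int main(void) {
    long n = relay_selftest();
    printf("relayed %ld bytes %s\n", n, n == 27 ? "(ok)" : "(FAILED)");
    return n == 27 ? 0 : 1;
}
```

Two design points worth noting. Propagating each EOF as a half-close, rather than tearing down both sockets on the first EOF, matters for SSH-style sessions where one side may finish sending while still waiting for a reply. And this illustration uses blocking send_all(), so a peer that stops reading can stall the relay; a daemon serving many spliced pairs from one epoll loop would use non-blocking sockets and watch EPOLLOUT to keep one slow client from holding up the others.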

EXAMPLE USE
-----------
Extending the example above, PuTTY connecting to the jump host 45.45.45.45:1887 can
have dynamic port forwarding enabled (Session->Connection->SSH->Tunnels), where only a
source port is required (e.g. D5000). With this configuration in place and the session
established, your browser can use a SOCKS proxy at localhost:5000. The final check is
that the browser resolves DNS through the proxy: in Firefox, go to the about:config page
and make sure the network.proxy.socks_remote_dns option is true. Subject to the routes
set up at your private host, you may now be able to browse the entire intranet.

(C) 2016, Vitaly Zuevsky
License: BSD 2-Clause

About: Jump-access to Intranet behind NAT