Sync ng_nat with recent (r222806) ipfw_nat changes:

Make a behaviour of the libalias based in-kernel NAT a bit closer to
  how natd(8) does work. natd(8) drops packets only when libalias returns
  PKT_ALIAS_IGNORED and "deny_incoming" option is set, but ipfw_nat
  always did drop packets that were not aliased, even if they should
  not be aliased and just are going through.

Also add SCTP support: mark response packets to skip firewall processing.

MFC after:	1 month

sys/netgraph/ng_nat.c

@@ -43,6 +43,7 @@
 #include <machine/in_cksum.h>
 
 #include <netinet/libalias/alias.h>
+#include <netinet/libalias/alias_local.h>
 
 #include <netgraph/ng_message.h>
 #include <netgraph/ng_parse.h>
@@ -696,22 +697,35 @@ ng_nat_rcvdata(hook_p hook, item_p item )
 	KASSERT(m->m_pkthdr.len == ntohs(ip->ip_len),
 	    ("ng_nat: ip_len != m_pkthdr.len"));
 
+	/*
+	 * We drop packet when:
+	 * 1. libalias returns PKT_ALIAS_ERROR;
+	 * 2. For incoming packets:
+	 *	a) for unresolved fragments;
+	 *	b) libalias returns PKT_ALIAS_IGNORED and
+	 *		PKT_ALIAS_DENY_INCOMING flag is set.
+	 */
 	if (hook == priv->in) {
 		rval = LibAliasIn(priv->lib, c, m->m_len + M_TRAILINGSPACE(m));
-		if (rval != PKT_ALIAS_OK &&
-		    rval != PKT_ALIAS_FOUND_HEADER_FRAGMENT) {
+		if (rval == PKT_ALIAS_ERROR ||
+		    rval == PKT_ALIAS_UNRESOLVED_FRAGMENT ||
+		    (rval == PKT_ALIAS_IGNORED &&
+		     (priv->lib->packetAliasMode &
+		      PKT_ALIAS_DENY_INCOMING) != 0)) {
 			NG_FREE_ITEM(item);
 			return (EINVAL);
 		}
 	} else if (hook == priv->out) {
 		rval = LibAliasOut(priv->lib, c, m->m_len + M_TRAILINGSPACE(m));
-		if (rval != PKT_ALIAS_OK) {
+		if (rval == PKT_ALIAS_ERROR) {
 			NG_FREE_ITEM(item);
 			return (EINVAL);
 		}
 	} else
 		panic("ng_nat: unknown hook!\n");
 
+	if (rval == PKT_ALIAS_RESPOND)
+		m->m_flags |= M_SKIP_FIREWALL;
 	m->m_pkthdr.len = m->m_len = ntohs(ip->ip_len);
 
 	if ((ip->ip_off & htons(IP_OFFMASK)) == 0 &&