xref: /freebsd/sbin/natd/natd.8 (revision db33c6f3ae9d1231087710068ee4ea5398aacca7)
1.Dd December 6, 2024
2.Dt NATD 8
3.Os
4.Sh NAME
5.Nm natd
6.Nd Network Address Translation daemon
7.Sh SYNOPSIS
8.Nm
9.Bk -words
10.Op Fl unregistered_only | u
11.Op Fl log | l
12.Op Fl proxy_only
13.Op Fl reverse
14.Op Fl deny_incoming | d
15.Op Fl use_sockets | s
16.Op Fl same_ports | m
17.Op Fl udp_eim
18.Op Fl verbose | v
19.Op Fl dynamic
20.Op Fl in_port | i Ar port
21.Op Fl out_port | o Ar port
22.Op Fl port | p Ar port
23.Op Fl alias_address | a Ar address
24.Op Fl target_address | t Ar address
25.Op Fl interface | n Ar interface
26.Op Fl proxy_rule Ar proxyspec
27.Op Fl redirect_port Ar linkspec
28.Op Fl redirect_proto Ar linkspec
29.Op Fl redirect_address Ar linkspec
30.Op Fl config | f Ar configfile
31.Op Fl instance Ar instancename
32.Op Fl globalport Ar port
33.Op Fl log_denied
34.Op Fl log_facility Ar facility_name
35.Op Fl punch_fw Ar firewall_range
36.Op Fl skinny_port Ar port
37.Op Fl log_ipfw_denied
38.Op Fl pid_file | P Ar pidfile
39.Op Fl exit_delay | P Ar ms
40.Ek
41.Sh DESCRIPTION
42The
43.Nm
44utility provides a Network Address Translation facility for use
45with
46.Xr divert 4
47sockets under
48.Fx .
49.Pp
50(If you need NAT on a PPP link,
51.Xr ppp 8
52provides the
53.Fl nat
54option that gives most of the
55.Nm
56functionality, and uses the same
57.Xr libalias 3
58library.)
59.Pp
60The
61.Nm
62utility normally runs in the background as a daemon.
63It is passed raw IP packets as they travel into and out of the machine,
64and will possibly change these before re-injecting them back into the
65IP packet stream.
66.Pp
67It changes all packets destined for another host so that their source
68IP address is that of the current machine.
69For each packet changed in this manner, an internal table entry is
70created to record this fact.
71The source port number is also changed to indicate the table entry
72applying to the packet.
73Packets that are received with a target IP of the current host are
74checked against this internal table.
75If an entry is found, it is used to determine the correct target IP
76address and port to place in the packet.
77.Pp
78The following command line options are available:
79.Bl -tag -width Fl
80.It Fl log | l
81Log various aliasing statistics and information to the file
82.Pa /var/log/alias.log .
83This file is truncated each time
84.Nm
85is started.
86.It Fl deny_incoming | d
87Do not pass incoming packets that have no
88entry in the internal translation table.
89.Pp
90If this option is not used, then such a packet will be altered
91using the rules in
92.Fl target_address
93below, and the entry will be made in the internal translation table.
94.It Fl log_denied
95Log denied incoming packets via
96.Xr syslog 3
97(see also
98.Fl log_facility ) .
99.It Fl log_facility Ar facility_name
100Use specified log facility when logging information via
101.Xr syslog 3 .
102Argument
103.Ar facility_name
104is one of the keywords specified in
105.Xr syslog.conf 5 .
106.It Fl use_sockets | s
107Allocate a
108.Xr socket 2
109in order to establish an FTP data or IRC DCC send connection.
110This option uses more system resources, but guarantees successful
111connections when port numbers conflict.
112.It Fl same_ports | m
113Try to keep the same port number when altering outgoing packets.
114With this option, protocols such as RPC will have a better chance
115of working.
116If it is not possible to maintain the port number, it will be silently
117changed as per normal.
118.It Fl udp_eim
119When enabled, UDP packets use endpoint-independent mapping (EIM) from RFC 4787
120("full cone" NAT of RFC 3489).
121All packets from the same internal address:port are mapped to the same NAT
122address:port, regardless of their destination address:port.
123If filtering rules allow, and if
124.Em deny_incoming
125is disabled, any other external address:port can
126also send to the internal address:port through its mapped NAT address:port.
127This is more compatible with applications, and can reduce the need for port
128forwarding, but less scalable as each NAT address:port can only be
129concurrently used by at most one internal address:port.
130.Pp
131When disabled, UDP packets use endpoint-dependent mapping (EDM) ("symmetric"
132NAT).
133Each connection from a particular internal address:port to different
134external addresses:ports is mapped to a random and unpredictable NAT
135address:port.
136Two appplications behind EDM NATs can only connect to each other
137by port forwarding on the NAT, or tunnelling through an in-between server.
138.It Fl verbose | v
139Do not call
140.Xr daemon 3
141on startup.
142Instead, stay attached to the controlling terminal and display all packet
143alterations to the standard output.
144This option should only be used for debugging purposes.
145.It Fl unregistered_only | u
146Only alter outgoing packets with an
147.Em unregistered
148source address.
149According to RFC 1918, unregistered source addresses are 10.0.0.0/8,
150172.16.0.0/12 and 192.168.0.0/16.
151.It Fl redirect_port Ar proto Xo
152.Ar targetIP Ns : Ns Xo
153.Ar targetPORT Ns Oo - Ns Ar targetPORT Oc Xc
154.Oo Ar aliasIP Ns : Oc Ns Xo
155.Ar aliasPORT Ns Oo - Ns Ar aliasPORT Oc Xc
156.Oo Ar remoteIP Ns Oo : Ns
157.Ar remotePORT Ns Op - Ns Ar remotePORT
158.Oc Oc
159.Xc
160Redirect incoming connections arriving to given port(s) to another host
161and port(s).
162Argument
163.Ar proto
164is either
165.Ar tcp
166or
167.Ar udp ,
168.Ar targetIP
169is the desired target IP address,
170.Ar targetPORT
171is the desired target port number or range,
172.Ar aliasPORT
173is the requested port number or range, and
174.Ar aliasIP
175is the aliasing address.
176Arguments
177.Ar remoteIP
178and
179.Ar remotePORT
180can be used to specify the connection more accurately if necessary.
181If
182.Ar remotePORT
183is not specified, it is assumed to be all ports.
184.Pp
185Arguments
186.Ar targetIP , aliasIP
187and
188.Ar remoteIP
189can be given as IP addresses or as hostnames.
190The
191.Ar targetPORT , aliasPORT
192and
193.Ar remotePORT
194ranges need not be the same numerically, but must have the same size.
195When
196.Ar targetPORT , aliasPORT
197or
198.Ar remotePORT
199specifies a singular value (not a range), it can be given as a service
200name that is searched for in the
201.Xr services 5
202database.
203.Pp
204For example, the argument
205.Pp
206.Dl Ar tcp inside1:telnet 6666
207.Pp
208means that incoming TCP packets destined for port 6666 on this machine
209will be sent to the telnet port on the inside1 machine.
210.Pp
211.Dl Ar tcp inside2:2300-2399 3300-3399
212.Pp
213will redirect incoming connections on ports 3300-3399 to host
214inside2, ports 2300-2399.
215The mapping is 1:1 meaning port 3300 maps to 2300, 3301 maps to 2301, etc.
216.It Fl redirect_proto Ar proto localIP Oo
217.Ar publicIP Op Ar remoteIP
218.Oc
219Redirect incoming IP packets of protocol
220.Ar proto
221(see
222.Xr protocols 5 )
223destined for
224.Ar publicIP
225address to a
226.Ar localIP
227address and vice versa.
228.Pp
229If
230.Ar publicIP
231is not specified, then the default aliasing address is used.
232If
233.Ar remoteIP
234is specified, then only packets coming from/to
235.Ar remoteIP
236will match the rule.
237.It Fl redirect_address Ar localIP publicIP
238Redirect traffic for public IP address to a machine on the local
239network.
240This function is known as
241.Em static NAT .
242Normally static NAT is useful if your ISP has allocated a small block
243of IP addresses to you, but it can even be used in the case of single
244address:
245.Pp
246.Dl Ar redirect_address 10.0.0.8 0.0.0.0
247.Pp
248The above command would redirect all incoming traffic
249to machine 10.0.0.8.
250.Pp
251If several address aliases specify the same public address
252as follows
253.Bd -literal -offset indent
254redirect_address 192.168.0.2 public_addr
255redirect_address 192.168.0.3 public_addr
256redirect_address 192.168.0.4 public_addr
257.Ed
258.Pp
259the incoming traffic will be directed to the last
260translated local address (192.168.0.4), but outgoing
261traffic from the first two addresses will still be aliased
262to appear from the specified
263.Ar public_addr .
264.It Fl redirect_port Ar proto Xo
265.Ar targetIP Ns : Ns Xo
266.Ar targetPORT Ns Oo , Ns
267.Ar targetIP Ns : Ns Xo
268.Ar targetPORT Ns Oo , Ns
269.Ar ...\&
270.Oc Xc Oc Xc
271.Oo Ar aliasIP Ns : Oc Ns Xo
272.Ar aliasPORT
273.Xc
274.Oo Ar remoteIP Ns
275.Op : Ns Ar remotePORT
276.Oc
277.Xc
278.It Fl redirect_address Xo
279.Ar localIP Ns Oo , Ns
280.Ar localIP Ns Oo , Ns
281.Ar ...\&
282.Oc Oc
283.Ar publicIP
284.Xc
285These forms of
286.Fl redirect_port
287and
288.Fl redirect_address
289are used to transparently offload network load on a single server and
290distribute the load across a pool of servers.
291This function is known as
292.Em LSNAT
293(RFC 2391).
294For example, the argument
295.Pp
296.Dl Ar tcp www1:http,www2:http,www3:http www:http
297.Pp
298means that incoming HTTP requests for host www will be transparently
299redirected to one of the www1, www2 or www3, where a host is selected
300simply on a round-robin basis, without regard to load on the net.
301.It Fl dynamic
302If the
303.Fl n
304or
305.Fl interface
306option is used,
307.Nm
308will monitor the routing socket for alterations to the
309.Ar interface
310passed.
311If the interface's IP address is changed,
312.Nm
313will dynamically alter its concept of the alias address.
314.It Fl in_port | i Ar port
315Read from and write to
316.Xr divert 4
317port
318.Ar port ,
319treating all packets as
320.Dq incoming .
321.It Fl out_port | o Ar port
322Read from and write to
323.Xr divert 4
324port
325.Ar port ,
326treating all packets as
327.Dq outgoing .
328.It Fl port | p Ar port
329Read from and write to
330.Xr divert 4
331port
332.Ar port ,
333distinguishing packets as
334.Dq incoming
335or
336.Dq outgoing
337using the rules specified in
338.Xr divert 4 .
339If
340.Ar port
341is not numeric, it is searched for in the
342.Xr services 5
343database.
344If this option is not specified, the divert port named
345.Ar natd
346will be used as a default.
347.It Fl alias_address | a Ar address
348Use
349.Ar address
350as the aliasing address.
351Either this or the
352.Fl interface
353option must be used (but not both),
354if the
355.Fl proxy_only
356option is not specified.
357The specified address is usually the address assigned to the
358.Dq public
359network interface.
360.Pp
361All data passing
362.Em out
363will be rewritten with a source address equal to
364.Ar address .
365All data coming
366.Em in
367will be checked to see if it matches any already-aliased outgoing
368connection.
369If it does, the packet is altered accordingly.
370If not, all
371.Fl redirect_port ,
372.Fl redirect_proto
373and
374.Fl redirect_address
375assignments are checked and actioned.
376If no other action can be made and if
377.Fl deny_incoming
378is not specified, the packet is delivered to the local machine
379using the rules specified in
380.Fl target_address
381option below.
382.It Fl t | target_address Ar address
383Set the target address.
384When an incoming packet not associated with any pre-existing link
385arrives at the host machine, it will be sent to the specified
386.Ar address .
387.Pp
388The target address may be set to
389.Ar 255.255.255.255 ,
390in which case all new incoming packets go to the alias address set by
391.Fl alias_address
392or
393.Fl interface .
394.Pp
395If this option is not used, or called with the argument
396.Ar 0.0.0.0 ,
397then all new incoming packets go to the address specified in
398the packet.
399This allows external machines to talk directly to internal machines if
400they can route packets to the machine in question.
401.It Fl interface | n Ar interface
402Use
403.Ar interface
404to determine the aliasing address.
405If there is a possibility that the IP address associated with
406.Ar interface
407may change, the
408.Fl dynamic
409option should also be used.
410If this option is not specified, the
411.Fl alias_address
412option must be used.
413.Pp
414The specified
415.Ar interface
416is usually the
417.Dq public
418(or
419.Dq external )
420network interface.
421.It Fl config | f Ar file
422Read configuration from
423.Ar file .
424A
425.Ar file
426should contain a list of options, one per line, in the same form
427as the long form of the above command line options.
428For example, the line
429.Pp
430.Dl alias_address 158.152.17.1
431.Pp
432would specify an alias address of 158.152.17.1.
433Options that do not take an argument are specified with an argument of
434.Ar yes
435or
436.Ar no
437in the configuration file.
438For example, the line
439.Pp
440.Dl log yes
441.Pp
442is synonymous with
443.Fl log .
444.Pp
445Options can be divided to several sections.
446Each section applies to own
447.Nm
448instance.
449This ability allows the configuration of one
450.Nm
451process for several NAT instances.
452The first instance that always exists is a "default" instance.
453Each another instance should begin with
454.Pp
455.Dl instance Ar instance_name
456.Pp
457At the next should be placed a configuration option.
458Example:
459.Pp
460.Dl \&# default instance
461.Dl port 8668
462.Dl alias_address 158.152.17.1
463.Pp
464.Dl \&# second instance
465.Dl instance dsl1
466.Dl port 8888
467.Dl alias_address 192.168.0.1
468.Pp
469Trailing spaces and empty lines are ignored.
470A
471.Ql \&#
472sign will mark the rest of the line as a comment.
473.It Fl instance Ar instancename
474This option switches command line options processing to configure instance
475.Ar instancename
476(creating it if necessary) till the next
477.Fl instance
478option or end of command line.
479It is easier to set up multiple instances in the configuration file
480specified with the
481.Fl config
482option rather than on a command line.
483.It Fl globalport Ar port
484Read from and write to
485.Xr divert 4
486port
487.Ar port ,
488treating all packets as
489.Dq outgoing .
490This option is intended to be used with multiple instances:
491packets received on this port are checked against
492internal translation tables of every configured instance.
493If an entry is found, packet is aliased according to that entry.
494If no entry was found in any of the instances, packet is passed
495unchanged, and no new entry will be created.
496See the section
497.Sx MULTIPLE INSTANCES
498for more details.
499.It Fl reverse
500This option makes
501.Nm
502reverse the way it handles
503.Dq incoming
504and
505.Dq outgoing
506packets, allowing it to operate on the
507.Dq internal
508network interface rather than the
509.Dq external
510one.
511.Pp
512This can be useful in some transparent proxying situations
513when outgoing traffic is redirected to the local machine
514and
515.Nm
516is running on the internal interface (it usually runs on the
517external interface).
518.It Fl proxy_only
519Force
520.Nm
521to perform transparent proxying only.
522Normal address translation is not performed.
523.It Fl proxy_rule Xo
524.Op Ar type encode_ip_hdr | encode_tcp_stream
525.Ar port xxxx
526.Ar server a.b.c.d:yyyy
527.Xc
528Enable transparent proxying.
529Outgoing TCP packets with the given port going through this
530host to any other host are redirected to the given server and port.
531Optionally, the original target address can be encoded into the packet.
532Use
533.Ar encode_ip_hdr
534to put this information into the IP option field or
535.Ar encode_tcp_stream
536to inject the data into the beginning of the TCP stream.
537.It Fl punch_fw Xo
538.Ar basenumber Ns : Ns Ar count
539.Xc
540This option directs
541.Nm
542to
543.Dq punch holes
544in an
545.Xr ipfirewall 4
546based firewall for FTP/IRC DCC connections.
547This is done dynamically by installing temporary firewall rules which
548allow a particular connection (and only that connection) to go through
549the firewall.
550The rules are removed once the corresponding connection terminates.
551.Pp
552A maximum of
553.Ar count
554rules starting from the rule number
555.Ar basenumber
556will be used for punching firewall holes.
557The range will be cleared for all rules on startup.
558This option has no effect when the kernel is in security
559level 3, see
560.Xr init 8
561for more information.
562.It Fl skinny_port Ar port
563This option allows you to specify the TCP port used for
564the Skinny Station protocol.
565Skinny is used by Cisco IP phones to communicate with
566Cisco Call Managers to set up voice over IP calls.
567By default, Skinny aliasing is not performed.
568The typical port value for Skinny is 2000.
569.It Fl log_ipfw_denied
570Log when a packet cannot be re-injected because an
571.Xr ipfw 8
572rule blocks it.
573This is the default with
574.Fl verbose .
575.It Fl pid_file | P Ar file
576Specify an alternate file in which to store the process ID.
577The default is
578.Pa /var/run/natd.pid .
579.It Fl exit_delay Ar ms
580Specify delay in ms before daemon exit after signal.
581The default is
582.Pa 10000 .
583.El
584.Sh RUNNING NATD
585The following steps are necessary before attempting to run
586.Nm :
587.Bl -enum
588.It
589Build a custom kernel with the following options:
590.Bd -literal -offset indent
591options IPFIREWALL
592options IPDIVERT
593.Ed
594.Pp
595Refer to the handbook for detailed instructions on building a custom
596kernel.
597.It
598Ensure that your machine is acting as a gateway.
599This can be done by specifying the line
600.Pp
601.Dl gateway_enable=YES
602.Pp
603in the
604.Pa /etc/rc.conf
605file or using the command
606.Pp
607.Dl "sysctl net.inet.ip.forwarding=1"
608.It
609If you use the
610.Fl interface
611option, make sure that your interface is already configured.
612If, for example, you wish to specify
613.Ql tun0
614as your
615.Ar interface ,
616and you are using
617.Xr ppp 8
618on that interface, you must make sure that you start
619.Nm ppp
620prior to starting
621.Nm .
622.El
623.Pp
624Running
625.Nm
626is fairly straight forward.
627The line
628.Pp
629.Dl natd -interface ed0
630.Pp
631should suffice in most cases (substituting the correct interface name).
632Please check
633.Xr rc.conf 5
634on how to configure it to be started automatically during boot.
635Once
636.Nm
637is running, you must ensure that traffic is diverted to
638.Nm :
639.Bl -enum
640.It
641You will need to adjust the
642.Pa /etc/rc.firewall
643script to taste.
644If you are not interested in having a firewall, the
645following lines will do:
646.Bd -literal -offset indent
647/sbin/ipfw -f flush
648/sbin/ipfw add divert natd all from any to any via ed0
649/sbin/ipfw add pass all from any to any
650.Ed
651.Pp
652The second line depends on your interface (change
653.Ql ed0
654as appropriate).
655.Pp
656You should be aware of the fact that, with these firewall settings,
657everyone on your local network can fake his source-address using your
658host as gateway.
659If there are other hosts on your local network, you are strongly
660encouraged to create firewall rules that only allow traffic to and
661from trusted hosts.
662.Pp
663If you specify real firewall rules, it is best to specify line 2 at
664the start of the script so that
665.Nm
666sees all packets before they are dropped by the firewall.
667.Pp
668After translation by
669.Nm ,
670packets re-enter the firewall at the rule number following the rule number
671that caused the diversion (not the next rule if there are several at the
672same number).
673.It
674Enable your firewall by setting
675.Pp
676.Dl firewall_enable=YES
677.Pp
678in
679.Pa /etc/rc.conf .
680This tells the system startup scripts to run the
681.Pa /etc/rc.firewall
682script.
683If you do not wish to reboot now, just run this by hand from the console.
684NEVER run this from a remote session unless you put it into the background.
685If you do, you will lock yourself out after the flush takes place, and
686execution of
687.Pa /etc/rc.firewall
688will stop at this point - blocking all accesses permanently.
689Running the script in the background should be enough to prevent this
690disaster.
691.El
692.Sh MULTIPLE INSTANCES
693It is not so uncommon to have a need of aliasing to several external IP
694addresses.
695While this traditionally was achieved by running several
696.Nm
697processes with independent configurations,
698.Nm
699can have multiple aliasing instances in a single process,
700also allowing them to be not so independent of each other.
701For example, let us see a common task of load balancing two
702channels to different providers on a machine with two external
703interfaces
704.Ql sis0
705(with IP 1.2.3.4) and
706.Ql sis2
707(with IP 2.3.4.5):
708.Bd -literal -offset indent
709          net 1.2.3.0/24
7101.2.3.1 ------------------ sis0
711(router)                (1.2.3.4)
712                                         net 10.0.0.0/24
713                                  sis1 ------------------- 10.0.0.2
714                               (10.0.0.1)
715          net 2.3.4.0/24
7162.3.4.1 ------------------ sis2
717(router)                (2.3.4.5)
718.Ed
719.Pp
720Default route is out via
721.Ql sis0 .
722.Pp
723Interior machine (10.0.0.2) is accessible on TCP port 122 through
724both exterior IPs, and outgoing connections choose a path randomly
725between
726.Ql sis0
727and
728.Ql sis2 .
729.Pp
730The way this works is that
731.Pa natd.conf
732builds two instances of the aliasing engine.
733.Pp
734In addition to these instances' private
735.Xr divert 4
736sockets, a third socket called the
737.Dq globalport
738is created; packets sent to
739.Nm
740via this one will be matched against all instances and translated
741if an existing entry is found, and unchanged if no entry is found.
742The following lines are placed into
743.Pa /etc/natd.conf :
744.Bd -literal -offset indent
745log
746deny_incoming
747verbose
748
749instance default
750interface sis0
751port 1000
752redirect_port tcp 10.0.0.2:122 122
753
754instance sis2
755interface sis2
756port 2000
757redirect_port tcp 10.0.0.2:122 122
758
759globalport 3000
760.Ed
761.Pp
762And the following
763.Xr ipfw 8
764rules are used:
765.Bd -literal -offset indent
766ipfw -f flush
767
768ipfw add      allow ip from any to any via sis1
769
770ipfw add      skipto 1000 ip from any to any in via sis0
771ipfw add      skipto 2000 ip from any to any out via sis0
772ipfw add      skipto 3000 ip from any to any in via sis2
773ipfw add      skipto 4000 ip from any to any out via sis2
774
775ipfw add 1000 count ip from any to any
776
777ipfw add      divert 1000 ip from any to any
778ipfw add      allow ip from any to any
779
780ipfw add 2000 count ip from any to any
781
782ipfw add      divert 3000 ip from any to any
783
784ipfw add      allow ip from 1.2.3.4 to any
785ipfw add      skipto 5000 ip from 2.3.4.5 to any
786
787ipfw add      prob .5 skipto 4000 ip from any to any
788
789ipfw add      divert 1000 ip from any to any
790ipfw add      allow ip from any to any
791
792ipfw add 3000 count ip from any to any
793
794ipfw add      divert 2000 ip from any to any
795ipfw add      allow ip from any to any
796
797ipfw add 4000 count ip from any to any
798
799ipfw add      divert 2000 ip from any to any
800
801ipfw add 5000 fwd 2.3.4.1 ip from 2.3.4.5 to not 2.3.4.0/24
802ipfw add      allow ip from any to any
803.Ed
804.Pp
805Here the packet from internal network to Internet goes out via
806.Ql sis0
807(rule number 2000) and gets caught by the
808.Ic globalport
809socket (3000).
810After that, either a match is found in a translation table
811of one of the two instances, or the packet is passed to one
812of the two other
813.Xr divert 4
814ports (1000 or 2000), with equal probability.
815This ensures that load balancing is done on a per-flow basis
816(i.e., packets from a single TCP connection always flow through the
817same interface).
818Translated packets with source IP of a non-default interface
819.Pq Ql sis2
820are forwarded to the appropriate router on that interface.
821.Sh SEE ALSO
822.Xr libalias 3 ,
823.Xr divert 4 ,
824.Xr protocols 5 ,
825.Xr rc.conf 5 ,
826.Xr services 5 ,
827.Xr syslog.conf 5 ,
828.Xr init 8 ,
829.Xr ipfw 8 ,
830.Xr ppp 8
831.Sh HISTORY
832The
833.Nm
834utility appeared in
835.Fx 3.0 .
836.Sh AUTHORS
837This program is the result of the efforts of many people at different
838times:
839.Pp
840.An Archie Cobbs Aq Mt archie@FreeBSD.org
841(divert sockets)
842.An Charles Mott Aq Mt cm@linktel.net
843(packet aliasing)
844.An Eivind Eklund Aq Mt perhaps@yes.no
845(IRC support & misc additions)
846.An Ari Suutari Aq Mt suutari@iki.fi
847(natd)
848.An Dru Nelson Aq Mt dnelson@redwoodsoft.com
849(early PPTP support)
850.An Brian Somers Aq Mt brian@awfulhak.org
851(glue)
852.An Ruslan Ermilov Aq Mt ru@FreeBSD.org
853(natd, packet aliasing, glue)
854.An Poul-Henning Kamp Aq Mt phk@FreeBSD.org
855(multiple instances)
856