.Dd December 6, 2024
.Dt NATD 8
.Os
.Sh NAME
.Nm natd
.Nd Network Address Translation daemon
.Sh SYNOPSIS
.Nm
.Bk -words
.Op Fl unregistered_only | u
.Op Fl log | l
.Op Fl proxy_only
.Op Fl reverse
.Op Fl deny_incoming | d
.Op Fl use_sockets | s
.Op Fl same_ports | m
.Op Fl udp_eim
.Op Fl verbose | v
.Op Fl dynamic
.Op Fl in_port | i Ar port
.Op Fl out_port | o Ar port
.Op Fl port | p Ar port
.Op Fl alias_address | a Ar address
.Op Fl target_address | t Ar address
.Op Fl interface | n Ar interface
.Op Fl proxy_rule Ar proxyspec
.Op Fl redirect_port Ar linkspec
.Op Fl redirect_proto Ar linkspec
.Op Fl redirect_address Ar linkspec
.Op Fl config | f Ar configfile
.Op Fl instance Ar instancename
.Op Fl globalport Ar port
.Op Fl log_denied
.Op Fl log_facility Ar facility_name
.Op Fl punch_fw Ar firewall_range
.Op Fl skinny_port Ar port
.Op Fl log_ipfw_denied
.Op Fl pid_file | P Ar pidfile
.Op Fl exit_delay Ar ms
.Ek
.Sh DESCRIPTION
The
.Nm
utility provides a Network Address Translation facility for use
with
.Xr divert 4
sockets under
.Fx .
.Pp
(If you need NAT on a PPP link,
.Xr ppp 8
provides the
.Fl nat
option that gives most of the
.Nm
functionality, and uses the same
.Xr libalias 3
library.)
.Pp
The
.Nm
utility normally runs in the background as a daemon.
It is passed raw IP packets as they travel into and out of the machine,
and will possibly change these before re-injecting them back into the
IP packet stream.
.Pp
It changes all packets destined for another host so that their source
IP address is that of the current machine.
For each packet changed in this manner, an internal table entry is
created to record this fact.
The source port number is also changed to indicate the table entry
applying to the packet.
Packets that are received with a target IP of the current host are
checked against this internal table.
If an entry is found, it is used to determine the correct target IP
address and port to place in the packet.
.Pp
The following command line options are available:
.Bl -tag -width Fl
.It Fl log | l
Log various aliasing statistics and information to the file
.Pa /var/log/alias.log .
This file is truncated each time
.Nm
is started.
.It Fl deny_incoming | d
Do not pass incoming packets that have no
entry in the internal translation table.
.Pp
If this option is not used, then such a packet will be altered
using the rules in
.Fl target_address
below, and an entry will be made in the internal translation table.
.It Fl log_denied
Log denied incoming packets via
.Xr syslog 3
(see also
.Fl log_facility ) .
.It Fl log_facility Ar facility_name
Use the specified log facility when logging information via
.Xr syslog 3 .
Argument
.Ar facility_name
is one of the keywords specified in
.Xr syslog.conf 5 .
.It Fl use_sockets | s
Allocate a
.Xr socket 2
in order to establish an FTP data or IRC DCC send connection.
This option uses more system resources, but guarantees successful
connections when port numbers conflict.
.It Fl same_ports | m
Try to keep the same port number when altering outgoing packets.
With this option, protocols such as RPC will have a better chance
of working.
If it is not possible to maintain the port number, it will be silently
changed as per normal.
.It Fl udp_eim
When enabled, UDP packets use endpoint-independent mapping (EIM) from RFC 4787
("full cone" NAT of RFC 3489).
All packets from the same internal address:port are mapped to the same NAT
address:port, regardless of their destination address:port.
If filtering rules allow, and if
.Em deny_incoming
is disabled, any other external address:port can
also send to the internal address:port through its mapped NAT address:port.
This is more compatible with applications, and can reduce the need for port
forwarding, but is less scalable as each NAT address:port can only be
concurrently used by at most one internal address:port.
.Pp
When disabled, UDP packets use endpoint-dependent mapping (EDM) ("symmetric"
NAT).
Each connection from a particular internal address:port to different
external addresses:ports is mapped to a random and unpredictable NAT
address:port.
Two applications behind EDM NATs can only connect to each other
by port forwarding on the NAT, or tunnelling through an in-between server.
.It Fl verbose | v
Do not call
.Xr daemon 3
on startup.
Instead, stay attached to the controlling terminal and display all packet
alterations to the standard output.
This option should only be used for debugging purposes.
.It Fl unregistered_only | u
Only alter outgoing packets with an
.Em unregistered
source address.
According to RFC 1918, unregistered source addresses are 10.0.0.0/8,
172.16.0.0/12 and 192.168.0.0/16.
.It Fl redirect_port Ar proto Xo
.Ar targetIP Ns : Ns Xo
.Ar targetPORT Ns Oo - Ns Ar targetPORT Oc Xc
.Oo Ar aliasIP Ns : Oc Ns Xo
.Ar aliasPORT Ns Oo - Ns Ar aliasPORT Oc Xc
.Oo Ar remoteIP Ns Oo : Ns
.Ar remotePORT Ns Op - Ns Ar remotePORT
.Oc Oc
.Xc
Redirect incoming connections arriving at the given port(s) to another host
and port(s).
Argument
.Ar proto
is either
.Ar tcp
or
.Ar udp ,
.Ar targetIP
is the desired target IP address,
.Ar targetPORT
is the desired target port number or range,
.Ar aliasPORT
is the requested port number or range, and
.Ar aliasIP
is the aliasing address.
Arguments
.Ar remoteIP
and
.Ar remotePORT
can be used to specify the connection more accurately if necessary.
If
.Ar remotePORT
is not specified, it is assumed to be all ports.
.Pp
Arguments
.Ar targetIP , aliasIP
and
.Ar remoteIP
can be given as IP addresses or as hostnames.
The
.Ar targetPORT , aliasPORT
and
.Ar remotePORT
ranges need not be the same numerically, but must have the same size.
When
.Ar targetPORT , aliasPORT
or
.Ar remotePORT
specifies a singular value (not a range), it can be given as a service
name that is searched for in the
.Xr services 5
database.
.Pp
For example, the argument
.Pp
.Dl Ar tcp inside1:telnet 6666
.Pp
means that incoming TCP packets destined for port 6666 on this machine
will be sent to the telnet port on the inside1 machine.
.Pp
.Dl Ar tcp inside2:2300-2399 3300-3399
.Pp
will redirect incoming connections on ports 3300-3399 to host
inside2, ports 2300-2399.
The mapping is 1:1 meaning port 3300 maps to 2300, 3301 maps to 2301, etc.
.It Fl redirect_proto Ar proto localIP Oo
.Ar publicIP Op Ar remoteIP
.Oc
Redirect incoming IP packets of protocol
.Ar proto
(see
.Xr protocols 5 )
destined for
.Ar publicIP
address to a
.Ar localIP
address and vice versa.
.Pp
If
.Ar publicIP
is not specified, then the default aliasing address is used.
If
.Ar remoteIP
is specified, then only packets coming from/to
.Ar remoteIP
will match the rule.
.It Fl redirect_address Ar localIP publicIP
Redirect traffic for public IP address to a machine on the local
network.
This function is known as
.Em static NAT .
Normally static NAT is useful if your ISP has allocated a small block
of IP addresses to you, but it can even be used in the case of a single
address:
.Pp
.Dl Ar redirect_address 10.0.0.8 0.0.0.0
.Pp
The above command would redirect all incoming traffic
to machine 10.0.0.8.
.Pp
If several address aliases specify the same public address
as follows
.Bd -literal -offset indent
redirect_address 192.168.0.2 public_addr
redirect_address 192.168.0.3 public_addr
redirect_address 192.168.0.4 public_addr
.Ed
.Pp
the incoming traffic will be directed to the last
translated local address (192.168.0.4), but outgoing
traffic from the first two addresses will still be aliased
to appear from the specified
.Ar public_addr .
.It Fl redirect_port Ar proto Xo
.Ar targetIP Ns : Ns Xo
.Ar targetPORT Ns Oo , Ns
.Ar targetIP Ns : Ns Xo
.Ar targetPORT Ns Oo , Ns
.Ar ...\&
.Oc Xc Oc Xc
.Oo Ar aliasIP Ns : Oc Ns Xo
.Ar aliasPORT
.Xc
.Oo Ar remoteIP Ns
.Op : Ns Ar remotePORT
.Oc
.Xc
.It Fl redirect_address Xo
.Ar localIP Ns Oo , Ns
.Ar localIP Ns Oo , Ns
.Ar ...\&
.Oc Oc
.Ar publicIP
.Xc
These forms of
.Fl redirect_port
and
.Fl redirect_address
are used to transparently offload network load on a single server and
distribute the load across a pool of servers.
This function is known as
.Em LSNAT
(RFC 2391).
For example, the argument
.Pp
.Dl Ar tcp www1:http,www2:http,www3:http www:http
.Pp
means that incoming HTTP requests for host www will be transparently
redirected to one of www1, www2 or www3, where a host is selected
simply on a round-robin basis, without regard to load on the net.
.It Fl dynamic
If the
.Fl n
or
.Fl interface
option is used,
.Nm
will monitor the routing socket for alterations to the
.Ar interface
passed.
If the interface's IP address is changed,
.Nm
will dynamically alter its concept of the alias address.
.It Fl in_port | i Ar port
Read from and write to
.Xr divert 4
port
.Ar port ,
treating all packets as
.Dq incoming .
.It Fl out_port | o Ar port
Read from and write to
.Xr divert 4
port
.Ar port ,
treating all packets as
.Dq outgoing .
.It Fl port | p Ar port
Read from and write to
.Xr divert 4
port
.Ar port ,
distinguishing packets as
.Dq incoming
or
.Dq outgoing
using the rules specified in
.Xr divert 4 .
If
.Ar port
is not numeric, it is searched for in the
.Xr services 5
database.
If this option is not specified, the divert port named
.Ar natd
will be used as a default.
.It Fl alias_address | a Ar address
Use
.Ar address
as the aliasing address.
Either this or the
.Fl interface
option must be used (but not both),
if the
.Fl proxy_only
option is not specified.
The specified address is usually the address assigned to the
.Dq public
network interface.
.Pp
All data passing
.Em out
will be rewritten with a source address equal to
.Ar address .
All data coming
.Em in
will be checked to see if it matches any already-aliased outgoing
connection.
If it does, the packet is altered accordingly.
If not, all
.Fl redirect_port ,
.Fl redirect_proto
and
.Fl redirect_address
assignments are checked and actioned.
If no other action can be taken and if
.Fl deny_incoming
is not specified, the packet is delivered to the local machine
using the rules specified in the
.Fl target_address
option below.
.It Fl target_address | t Ar address
Set the target address.
When an incoming packet not associated with any pre-existing link
arrives at the host machine, it will be sent to the specified
.Ar address .
.Pp
The target address may be set to
.Ar 255.255.255.255 ,
in which case all new incoming packets go to the alias address set by
.Fl alias_address
or
.Fl interface .
.Pp
If this option is not used, or called with the argument
.Ar 0.0.0.0 ,
then all new incoming packets go to the address specified in
the packet.
This allows external machines to talk directly to internal machines if
they can route packets to the machine in question.
.It Fl interface | n Ar interface
Use
.Ar interface
to determine the aliasing address.
If there is a possibility that the IP address associated with
.Ar interface
may change, the
.Fl dynamic
option should also be used.
If this option is not specified, the
.Fl alias_address
option must be used.
.Pp
The specified
.Ar interface
is usually the
.Dq public
(or
.Dq external )
network interface.
.It Fl config | f Ar file
Read configuration from
.Ar file .
A
.Ar file
should contain a list of options, one per line, in the same form
as the long form of the above command line options.
For example, the line
.Pp
.Dl alias_address 158.152.17.1
.Pp
would specify an alias address of 158.152.17.1.
Options that do not take an argument are specified with an argument of
.Ar yes
or
.Ar no
in the configuration file.
For example, the line
.Pp
.Dl log yes
.Pp
is synonymous with
.Fl log .
.Pp
Options can be divided into several sections.
Each section applies to its own
.Nm
instance.
This ability allows the configuration of one
.Nm
process for several NAT instances.
The first instance, which always exists, is the
.Dq default
instance.
Each additional instance should begin with
.Pp
.Dl instance Ar instance_name
.Pp
Configuration options for that instance follow on the next lines.
Example:
.Pp
.Dl \&# default instance
.Dl port 8668
.Dl alias_address 158.152.17.1
.Pp
.Dl \&# second instance
.Dl instance dsl1
.Dl port 8888
.Dl alias_address 192.168.0.1
.Pp
Trailing spaces and empty lines are ignored.
A
.Ql \&#
sign will mark the rest of the line as a comment.
.It Fl instance Ar instancename
This option switches command line options processing to configure instance
.Ar instancename
(creating it if necessary) till the next
.Fl instance
option or end of command line.
It is easier to set up multiple instances in the configuration file
specified with the
.Fl config
option rather than on a command line.
.It Fl globalport Ar port
Read from and write to
.Xr divert 4
port
.Ar port ,
treating all packets as
.Dq outgoing .
This option is intended to be used with multiple instances:
packets received on this port are checked against the
internal translation tables of every configured instance.
If an entry is found, the packet is aliased according to that entry.
If no entry is found in any of the instances, the packet is passed
unchanged, and no new entry will be created.
See the section
.Sx MULTIPLE INSTANCES
for more details.
.It Fl reverse
This option makes
.Nm
reverse the way it handles
.Dq incoming
and
.Dq outgoing
packets, allowing it to operate on the
.Dq internal
network interface rather than the
.Dq external
one.
.Pp
This can be useful in some transparent proxying situations
when outgoing traffic is redirected to the local machine
and
.Nm
is running on the internal interface (it usually runs on the
external interface).
.It Fl proxy_only
Force
.Nm
to perform transparent proxying only.
Normal address translation is not performed.
.It Fl proxy_rule Xo
.Op Ar type encode_ip_hdr | encode_tcp_stream
.Ar port xxxx
.Ar server a.b.c.d:yyyy
.Xc
Enable transparent proxying.
Outgoing TCP packets with the given port going through this
host to any other host are redirected to the given server and port.
Optionally, the original target address can be encoded into the packet.
Use
.Ar encode_ip_hdr
to put this information into the IP option field or
.Ar encode_tcp_stream
to inject the data into the beginning of the TCP stream.
.It Fl punch_fw Xo
.Ar basenumber Ns : Ns Ar count
.Xc
This option directs
.Nm
to
.Dq punch holes
in an
.Xr ipfirewall 4
based firewall for FTP/IRC DCC connections.
This is done dynamically by installing temporary firewall rules which
allow a particular connection (and only that connection) to go through
the firewall.
The rules are removed once the corresponding connection terminates.
.Pp
A maximum of
.Ar count
rules starting from the rule number
.Ar basenumber
will be used for punching firewall holes.
The range will be cleared for all rules on startup.
This option has no effect when the kernel is in security
level 3, see
.Xr init 8
for more information.
.It Fl skinny_port Ar port
This option allows you to specify the TCP port used for
the Skinny Station protocol.
Skinny is used by Cisco IP phones to communicate with
Cisco Call Managers to set up voice over IP calls.
By default, Skinny aliasing is not performed.
The typical port value for Skinny is 2000.
.It Fl log_ipfw_denied
Log when a packet cannot be re-injected because an
.Xr ipfw 8
rule blocks it.
This is the default with
.Fl verbose .
.It Fl pid_file | P Ar file
Specify an alternate file in which to store the process ID.
The default is
.Pa /var/run/natd.pid .
.It Fl exit_delay Ar ms
Specify the delay in ms before the daemon exits after receiving a signal.
The default is 10000.
.El
.Sh RUNNING NATD
The following steps are necessary before attempting to run
.Nm :
.Bl -enum
.It
Build a custom kernel with the following options:
.Bd -literal -offset indent
options IPFIREWALL
options IPDIVERT
.Ed
.Pp
Refer to the handbook for detailed instructions on building a custom
kernel.
.It
Ensure that your machine is acting as a gateway.
This can be done by specifying the line
.Pp
.Dl gateway_enable=YES
.Pp
in the
.Pa /etc/rc.conf
file or using the command
.Pp
.Dl "sysctl net.inet.ip.forwarding=1"
.It
If you use the
.Fl interface
option, make sure that your interface is already configured.
If, for example, you wish to specify
.Ql tun0
as your
.Ar interface ,
and you are using
.Xr ppp 8
on that interface, you must make sure that you start
.Nm ppp
prior to starting
.Nm .
.El
.Pp
Running
.Nm
is fairly straightforward.
The line
.Pp
.Dl natd -interface ed0
.Pp
should suffice in most cases (substituting the correct interface name).
Please check
.Xr rc.conf 5
on how to configure it to be started automatically during boot.
Once
.Nm
is running, you must ensure that traffic is diverted to
.Nm :
.Bl -enum
.It
You will need to adjust the
.Pa /etc/rc.firewall
script to taste.
If you are not interested in having a firewall, the
following lines will do:
.Bd -literal -offset indent
/sbin/ipfw -f flush
/sbin/ipfw add divert natd all from any to any via ed0
/sbin/ipfw add pass all from any to any
.Ed
.Pp
The second line depends on your interface (change
.Ql ed0
as appropriate).
.Pp
You should be aware of the fact that, with these firewall settings,
everyone on your local network can fake their source address using your
host as gateway.
If there are other hosts on your local network, you are strongly
encouraged to create firewall rules that only allow traffic to and
from trusted hosts.
.Pp
If you specify real firewall rules, it is best to specify line 2 at
the start of the script so that
.Nm
sees all packets before they are dropped by the firewall.
.Pp
After translation by
.Nm ,
packets re-enter the firewall at the rule number following the rule number
that caused the diversion (not the next rule if there are several at the
same number).
.It
Enable your firewall by setting
.Pp
.Dl firewall_enable=YES
.Pp
in
.Pa /etc/rc.conf .
This tells the system startup scripts to run the
.Pa /etc/rc.firewall
script.
If you do not wish to reboot now, just run this by hand from the console.
NEVER run this from a remote session unless you put it into the background.
If you do, you will lock yourself out after the flush takes place, and
execution of
.Pa /etc/rc.firewall
will stop at this point - blocking all accesses permanently.
Running the script in the background should be enough to prevent this
disaster.
.El
.Sh MULTIPLE INSTANCES
It is not uncommon to need aliasing to several external IP
addresses.
While this traditionally was achieved by running several
.Nm
processes with independent configurations,
.Nm
can have multiple aliasing instances in a single process,
which also allows them to be less independent of each other.
For example, consider the common task of load balancing two
channels to different providers on a machine with two external
interfaces
.Ql sis0
(with IP 1.2.3.4) and
.Ql sis2
(with IP 2.3.4.5):
.Bd -literal -offset indent
          net 1.2.3.0/24
1.2.3.1 ------------------ sis0
(router)                (1.2.3.4)
                                         net 10.0.0.0/24
                                   sis1 ------------------- 10.0.0.2
                                (10.0.0.1)
          net 2.3.4.0/24
2.3.4.1 ------------------ sis2
(router)                (2.3.4.5)
.Ed
.Pp
Default route is out via
.Ql sis0 .
.Pp
Interior machine (10.0.0.2) is accessible on TCP port 122 through
both exterior IPs, and outgoing connections choose a path randomly
between
.Ql sis0
and
.Ql sis2 .
.Pp
The way this works is that
.Pa natd.conf
builds two instances of the aliasing engine.
.Pp
In addition to these instances' private
.Xr divert 4
sockets, a third socket called the
.Dq globalport
is created; packets sent to
.Nm
via this one will be matched against all instances and translated
if an existing entry is found, and unchanged if no entry is found.
The following lines are placed into
.Pa /etc/natd.conf :
.Bd -literal -offset indent
log
deny_incoming
verbose

instance default
interface sis0
port 1000
redirect_port tcp 10.0.0.2:122 122

instance sis2
interface sis2
port 2000
redirect_port tcp 10.0.0.2:122 122

globalport 3000
.Ed
.Pp
And the following
.Xr ipfw 8
rules are used:
.Bd -literal -offset indent
ipfw -f flush

ipfw add allow ip from any to any via sis1

ipfw add skipto 1000 ip from any to any in via sis0
ipfw add skipto 2000 ip from any to any out via sis0
ipfw add skipto 3000 ip from any to any in via sis2
ipfw add skipto 4000 ip from any to any out via sis2

ipfw add 1000 count ip from any to any

ipfw add divert 1000 ip from any to any
ipfw add allow ip from any to any

ipfw add 2000 count ip from any to any

ipfw add divert 3000 ip from any to any

ipfw add allow ip from 1.2.3.4 to any
ipfw add skipto 5000 ip from 2.3.4.5 to any

ipfw add prob .5 skipto 4000 ip from any to any

ipfw add divert 1000 ip from any to any
ipfw add allow ip from any to any

ipfw add 3000 count ip from any to any

ipfw add divert 2000 ip from any to any
ipfw add allow ip from any to any

ipfw add 4000 count ip from any to any

ipfw add divert 2000 ip from any to any

ipfw add 5000 fwd 2.3.4.1 ip from 2.3.4.5 to not 2.3.4.0/24
ipfw add allow ip from any to any
.Ed
.Pp
Here a packet from the internal network to the Internet goes out via
.Ql sis0
(rule number 2000) and gets caught by the
.Ic globalport
socket (3000).
After that, either a match is found in a translation table
of one of the two instances, or the packet is passed to one
of the two other
.Xr divert 4
ports (1000 or 2000), with equal probability.
This ensures that load balancing is done on a per-flow basis
(i.e., packets from a single TCP connection always flow through the
same interface).
Translated packets with source IP of a non-default interface
.Pq Ql sis2
are forwarded to the appropriate router on that interface.
.Sh SEE ALSO
.Xr libalias 3 ,
.Xr divert 4 ,
.Xr protocols 5 ,
.Xr rc.conf 5 ,
.Xr services 5 ,
.Xr syslog.conf 5 ,
.Xr init 8 ,
.Xr ipfw 8 ,
.Xr ppp 8
.Sh HISTORY
The
.Nm
utility appeared in
.Fx 3.0 .
.Sh AUTHORS
This program is the result of the efforts of many people at different
times:
.Pp
.An Archie Cobbs Aq Mt archie@FreeBSD.org
(divert sockets)
.An Charles Mott Aq Mt cm@linktel.net
(packet aliasing)
.An Eivind Eklund Aq Mt perhaps@yes.no
(IRC support & misc additions)
.An Ari Suutari Aq Mt suutari@iki.fi
(natd)
.An Dru Nelson Aq Mt dnelson@redwoodsoft.com
(early PPTP support)
.An Brian Somers Aq Mt brian@awfulhak.org
(glue)
.An Ruslan Ermilov Aq Mt ru@FreeBSD.org
(natd, packet aliasing, glue)
.An Poul-Henning Kamp Aq Mt phk@FreeBSD.org
(multiple instances)
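An added example, not part of natd or of this manual page: a Python reader for the configuration file format described under the config option, with an audit of the settings this page ties to inbound exposure (deny_incoming, target_address, redirect_address to 0.0.0.0, and redirect_port range sizes). It assumes that an option applies only to the instance whose section contains it and that a bare boolean option means yes, as in the MULTIPLE INSTANCES file; only numeric ports are handled and the sample file is constructed.

```python
# Added example (not natd's own parser): read a natd.conf-style file and flag
# settings that widen inbound exposure. Numeric ports only; SAMPLE is constructed.

BOOLEANS = {"log", "deny_incoming", "log_denied", "use_sockets", "same_ports",
            "udp_eim", "verbose", "unregistered_only", "dynamic", "reverse",
            "proxy_only", "log_ipfw_denied"}

def parse_natd_conf(text):
    """Return {instance: [(option, argument), ...]} using the page's file rules."""
    instances = {"default": []}               # the default instance always exists
    current = "default"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # '#' starts a comment
        if not line:
            continue
        option, *rest = line.split(None, 1)
        arg = rest[0].strip() if rest else ""
        if option == "instance":              # later options belong to this instance
            current = arg
            instances.setdefault(current, [])
            continue
        if option in BOOLEANS:
            arg = arg or "yes"                # assumption: a bare flag means "yes"
            if arg not in ("yes", "no"):
                raise ValueError(f"{option}: expected yes or no, got {arg!r}")
        instances[current].append((option, arg))
    return instances

def port_range(spec):
    """'3300-3399' -> (3300, 3399); '6666' -> (6666, 6666)."""
    low, _, high = spec.partition("-")
    return int(low), int(high or low)

def redirect_port_map(arg):
    """Map alias port -> target port for 'proto targetIP:ports [aliasIP:]ports'."""
    _proto, target, alias = arg.split()[:3]
    t_low, t_high = port_range(target.rsplit(":", 1)[1])
    a_low, a_high = port_range(alias.rsplit(":", 1)[-1])
    if t_high - t_low != a_high - a_low:      # ranges must have the same size
        raise ValueError(f"redirect_port {arg}: port ranges differ in size")
    return {a_low + i: t_low + i for i in range(a_high - a_low + 1)}

def audit(instances):
    """Return sorted (instance, finding) pairs; assumes options apply per section."""
    findings = []
    for name, options in instances.items():
        last = dict(options)                  # last value wins for single options
        if last.get("deny_incoming") != "yes":
            target = last.get("target_address", "0.0.0.0")
            findings.append((name, f"unmatched inbound packets follow "
                                   f"target_address {target}"))
        for option, arg in options:
            if option == "redirect_address" and arg.split()[-1] == "0.0.0.0":
                findings.append((name, f"all inbound traffic sent to {arg.split()[0]}"))
            if option == "redirect_port":
                try:
                    redirect_port_map(arg)
                except ValueError as err:
                    findings.append((name, str(err)))
    return sorted(findings)

SAMPLE = """\
# constructed sample with a default and a second instance
deny_incoming yes
redirect_port tcp 10.0.0.2:2300-2399 3300-3399
instance dsl1               # second instance
redirect_address 10.0.0.8 0.0.0.0
redirect_port tcp 10.0.0.2:2300-2399 3300-3350
"""

for instance, finding in audit(parse_natd_conf(SAMPLE)):
    print(f"{instance}: {finding}")
```

Under the per-section assumption the audit reports nothing for the default instance and three findings for dsl1, including the missing deny_incoming that the first section does not carry over.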
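An added example, not libalias or natd code: a small Python model of the two UDP mapping modes described under udp_eim, showing which remote endpoints can reach an internal host through a mapped NAT port with and without deny_incoming. The class and function names are hypothetical and all addresses are constructed.

```python
# Added example: a toy model of the two UDP mapping modes (not libalias code).
# Endpoints are (address, port) tuples; all addresses below are constructed.
import random


class UdpNat:
    def __init__(self, eim, deny_incoming, seed=1):
        self.eim = eim
        self.deny_incoming = deny_incoming
        self._rng = random.Random(seed)   # seeded only to make the demo repeatable
        self._by_key = {}                 # mapping key -> NAT port
        self._by_port = {}                # NAT port -> (internal, contacted remotes)

    def outbound(self, internal, remote):
        """Return the NAT port used for a packet from internal to remote."""
        # EIM keys the mapping on the internal endpoint only; EDM adds the remote.
        key = internal if self.eim else (internal, remote)
        if key not in self._by_key:
            port = self._rng.randrange(1024, 65536)
            while port in self._by_port:  # each NAT port serves one mapping
                port = self._rng.randrange(1024, 65536)
            self._by_key[key] = port
            self._by_port[port] = (internal, set())
        port = self._by_key[key]
        self._by_port[port][1].add(remote)
        return port

    def inbound(self, nat_port, remote):
        """Return the internal endpoint reached via this mapping, or None."""
        if nat_port not in self._by_port:
            return None
        internal, contacted = self._by_port[nat_port]
        if remote in contacted:
            return internal
        # A remote the host never contacted: only EIM without deny_incoming
        # lets it through the existing mapping.
        if self.eim and not self.deny_incoming:
            return internal
        return None


def reachable_by_third_party(eim, deny_incoming):
    """Can an uncontacted peer use the NAT port that a contacted server observed?"""
    nat = UdpNat(eim, deny_incoming)
    host = ("10.0.0.2", 5000)
    server = ("198.51.100.1", 3478)
    peer = ("203.0.113.9", 4000)
    observed = nat.outbound(host, server)
    return nat.inbound(observed, peer) == host


if __name__ == "__main__":
    for eim in (True, False):
        for deny in (False, True):
            print(f"udp_eim={eim} deny_incoming={deny}: "
                  f"third party reachable={reachable_by_third_party(eim, deny)}")
```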