1.\" $FreeBSD$ 2.\" 3.Dd July, 1997 4.Dt LIBALIAS 3 5.Os 6.Sh NAME 7.Nm libalias 8.Nd packet aliasing library for masquerading and address translation (NAT) 9.Sh SYNOPSIS 10.Fd #include <sys/types.h> 11.Fd #include <netinet/in.h> 12.Fd #include <alias.h> 13 14Function prototypes are given in the main body 15of the text. 16.Sh DESCRIPTION 17The 18.Nm 19library is a collection of 20functions for aliasing and de-aliasing 21of IP packets, intended for masquerading and 22network address translation (NAT). 23.Sh CONTENTS 24.Bd -literal -offset left 251. Introduction 262. Initialization and Control 27 2.1 PacketAliasInit() 28 2.2 PacketAliasUninit() 29 2.3 PacketAliasSetAddress() 30 2.4 PacketAliasSetMode() 31 2.5 PacketAliasSetFWBase() 323. Packet Handling 33 3.1 PacketAliasIn() 34 3.2 PacketAliasOut() 354. Port and Address Redirection 36 4.1 PacketAliasRedirectPort() 37 4.2 PacketAliasRedirectAddr() 38 4.3 PacketAliasRedirectDelete() 39 4.4 PacketAliasProxyRule() 40 4.5 PacketAliasPptp() 415. Fragment Handling 42 5.1 PacketAliasSaveFragment() 43 5.2 PacketAliasGetFragment() 44 5.3 PacketAliasFragmentIn() 456. Miscellaneous Functions 46 6.1 PacketAliasSetTarget() 47 6.2 PacketAliasCheckNewLink() 48 6.3 PacketAliasInternetChecksum() 497. Authors 508. Acknowledgments 51 52Appendix A: Conceptual Background 53 A.1 Aliasing Links 54 A.2 Static and Dynamic Links 55 A.3 Partially Specified Links 56 A.4 Dynamic Link Creation 57.Ed 58.Sh 1. Introduction 59This library is a moderately portable 60set of functions designed to assist 61in the process of IP masquerading and 62network address translation. Outgoing 63packets from a local network with 64unregistered IP addresses can be aliased 65to appear as if they came from an 66accessible IP address. Incoming packets 67are then de-aliased so that they are sent 68to the correct machine on the local network. 69 70A certain amount of flexibility is built 71into the packet aliasing engine. In 72the simplest mode of operation, a 73many-to-one address mapping takes place 74between local network and the packet 75aliasing host. This is known as IP 76masquerading. In addition, one-to-one 77mappings between local and public addresses 78can also be implemented, which is known as 79static NAT. In between these extremes, 80different groups of private addresses 81can be linked to different public addresses, 82comprising several distinct many-to-one 83mappings. Also, a given public address 84and port can be statically redirected to 85a private address/port. 86 87The packet aliasing engine was designed 88to operate in user space outside of the 89kernel, without any access to private 90kernel data structure, but the source code 91can also be ported to a kernel environment. 92.Sh 2. Initialization and Control 93Two specific functions, PacketAliasInit() 94and PacketAliasSetAddress(), must always be 95called before any packet handling may be 96performed. In addition, the operating mode 97of the packet aliasing engine can be customized 98by calling PacketAliasSetMode(). 99.Ss 2.1 PacketAliasInit() 100 101.Ft void 102.Fn PacketAliasInit "void" 103 104This function has no argument or return 105value and is used to initialize internal 106data structures. The following mode bits 107are always set after calling 108PacketAliasInit(). See section 2.3 for 109the meaning of these mode bits. 110.Bd -literal -offset indent 111 PKT_ALIAS_USE_SAME_PORTS 112 PKT_ALIAS_USE_SOCKETS 113 PKT_ALIAS_RESET_ON_ADDR_CHANGE 114 115.Ed 116This function will always return the packet 117aliasing engine to the same initial state. 118PacketAliasSetAddress() must be called afterwards, 119and any desired changes from the default mode 120bits listed above require a call to 121PacketAliasSetMode(). 122 123It is mandatory that this function be called 124at the beginning of a program prior to any 125packet handling. 126.Ss 2.2 PacketAliasUninit() 127 128.Ft void 129.Fn PacketAliasUninit "void" 130 131This function has no argument or return 132value and is used to clear any resources 133attached to internal data structures. 134 135This functions should be called when a 136program stop using the aliasing engine; 137it do, among other things, clear out any 138firewall holes. To provide backwards 139compatibility and extra security, it is 140added to the atexit() chain by 141PacketAliasInit(). Calling it multiple 142times is harmless. 143.Ss 2.3 PacketAliasSetAddress() 144 145.Ft void 146.Fn PacketAliasSetAddress "struct in_addr addr" 147 148This function sets the source address to which 149outgoing packets from the local area network 150are aliased. All outgoing packets are remapped 151to this address unless overridden by a static 152address mapping established by 153PacketAliasRedirectAddr(). 154 155If the PKT_ALIAS_RESET_ON_ADDR_CHANGE mode bit 156is set (the default mode of operation), then 157the internal aliasing link tables will be reset 158any time the aliasing address changes, as if 159PacketAliasReset() were called. This is useful 160for interfaces such as ppp where the IP 161address may or may not change on successive 162dial-up attempts. 163 164If the PKT_ALIAS_RESET_ON_ADDR_CHANGE mode bit 165is set to zero, this function can also be used to 166dynamically change the aliasing address on a 167packet to packet basis (it is a low overhead 168call). 169 170It is mandatory that this function be called 171prior to any packet handling. 172.Ss 2.4 PacketAliasSetMode() 173 174.Ft unsigned int 175.Fn PacketAliasSetMode "unsigned int mode" "unsigned int mask" 176 177This function sets or clears mode bits 178according to the value of 179.Em mode . 180Only bits marked in 181.Em mask 182are affected. The following mode bits are 183defined in alias.h: 184.Bl -hang -offset left 185.It PKT_ALIAS_LOG. 186Enables logging /var/log/alias.log. The log file 187shows total numbers of links (icmp, tcp, udp) each 188time an aliasing link is created or deleted. Mainly 189useful for debugging when the log file is viewed 190continuously with "tail -f". 191.It PKT_ALIAS_DENY_INCOMING. 192If this mode bit is set, all incoming packets 193associated with new TCP connections or new 194UDP transactions will be marked for being 195ignored (PacketAliasIn() return code 196PKT_ALIAS_IGNORED) by the calling program. 197Response packets to connections or transactions 198initiated from the packet aliasing host or 199local network will be unaffected. This mode 200bit is useful for implementing a one-way firewall. 201.It PKT_ALIAS_SAME_PORTS. 202If this mode bit is set, the packet aliasing 203engine will attempt to leave the alias port 204numbers unchanged from the actual local port 205number. This can be done as long as the 206quintuple (proto, alias addr, alias port, 207remote addr, remote port) is unique. If a 208conflict exists, an new aliasing port number is 209chosen even if this mode bit is set. 210.It PKT_ALIAS_USE_SOCKETS. 211This bit should be set when the the packet 212aliasing host originates network traffic as 213well as forwards it. When the packet aliasing 214host is waiting for a connection from an 215unknown host address or unknown port number 216(e.g. an FTP data connection), this mode bit 217specifies that a socket be allocated as a place 218holder to prevent port conflicts. Once a 219connection is established, usually within a 220minute or so, the socket is closed. 221.It PKT_ALIAS_UNREGISTERED_ONLY. 222If this mode bit is set, traffic on the 223local network which does not originate from 224unregistered address spaces will be ignored. 225Standard Class A, B and C unregistered addresses 226are: 227.Bd -literal -offset indent 228 10.0.0.0 -> 10.255.255.255 (Class A subnet) 229 172.16.0.0 -> 172.31.255.255 (Class B subnets) 230 192.168.0.0 -> 192.168.255.255 (Class C subnets) 231 232.Ed 233This option is useful in the case that 234packet aliasing host has both registered and 235unregistered subnets on different interfaces. 236The registered subnet is fully accessible to 237the outside world, so traffic from it doesn't 238need to be passed through the packet aliasing 239engine. 240.It PKT_ALIAS_RESET_ON_ADDR_CHANGE. 241When this mode bit is set and 242PacketAliasSetAddress() is called to change 243the aliasing address, the internal link table 244of the packet aliasing engine will be cleared. 245This operating mode is useful for ppp links 246where the interface address can sometimes 247change or remain the same between dial-ups. 248If this mode bit is not set, it the link table 249will never be reset in the event of an 250address change. 251.It PKT_ALIAS_PUNCH_FW. 252This option makes libalias `punch holes' in an 253ipfw based firewall for FTP/IRC DCC connections. 254The holes punched are bound by from/to IP address 255and port; it will not be possible to use a hole 256for another connection. A hole is removed when 257the connection that use it die. To cater for 258unexpected death of a program using libalias (e.g 259kill -9), changing the state of the flag will 260clear the entire ipfw range allocated for holes. 261This will also happen on the initial call to 262PacketAliasSetFWBase(). This call must happen 263prior to setting this flag. 264.It PKT_ALIAS_REVERSE. 265This option makes libalias reverse the way it 266handles incoming and outgoing packets, allowing 267it to be fed data that passes through the internal 268interface rather than the external one. 269 270.El 271 272.Ss 2.5 PacketAliasSetFWBase() 273 274.Ft void 275.Fn PacketAliasSetFWBase "unsigned int base" "unsigned int num" 276 277Set IPFW range allocated for punching firewall holes (with the 278PKT_ALIAS_PUNCH_FW flag). The range will be cleared for all rules on 279initialization. 280.Sh 3. Packet Handling 281The packet handling functions are used to 282modify incoming (remote->local) and outgoing 283(local->remote) packets. The calling program 284is responsible for receiving and sending 285packets via network interfaces. 286 287Along with PacketAliasInit() and PacketAliasSetAddress(), 288the two packet handling functions, PacketAliasIn() 289and PacketAliasOut(), comprise minimal set of functions 290needed for a basic IP masquerading implementation. 291.Ss 3.1 PacketAliasIn() 292 293.Ft int 294.Fn PacketAliasIn "char *buffer" "int maxpacketsize" 295 296An incoming packet coming from a remote machine to 297the local network is de-aliased by this function. 298The IP packet is pointed to by 299.Em buffer , 300and 301.Em maxpacketsize 302indicates the size of the data structure containing 303the packet and should be at least as large as the 304actual packet size. 305 306Return codes: 307.Bl -hang -offset left 308.It PKT_ALIAS_ERROR. 309An internal error within the packet aliasing 310engine occurred. 311.It PKT_ALIAS_OK. 312The packet aliasing process was successful. 313.It PKT_ALIAS_IGNORED. 314The packet was ignored and not de-aliased. 315This can happen if the protocal is unrecognized, 316possibly an ICMP message type is not handled or 317if incoming packets for new connections are being 318ignored (see PKT_ALIAS_DENY_INCOMING in section 3192.2). 320.It PKT_ALIAS_UNRESOLVED_FRAGMENT. 321This is returned when a fragment cannot be 322resolved because the header fragment has not 323been sent yet. In this situation, fragments 324must be saved with PacketAliasSaveFragment() 325until a header fragment is found. 326.It PKT_ALIAS_FOUND_HEADER_FRAGMENT. 327The packet aliasing process was successful, 328and a header fragment was found. This is a 329signal to retrieve any unresolved fragments 330with PacketAliasGetFragment() and de-alias 331them with PacketAliasFragmentIn(). 332.El 333.Ss 3.2 PacketAliasOut() 334 335.Ft int 336.Fn PacketAliasOut "char *buffer" "int maxpacketsize" 337 338An outgoing packet coming from the local network 339to a remote machine is aliased by this function. 340The IP packet is pointed to by 341.Em buffer r, 342and 343.Em maxpacketsize 344indicates the maximum packet size permissible 345should the packet length be changed. IP encoding 346protocols place address and port information in 347the encapsulated data stream which have to be 348modified and can account for changes in packet 349length. Well known examples of such protocols 350are FTP and IRC DCC. 351 352Return codes: 353.Bl -hang -offset left 354.It PKT_ALIAS_ERROR. 355An internal error within the packet aliasing 356engine occurred. 357.It PKT_ALIAS_OK. 358The packet aliasing process was successful. 359.It PKT_ALIAS_IGNORED. 360The packet was ignored and not de-aliased. 361This can happen if the protocal is unrecognized, 362or possibly an ICMP message type is not handled. 363.El 364.Sh 4. Port and Address Redirection 365The functions described in this section allow machines 366on the local network to be accessible in some degree 367to new incoming connections from the external network. 368Individual ports can be re-mapped or static network 369address translations can be designated. 370.Ss 4.1 PacketAliasRedirectPort() 371 372.Ft struct alias_link * 373.Fo PacketAliasRedirectPort 374.Fa "struct in_addr local_addr" 375.Fa "u_short local_port" 376.Fa "struct in_addr remote_addr" 377.Fa "u_short remote_port" 378.Fa "struct in_addr alias_addr" 379.Fa "u_short alias_port" 380.Fa "u_char proto" 381.Fc 382 383This function specifies that traffic from a 384given remote address/port to an alias address/port 385be redirected to a specified local address/port. 386The parameter 387.Em proto 388can be either IPPROTO_TCP or IPPROTO_UDP, as 389defined in <netinet/in.h>. 390 391If 392.Em local_addr 393or 394.Em alias_addr 395is zero, this indicates that the packet aliasing 396address as established by PacketAliasSetAddress() 397is to be used. Even if PacketAliasAddress() is 398called to change the address after PacketAliasRedirectPort() 399is called, a zero reference will track this change. 400 401If 402.Em remote_addr 403is zero, this indicates to redirect packets from 404any remote address. Likewise, if 405.Em remote_port 406is zero, this indicates to redirect packets originating 407from any remote port number. Almost always, the remote 408port specification will be zero, but non-zero remote 409addresses can be sometimes be useful for firewalling. 410If two calls to PacketAliasRedirectPort() overlap in 411their address/port specifications, then the most recent 412call will have precedence. 413 414This function returns a pointer which can subsequently 415be used by PacketAliasRedirectDelete(). If NULL is 416returned, then the function call did not complete 417successfully. 418 419All port numbers are in network address byte order, 420so it is necessary to use htons() to convert these 421parameters from internally readable numbers to 422network byte order. Addresses are also in network 423byte order, which is implicit in the use of the 424.Em struct in_addr 425data type. 426.Ss 4.2 PacketAliasRedirectAddr() 427 428.Ft struct alias_link * 429.Fo PacketAliasRedirectAddr 430.Fa "struct in_addr local_addr" 431.Fa "struct in_addr alias_addr" 432.Fc 433 434This function desgnates that all incoming 435traffic to 436.Em alias_addr 437be redirected to 438.Em local_addr. 439Similarly, all outgoing traffic from 440.Em local_addr 441is aliased to 442.Em alias_addr . 443 444If 445.Em local_addr 446or 447.Em alias_addr 448is zero, this indicates that the packet aliasing 449address as established by PacketAliasSetAddress() 450is to be used. Even if PacketAliasAddress() is 451called to change the address after PacketAliasRedirectAddr() 452is called, a zero reference will track this change. 453 454If subsequent calls to PacketAliasRedirectAddr() 455use the same aliasing address, all new incoming 456traffic to this aliasing address will be redirected 457to the local address made in the last function call, 458but new traffic all of the local machines designated 459in the several function calls will be aliased to 460the same address. Consider the following example: 461.Bd -literal -offset left 462 PacketAliasRedirectAddr(inet_aton("192.168.0.2"), 463 inet_aton("141.221.254.101")); 464 PacketAliasRedirectAddr(inet_aton("192.168.0.3"), 465 inet_aton("141.221.254.101")); 466 PacketAliasRedirectAddr(inet_aton("192.168.0.4"), 467 inet_aton("141.221.254.101")); 468.Ed 469 470Any outgoing connections such as telnet or ftp 471from 192.168.0.2, 192.168.0.3, 192.168.0.4 will 472appear to come from 141.221.254.101. Any incoming 473connections to 141.221.254.101 will be directed 474to 192.168.0.4. 475 476Any calls to PacketAliasRedirectPort() will 477have precedence over address mappings designated 478by PacketAliasRedirectAddr(). 479 480This function returns a pointer which can subsequently 481be used by PacketAliasRedirectDelete(). If NULL is 482returned, then the function call did not complete 483successfully. 484.Ss 4.3 PacketAliasRedirectDelete() 485 486.Ft void 487.Fn PacketAliasRedirectDelete "struct alias_link *ptr" 488 489This function will delete a specific static redirect 490rule entered by PacketAliasRedirectPort() or 491PacketAliasRedirectAddr(). The parameter 492.Em ptr 493is the pointer returned by either of the redirection 494functions. If an invalid pointer is passed to 495PacketAliasRedirectDelete(), then a program crash 496or unpredictable operation could result, so it is 497necessary to be careful using this function. 498.Sh 5. Fragment Handling 499The functions in this section are used to deal with 500incoming fragments. 501 502Outgoing fragments are handled within PacketAliasOut() 503by changing the address according to any 504applicable mapping set by PacketAliasRedirectAddress(), 505or the default aliasing address set by 506PacketAliasSetAddress(). 507 508Incoming fragments are handled in one of two ways. 509If the header of a fragmented IP packet has already 510been seen, then all subsequent fragments will be 511re-mapped in the same manner the header fragment 512was. Fragments which arrive before the header 513are saved and then retrieved once the header fragment 514has been resolved. 515 516.Ss 4.4 PacketAliasProxyRule() 517 518.Ft int 519.Fn PacketAliasProxyRule "const char *cmd" 520 521The passed 522.Ar cmd 523string consists of one or more pairs of words. The first word in each 524pair is a token and the second is the value that should be applied for 525that token. Tokens and their argument types are as follows: 526 527.Bl -tag -offset XXX -width XXX 528.It type encode_ip_hdr|encode_tcp_stream|no_encode 529In order to support transparent proxying, it is necessary to somehow 530pass the original address and port information into the new destination 531server. If 532.Dq encode_ip_hdr 533is specified, the original address and port is passed as an extra IP 534option. If 535.Dq encode_tcp_stream 536is specified, the original address and port is passed as the first 537piece of data in the tcp stream in the format 538.Dq DEST Ar IP port . 539.It port Ar portnum 540Only packets with the destination port 541.Ar portnum 542are proxied. 543.It server Ar host[:portnum] 544This specifies the 545.Ar host 546and 547.Ar portnum 548that the data is to be redirected to. 549.Ar host 550must be an IP address rather than a DNS host name. If 551.Ar portnum 552is not specified, the destination port number is not changed. 553.Pp 554The 555.Ar server 556specification is mandatory unless the 557.Dq delete 558command is being used. 559.It rule Ar index 560Normally, each call to 561.Fn PacketAliasProxyRule 562inserts the next rule at the start of a linear list of rules. If an 563.Ar index 564is specified, the new rule will be checked after all rules with lower 565indices. Calls to 566.Fn PacketAliasProxyRule 567that do not specify a rule are assigned rule 0. 568.It delete Ar index 569This token and its argument must not be used with any other tokens. When 570used, all existing rules with the given 571.Ar index 572are deleted. 573.It proto tcp|udp 574If specified, only packets of the given protocol type are matched. 575.It src Ar IP[/bits] 576If specified, only packets with a source address matching the given 577.Ar IP 578are matched. If 579.Ar bits 580is also specified, then the first 581.Ar bits 582bits of 583.Ar IP 584are taken as a network specification, and all IP addresses from that 585network will be matched. 586.It dst Ar IP[/bits] 587If specified, only packets with a destination address matching the given 588.Ar IP 589are matched. If 590.Ar bits 591is also specified, then the first 592.Ar bits 593bits of 594.Ar IP 595are taken as a network specification, and all IP addresses from that 596network will be matched. 597.El 598 599This function is usually used to redirect outgoing connections for 600internal machines that are not permitted certain types of internet 601access, or to restrict access to certain external machines. 602 603.Ss 4.5 PacketAliasPptp() 604 605.Ft extern int 606.Fn PacketAliasPptp "struct in_addr addr" 607 608This function causes any 609.Em G Ns No eneral 610.Em R Ns No outing 611.Em E Ns No encapsulated 612.Pq Dv IPPROTO_GRE 613packets to be aliased using 614.Ar addr 615rather than the address set via 616.Fn PacketAliasSetAddress . 617This allows the uses of the 618.Em P Ns No oint 619to 620.Em P Ns No oint 621.Em T Ns No unneling 622.Em P Ns No rotocol 623on a machine on the internal network. 624.Pp 625If the passed address is 626.Dv INADDR_NONE 627.Pq 255.255.255.255 , 628.Dv PPTP 629aliasing is disabled. 630 631.Ss 5.1 PacketAliasSaveFragment() 632 633.Ft int 634.Fn PacketAliasSaveFragment "char *ptr" 635 636When PacketAliasIn() returns 637PKT_ALIAS_UNRESOLVED_FRAGMENT, this 638function can be used to save the pointer to 639the unresolved fragment. 640 641It is implicitly assumed that 642.Em ptr 643points to a block of memory allocated by 644malloc(). If the fragment is never 645resolved, the packet aliasing engine will 646automatically free the memory after a 647timeout period. [Eventually this function 648should be modified so that a callback 649function for freeing memory is passed as 650an argument.] 651 652This function returns PKT_ALIAS_OK if it 653was successful and PKT_ALIAS_ERROR if there 654was an error. 655 656.Ss 5.2 PacketAliasGetFragment() 657 658.Ft char * 659.Fn PacketAliasGetFragment "char *buffer" 660 661This function can be used to retrieve fragment 662pointers saved by PacketAliasSaveFragment(). 663The IP header fragment pointed to by 664.Em buffer 665is the header fragment indicated when 666PacketAliasIn() returns PKT_ALIAS_FOUND_HEADER_FRAGMENT. 667Once a a fragment pointer is retrieved, it 668becomes the calling program's responsibility 669to free the dynamically allocated memory for 670the fragment. 671 672PacketAliasGetFragment() can be called 673sequentially until there are no more fragments 674available, at which time it returns NULL. 675.Ss 5.3 PacketAliasFragmentIn() 676 677.Ft void 678.Fn PacketAliasFragmentIn "char *header" "char *fragment" 679 680When a fragment is retrieved with 681PacketAliasGetFragment(), it can then be 682de-aliased with a call to PacketAliasFragmentIn(). 683.Em header 684is the pointer to a header fragment used as a 685template, and 686.Em fragment 687is the pointer to the packet to be de-aliased. 688.Sh 6. Miscellaneous Functions 689 690.Ss 6.1 PacketAliasSetTarget() 691 692.Ft void 693.Fn PacketAliasSetTarget "struct in_addr addr" 694 695When an incoming packet not associated with 696any pre-existing aliasing link arrives at the 697host machine, it will be sent to the address 698indicated by a call to PacketAliasSetTarget(). 699 700If this function is not called, or is called 701with a zero address argument, then all new 702incoming packets go to the address set by 703PacketAliasSetAddress. 704.Ss 6.2 PacketAliasCheckNewLink() 705 706.Ft int 707.Fn PacketAliasCheckNewLink "void" 708 709This function returns a non-zero value when 710a new aliasing link is created. In circumstances 711where incoming traffic is being sequentially 712sent to different local servers, this function 713can be used to trigger when PacketAliasSetTarget() 714is called to change the default target address. 715.Ss 6.3 PacketAliasInternetChecksum() 716 717.Ft u_short 718.Fn PacketAliasInternetChecksum "u_short *buffer" "int nbytes" 719 720This is a utility function that does not seem 721to be available elswhere and is included as a 722convenience. It computes the internet checksum, 723which is used in both IP and protocol-specific 724headers (TCP, UDP, ICMP). 725 726.Em buffer 727points to the data block to be checksummed, and 728.Em nbytes 729is the number of bytes. The 16-bit checksum 730field should be zeroed before computing the checksum. 731 732Checksums can also be verified by operating on a block 733of data including its checksum. If the checksum is 734valid, PacketAliasInternetChecksum() will return zero. 735.Sh 7. Authors 736Charles Mott (cmott@srv.net), versions 1.0 - 1.8, 2.0 - 2.4. 737 738Eivind Eklund (eivind@freebsd.org), versions 1.8b, 1.9 and 7392.5. Added IRC DCC support as well as contributing a number of 740architectural improvements; added the firewall bypass 741for FTP/IRC DCC. 742.Sh 8. Acknowledgments 743 744Listed below, in approximate chronological 745order, are individuals who have provided 746valuable comments and/or debugging assistance. 747 748.Bl -inset -compact -offset left 749.It Gary Roberts 750.It Tom Torrance 751.It Reto Burkhalter 752.It Martin Renters 753.It Brian Somers 754.It Paul Traina 755.It Ari Suutari 756.It Dave Remien 757.It J. Fortes 758.It Andrzej Bialeki 759.It Gordon Burditt 760.El 761.Sh Appendix: Conceptual Background 762This appendix is intended for those who 763are planning to modify the source code or want 764to create somewhat esoteric applications using 765the packet aliasing functions. 766 767The conceptual framework under which the 768packet aliasing engine operates is described here. 769Central to the discussion is the idea of an 770"aliasing link" which describes the relationship 771for a given packet transaction between the local 772machine, aliased identity and remote machine. It 773is discussed how such links come into existence 774and are destroyed. 775.Ss A.1 Aliasing Links 776There is a notion of an "aliasing link", 777which is 7-tuple describing a specific 778translation: 779.Bd -literal -offset indent 780(local addr, local port, alias addr, alias port, 781 remote addr, remote port, protocol) 782.Ed 783 784Outgoing packets have the local address and 785port number replaced with the alias address 786and port number. Incoming packets undergo the 787reverse process. The packet aliasing engine 788attempts to match packets against an internal 789table of aliasing links to determine how to 790modify a given IP packet. Both the IP 791header and protocol dependent headers are 792modified as necessary. Aliasing links are 793created and deleted as necessary according 794to network traffic. 795 796Protocols can be TCP, UDP or even ICMP in 797certain circumstances. (Some types of ICMP 798packets can be aliased according to sequence 799or id number which acts as an equivalent port 800number for identifying how individual packets 801should be handled.) 802 803Each aliasing link must have a unique 804combination of the following five quantities: 805alias address/port, remote address/port 806and protocol. This ensures that several 807machines on a local network can share the 808same aliased IP address. In cases where 809conflicts might arise, the aliasing port 810is chosen so that uniqueness is maintained. 811.Ss A.2 Static and Dynamic Links 812Aliasing links can either be static or dynamic. 813Static links persist indefinitely and represent 814fixed rules for translating IP packets. Dynamic 815links come into existence for a specific TCP 816connection or UDP transaction or ICMP echo 817sequence. For the case of TCP, the connection 818can be monitored to see when the associated 819aliasing link should be deleted. Aliasing links 820for UDP transactions (and ICMP echo and timestamp 821requests) work on a simple timeout rule. When 822no activity is observed on a dynamic link for 823a certain amount of time it is automatically 824deleted. Timeout rules also apply to TCP 825connections which do not open or close 826properly. 827.Ss A.3 Partially Specified Aliasing Links 828Aliasing links can be partially specified, 829meaning that the remote address and/or remote 830ports are unknown. In this case, when a packet 831matching the incomplete specification is found, 832a fully specified dynamic link is created. If 833the original partially specified link is dynamic, 834it will be deleted after the fully specified link 835is created, otherwise it will persist. 836 837For instance, a partially specified link might 838be 839.Bd -literal -offset indent 840(192.168.0.4, 23, 204.228.203.215, 8066, 0, 0, tcp) 841.Ed 842 843The zeros denote unspecified components for 844the remote address and port. If this link were 845static it would have the effect of redirecting 846all incoming traffic from port 8066 of 847204.228.203.215 to port 23 (telnet) of machine 848192.168.0.4 on the local network. Each 849individual telnet connection would initiate 850the creation of a distinct dynamic link. 851.Ss A.4 Dynamic Link Creation 852In addition to aliasing links, there are 853also address mappings that can be stored 854within the internal data table of the packet 855aliasing mechanism. 856.Bd -literal -offset indent 857(local addr, alias addr) 858.Ed 859 860Address mappings are searched when creating 861new dynamic links. 862 863All outgoing packets from the local network 864automatically create a dynamic link if 865they do not match an already existing fully 866specified link. If an address mapping exists 867for the the outgoing packet, this determines 868the alias address to be used. If no mapping 869exists, then a default address, usually the 870address of the packet aliasing host, is used. 871If necessary, this default address can be 872changed as often as each individual packet 873arrives. 874 875The aliasing port number is determined 876such that the new dynamic link does not 877conflict with any existing links. In the 878default operating mode, the packet aliasing 879engine attempts to set the aliasing port 880equal to the local port number. If this 881results in a conflict, then port numbers 882are randomly chosen until a unique aliasing 883link can be established. In an alternate 884operating mode, the first choice of an 885aliasing port is also random and unrelated 886to the local port number. 887 888