1.\" $FreeBSD$ 2.\" 3.Dd July, 1997 4.Dt LIBALIAS 3 5.Os 6.Sh NAME 7.Nm libalias 8.Nd packet aliasing library for masquerading and address translation (NAT) 9.Sh SYNOPSIS 10.Fd #include <sys/types.h> 11.Fd #include <netinet/in.h> 12.Fd #include <alias.h> 13 14Function prototypes are given in the main body 15of the text. 16.Sh DESCRIPTION 17The 18.Nm 19library is a collection of 20functions for aliasing and de-aliasing 21of IP packets, intended for masquerading and 22network address translation (NAT). 23.Sh CONTENTS 24.Bd -literal -offset left 251. Introduction 262. Initialization and Control 27 2.1 PacketAliasInit() 28 2.2 PacketAliasUninit() 29 2.3 PacketAliasSetAddress() 30 2.4 PacketAliasSetMode() 31 2.5 PacketAliasSetFWBase() 323. Packet Handling 33 3.1 PacketAliasIn() 34 3.2 PacketAliasOut() 354. Port and Address Redirection 36 4.1 PacketAliasRedirectPort() 37 4.2 PacketAliasRedirectAddr() 38 4.3 PacketAliasRedirectDelete() 39 4.4 PacketAliasProxyRule() 40 4.5 PacketAliasPptp() 415. Fragment Handling 42 5.1 PacketAliasSaveFragment() 43 5.2 PacketAliasGetFragment() 44 5.3 PacketAliasFragmentIn() 456. Miscellaneous Functions 46 6.1 PacketAliasSetTarget() 47 6.2 PacketAliasCheckNewLink() 48 6.3 PacketAliasInternetChecksum() 497. Authors 508. Acknowledgments 51 52Appendix A: Conceptual Background 53 A.1 Aliasing Links 54 A.2 Static and Dynamic Links 55 A.3 Partially Specified Links 56 A.4 Dynamic Link Creation 57.Ed 58.Sh 1. Introduction 59This library is a moderately portable 60set of functions designed to assist 61in the process of IP masquerading and 62network address translation. Outgoing 63packets from a local network with 64unregistered IP addresses can be aliased 65to appear as if they came from an 66accessible IP address. Incoming packets 67are then de-aliased so that they are sent 68to the correct machine on the local network. 69 70A certain amount of flexibility is built 71into the packet aliasing engine. In 72the simplest mode of operation, a 73many-to-one address mapping takes place 74between local network and the packet 75aliasing host. This is known as IP 76masquerading. In addition, one-to-one 77mappings between local and public addresses 78can also be implemented, which is known as 79static NAT. In between these extremes, 80different groups of private addresses 81can be linked to different public addresses, 82comprising several distinct many-to-one 83mappings. Also, a given public address 84and port can be statically redirected to 85a private address/port. 86 87The packet aliasing engine was designed 88to operate in user space outside of the 89kernel, without any access to private 90kernel data structure, but the source code 91can also be ported to a kernel environment. 92.Sh 2. Initialization and Control 93Two specific functions, PacketAliasInit() 94and PacketAliasSetAddress(), must always be 95called before any packet handling may be 96performed. In addition, the operating mode 97of the packet aliasing engine can be customized 98by calling PacketAliasSetMode(). 99.Ss 2.1 PacketAliasInit() 100 101.Ft void 102.Fn PacketAliasInit "void" 103 104This function has no argument or return 105value and is used to initialize internal 106data structures. The following mode bits 107are always set after calling 108PacketAliasInit(). See section 2.3 for 109the meaning of these mode bits. 110.Bd -literal -offset indent 111 PKT_ALIAS_USE_SAME_PORTS 112 PKT_ALIAS_USE_SOCKETS 113 PKT_ALIAS_RESET_ON_ADDR_CHANGE 114 115.Ed 116This function will always return the packet 117aliasing engine to the same initial state. 118PacketAliasSetAddress() must be called afterwards, 119and any desired changes from the default mode 120bits listed above require a call to 121PacketAliasSetMode(). 122 123It is mandatory that this function be called 124at the beginning of a program prior to any 125packet handling. 126.Ss 2.2 PacketAliasUninit() 127 128.Ft void 129.Fn PacketAliasUninit "void" 130 131This function has no argument or return 132value and is used to clear any resources 133attached to internal data structures. 134 135This functions should be called when a 136program stop using the aliasing engine; 137it do, among other things, clear out any 138firewall holes. To provide backwards 139compatibility and extra security, it is 140added to the atexit() chain by 141PacketAliasInit(). Calling it multiple 142times is harmless. 143.Ss 2.3 PacketAliasSetAddress() 144 145.Ft void 146.Fn PacketAliasSetAddress "struct in_addr addr" 147 148This function sets the source address to which 149outgoing packets from the local area network 150are aliased. All outgoing packets are remapped 151to this address unless overridden by a static 152address mapping established by 153PacketAliasRedirectAddr(). 154 155If the PKT_ALIAS_RESET_ON_ADDR_CHANGE mode bit 156is set (the default mode of operation), then 157the internal aliasing link tables will be reset 158any time the aliasing address changes. 159This is useful 160for interfaces such as ppp where the IP 161address may or may not change on successive 162dial-up attempts. 163 164If the PKT_ALIAS_RESET_ON_ADDR_CHANGE mode bit 165is set to zero, this function can also be used to 166dynamically change the aliasing address on a 167packet to packet basis (it is a low overhead 168call). 169 170It is mandatory that this function be called 171prior to any packet handling. 172.Ss 2.4 PacketAliasSetMode() 173 174.Ft unsigned int 175.Fn PacketAliasSetMode "unsigned int mode" "unsigned int mask" 176 177This function sets or clears mode bits 178according to the value of 179.Em mode . 180Only bits marked in 181.Em mask 182are affected. The following mode bits are 183defined in alias.h: 184.Bl -hang -offset left 185.It PKT_ALIAS_LOG. 186Enables logging /var/log/alias.log. The log file 187shows total numbers of links (icmp, tcp, udp) each 188time an aliasing link is created or deleted. Mainly 189useful for debugging when the log file is viewed 190continuously with "tail -f". 191.It PKT_ALIAS_DENY_INCOMING. 192If this mode bit is set, all incoming packets 193associated with new TCP connections or new 194UDP transactions will be marked for being 195ignored (PacketAliasIn() return code 196PKT_ALIAS_IGNORED) by the calling program. 197Response packets to connections or transactions 198initiated from the packet aliasing host or 199local network will be unaffected. This mode 200bit is useful for implementing a one-way firewall. 201.It PKT_ALIAS_SAME_PORTS. 202If this mode bit is set, the packet aliasing 203engine will attempt to leave the alias port 204numbers unchanged from the actual local port 205number. This can be done as long as the 206quintuple (proto, alias addr, alias port, 207remote addr, remote port) is unique. If a 208conflict exists, a new aliasing port number is 209chosen even if this mode bit is set. 210.It PKT_ALIAS_USE_SOCKETS. 211This bit should be set when the packet 212aliasing host originates network traffic as 213well as forwards it. When the packet aliasing 214host is waiting for a connection from an 215unknown host address or unknown port number 216(e.g. an FTP data connection), this mode bit 217specifies that a socket be allocated as a place 218holder to prevent port conflicts. Once a 219connection is established, usually within a 220minute or so, the socket is closed. 221.It PKT_ALIAS_UNREGISTERED_ONLY. 222If this mode bit is set, traffic on the 223local network which does not originate from 224unregistered address spaces will be ignored. 225Standard Class A, B and C unregistered addresses 226are: 227.Bd -literal -offset indent 228 10.0.0.0 -> 10.255.255.255 (Class A subnet) 229 172.16.0.0 -> 172.31.255.255 (Class B subnets) 230 192.168.0.0 -> 192.168.255.255 (Class C subnets) 231 232.Ed 233This option is useful in the case that 234packet aliasing host has both registered and 235unregistered subnets on different interfaces. 236The registered subnet is fully accessible to 237the outside world, so traffic from it doesn't 238need to be passed through the packet aliasing 239engine. 240.It PKT_ALIAS_RESET_ON_ADDR_CHANGE. 241When this mode bit is set and 242PacketAliasSetAddress() is called to change 243the aliasing address, the internal link table 244of the packet aliasing engine will be cleared. 245This operating mode is useful for ppp links 246where the interface address can sometimes 247change or remain the same between dial-ups. 248If this mode bit is not set, the link table 249will never be reset in the event of an 250address change. 251.It PKT_ALIAS_PUNCH_FW. 252This option makes libalias `punch holes' in an 253ipfw based firewall for FTP/IRC DCC connections. 254The holes punched are bound by from/to IP address 255and port; it will not be possible to use a hole 256for another connection. A hole is removed when 257the connection that uses it dies. To cater to 258unexpected death of a program using libalias (e.g 259kill -9), changing the state of the flag will 260clear the entire ipfw range allocated for holes. 261This will also happen on the initial call to 262PacketAliasSetFWBase(). This call must happen 263prior to setting this flag. 264.It PKT_ALIAS_REVERSE. 265This option makes libalias reverse the way it 266handles incoming and outgoing packets, allowing 267it to be fed data that passes through the internal 268interface rather than the external one. 269 270.El 271 272.Ss 2.5 PacketAliasSetFWBase() 273 274.Ft void 275.Fn PacketAliasSetFWBase "unsigned int base" "unsigned int num" 276 277Set IPFW range allocated for punching firewall holes (with the 278PKT_ALIAS_PUNCH_FW flag). The range will be cleared for all rules on 279initialization. 280.Sh 3. Packet Handling 281The packet handling functions are used to 282modify incoming (remote->local) and outgoing 283(local->remote) packets. The calling program 284is responsible for receiving and sending 285packets via network interfaces. 286 287Along with PacketAliasInit() and PacketAliasSetAddress(), 288the two packet handling functions, PacketAliasIn() 289and PacketAliasOut(), comprise minimal set of functions 290needed for a basic IP masquerading implementation. 291.Ss 3.1 PacketAliasIn() 292 293.Ft int 294.Fn PacketAliasIn "char *buffer" "int maxpacketsize" 295 296An incoming packet coming from a remote machine to 297the local network is de-aliased by this function. 298The IP packet is pointed to by 299.Em buffer , 300and 301.Em maxpacketsize 302indicates the size of the data structure containing 303the packet and should be at least as large as the 304actual packet size. 305 306Return codes: 307.Bl -hang -offset left 308.It PKT_ALIAS_ERROR. 309An internal error within the packet aliasing 310engine occurred. 311.It PKT_ALIAS_OK. 312The packet aliasing process was successful. 313.It PKT_ALIAS_IGNORED. 314The packet was ignored and not de-aliased. 315This can happen if the protocol is unrecognized, 316possibly an ICMP message type is not handled or 317if incoming packets for new connections are being 318ignored (see PKT_ALIAS_DENY_INCOMING in section 3192.2). 320.It PKT_ALIAS_UNRESOLVED_FRAGMENT. 321This is returned when a fragment cannot be 322resolved because the header fragment has not 323been sent yet. In this situation, fragments 324must be saved with PacketAliasSaveFragment() 325until a header fragment is found. 326.It PKT_ALIAS_FOUND_HEADER_FRAGMENT. 327The packet aliasing process was successful, 328and a header fragment was found. This is a 329signal to retrieve any unresolved fragments 330with PacketAliasGetFragment() and de-alias 331them with PacketAliasFragmentIn(). 332.El 333.Ss 3.2 PacketAliasOut() 334 335.Ft int 336.Fn PacketAliasOut "char *buffer" "int maxpacketsize" 337 338An outgoing packet coming from the local network 339to a remote machine is aliased by this function. 340The IP packet is pointed to by 341.Em buffer , 342and 343.Em maxpacketsize 344indicates the maximum packet size permissible 345should the packet length be changed. IP encoding 346protocols place address and port information in 347the encapsulated data stream which have to be 348modified and can account for changes in packet 349length. Well known examples of such protocols 350are FTP and IRC DCC. 351 352Return codes: 353.Bl -hang -offset left 354.It PKT_ALIAS_ERROR. 355An internal error within the packet aliasing 356engine occurred. 357.It PKT_ALIAS_OK. 358The packet aliasing process was successful. 359.It PKT_ALIAS_IGNORED. 360The packet was ignored and not de-aliased. 361This can happen if the protocol is unrecognized, 362or possibly an ICMP message type is not handled. 363.El 364.Sh 4. Port and Address Redirection 365The functions described in this section allow machines 366on the local network to be accessible in some degree 367to new incoming connections from the external network. 368Individual ports can be re-mapped or static network 369address translations can be designated. 370.Ss 4.1 PacketAliasRedirectPort() 371 372.Ft struct alias_link * 373.Fo PacketAliasRedirectPort 374.Fa "struct in_addr local_addr" 375.Fa "u_short local_port" 376.Fa "struct in_addr remote_addr" 377.Fa "u_short remote_port" 378.Fa "struct in_addr alias_addr" 379.Fa "u_short alias_port" 380.Fa "u_char proto" 381.Fc 382 383This function specifies that traffic from a 384given remote address/port to an alias address/port 385be redirected to a specified local address/port. 386The parameter 387.Em proto 388can be either IPPROTO_TCP or IPPROTO_UDP, as 389defined in <netinet/in.h>. 390 391If 392.Em local_addr 393or 394.Em alias_addr 395is zero, this indicates that the packet aliasing 396address as established by PacketAliasSetAddress() 397is to be used. Even if PacketAliasSetAddress() is 398called to change the address after PacketAliasRedirectPort() 399is called, a zero reference will track this change. 400 401If 402.Em remote_addr 403is zero, this indicates to redirect packets from 404any remote address. Likewise, if 405.Em remote_port 406is zero, this indicates to redirect packets originating 407from any remote port number. Almost always, the remote 408port specification will be zero, but non-zero remote 409addresses can sometimes be useful for firewalling. 410If two calls to PacketAliasRedirectPort() overlap in 411their address/port specifications, then the most recent 412call will have precedence. 413 414This function returns a pointer which can subsequently 415be used by PacketAliasRedirectDelete(). If NULL is 416returned, then the function call did not complete 417successfully. 418 419All port numbers are in network address byte order, 420so it is necessary to use htons() to convert these 421parameters from internally readable numbers to 422network byte order. Addresses are also in network 423byte order, which is implicit in the use of the 424.Em struct in_addr 425data type. 426.Ss 4.2 PacketAliasRedirectAddr() 427 428.Ft struct alias_link * 429.Fo PacketAliasRedirectAddr 430.Fa "struct in_addr local_addr" 431.Fa "struct in_addr alias_addr" 432.Fc 433 434This function desgnates that all incoming 435traffic to 436.Em alias_addr 437be redirected to 438.Em local_addr. 439Similarly, all outgoing traffic from 440.Em local_addr 441is aliased to 442.Em alias_addr . 443 444If 445.Em local_addr 446or 447.Em alias_addr 448is zero, this indicates that the packet aliasing 449address as established by PacketAliasSetAddress() 450is to be used. Even if PacketAliasSetAddress() is 451called to change the address after PacketAliasRedirectAddr() 452is called, a zero reference will track this change. 453 454If subsequent calls to PacketAliasRedirectAddr() 455use the same aliasing address, all new incoming 456traffic to this aliasing address will be redirected 457to the local address made in the last function call. 458New traffic generated by any of the local machines, designated 459in the several function calls, will be aliased to 460the same address. Consider the following example: 461.Bd -literal -offset left 462 PacketAliasRedirectAddr(inet_aton("192.168.0.2"), 463 inet_aton("141.221.254.101")); 464 PacketAliasRedirectAddr(inet_aton("192.168.0.3"), 465 inet_aton("141.221.254.101")); 466 PacketAliasRedirectAddr(inet_aton("192.168.0.4"), 467 inet_aton("141.221.254.101")); 468.Ed 469 470Any outgoing connections such as telnet or ftp 471from 192.168.0.2, 192.168.0.3, 192.168.0.4 will 472appear to come from 141.221.254.101. Any incoming 473connections to 141.221.254.101 will be directed 474to 192.168.0.4. 475 476Any calls to PacketAliasRedirectPort() will 477have precedence over address mappings designated 478by PacketAliasRedirectAddr(). 479 480This function returns a pointer which can subsequently 481be used by PacketAliasRedirectDelete(). If NULL is 482returned, then the function call did not complete 483successfully. 484.Ss 4.3 PacketAliasRedirectDelete() 485 486.Ft void 487.Fn PacketAliasRedirectDelete "struct alias_link *ptr" 488 489This function will delete a specific static redirect 490rule entered by PacketAliasRedirectPort() or 491PacketAliasRedirectAddr(). The parameter 492.Em ptr 493is the pointer returned by either of the redirection 494functions. If an invalid pointer is passed to 495PacketAliasRedirectDelete(), then a program crash 496or unpredictable operation could result, so it is 497necessary to be careful using this function. 498.Ss 4.4 PacketAliasProxyRule() 499 500.Ft int 501.Fn PacketAliasProxyRule "const char *cmd" 502 503The passed 504.Ar cmd 505string consists of one or more pairs of words. The first word in each 506pair is a token and the second is the value that should be applied for 507that token. Tokens and their argument types are as follows: 508 509.Bl -tag -offset XXX -width XXX 510.It type encode_ip_hdr|encode_tcp_stream|no_encode 511In order to support transparent proxying, it is necessary to somehow 512pass the original address and port information into the new destination 513server. If 514.Dq encode_ip_hdr 515is specified, the original address and port is passed as an extra IP 516option. If 517.Dq encode_tcp_stream 518is specified, the original address and port is passed as the first 519piece of data in the tcp stream in the format 520.Dq DEST Ar IP port . 521.It port Ar portnum 522Only packets with the destination port 523.Ar portnum 524are proxied. 525.It server Ar host[:portnum] 526This specifies the 527.Ar host 528and 529.Ar portnum 530that the data is to be redirected to. 531.Ar host 532must be an IP address rather than a DNS host name. If 533.Ar portnum 534is not specified, the destination port number is not changed. 535.Pp 536The 537.Ar server 538specification is mandatory unless the 539.Dq delete 540command is being used. 541.It rule Ar index 542Normally, each call to 543.Fn PacketAliasProxyRule 544inserts the next rule at the start of a linear list of rules. If an 545.Ar index 546is specified, the new rule will be checked after all rules with lower 547indices. Calls to 548.Fn PacketAliasProxyRule 549that do not specify a rule are assigned rule 0. 550.It delete Ar index 551This token and its argument must not be used with any other tokens. When 552used, all existing rules with the given 553.Ar index 554are deleted. 555.It proto tcp|udp 556If specified, only packets of the given protocol type are matched. 557.It src Ar IP[/bits] 558If specified, only packets with a source address matching the given 559.Ar IP 560are matched. If 561.Ar bits 562is also specified, then the first 563.Ar bits 564bits of 565.Ar IP 566are taken as a network specification, and all IP addresses from that 567network will be matched. 568.It dst Ar IP[/bits] 569If specified, only packets with a destination address matching the given 570.Ar IP 571are matched. If 572.Ar bits 573is also specified, then the first 574.Ar bits 575bits of 576.Ar IP 577are taken as a network specification, and all IP addresses from that 578network will be matched. 579.El 580 581This function is usually used to redirect outgoing connections for 582internal machines that are not permitted certain types of internet 583access, or to restrict access to certain external machines. 584.Ss 4.5 PacketAliasPptp() 585 586.Ft extern int 587.Fn PacketAliasPptp "struct in_addr addr" 588 589This function causes any 590.Em G Ns No eneral 591.Em R Ns No outing 592.Em E Ns No ncapsulation 593.Pq Dv IPPROTO_GRE 594packets to be aliased using 595.Ar addr 596rather than the address set via 597.Fn PacketAliasSetAddress . 598This allows the uses of the 599.Em P Ns No oint 600to 601.Em P Ns No oint 602.Em T Ns No unneling 603.Em P Ns No rotocol 604on a machine on the internal network. 605.Pp 606If the passed address is 607.Dv INADDR_NONE 608.Pq 255.255.255.255 , 609.Dv PPTP 610aliasing is disabled. 611.Sh 5. Fragment Handling 612The functions in this section are used to deal with 613incoming fragments. 614 615Outgoing fragments are handled within PacketAliasOut() 616by changing the address according to any 617applicable mapping set by PacketAliasRedirectAddress(), 618or the default aliasing address set by 619PacketAliasSetAddress(). 620 621Incoming fragments are handled in one of two ways. 622If the header of a fragmented IP packet has already 623been seen, then all subsequent fragments will be 624re-mapped in the same manner the header fragment 625was. Fragments which arrive before the header 626are saved and then retrieved once the header fragment 627has been resolved. 628.Ss 5.1 PacketAliasSaveFragment() 629 630.Ft int 631.Fn PacketAliasSaveFragment "char *ptr" 632 633When PacketAliasIn() returns 634PKT_ALIAS_UNRESOLVED_FRAGMENT, this 635function can be used to save the pointer to 636the unresolved fragment. 637 638It is implicitly assumed that 639.Em ptr 640points to a block of memory allocated by 641malloc(). If the fragment is never 642resolved, the packet aliasing engine will 643automatically free the memory after a 644timeout period. [Eventually this function 645should be modified so that a callback 646function for freeing memory is passed as 647an argument.] 648 649This function returns PKT_ALIAS_OK if it 650was successful and PKT_ALIAS_ERROR if there 651was an error. 652 653.Ss 5.2 PacketAliasGetFragment() 654 655.Ft char * 656.Fn PacketAliasGetFragment "char *buffer" 657 658This function can be used to retrieve fragment 659pointers saved by PacketAliasSaveFragment(). 660The IP header fragment pointed to by 661.Em buffer 662is the header fragment indicated when 663PacketAliasIn() returns PKT_ALIAS_FOUND_HEADER_FRAGMENT. 664Once a a fragment pointer is retrieved, it 665becomes the calling program's responsibility 666to free the dynamically allocated memory for 667the fragment. 668 669PacketAliasGetFragment() can be called 670sequentially until there are no more fragments 671available, at which time it returns NULL. 672.Ss 5.3 PacketAliasFragmentIn() 673 674.Ft void 675.Fn PacketAliasFragmentIn "char *header" "char *fragment" 676 677When a fragment is retrieved with 678PacketAliasGetFragment(), it can then be 679de-aliased with a call to PacketAliasFragmentIn(). 680.Em header 681is the pointer to a header fragment used as a 682template, and 683.Em fragment 684is the pointer to the packet to be de-aliased. 685.Sh 6. Miscellaneous Functions 686 687.Ss 6.1 PacketAliasSetTarget() 688 689.Ft void 690.Fn PacketAliasSetTarget "struct in_addr addr" 691 692When an incoming packet not associated with 693any pre-existing aliasing link arrives at the 694host machine, it will be sent to the address 695indicated by a call to PacketAliasSetTarget(). 696 697If this function is not called, or is called 698with a zero address argument, then all new 699incoming packets go to the address set by 700PacketAliasSetAddress. 701.Ss 6.2 PacketAliasCheckNewLink() 702 703.Ft int 704.Fn PacketAliasCheckNewLink "void" 705 706This function returns a non-zero value when 707a new aliasing link is created. In circumstances 708where incoming traffic is being sequentially 709sent to different local servers, this function 710can be used to trigger when PacketAliasSetTarget() 711is called to change the default target address. 712.Ss 6.3 PacketAliasInternetChecksum() 713 714.Ft u_short 715.Fn PacketAliasInternetChecksum "u_short *buffer" "int nbytes" 716 717This is a utility function that does not seem 718to be available elswhere and is included as a 719convenience. It computes the internet checksum, 720which is used in both IP and protocol-specific 721headers (TCP, UDP, ICMP). 722 723.Em buffer 724points to the data block to be checksummed, and 725.Em nbytes 726is the number of bytes. The 16-bit checksum 727field should be zeroed before computing the checksum. 728 729Checksums can also be verified by operating on a block 730of data including its checksum. If the checksum is 731valid, PacketAliasInternetChecksum() will return zero. 732.Sh 7. Authors 733Charles Mott (cmott@srv.net), versions 1.0 - 1.8, 2.0 - 2.4. 734 735Eivind Eklund (eivind@freebsd.org), versions 1.8b, 1.9 and 7362.5. Added IRC DCC support as well as contributing a number of 737architectural improvements; added the firewall bypass 738for FTP/IRC DCC. 739.Sh 8. Acknowledgments 740 741Listed below, in approximate chronological 742order, are individuals who have provided 743valuable comments and/or debugging assistance. 744 745.Bl -inset -compact -offset left 746.It Gary Roberts 747.It Tom Torrance 748.It Reto Burkhalter 749.It Martin Renters 750.It Brian Somers 751.It Paul Traina 752.It Ari Suutari 753.It Dave Remien 754.It J. Fortes 755.It Andrzej Bialeki 756.It Gordon Burditt 757.El 758.Sh Appendix: Conceptual Background 759This appendix is intended for those who 760are planning to modify the source code or want 761to create somewhat esoteric applications using 762the packet aliasing functions. 763 764The conceptual framework under which the 765packet aliasing engine operates is described here. 766Central to the discussion is the idea of an 767"aliasing link" which describes the relationship 768for a given packet transaction between the local 769machine, aliased identity and remote machine. It 770is discussed how such links come into existence 771and are destroyed. 772.Ss A.1 Aliasing Links 773There is a notion of an "aliasing link", 774which is 7-tuple describing a specific 775translation: 776.Bd -literal -offset indent 777(local addr, local port, alias addr, alias port, 778 remote addr, remote port, protocol) 779.Ed 780 781Outgoing packets have the local address and 782port number replaced with the alias address 783and port number. Incoming packets undergo the 784reverse process. The packet aliasing engine 785attempts to match packets against an internal 786table of aliasing links to determine how to 787modify a given IP packet. Both the IP 788header and protocol dependent headers are 789modified as necessary. Aliasing links are 790created and deleted as necessary according 791to network traffic. 792 793Protocols can be TCP, UDP or even ICMP in 794certain circumstances. (Some types of ICMP 795packets can be aliased according to sequence 796or id number which acts as an equivalent port 797number for identifying how individual packets 798should be handled.) 799 800Each aliasing link must have a unique 801combination of the following five quantities: 802alias address/port, remote address/port 803and protocol. This ensures that several 804machines on a local network can share the 805same aliased IP address. In cases where 806conflicts might arise, the aliasing port 807is chosen so that uniqueness is maintained. 808.Ss A.2 Static and Dynamic Links 809Aliasing links can either be static or dynamic. 810Static links persist indefinitely and represent 811fixed rules for translating IP packets. Dynamic 812links come into existence for a specific TCP 813connection or UDP transaction or ICMP echo 814sequence. For the case of TCP, the connection 815can be monitored to see when the associated 816aliasing link should be deleted. Aliasing links 817for UDP transactions (and ICMP echo and timestamp 818requests) work on a simple timeout rule. When 819no activity is observed on a dynamic link for 820a certain amount of time it is automatically 821deleted. Timeout rules also apply to TCP 822connections which do not open or close 823properly. 824.Ss A.3 Partially Specified Aliasing Links 825Aliasing links can be partially specified, 826meaning that the remote address and/or remote 827ports are unknown. In this case, when a packet 828matching the incomplete specification is found, 829a fully specified dynamic link is created. If 830the original partially specified link is dynamic, 831it will be deleted after the fully specified link 832is created, otherwise it will persist. 833 834For instance, a partially specified link might 835be 836.Bd -literal -offset indent 837(192.168.0.4, 23, 204.228.203.215, 8066, 0, 0, tcp) 838.Ed 839 840The zeros denote unspecified components for 841the remote address and port. If this link were 842static it would have the effect of redirecting 843all incoming traffic from port 8066 of 844204.228.203.215 to port 23 (telnet) of machine 845192.168.0.4 on the local network. Each 846individual telnet connection would initiate 847the creation of a distinct dynamic link. 848.Ss A.4 Dynamic Link Creation 849In addition to aliasing links, there are 850also address mappings that can be stored 851within the internal data table of the packet 852aliasing mechanism. 853.Bd -literal -offset indent 854(local addr, alias addr) 855.Ed 856 857Address mappings are searched when creating 858new dynamic links. 859 860All outgoing packets from the local network 861automatically create a dynamic link if 862they do not match an already existing fully 863specified link. If an address mapping exists 864for the outgoing packet, this determines 865the alias address to be used. If no mapping 866exists, then a default address, usually the 867address of the packet aliasing host, is used. 868If necessary, this default address can be 869changed as often as each individual packet 870arrives. 871 872The aliasing port number is determined 873such that the new dynamic link does not 874conflict with any existing links. In the 875default operating mode, the packet aliasing 876engine attempts to set the aliasing port 877equal to the local port number. If this 878results in a conflict, then port numbers 879are randomly chosen until a unique aliasing 880link can be established. In an alternate 881operating mode, the first choice of an 882aliasing port is also random and unrelated 883to the local port number. 884 885