1.Dd July, 1997 2.Dt "libalias" 3 3.Os 4.Sh NAME 5.Nm "libalias" 6Packet Aliasing Library. A collection of 7functions for aliasing and de-aliasing 8of IP packets, intended for masquerading and 9network address translation (NAT). 10 11.Sh SYNOPSIS 12.Fd #include <sys/types.h> 13.Fd #include <netinet/in.h> 14.Fd #include <alias.h> 15 16Function prototypes are given in the main body 17of the text. 18 19.Sh CONTENTS 20.Bd -literal -offset left 211. Introduction 222. Initialization and Control 23 2.1 PacketAliasInit() 24 2.2 PacketAliasUninit() 25 2.3 PacketAliasSetAddress() 26 2.4 PacketAliasSetMode() 27 2.5 PacketAliasSetFWBase() 283. Packet Handling 29 3.1 PacketAliasOut() 30 3.2 PacketAliasIn() 314. Port and Address Redirection 32 4.1 PacketAliasRedirectPort() 33 4.2 PacketAliasRedirectAddr() 34 4.3 PacketAliasRedirectDelete() 355. Fragment Handling 36 5.1 PacketAliasSaveFragment() 37 5.2 PacketAliasGetFragment() 38 5.3 PacketAliasFragmentIn() 396. Miscellaneous Functions 40 6.1 PacketAliasSetTarget() 41 6.2 PacketAliasCheckNewLink() 42 6.3 PacketAliasInternetChecksum() 437. Authors 448. Acknowledgments 45 46Appendix A: Conceptual Background 47 A.1 Aliasing Links 48 A.2 Static and Dynamic Links 49 A.3 Partially Specified Links 50 A.4 Dynamic Link Creation 51.Ed 52 53.Sh 1. Introduction 54This library is a moderately portable 55set of functions designed to assist 56in the process of IP masquerading and 57network address translation. Outgoing 58packets from a local network with 59unregistered IP addresses can be aliased 60to appear as if they came from an 61accessible IP address. Incoming packets 62are then de-aliased so that they are sent 63to the correct machine on the local network. 64 65A certain amount of flexibility is built 66into the packet aliasing engine. In 67the simplest mode of operation, a 68many-to-one address mapping takes place 69between local network and the packet 70aliasing host. This is known as IP 71masquerading. In addition, one-to-one 72mappings between local and public addresses 73can also be implemented, which is known as 74static NAT. In between these extremes, 75different groups of private addresses 76can be linked to different public addresses, 77comprising several distinct many-to-one 78mappings. Also, a given public address 79and port can be statically redirected to 80a private address/port. 81 82The packet aliasing engine was designed 83to operate in user space outside of the 84kernel, without any access to private 85kernel data structure, but the source code 86can also be ported to a kernel environment. 87 88.Sh 2. Initialization and Control 89Two specific functions, PacketAliasInit() 90and PacketAliasSetAddress(), must always be 91called before any packet handling may be 92performed. In addition, the operating mode 93of the packet aliasing engine can be customized 94by calling PacketAliasSetMode(). 95.Ss 2.1 PacketAliasInit() 96 97.Ft void 98.Fn PacketAliasInit "void" 99 100This function has no argument or return 101value and is used to initialize internal 102data structures. The following mode bits 103are always set after calling 104PacketAliasInit(). See section 2.3 for 105the meaning of these mode bits. 106.Bd -literal -offset indent 107 PKT_ALIAS_USE_SAME_PORTS 108 PKT_ALIAS_USE_SOCKETS 109 PKT_ALIAS_RESET_ON_ADDR_CHANGE 110 111.Ed 112This function will always return the packet 113aliasing engine to the same initial state. 114PacketAliasSetAddress() must be called afterwards, 115and any desired changes from the default mode 116bits listed above require a call to 117PacketAliasSetMode(). 118 119It is mandatory that this function be called 120at the beginning of a program prior to any 121packet handling. 122.Ss 2.2 PacketAliasUninit() 123 124.Ft void 125.Fn PacketAliasUninit "void" 126 127This function has no argument or return 128value and is used to clear any resources 129attached to internal data structures. 130 131This functions should be called when a 132program stop using the aliasing engine; 133it do, among other things, clear out any 134firewall holes. To provide backwards 135compatibility and extra security, it is 136added to the atexit() chain by 137PacketAliasInit(). Calling it multiple 138times is harmless. 139.Ss 2.3 PacketAliasSetAddress() 140 141.Ft void 142.Fn PacketAliasSetAddress "struct in_addr addr" 143 144This function sets the source address to which 145outgoing packets from the local area network 146are aliased. All outgoing packets are remapped 147to this address unless overridden by a static 148address mapping established by 149PacketAliasRedirectAddr(). 150 151If the PKT_ALIAS_RESET_ON_ADDR_CHANGE mode bit 152is set (the default mode of operation), then 153the internal aliasing link tables will be reset 154any time the aliasing address changes, as if 155PacketAliasReset() were called. This is useful 156for interfaces such as ppp where the IP 157address may or may not change on successive 158dial-up attempts. 159 160If the PKT_ALIAS_RESET_ON_ADDR_CHANGE mode bit 161is set to zero, this function can also be used to 162dynamically change the aliasing address on a 163packet to packet basis (it is a low overhead 164call). 165 166It is mandatory that this function be called 167prior to any packet handling. 168.Ss 2.4 PacketAliasSetMode() 169 170.Ft unsigned int 171.Fn PacketAliasSetMode "unsigned int mode" "unsigned int mask" 172 173This function sets or clears mode bits 174according to the value of 175.Em mode . 176Only bits marked in 177.Em mask 178are affected. The following mode bits are 179defined in alias.h: 180.Bl -hang -offset left 181.It PKT_ALIAS_LOG. 182Enables logging /var/log/alias.log. The log file 183shows total numbers of links (icmp, tcp, udp) each 184time an aliasing link is created or deleted. Mainly 185useful for debugging when the log file is viewed 186continuously with "tail -f". 187.It PKT_ALIAS_DENY_INCOMING. 188If this mode bit is set, all incoming packets 189associated with new TCP connections or new 190UDP transactions will be marked for being 191ignored (PacketAliasIn() return code 192PKT_ALIAS_IGNORED) by the calling program. 193Response packets to connections or transactions 194initiated from the packet aliasing host or 195local network will be unaffected. This mode 196bit is useful for implementing a one-way firewall. 197.It PKT_ALIAS_SAME_PORTS. 198If this mode bit is set, the packet aliasing 199engine will attempt to leave the alias port 200numbers unchanged from the actual local port 201number. This can be done as long as the 202quintuple (proto, alias addr, alias port, 203remote addr, remote port) is unique. If a 204conflict exists, an new aliasing port number is 205chosen even if this mode bit is set. 206.It PKT_ALIAS_USE_SOCKETS. 207This bit should be set when the the packet 208aliasing host originates network traffic as 209well as forwards it. When the packet aliasing 210host is waiting for a connection from an 211unknown host address or unknown port number 212(e.g. an FTP data connection), this mode bit 213specifies that a socket be allocated as a place 214holder to prevent port conflicts. Once a 215connection is established, usually within a 216minute or so, the socket is closed. 217.It PKT_ALIAS_UNREGISTERED_ONLY. 218If this mode bit is set, traffic on the 219local network which does not originate from 220unregistered address spaces will be ignored. 221Standard Class A, B and C unregistered addresses 222are: 223.Bd -literal -offset indent 224 10.0.0.0 -> 10.255.255.255 (Class A subnet) 225 172.16.0.0 -> 172.31.255.255 (Class B subnets) 226 192.168.0.0 -> 192.168.255.255 (Class C subnets) 227 228.Ed 229This option is useful in the case that 230packet aliasing host has both registered and 231unregistered subnets on different interfaces. 232The registered subnet is fully accessible to 233the outside world, so traffic from it doesn't 234need to be passed through the packet aliasing 235engine. 236.It PKT_ALIAS_RESET_ON_ADDR_CHANGE. 237When this mode bit is set and 238PacketAliasSetAddress() is called to change 239the aliasing address, the internal link table 240of the packet aliasing engine will be cleared. 241This operating mode is useful for ppp links 242where the interface address can sometimes 243change or remain the same between dial-ups. 244If this mode bit is not set, it the link table 245will never be reset in the event of an 246address change. 247.It PKT_ALIAS_PUNCH_FW. 248This option make libalias `punch holes' in an 249ipfw based firewall for FTP/IRC DCC connections. 250The holes punched are bound by from/to IP address 251and port; it will not be possible to use a hole 252for another connection. A hole is removed when 253the connection that use it die. To cater for 254unexpected death of a program using libalias (e.g 255kill -9), changing the state of the flag will 256clear the entire ipfw range allocated for holes. 257This will also happen on the initial call to 258PacketAliasSetFWBase(). This call must happen 259prior to setting this flag. 260 261.El 262 263.Ss 2.5 PacketAliasSetFWBase() 264 265.Ft void 266.Fn PacketAliasSetFWBase "unsigned int base" "unsigned int num" 267 268Set IPFW range allocated for punching firewall holes (with the 269PKT_ALIAS_PUNCH_FW flag). The range will be cleared for all rules on 270initialization. 271 272.Sh 3. Packet Handling 273The packet handling functions are used to 274modify incoming (remote->local) and outgoing 275(local->remote) packets. The calling program 276is responsible for receiving and sending 277packets via network interfaces. 278 279Along with PacketAliasInit() and PacketAliasSetAddress(), 280the two packet handling functions, PacketAliasIn() 281and PacketAliasOut(), comprise minimal set of functions 282needed for a basic IP masquerading implementation. 283.Ss 3.1 PacketAliasIn() 284 285.Ft int 286.Fn PacketAliasIn "char *buffer" "int maxpacketsize" 287 288An incoming packet coming from a remote machine to 289the local network is de-aliased by this function. 290The IP packet is pointed to by 291.Em buffer , 292and 293.Em maxpacketsize 294indicates the size of the data structure containing 295the packet and should be at least as large as the 296actual packet size. 297 298Return codes: 299.Bl -hang -offset left 300.It PKT_ALIAS_ERROR. 301An internal error within the packet aliasing 302engine occurred. 303.It PKT_ALIAS_OK. 304The packet aliasing process was successful. 305.It PKT_ALIAS_IGNORED. 306The packet was ignored and not de-aliased. 307This can happen if the protocal is unrecognized, 308possibly an ICMP message type is not handled or 309if incoming packets for new connections are being 310ignored (see PKT_ALIAS_DENY_INCOMING in section 3112.2). 312.It PKT_ALIAS_UNRESOLVED_FRAGMENT. 313This is returned when a fragment cannot be 314resolved because the header fragment has not 315been sent yet. In this situation, fragments 316must be saved with PacketAliasSaveFragment() 317until a header fragment is found. 318.It PKT_ALIAS_FOUND_HEADER_FRAGMENT. 319The packet aliasing process was successful, 320and a header fragment was found. This is a 321signal to retrieve any unresolved fragments 322with PacketAliasGetFragment() and de-alias 323them with PacketAliasFragmentIn(). 324.El 325.Ss 3.2 PacketAliasOut() 326 327.Ft int 328.Fn PacketAliasIn "char *buffer" "int maxpacketsize" 329 330An outgoing packet coming from the local network 331to a remote machine is aliased by this function. 332The IP packet is pointed to by 333.Em buffer r, 334and 335.Em maxpacketsize 336indicates the maximum packet size permissible 337should the packet length be changed. IP encoding 338protocols place address and port information in 339the encapsulated data stream which have to be 340modified and can account for changes in packet 341length. Well known examples of such protocols 342are FTP and IRC DCC. 343 344Return codes: 345.Bl -hang -offset left 346.It PKT_ALIAS_ERROR. 347An internal error within the packet aliasing 348engine occurred. 349.It PKT_ALIAS_OK. 350The packet aliasing process was successful. 351.It PKT_ALIAS_IGNORED. 352The packet was ignored and not de-aliased. 353This can happen if the protocal is unrecognized, 354or possibly an ICMP message type is not handled. 355.El 356 357.Sh 4. Port and Address Redirection 358The functions described in this section allow machines 359on the local network to be accessible in some degree 360to new incoming connections from the external network. 361Individual ports can be re-mapped or static network 362address translations can be designated. 363.Ss 4.1 PacketAliasRedirectPort() 364 365.Ft struct alias_link * 366.Fo PacketAliasRedirectPort 367.Fa "struct in_addr local_addr" 368.Fa "u_short local_port" 369.Fa "struct in_addr remote_addr" 370.Fa "u_short remote_port" 371.Fa "struct in_addr alias_addr" 372.Fa "u_short alias_port" 373.Fa "u_char proto" 374.Fc 375 376This function specifies that traffic from a 377given remote address/port to an alias address/port 378be redirected to a specified local address/port. 379The parameter 380.Em proto 381can be either IPPROTO_TCP or IPPROTO_UDP, as 382defined in <netinet/in.h>. 383 384If 385.Em local_addr 386or 387.Em alias_addr 388is zero, this indicates that the packet aliasing 389address as established by PacketAliasSetAddress() 390is to be used. Even if PacketAliasAddress() is 391called to change the address after PacketAliasRedirectPort() 392is called, a zero reference will track this change. 393 394If 395.Em remote_addr 396is zero, this indicates to redirect packets from 397any remote address. Likewise, if 398.Em remote_port 399is zero, this indicates to redirect packets originating 400from any remote port number. Almost always, the remote 401port specification will be zero, but non-zero remote 402addresses can be sometimes be useful for firewalling. 403If two calls to PacketAliasRedirectPort() overlap in 404their address/port specifications, then the most recent 405call will have precedence. 406 407This function returns a pointer which can subsequently 408be used by PacketAliasRedirectDelete(). If NULL is 409returned, then the function call did not complete 410successfully. 411 412All port numbers are in network address byte order, 413so it is necessary to use htons() to convert these 414parameters from internally readable numbers to 415network byte order. Addresses are also in network 416byte order, which is implicit in the use of the 417.Em struct in_addr 418data type. 419.Ss 4.2 PacketAliasRedirectAddr() 420 421.Ft struct alias_link * 422.Fo PacketAliasRedirectAddr 423.Fa "struct in_addr local_addr" 424.Fa "struct in_addr alias_addr" 425.Fc 426 427This function desgnates that all incoming 428traffic to 429.Em alias_addr 430be redirected to 431.Em local_addr. 432Similarly, all outgoing traffic from 433.Em local_addr 434is aliased to 435.Em alias_addr . 436 437If 438.Em local_addr 439or 440.Em alias_addr 441is zero, this indicates that the packet aliasing 442address as established by PacketAliasSetAddress() 443is to be used. Even if PacketAliasAddress() is 444called to change the address after PacketAliasRedirectAddr() 445is called, a zero reference will track this change. 446 447If subsequent calls to PacketAliasRedirectAddr() 448use the same aliasing address, all new incoming 449traffic to this aliasing address will be redirected 450to the local address made in the last function call, 451but new traffic all of the local machines designated 452in the several function calls will be aliased to 453the same address. Consider the following example: 454.Bd -literal -offset left 455 PacketAliasRedirectAddr(inet_aton("192.168.0.2"), 456 inet_aton("141.221.254.101")); 457 PacketAliasRedirectAddr(inet_aton("192.168.0.3"), 458 inet_aton("141.221.254.101")); 459 PacketAliasRedirectAddr(inet_aton("192.168.0.4"), 460 inet_aton("141.221.254.101")); 461.Ed 462 463Any outgoing connections such as telnet or ftp 464from 192.168.0.2, 102.168.0.3, 192.168.0.4 will 465appear to come from 141.221.254.101. Any incoming 466connections to 141.221.254.101 will be directed 467to 192.168.0.4. 468 469Any calls to PacketAliasRedirectPort() will 470have precedence over address mappings designated 471by PacketAliasRedirectAddr(). 472 473This function returns a pointer which can subsequently 474be used by PacketAliasRedirectDelete(). If NULL is 475returned, then the function call did not complete 476successfully. 477.Ss 4.3 PacketAliasRedirectDelete() 478 479.Ft void 480.Fn PacketAliasRedirectDelete "struct alias_link *ptr" 481 482This function will delete a specific static redirect 483rule entered by PacketAliasRedirectPort() or 484PacketAliasRedirectAddr(). The parameter 485.Em ptr 486is the pointer returned by either of the redirection 487functions. If an invalid pointer is passed to 488PacketAliasRedirectDelete(), then a program crash 489or unpredictable operation could result, so it is 490necessary to be careful using this function. 491 492.Sh 5. Fragment Handling 493The functions in this section are used to deal with 494incoming fragments. 495 496Outgoing fragments are handled within PacketAliasOut() 497by changing the address according to any 498applicable mapping set by PacketAliasRedirectAddress(), 499or the default aliasing address set by 500PacketAliasSetAddress(). 501 502Incoming fragments are handled in one of two ways. 503If the header of a fragmented IP packet has already 504been seen, then all subsequent fragments will be 505re-mapped in the same manner the header fragment 506was. Fragments which arrive before the header 507are saved and then retrieved once the header fragment 508has been resolved. 509.Ss 5.1 PacketAliasSaveFragment() 510 511.Ft int 512.Fn PacketAliasSaveFragment "char *ptr" 513 514When PacketAliasIn() returns 515PKT_ALIAS_UNRESOLVED_FRAGMENT, this 516function can be used to save the pointer to 517the unresolved fragment. 518 519It is implicitly assumed that 520.Em ptr 521points to a block of memory allocated by 522malloc(). If the fragment is never 523resolved, the packet aliasing engine will 524automatically free the memory after a 525timeout period. [Eventually this function 526should be modified so that a callback 527function for freeing memory is passed as 528an argument.] 529 530This function returns PKT_ALIAS_OK if it 531was successful and PKT_ALIAS_ERROR if there 532was an error. 533.Ss 5.2 PacketAliasGetNextFragment() 534 535.Ft char * 536.Fn PacketAliasGetFragment "char *buffer" 537 538This function can be used to retrieve fragment 539pointers saved by PacketAliasSaveFragment(). 540The IP header fragment pointed to by 541Em buffer 542is the header fragment indicated when 543PacketAliasIn() returns PKT_ALIAS_FOUND_HEADER_FRAGMENT. 544Once a a fragment pointer is retrieved, it 545becomes the calling program's responsibility 546to free the dynamically allocated memory for 547the fragment. 548 549PacketAliasGetFragment() can be called 550sequentially until there are no more fragments 551available, at which time it returns NULL. 552.Ss 5.3 PacketAliasFragmentIn() 553 554.Ft void 555.Fn PacketAliasFragmentIn "char *header" "char *fragment" 556 557When a fragment is retrieved with 558PacketAliasGetFragment(), it can then be 559de-aliased with a call to PacketAliasFragmentIn(). 560.Em header 561is the pointer to a header fragment used as a 562template, and 563.Em fragment 564is the pointer to the packet to be de-aliased. 565 566.Sh 6. Miscellaneous Functions 567 568.Ss 6.1 PacketAliasSetTarget() 569 570.Ft void 571.Fn PacketAliasSetTarget "struct in_addr addr" 572 573When an incoming packet not associated with 574any pre-existing aliasing link arrives at the 575host machine, it will be sent to the address 576indicated by a call to PacketAliasSetTarget(). 577 578If this function is not called, or is called 579with a zero address argument, then all new 580incoming packets go to the address set by 581PacketAliasSetAddress. 582.Ss 6.2 PacketAliasCheckNewLink() 583 584.Ft int 585.Fn PacketAliasCheckNewLink "void" 586 587This function returns a non-zero value when 588a new aliasing link is created. In circumstances 589where incoming traffic is being sequentially 590sent to different local servers, this function 591can be used to trigger when PacketAliasSetTarget() 592is called to change the default target address. 593.Ss 6.3 PacketAliasInternetChecksum() 594 595.Ft u_short 596.Fn PacketAliasInternetChecksum "u_short *buffer" "int nbytes" 597 598This is a utility function that does not seem 599to be available elswhere and is included as a 600convenience. It computes the internet checksum, 601which is used in both IP and protocol-specific 602headers (TCP, UDP, ICMP). 603 604.Em buffer 605points to the data block to be checksummed, and 606.Em nbytes 607is the number of bytes. The 16-bit checksum 608field should be zeroed before computing the checksum. 609 610Checksums can also be verified by operating on a block 611of data including its checksum. If the checksum is 612valid, PacketAliasInternetChecksum() will return zero. 613 614.Sh 7. Authors 615Charles Mott (cmott@srv.net), versions 1.0 - 1.8, 2.0 - 2.4. 616 617Eivind Eklund (eivind@freebsd.org), versions 1.8b, 1.9 and 6182.5. Added IRC DCC support as well as contributing a number of 619architectural improvements; added the firewall bypass 620for FTP/IRC DCC. 621 622.Sh 8. Acknowledgments 623 624Listed below, in approximate chronological 625order, are individuals who have provided 626valuable comments and/or debugging assistance. 627 628.Bl -inset -compact -offset left 629.It Gary Roberts 630.It Tom Torrance 631.It Reto Burkhalter 632.It Martin Renters 633.It Brian Somers 634.It Paul Traina 635.It Ari Suutari 636.It Dave Remien 637.It J. Fortes 638.It Andrzej Bialeki 639.It Gordon Burditt 640.El 641 642.Sh Appendix: Conceptual Background 643This appendix is intended for those who 644are planning to modify the source code or want 645to create somewhat esoteric applications using 646the packet aliasing functions. 647 648The conceptual framework under which the 649packet aliasing engine operates is described here. 650Central to the discussion is the idea of an 651"aliasing link" which describes the relationship 652for a given packet transaction between the local 653machine, aliased identity and remote machine. It 654is discussed how such links come into existence 655and are destroyed. 656.Ss A.1 Aliasing Links 657There is a notion of an "aliasing link", 658which is 7-tuple describing a specific 659translation: 660.Bd -literal -offset indent 661(local addr, local port, alias addr, alias port, 662 remote addr, remote port, protocol) 663.Ed 664 665Outgoing packets have the local address and 666port number replaced with the alias address 667and port number. Incoming packets undergo the 668reverse process. The packet aliasing engine 669attempts to match packets against an internal 670table of aliasing links to determine how to 671modify a given IP packet. Both the IP 672header and protocol dependent headers are 673modified as necessary. Aliasing links are 674created and deleted as necessary according 675to network traffic. 676 677Protocols can be TCP, UDP or even ICMP in 678certain circumstances. (Some types of ICMP 679packets can be aliased according to sequence 680or id number which acts as an equivalent port 681number for identifying how individual packets 682should be handled.) 683 684Each aliasing link must have a unique 685combination of the following five quantities: 686alias address/port, remote address/port 687and protocol. This ensures that several 688machines on a local network can share the 689same aliased IP address. In cases where 690conflicts might arise, the aliasing port 691is chosen so that uniqueness is maintained. 692.Ss A.2 Static and Dynamic Links 693Aliasing links can either be static or dynamic. 694Static links persist indefinitely and represent 695fixed rules for translating IP packets. Dynamic 696links come into existence for a specific TCP 697connection or UDP transaction or ICMP echo 698sequence. For the case of TCP, the connection 699can be monitored to see when the associated 700aliasing link should be deleted. Aliasing links 701for UDP transactions (and ICMP echo and timestamp 702requests) work on a simple timeout rule. When 703no activity is observed on a dynamic link for 704a certain amount of time it is automatically 705deleted. Timeout rules also apply to TCP 706connections which do not open or close 707properly. 708.Ss A.3 Partially Specified Aliasing Links 709Aliasing links can be partially specified, 710meaning that the remote address and/or remote 711ports are unknown. In this case, when a packet 712matching the incomplete specification is found, 713a fully specified dynamic link is created. If 714the original partially specified link is dynamic, 715it will be deleted after the fully specified link 716is created, otherwise it will persist. 717 718For instance, a partially specified link might 719be 720.Bd -literal -offset indent 721(192.168.0.4, 23, 204.228.203.215, 8066, 0, 0, tcp) 722.Ed 723 724The zeros denote unspecified components for 725the remote address and port. If this link were 726static it would have the effect of redirecting 727all incoming traffic from port 8066 of 728204.228.203.215 to port 23 (telnet) of machine 729192.168.0.4 on the local network. Each 730individual telnet connection would initiate 731the creation of a distinct dynamic link. 732.Ss A.4 Dynamic Link Creation 733In addition to aliasing links, there are 734also address mappings that can be stored 735within the internal data table of the packet 736aliasing mechanism. 737.Bd -literal -offset indent 738(local addr, alias addr) 739.Ed 740 741Address mappings are searched when creating 742new dynamic links. 743 744All outgoing packets from the local network 745automatically create a dynamic link if 746they do not match an already existing fully 747specified link. If an address mapping exists 748for the the outgoing packet, this determines 749the alias address to be used. If no mapping 750exists, then a default address, usually the 751address of the packet aliasing host, is used. 752If necessary, this default address can be 753changed as often as each individual packet 754arrives. 755 756The aliasing port number is determined 757such that the new dynamic link does not 758conflict with any existing links. In the 759default operating mode, the packet aliasing 760engine attempts to set the aliasing port 761equal to the local port number. If this 762results in a conflict, then port numbers 763are randomly chosen until a unique aliasing 764link can be established. In an alternate 765operating mode, the first choice of an 766aliasing port is also random and unrelated 767to the local port number. 768 769