authorru <ru@FreeBSD.org>2000-04-18 10:18:21 +0000
committerru <ru@FreeBSD.org>2000-04-18 10:18:21 +0000
commitd297953a9f17b56644c7143453a40eb397aab2be (patch)
tree07cc847d2eddbbe6faed904565457b0d1ddce0c9 /lib/libalias
parent6d573144b323d585e9999b045a7cdfb0f3f8d491 (diff)
Add support for multiple PPTP sessions:
- new API function: PacketAliasRedirectPptp()
- new mode bit: PKT_ALIAS_DENY_PPTP
Please see manual page for details.
Diffstat (limited to 'lib/libalias')
-rw-r--r--lib/libalias/alias.c83
-rw-r--r--lib/libalias/alias.h15
-rw-r--r--lib/libalias/alias_db.c162
-rw-r--r--lib/libalias/alias_local.h8
-rw-r--r--lib/libalias/libalias.385
5 files changed, 265 insertions, 88 deletions
diff --git a/lib/libalias/alias.c b/lib/libalias/alias.c
index d60791e..39a7e4f 100644
--- a/lib/libalias/alias.c
+++ b/lib/libalias/alias.c
@@ -192,7 +192,7 @@ address of the outgoing packet and then correctly put it back for
any incoming packets. For TCP and UDP, ports are also re-mapped.
For ICMP echo/timestamp requests and replies, the following scheme
-is used: the id number is replaced by an alias for the outgoing
+is used: the ID number is replaced by an alias for the outgoing
packet.
ICMP error messages are handled by looking at the IP fragment
@@ -201,7 +201,7 @@ in the data section of the message.
For TCP and UDP protocols, a port number is chosen for an outgoing
packet, and then incoming packets are identified by IP address and
port numbers. For TCP packets, there is additional logic in the event
-that sequence and ack numbers have been altered (as is the case for
+that sequence and ACK numbers have been altered (as in the case for
FTP data port commands).
The port numbers used by the packet aliasing module are not true
@@ -661,21 +661,32 @@ PptpAliasIn(struct ip *pip)
the dest IP address of the packet to our inside
machine.
*/
- struct in_addr alias_addr;
+ struct alias_link *link;
- if (!GetPptpAlias (&alias_addr))
- return PKT_ALIAS_IGNORED;
+/* Return if proxy-only mode is enabled */
+ if (packetAliasMode & PKT_ALIAS_PROXY_ONLY)
+ return PKT_ALIAS_OK;
- if (pip->ip_src.s_addr != alias_addr.s_addr) {
+ if (packetAliasMode & PKT_ALIAS_DENY_PPTP)
+ return PKT_ALIAS_IGNORED;
- DifferentialChecksum(&pip->ip_sum,
- (u_short *) &alias_addr,
- (u_short *) &pip->ip_dst,
- 2);
- pip->ip_dst = alias_addr;
- }
+ link = FindPptpIn(pip->ip_src, pip->ip_dst);
+ if (link != NULL)
+ {
+ struct in_addr original_address;
- return PKT_ALIAS_OK;
+ original_address = GetOriginalAddress(link);
+
+/* Restore original IP address */
+ DifferentialChecksum(&pip->ip_sum,
+ (u_short *) &original_address,
+ (u_short *) &pip->ip_dst,
+ 2);
+ pip->ip_dst = original_address;
+
+ return(PKT_ALIAS_OK);
+ }
+ return(PKT_ALIAS_IGNORED);
}
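Review bot: The new returns in PptpAliasIn mix two forms, `return PKT_ALIAS_OK;` on the mode checks and `return(PKT_ALIAS_OK);` / `return(PKT_ALIAS_IGNORED);` at the bottom, and PptpAliasOut below does the same; the other paths touched by this diff use the bare form, so `return PKT_ALIAS_OK;` and `return PKT_ALIAS_IGNORED;` would keep the two functions uniform. The call `link = FindPptpIn(pip->ip_src, pip->ip_dst);` also reads oddly against FindPptpIn's parameter names (dst_addr, alias_addr) in alias_db.c; a one-line comment such as `/* remote address is the packet source, alias address is the packet destination */` would save the next reader the cross-reference. PptpAliasIn's opening lines are outside the hunk.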
@@ -687,22 +698,32 @@ PptpAliasOut(struct ip *pip)
only thing which is done in this case is to alias
the source IP address of the packet.
*/
- struct in_addr alias_addr;
+ struct alias_link *link;
- if (!GetPptpAlias (&alias_addr))
- return PKT_ALIAS_IGNORED;
+/* Return if proxy-only mode is enabled */
+ if (packetAliasMode & PKT_ALIAS_PROXY_ONLY)
+ return PKT_ALIAS_OK;
- if (pip->ip_src.s_addr == alias_addr.s_addr) {
+ if (packetAliasMode & PKT_ALIAS_DENY_PPTP)
+ return PKT_ALIAS_IGNORED;
- alias_addr = FindAliasAddress(pip->ip_src);
- DifferentialChecksum(&pip->ip_sum,
- (u_short *) &alias_addr,
- (u_short *) &pip->ip_src,
- 2);
- pip->ip_src = alias_addr;
- }
+ link = FindPptpOut(pip->ip_src, pip->ip_dst);
+ if (link != NULL)
+ {
+ struct in_addr alias_address;
- return PKT_ALIAS_OK;
+ alias_address = GetAliasAddress(link);
+
+/* Change source address */
+ DifferentialChecksum(&pip->ip_sum,
+ (u_short *) &alias_address,
+ (u_short *) &pip->ip_src,
+ 2);
+ pip->ip_src = alias_address;
+
+ return(PKT_ALIAS_OK);
+ }
+ return(PKT_ALIAS_IGNORED);
}
@@ -902,7 +923,7 @@ TcpAliasIn(struct ip *pip)
accumulate -= *sptr++;
accumulate -= *sptr;
-/* If this is a proxy, then modify the tcp source port and
+/* If this is a proxy, then modify the TCP source port and
checksum accumulation */
if (proxy_port != 0)
{
@@ -918,7 +939,7 @@ TcpAliasIn(struct ip *pip)
accumulate -= *sptr;
}
-/* See if ack number needs to be modified */
+/* See if ACK number needs to be modified */
if (GetAckModified(link) == 1)
{
int delta;
@@ -989,7 +1010,7 @@ TcpAliasOut(struct ip *pip, int maxpacketsize)
return PKT_ALIAS_OK;
/* If this is a transparent proxy, save original destination,
- then alter the destination and adust checksums */
+ then alter the destination and adjust checksums */
dest_port = tc->th_dport;
dest_address = pip->ip_dst;
if (proxy_type != 0)
@@ -1044,7 +1065,7 @@ TcpAliasOut(struct ip *pip, int maxpacketsize)
alias_port = GetAliasPort(link);
alias_address = GetAliasAddress(link);
-/* Monitor tcp connection state */
+/* Monitor TCP connection state */
TcpMonitorOut(pip, link);
/* Special processing for IP encoding protocols */
@@ -1114,7 +1135,7 @@ TcpAliasOut(struct ip *pip, int maxpacketsize)
The packet aliasing module has a limited ability for handling IP
fragments. If the ICMP, TCP or UDP header is in the first fragment
-received, then the id number of the IP packet is saved, and other
+received, then the ID number of the IP packet is saved, and other
fragments are identified according to their ID number and IP address
they were sent from. Pointers to unresolved fragments can also be
saved and recalled when a header fragment is seen.
@@ -1358,7 +1379,7 @@ PacketAliasOut(char *ptr, /* valid IP packet */
addr_save = GetDefaultAliasAddress();
if (packetAliasMode & PKT_ALIAS_UNREGISTERED_ONLY)
{
- unsigned int addr;
+ u_long addr;
int iclass;
iclass = 0;
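Review bot: `u_long addr;` widens a 32-bit IPv4 address to 64 bits on LP64 targets; the value is presumably filled from ntohl() in the lines after the hunk, so nothing breaks, but `in_addr_t addr;` (if this tree's <netinet/in.h> provides it, otherwise `uint32_t`) states the intent and keeps the class tests on a 32-bit quantity. The rest of the PKT_ALIAS_UNREGISTERED_ONLY block, including the iclass computation, lies outside the hunk.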
diff --git a/lib/libalias/alias.h b/lib/libalias/alias.h
index aa43b2e..2285d97 100644
--- a/lib/libalias/alias.h
+++ b/lib/libalias/alias.h
@@ -54,6 +54,8 @@ struct alias_link;
extern int
PacketAliasPptp(struct in_addr);
+ extern struct alias_link *
+ PacketAliasRedirectPptp(struct in_addr, struct in_addr, struct in_addr);
extern struct alias_link *
PacketAliasRedirectAddr(struct in_addr,
@@ -113,13 +115,12 @@ struct alias_link;
port it chooses. This will avoid interference with the host
machine. Fully specified links do not require this. This bit
is set after a call to PacketAliasInit(), so it is a default
- mode of operation.*/
+ mode of operation. */
#define PKT_ALIAS_USE_SOCKETS 0x08
/* If PKT_ALIAS_UNREGISTERED_ONLY is set, then only packets with
- unregistered source addresses will be aliased (along with those
- of the ppp host maching itself. Private addresses are those
- in the following ranges:
+ unregistered source addresses will be aliased. Private
+ addresses are those in the following ranges:
10.0.0.0 -> 10.255.255.255
172.16.0.0 -> 172.31.255.255
192.168.0.0 -> 192.168.255.255 */
@@ -128,7 +129,7 @@ struct alias_link;
/* If PKT_ALIAS_RESET_ON_ADDR_CHANGE is set, then the table of dynamic
aliasing links will be reset whenever PacketAliasSetAddress()
changes the default aliasing address. If the default aliasing
- address is left unchanged by this functions call, then the
+ address is left unchanged by this function call, then the
table of dynamic aliasing links will be left intact. This
bit is set after a call to PacketAliasInit(). */
#define PKT_ALIAS_RESET_ON_ADDR_CHANGE 0x20
@@ -151,6 +152,10 @@ struct alias_link;
and PacketAliasOut() are reversed */
#define PKT_ALIAS_REVERSE 0x80
+/* If PKT_ALIAS_DENY_PPTP is set, then PPTP sessions will be
+ prevented by the aliasing engine. */
+#define PKT_ALIAS_DENY_PPTP 0x200
+
/* Return Codes */
#define PKT_ALIAS_ERROR -1
#define PKT_ALIAS_OK 1
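Review bot: The comment on PKT_ALIAS_DENY_PPTP says PPTP sessions "will be prevented by the aliasing engine", but what the bit does (PptpAliasIn/PptpAliasOut in alias.c in this diff) is return PKT_ALIAS_IGNORED with the packet untouched; whether such a packet is then forwarded or dropped is the caller's decision, so the header overstates the guarantee. The manual page wording in the same commit is the accurate one. Suggested comment: `/* If PKT_ALIAS_DENY_PPTP is set, PPTP packets are not aliased: PacketAliasIn() and PacketAliasOut() return PKT_ALIAS_IGNORED and leave the packet unchanged. The caller decides whether to forward or drop it. */`.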
diff --git a/lib/libalias/alias_db.c b/lib/libalias/alias_db.c
index 1ea3413..431a757 100644
--- a/lib/libalias/alias_db.c
+++ b/lib/libalias/alias_db.c
@@ -32,7 +32,7 @@
Version 1.7: January 9, 1997 (cjm)
Fragment handling simplified.
Saves pointers for unresolved fragments.
- Permits links for unspecied remote ports
+ Permits links for unspecified remote ports
or unspecified remote addresses.
Fixed bug which did not properly zero port
table entries after a link was deleted.
@@ -48,8 +48,8 @@
machine will will not have their port number aliased unless it
conflicts with an aliasing port already being used. (cjm)
- All options earlier being #ifdef'ed now are available through
- a new interface, SetPacketAliasMode(). This allow run time
+ All options earlier being #ifdef'ed are now available through
+ a new interface, SetPacketAliasMode(). This allows run time
control (which is now available in PPP+pktAlias through the
'alias' keyword). (ee)
@@ -78,7 +78,7 @@
(192.168.0.2, port 21) <-> alias port 3604, known dest addr
unknown dest port
- These permament links allow for incoming connections to
+ These permanent links allow for incoming connections to
machines on the local network. They can be given with a
user-chosen amount of specificity, with increasing specificity
meaning more security. (cjm)
@@ -147,6 +147,7 @@
/* Timeouts (in seconds) for different link types */
#define ICMP_EXPIRE_TIME 60
#define UDP_EXPIRE_TIME 60
+#define PPTP_EXPIRE_TIME 60
#define FRAGMENT_ID_EXPIRE_TIME 10
#define FRAGMENT_PTR_EXPIRE_TIME 30
@@ -192,25 +193,25 @@
The link record is identified by the source address/port
and the destination address/port. In the case of an ICMP
echo request, the source port is treated as being equivalent
- with the 16-bit id number of the ICMP packet.
+ with the 16-bit ID number of the ICMP packet.
The link record also can store some auxiliary data. For
TCP connections that have had sequence and acknowledgment
modifications, data space is available to track these changes.
- A state field is used to keep track in changes to the tcp
- connection state. Id numbers of fragments can also be
+ A state field is used to keep track in changes to the TCP
+ connection state. ID numbers of fragments can also be
stored in the auxiliary space. Pointers to unresolved
- framgents can also be stored.
+ fragments can also be stored.
The link records support two independent chainings. Lookup
tables for input and out tables hold the initial pointers
the link chains. On input, the lookup table indexes on alias
port and link type. On output, the lookup table indexes on
- source addreess, destination address, source port, destination
+ source address, destination address, source port, destination
port and link type.
*/
-struct ack_data_record /* used to save changes to ack/seq numbers */
+struct ack_data_record /* used to save changes to ACK/sequence numbers */
{
u_long ack_old;
u_long ack_new;
@@ -218,16 +219,16 @@ struct ack_data_record /* used to save changes to ack/seq numbers */
int active;
};
-struct tcp_state /* Information about tcp connection */
+struct tcp_state /* Information about TCP connection */
{
int in; /* State for outside -> inside */
int out; /* State for inside -> outside */
- int index; /* Index to ack data array */
- int ack_modified; /* Indicates whether ack and seq numbers */
+ int index; /* Index to ACK data array */
+ int ack_modified; /* Indicates whether ACK and sequence numbers */
/* been modified */
};
-#define N_LINK_TCP_DATA 3 /* Number of distinct ack number changes
+#define N_LINK_TCP_DATA 3 /* Number of distinct ACK number changes
saved for a modified TCP stream */
struct tcp_dat
{
@@ -247,7 +248,7 @@ struct alias_link /* Main data structure */
u_short alias_port;
u_short proxy_port;
- int link_type; /* Type of link: tcp, udp, icmp, frag */
+ int link_type; /* Type of link: TCP, UDP, ICMP, PPTP, frag */
/* values for link_type */
#define LINK_ICMP 1
@@ -256,6 +257,7 @@ struct alias_link /* Main data structure */
#define LINK_FRAGMENT_ID 4
#define LINK_FRAGMENT_PTR 5
#define LINK_ADDR 6
+#define LINK_PPTP 7
int flags; /* indicates special characteristics */
@@ -319,6 +321,7 @@ linkTableIn[LINK_TABLE_IN_SIZE]; /* into input and output lookup */
static int icmpLinkCount; /* Link statistics */
static int udpLinkCount;
static int tcpLinkCount;
+static int pptpLinkCount;
static int fragmentIdLinkCount;
static int fragmentPtrLinkCount;
static int sockCount;
@@ -352,11 +355,6 @@ static int fireWallFD = -1; /* File descriptor to be able to */
/* flag. */
#endif
-static int pptpAliasFlag; /* Indicates if PPTP aliasing is */
- /* on or off */
-static struct in_addr pptpAliasAddr; /* Address of source of PPTP */
- /* packets. */
-
@@ -368,7 +366,7 @@ static struct in_addr pptpAliasAddr; /* Address of source of PPTP */
Lookup table starting points:
StartPointIn() -- link table initial search point for
incoming packets
- StartPointOut() -- port table initial search point for
+ StartPointOut() -- link table initial search point for
outgoing packets
Miscellaneous:
@@ -449,16 +447,18 @@ ShowAliasStats(void)
if (monitorFile)
{
- fprintf(monitorFile, "icmp=%d, udp=%d, tcp=%d, frag_id=%d frag_ptr=%d",
+ fprintf(monitorFile, "icmp=%d, udp=%d, tcp=%d, pptp=%d, frag_id=%d frag_ptr=%d",
icmpLinkCount,
udpLinkCount,
tcpLinkCount,
+ pptpLinkCount,
fragmentIdLinkCount,
fragmentPtrLinkCount);
fprintf(monitorFile, " / tot=%d (sock=%d)\n",
icmpLinkCount + udpLinkCount
+ tcpLinkCount
+ + pptpLinkCount
+ fragmentIdLinkCount
+ fragmentPtrLinkCount,
sockCount);
@@ -542,7 +542,7 @@ GetNewPort(struct alias_link *link, int alias_port_param)
the port number. GetNewPort() will return this number
without check that it is in use.
- Whis this parameter is -1, it indicates to get a randomly
+ When this parameter is -1, it indicates to get a randomly
selected port number.
*/
@@ -557,7 +557,7 @@ GetNewPort(struct alias_link *link, int alias_port_param)
if (packetAliasMode & PKT_ALIAS_SAME_PORTS)
{
/*
- * When the ALIAS_SAME_PORTS option is
+ * When the PKT_ALIAS_SAME_PORTS option is
* chosen, the first try will be the
* actual source port. If this is already
* in use, the remainder of the trials
@@ -734,6 +734,7 @@ IncrementalCleanup(void)
case LINK_UDP:
case LINK_FRAGMENT_ID:
case LINK_FRAGMENT_PTR:
+ case LINK_PPTP:
if (idelta > link->expire_time)
{
DeleteLink(link);
@@ -773,7 +774,7 @@ DeleteLink(struct alias_link *link)
return;
#ifndef NO_FW_PUNCH
-/* Delete associatied firewall hole, if any */
+/* Delete associated firewall hole, if any */
ClearFWHole(link);
#endif
@@ -822,6 +823,9 @@ DeleteLink(struct alias_link *link)
if (link->data.tcp != NULL)
free(link->data.tcp);
break;
+ case LINK_PPTP:
+ pptpLinkCount--;
+ break;
case LINK_FRAGMENT_ID:
fragmentIdLinkCount--;
break;
@@ -884,6 +888,9 @@ AddLink(struct in_addr src_addr,
case LINK_TCP:
link->expire_time = TCP_EXPIRE_INITIAL;
break;
+ case LINK_PPTP:
+ link->expire_time = PPTP_EXPIRE_TIME;
+ break;
case LINK_FRAGMENT_ID:
link->expire_time = FRAGMENT_ID_EXPIRE_TIME;
break;
@@ -967,6 +974,9 @@ AddLink(struct in_addr src_addr,
#endif
}
break;
+ case LINK_PPTP:
+ pptpLinkCount++;
+ break;
case LINK_FRAGMENT_ID:
fragmentIdLinkCount++;
break;
@@ -1272,6 +1282,7 @@ FindLinkIn(struct in_addr dst_addr,
FindIcmpIn(), FindIcmpOut()
FindFragmentIn1(), FindFragmentIn2()
AddFragmentPtrLink(), FindFragmentPtr()
+ FindPptpIn(), FindPptpOut()
FindUdpTcpIn(), FindUdpTcpOut()
FindOriginalAddress(), FindAliasAddress()
@@ -1368,6 +1379,54 @@ FindFragmentPtr(struct in_addr dst_addr,
struct alias_link *
+FindPptpIn(struct in_addr dst_addr,
+ struct in_addr alias_addr)
+{
+ struct alias_link *link;
+
+ link = FindLinkIn(dst_addr, alias_addr,
+ NO_DEST_PORT, 0,
+ LINK_PPTP, 1);
+
+ if (link == NULL && !(packetAliasMode & PKT_ALIAS_DENY_INCOMING))
+ {
+ struct in_addr target_addr;
+
+ target_addr = FindOriginalAddress(alias_addr);
+ link = AddLink(target_addr, dst_addr, alias_addr,
+ NO_SRC_PORT, NO_DEST_PORT, 0,
+ LINK_PPTP);
+ }
+
+ return (link);
+}
+
+
+struct alias_link *
+FindPptpOut(struct in_addr src_addr,
+ struct in_addr dst_addr)
+{
+ struct alias_link *link;
+
+ link = FindLinkOut(src_addr, dst_addr,
+ NO_SRC_PORT, NO_DEST_PORT,
+ LINK_PPTP, 1);
+
+ if (link == NULL)
+ {
+ struct in_addr alias_addr;
+
+ alias_addr = FindAliasAddress(src_addr);
+ link = AddLink(src_addr, dst_addr, alias_addr,
+ NO_SRC_PORT, NO_DEST_PORT, 0,
+ LINK_PPTP);
+ }
+
+ return (link);
+}
+
+
+struct alias_link *
FindUdpTcpIn(struct in_addr dst_addr,
struct in_addr alias_addr,
u_short dst_port,
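Review bot: FindPptpIn creates a dynamic LINK_PPTP link for any inbound packet whenever no link exists and PKT_ALIAS_DENY_INCOMING is clear, targeting `FindOriginalAddress(alias_addr)`; unlike the TCP/UDP helpers there is no port, so `FindLinkIn(dst_addr, alias_addr, NO_DEST_PORT, 0, LINK_PPTP, 1)` keys a session on the remote and alias addresses alone and, as far as this hunk shows, cannot separate two inside hosts that tunnel to the same remote address. That mirrors the other Find*In helpers, but since the commit advertises multiple PPTP sessions the limit deserves a comment above FindPptpIn, e.g. `/* PPTP links carry no port: one inside host per remote address. An inbound packet with no matching link gets a dynamic link unless PKT_ALIAS_DENY_INCOMING is set. */`. Both new functions are also the only Find* helpers here without a leading comment, while the index block near FindLinkIn lists them; a matching one-liner above FindPptpOut would complete the pair.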
@@ -1663,7 +1722,7 @@ GetDestPort(struct alias_link *link)
void
SetAckModified(struct alias_link *link)
{
-/* Indicate that ack numbers have been modified in a TCP connection */
+/* Indicate that ACK numbers have been modified in a TCP connection */
link->data.tcp->state.ack_modified = 1;
}
@@ -1699,7 +1758,7 @@ SetProxyPort(struct alias_link *link, u_short port)
int
GetAckModified(struct alias_link *link)
{
-/* See if ack numbers have been modified */
+/* See if ACK numbers have been modified */
return link->data.tcp->state.ack_modified;
}
@@ -1708,8 +1767,8 @@ int
GetDeltaAckIn(struct ip *pip, struct alias_link *link)
{
/*
-Find out how much the ack number has been altered for an incoming
-TCP packet. To do this, a circular list is ack numbers where the TCP
+Find out how much the ACK number has been altered for an incoming
+TCP packet. To do this, a circular list of ACK numbers where the TCP
packet size was altered is searched.
*/
@@ -1759,8 +1818,8 @@ int
GetDeltaSeqOut(struct ip *pip, struct alias_link *link)
{
/*
-Find out how much the seq number has been altered for an outgoing
-TCP packet. To do this, a circular list is ack numbers where the TCP
+Find out how much the sequence number has been altered for an outgoing
+TCP packet. To do this, a circular list of ACK numbers where the TCP
packet size was altered is searched.
*/
@@ -1976,6 +2035,7 @@ UninitPacketAliasLog(void)
-- "outside world" means other than alias*.c routines --
PacketAliasRedirectPort()
+ PacketAliasRedirectPptp()
PacketAliasRedirectAddr()
PacketAliasRedirectDelete()
PacketAliasSetAddress()
@@ -1987,7 +2047,7 @@ UninitPacketAliasLog(void)
*/
/* Redirection from a specific public addr:port to a
- a private addr:port */
+ private addr:port */
struct alias_link *
PacketAliasRedirectPort(struct in_addr src_addr, u_short src_port,
struct in_addr dst_addr, u_short dst_port,
@@ -2033,23 +2093,46 @@ PacketAliasRedirectPort(struct in_addr src_addr, u_short src_port,
}
/* Translate PPTP packets to a machine on the inside
+ * XXX This function is made obsolete by PacketAliasRedirectPptp().
*/
int
PacketAliasPptp(struct in_addr src_addr)
{
- pptpAliasAddr = src_addr; /* Address of the inside PPTP machine */
- pptpAliasFlag = src_addr.s_addr != INADDR_NONE;
+ if (src_addr.s_addr == INADDR_NONE)
+ packetAliasMode |= PKT_ALIAS_DENY_PPTP;
+ else
+ (void)PacketAliasRedirectPptp(src_addr, nullAddress, nullAddress);
return 1;
}
-int GetPptpAlias (struct in_addr* alias_addr)
+/* Redirect PPTP packets from a specific
+ public address to a private address */
+struct alias_link *
+PacketAliasRedirectPptp(struct in_addr src_addr,
+ struct in_addr dst_addr,
+ struct in_addr alias_addr)
{
- if (pptpAliasFlag)
- *alias_addr = pptpAliasAddr;
+ struct alias_link *link;
+
+ link = AddLink(src_addr, dst_addr, alias_addr,
+ NO_SRC_PORT, NO_DEST_PORT, 0,
+ LINK_PPTP);
+
+ if (link != NULL)
+ {
+ link->flags |= LINK_PERMANENT;
+ }
+#ifdef DEBUG
+ else
+ {
+ fprintf(stderr, "PacketAliasRedirectPptp(): "
+ "call to AddLink() failed\n");
+ }
+#endif
- return pptpAliasFlag;
+ return link;
}
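Review bot: PacketAliasPptp sets PKT_ALIAS_DENY_PPTP when called with INADDR_NONE but never clears it, whereas the removed `pptpAliasFlag = src_addr.s_addr != INADDR_NONE;` toggled both ways; a caller that disables PPTP and later re-enables it with a real address now gets a permanent link created while every PPTP packet still returns PKT_ALIAS_IGNORED. Adding `packetAliasMode &= ~PKT_ALIAS_DENY_PPTP;` in the else branch before the `(void)PacketAliasRedirectPptp(...)` call restores the old behaviour. Each enabling call also adds a fresh LINK_PERMANENT link whose pointer the `(void)` cast discards, so repeated calls accumulate links that can never be handed to PacketAliasRedirectDelete; keeping the last link in a file-scope static and deleting it before adding the new one, or at least noting the accumulation next to the XXX comment, would close that. The leading comment on PacketAliasRedirectPptp should also say that NULL is returned when AddLink fails, since the manual page tells callers to check for it.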
/* Static address translation */
@@ -2145,6 +2228,7 @@ PacketAliasInit(void)
icmpLinkCount = 0;
udpLinkCount = 0;
tcpLinkCount = 0;
+ pptpLinkCount = 0;
fragmentIdLinkCount = 0;
fragmentPtrLinkCount = 0;
sockCount = 0;
@@ -2154,8 +2238,6 @@ PacketAliasInit(void)
packetAliasMode = PKT_ALIAS_SAME_PORTS
| PKT_ALIAS_USE_SOCKETS
| PKT_ALIAS_RESET_ON_ADDR_CHANGE;
-
- pptpAliasFlag = 0;
}
void
diff --git a/lib/libalias/alias_local.h b/lib/libalias/alias_local.h
index 805ca87..a5d3cd7 100644
--- a/lib/libalias/alias_local.h
+++ b/lib/libalias/alias_local.h
@@ -96,6 +96,12 @@ struct alias_link *
FindFragmentPtr(struct in_addr, u_short);
struct alias_link *
+FindPptpIn(struct in_addr, struct in_addr);
+
+struct alias_link *
+FindPptpOut(struct in_addr, struct in_addr);
+
+struct alias_link *
FindUdpTcpIn (struct in_addr, struct in_addr, u_short, u_short, u_char);
struct alias_link *
@@ -169,7 +175,5 @@ enum alias_tcp_state {
ALIAS_TCP_STATE_CONNECTED,
ALIAS_TCP_STATE_DISCONNECTED
};
-
-int GetPptpAlias (struct in_addr*);
/*lint -restore */
#endif /* defined(ALIAS_LOCAL_H) */
diff --git a/lib/libalias/libalias.3 b/lib/libalias/libalias.3
index 6186e19..42840af 100644
--- a/lib/libalias/libalias.3
+++ b/lib/libalias/libalias.3
@@ -227,6 +227,15 @@ Normal packet aliasing is not performed.
See
.Fn PacketAliasProxyRule
below for details.
+.It Dv PKT_ALIAS_DENY_PPTP
+If this mode bit is set, all PPTP packets will be marked for being ignored
+(both
+.Fn PacketAliasIn
+and
+.Fn PacketAliasOut
+return
+.Dv PKT_ALIAS_IGNORED
+code).
.El
.Ed
.Pp
@@ -362,9 +371,9 @@ by
.Fn PacketAliasSetAddress
is to be used.
Even if
-.Nm PacketAliasSetAddress
+.Fn PacketAliasSetAddress
is called to change the address after
-.Nm PacketAliasRedirectPort
+.Fn PacketAliasRedirectPort
is called, a zero reference will track this change.
.Pp
If
@@ -577,22 +586,78 @@ internal machines that are not permitted certain types of internet
access, or to restrict access to certain external machines.
.Ed
.Pp
+.Ft struct alias_link *
+.Fo PacketAliasRedirectPptp
+.Fa "struct in_addr local_addr"
+.Fa "struct in_addr remote_addr"
+.Fa "struct in_addr alias_addr"
+.Fc
+.Bd -ragged -offset indent
+This function specifies that any Point to Point Tunneling Protocol
+(PPTP) traffic from a given remote address to an alias address be
+redirected to a specified local address.
+Currently supported PPTP protocols include:
+.Pp
+.Bl -tag -width "IPPROTO_GRE" -compact
+.It IPPROTO_GRE
+Generic Routing Encapsulation (RFC 1702)
+.It IPPROTO_ESP
+IP Encapsulating Security Payload (RFC 1827)
+.It IPPROTO_AH
+IP Authentication Header (RFC 1826)
+.El
+.Pp
+If
+.Fa local_addr
+or
+.Fa alias_addr
+is zero, this indicates that the packet aliasing address as established
+by
+.Fn PacketAliasSetAddress
+is to be used.
+Even if
+.Fn PacketAliasSetAddress
+is called to change the address after
+.Fn PacketAliasRedirectPptp
+is called, a zero reference will track this change.
+.Pp
+If
+.Fa remote_addr
+is zero, this indicates to redirect PPTP packets from any remote address.
+Non-zero remote addresses can sometimes be useful for firewalling.
+.Pp
+If two calls to
+.Fn PacketAliasRedirectPptp
+overlap in their address specifications, then the most recent call
+will have precedence.
+.Pp
+This function returns a pointer which can subsequently be used by
+.Fn PacketAliasRedirectDelete .
+If
+.Dv NULL
+is returned, then the function call did not complete successfully.
+.Ed
+.Pp
.Ft int
.Fn PacketAliasPptp "struct in_addr addr"
.Bd -ragged -offset indent
-This function causes any General Routing Encapsulation
-.Pq Dv IPPROTO_GRE
-packets to be aliased using
-.Ar addr
+This function causes any PPTP packets to be aliased using
+.Fa addr
rather than the address set via
.Fn PacketAliasSetAddress .
-This allows the uses of the Point to Point Tunneling Protocol (PPTP)
-on a machine on the internal network.
+This allows the uses of the PPTP on a single machine on the internal network.
.Pp
If the passed address is
.Dv INADDR_NONE ,
-.Dv PPTP
-aliasing is disabled.
+then PPTP aliasing is disabled.
+.Pp
+.Bf -symbolic
+This function is made obsolete by
+.Fn PacketAliasRedirectPptp
+and
+.Dv PKT_ALIAS_DENY_PPTP
+mode bit, and is provided only for backward compatibility.
+.Ef
.Ed
.Sh FRAGMENT HANDLING
The functions in this section are used to deal with incoming fragments.