author: ru <ru@FreeBSD.org> 2000-04-18 10:18:21 +0000
committer: ru <ru@FreeBSD.org> 2000-04-18 10:18:21 +0000
commit: d297953a9f17b56644c7143453a40eb397aab2be (patch)
tree: 07cc847d2eddbbe6faed904565457b0d1ddce0c9 /sys/netinet/libalias/libalias.3
parent: 6d573144b323d585e9999b045a7cdfb0f3f8d491 (diff)
Add support for multiple PPTP sessions:
- new API function: PacketAliasRedirectPptp()
- new mode bit: PKT_ALIAS_DENY_PPTP

Please see manual page for details.
Diffstat (limited to 'sys/netinet/libalias/libalias.3')
-rw-r--r-- sys/netinet/libalias/libalias.3 85
1 files changed, 75 insertions, 10 deletions
diff --git a/sys/netinet/libalias/libalias.3 b/sys/netinet/libalias/libalias.3
index 6186e19..42840af 100644
--- a/sys/netinet/libalias/libalias.3
+++ b/sys/netinet/libalias/libalias.3
@@ -227,6 +227,15 @@ Normal packet aliasing is not performed.
See
.Fn PacketAliasProxyRule
below for details.
+.It Dv PKT_ALIAS_DENY_PPTP
+If this mode bit is set, all PPTP packets will be marked for being ignored
+(both
+.Fn PacketAliasIn
+and
+.Fn PacketAliasOut
+return
+.Dv PKT_ALIAS_IGNORED
+code).
.El
.Ed
.Pp
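Review bot: the PKT_ALIAS_DENY_PPTP entry does not say what a caller is expected to do with PKT_ALIAS_IGNORED, so a bit named DENY denies nothing if the caller forwards ignored packets unmodified. State whether the packet is meant to be dropped, say which protocols count as "PPTP packets" here (the PacketAliasRedirectPptp text later in this patch lists IPPROTO_GRE, IPPROTO_ESP and IPPROTO_AH), and say whether the bit takes precedence over links created with PacketAliasRedirectPptp.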
@@ -362,9 +371,9 @@ by
.Fn PacketAliasSetAddress
is to be used.
Even if
-.Nm PacketAliasSetAddress
+.Fn PacketAliasSetAddress
is called to change the address after
-.Nm PacketAliasRedirectPort
+.Fn PacketAliasRedirectPort
is called, a zero reference will track this change.
.Pp
If
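Review bot: the .Nm to .Fn corrections for PacketAliasSetAddress and PacketAliasRedirectPort are markup cleanup unrelated to the PPTP change and are not mentioned in the commit message. Either note them in the log or commit them separately so the functional change is easier to audit.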
@@ -577,22 +586,78 @@ internal machines that are not permitted certain types of internet
access, or to restrict access to certain external machines.
.Ed
.Pp
+.Ft struct alias_link *
+.Fo PacketAliasRedirectPptp
+.Fa "struct in_addr local_addr"
+.Fa "struct in_addr remote_addr"
+.Fa "struct in_addr alias_addr"
+.Fc
+.Bd -ragged -offset indent
+This function specifies that any Point to Point Tunneling Protocol
+(PPTP) traffic from a given remote address to an alias address be
+redirected to a specified local address.
+Currently supported PPTP protocols include:
+.Pp
+.Bl -tag -width "IPPROTO_GRE" -compact
+.It IPPROTO_GRE
+Generic Routing Encapsulation (RFC 1702)
+.It IPPROTO_ESP
+IP Encapsulating Security Payload (RFC 1827)
+.It IPPROTO_AH
+IP Authentication Header (RFC 1826)
+.El
+.Pp
+If
+.Fa local_addr
+or
+.Fa alias_addr
+is zero, this indicates that the packet aliasing address as established
+by
+.Fn PacketAliasSetAddress
+is to be used.
+Even if
+.Fn PacketAliasSetAddress
+is called to change the address after
+.Fn PacketAliasRedirectPptp
+is called, a zero reference will track this change.
+.Pp
+If
+.Fa remote_addr
+is zero, this indicates to redirect PPTP packets from any remote address.
+Non-zero remote addresses can sometimes be useful for firewalling.
+.Pp
+If two calls to
+.Fn PacketAliasRedirectPptp
+overlap in their address specifications, then the most recent call
+will have precedence.
+.Pp
+This function returns a pointer which can subsequently be used by
+.Fn PacketAliasRedirectDelete .
+If
+.Dv NULL
+is returned, then the function call did not complete successfully.
+.Ed
+.Pp
.Ft int
.Fn PacketAliasPptp "struct in_addr addr"
.Bd -ragged -offset indent
-This function causes any General Routing Encapsulation
-.Pq Dv IPPROTO_GRE
-packets to be aliased using
-.Ar addr
+This function causes any PPTP packets to be aliased using
+.Fa addr
rather than the address set via
.Fn PacketAliasSetAddress .
-This allows the uses of the Point to Point Tunneling Protocol (PPTP)
-on a machine on the internal network.
+This allows the uses of the PPTP on a single machine on the internal network.
.Pp
If the passed address is
.Dv INADDR_NONE ,
-.Dv PPTP
-aliasing is disabled.
+then PPTP aliasing is disabled.
+.Pp
+.Bf -symbolic
+This function is made obsolete by
+.Fn PacketAliasRedirectPptp
+and
+.Dv PKT_ALIAS_DENY_PPTP
+mode bit, and is provided only for backward compatibility.
+.Ef
.Ed
.Sh FRAGMENT HANDLING
The functions in this section are used to deal with incoming fragments.
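Review bot: the list under "Currently supported PPTP protocols" in the PacketAliasRedirectPptp text includes IPPROTO_ESP and IPPROTO_AH, which are IPsec protocols rather than PPTP, so as documented a redirect presented as PPTP-only also forwards inbound ESP and AH to local_addr, and with remote_addr zero it does so for any remote host. Either rename the list (for example "protocols redirected by this function") or document the wider scope explicitly, and recommend a non-zero remote_addr more firmly than "can sometimes be useful for firewalling". The text should also say how a redirect interacts with PKT_ALIAS_DENY_PPTP and what "overlap in their address specifications" means when one call uses a zero remote_addr. Minor: GRE itself is RFC 1701 (RFC 1702 is GRE over IPv4 networks), and "This allows the uses of the PPTP" in the PacketAliasPptp text should read "the use of PPTP".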