author | brian <brian@FreeBSD.org> | 1999-03-06 21:58:43 +0000 |
---|---|---|
committer | brian <brian@FreeBSD.org> | 1999-03-06 21:58:43 +0000 |
commit | 5a72bcc3c3e4b0d18f7d9333008e13043c23cdc5 (patch) | |
tree | c3f34501193b43cb51ed6d460fa1f2210cea0c3e /sys/netinet | |
parent | d6209f70c63de662dbd77686810ccb4dd09316d0 (diff) | |
Document PacketAliasProxyRule() and fix a typo.
Diffstat (limited to 'sys/netinet')
-rw-r--r-- | sys/netinet/libalias/libalias.3 | 89 |
1 files changed, 88 insertions, 1 deletions
diff --git a/sys/netinet/libalias/libalias.3 b/sys/netinet/libalias/libalias.3 index f9b36e6..156e7af 100644 --- a/sys/netinet/libalias/libalias.3 +++ b/sys/netinet/libalias/libalias.3 @@ -32,6 +32,7 @@ of the text. 4.1 PacketAliasRedirectPort() 4.2 PacketAliasRedirectAddr() 4.3 PacketAliasRedirectDelete() + 4.4 PacketAliasProxyRule() 5. Fragment Handling 5.1 PacketAliasSaveFragment() 5.2 PacketAliasGetFragment() 
@@ -506,6 +507,91 @@ re-mapped in the same manner the header fragment was. Fragments which arrive before the header are saved and then retrieved once the header fragment has been resolved. +.Ss 4.4 PacketAliasProxyRule() + +.Ft int +.Fn PacketAliasProxyRule "char *cmd" + +The passed +.Ar cmd +string consists of one or more pairs of words. The first word in each +pair is a token and the second is the value that should be applied for +that token. Tokens and their argument types are as follows: + +.Bl -tag -offset XXX -width XXX +.It type encode_ip_hdr|encode_tcp_stream|no_encode +In order to support transparent proxying, it is necessary to somehow +pass the original address and port information into the new destination +server. If +.Dq encode_ip_hdr +is specified, the original address and port is passed as an extra IP +option. If +.Dq encode_tcp_stream +is specified, the original address and port is passed as the first +piece of data in the tcp stream in the format +.Dq DEST Ar IP port . +.It port Ar portnum +Only packets with the destination port +.Ar portnum +are proxied. +.It server Ar host[:portnum] +This specifies the +.Ar host +and +.Ar portnum +that the data is to be redirected to. If +.Ar portnum +is not specified, the destination port number is not changed. +.Pp +The +.Ar server +specification is mandatory unless the +.Dq delete +command is being used. +.It rule Ar index +Normally, each call to +.Fn PacketAliasProxyRule +inserts the next rule at the start of a linear list of rules. If an +.Ar index +is specified, the new rule will be checked after all rules with lower +indices. Calls to +.Fn PacketAliasProxyRule +that do not specify a rule are assigned rule 0. +.It delete Ar index +This token and its argument must not be used with any other tokens. When +used, all existing rules with the given +.Ar index +are deleted. +.It proto tcp|udp +If specified, only packets of the given protocol type are matched. 
+.It src Ar IP[/bits] +If specified, only packets with a source address matching the given +.Ar IP +are matched. If +.Ar bits +is also specified, then the first +.Ar bits +bits of +.Ar IP +are taken as a network specification, and all IP addresses from that +network will be matched. +.It dest Ar IP[/bits] +If specified, only packets with a destination address matching the given +.Ar IP +are matched. If +.Ar bits +is also specified, then the first +.Ar bits +bits of +.Ar IP +are taken as a network specification, and all IP addresses from that +network will be matched. +.El + +This function is usually used to redirect outgoing connections for +internal machines that are not permitted certain types of internet +access, or to restrict access to certain external machines. + .Ss 5.1 PacketAliasSaveFragment() .Ft int @@ -530,7 +616,8 @@ an argument.] This function returns PKT_ALIAS_OK if it was successful and PKT_ALIAS_ERROR if there was an error. -.Ss 5.2 PacketAliasGetNextFragment() + +.Ss 5.2 PacketAliasGetFragment() .Ft char * .Fn PacketAliasGetFragment "char *buffer" |
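Review bot: In the contents hunk (@@ -32,6 +32,7) the new entry `4.4 PacketAliasProxyRule()` is listed under section 4, ahead of `5. Fragment Handling`, but the `.Ss 4.4` body in the @@ -506 hunk is inserted after the paragraph ending "once the header fragment has been resolved" and directly before `.Ss 5.1`, so it appears to land after the fragment-handling introduction rather than at the end of section 4. Move the `.Ss 4.4` block up to follow the 4.3 PacketAliasRedirectDelete() text so the body order matches the contents list.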
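Review bot: The new `.Ss 4.4` section in the @@ -506 hunk declares `.Ft int` for PacketAliasProxyRule() but never says what the return value means. The text just before `.Ss 5.2` spells this out for its function ("returns PKT_ALIAS_OK if it was successful and PKT_ALIAS_ERROR if there was an error"); add the equivalent sentence here, and say whether a `cmd` string that fails to parse leaves the existing rule list untouched. Two smaller gaps in the same hunk: the `type` item lists `no_encode` as a value but describes only `encode_ip_hdr` and `encode_tcp_stream` and states no default, and the `encode_tcp_stream` text should note that the `server` receives `DEST IP port` ahead of the client's own data and has to be a service that expects it.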