Add support for multiple PPTP sessions:

- new API function: PacketAliasRedirectPptp()
- new mode bit: PKT_ALIAS_DENY_PPTP

Please see manual page for details.
ru 2000-04-18 10:18:21 +00:00
parent c17873d359
commit 85fa946e2a
10 changed files with 530 additions and 176 deletions


@ -192,7 +192,7 @@ address of the outgoing packet and then correctly put it back for
any incoming packets. For TCP and UDP, ports are also re-mapped.
For ICMP echo/timestamp requests and replies, the following scheme
is used: the id number is replaced by an alias for the outgoing
is used: the ID number is replaced by an alias for the outgoing
packet.
ICMP error messages are handled by looking at the IP fragment
@ -201,7 +201,7 @@ in the data section of the message.
For TCP and UDP protocols, a port number is chosen for an outgoing
packet, and then incoming packets are identified by IP address and
port numbers. For TCP packets, there is additional logic in the event
that sequence and ack numbers have been altered (as is the case for
that sequence and ACK numbers have been altered (as in the case for
FTP data port commands).
The port numbers used by the packet aliasing module are not true
@ -661,21 +661,32 @@ PptpAliasIn(struct ip *pip)
the dest IP address of the packet to our inside
machine.
*/
struct in_addr alias_addr;
struct alias_link *link;
if (!GetPptpAlias (&alias_addr))
return PKT_ALIAS_IGNORED;
/* Return if proxy-only mode is enabled */
if (packetAliasMode & PKT_ALIAS_PROXY_ONLY)
return PKT_ALIAS_OK;
if (pip->ip_src.s_addr != alias_addr.s_addr) {
if (packetAliasMode & PKT_ALIAS_DENY_PPTP)
return PKT_ALIAS_IGNORED;
DifferentialChecksum(&pip->ip_sum,
(u_short *) &alias_addr,
(u_short *) &pip->ip_dst,
2);
pip->ip_dst = alias_addr;
link = FindPptpIn(pip->ip_src, pip->ip_dst);
if (link != NULL)
{
struct in_addr original_address;
original_address = GetOriginalAddress(link);
/* Restore original IP address */
DifferentialChecksum(&pip->ip_sum,
(u_short *) &original_address,
(u_short *) &pip->ip_dst,
2);
pip->ip_dst = original_address;
return(PKT_ALIAS_OK);
}
return PKT_ALIAS_OK;
return(PKT_ALIAS_IGNORED);
}
@ -687,22 +698,32 @@ PptpAliasOut(struct ip *pip)
only thing which is done in this case is to alias
the source IP address of the packet.
*/
struct in_addr alias_addr;
struct alias_link *link;
if (!GetPptpAlias (&alias_addr))
return PKT_ALIAS_IGNORED;
/* Return if proxy-only mode is enabled */
if (packetAliasMode & PKT_ALIAS_PROXY_ONLY)
return PKT_ALIAS_OK;
if (pip->ip_src.s_addr == alias_addr.s_addr) {
if (packetAliasMode & PKT_ALIAS_DENY_PPTP)
return PKT_ALIAS_IGNORED;
alias_addr = FindAliasAddress(pip->ip_src);
DifferentialChecksum(&pip->ip_sum,
(u_short *) &alias_addr,
(u_short *) &pip->ip_src,
2);
pip->ip_src = alias_addr;
link = FindPptpOut(pip->ip_src, pip->ip_dst);
if (link != NULL)
{
struct in_addr alias_address;
alias_address = GetAliasAddress(link);
/* Change source address */
DifferentialChecksum(&pip->ip_sum,
(u_short *) &alias_address,
(u_short *) &pip->ip_src,
2);
pip->ip_src = alias_address;
return(PKT_ALIAS_OK);
}
return PKT_ALIAS_OK;
return(PKT_ALIAS_IGNORED);
}
@ -902,7 +923,7 @@ TcpAliasIn(struct ip *pip)
accumulate -= *sptr++;
accumulate -= *sptr;
/* If this is a proxy, then modify the tcp source port and
/* If this is a proxy, then modify the TCP source port and
checksum accumulation */
if (proxy_port != 0)
{
@ -918,7 +939,7 @@ TcpAliasIn(struct ip *pip)
accumulate -= *sptr;
}
/* See if ack number needs to be modified */
/* See if ACK number needs to be modified */
if (GetAckModified(link) == 1)
{
int delta;
@ -989,7 +1010,7 @@ TcpAliasOut(struct ip *pip, int maxpacketsize)
return PKT_ALIAS_OK;
/* If this is a transparent proxy, save original destination,
then alter the destination and adust checksums */
then alter the destination and adjust checksums */
dest_port = tc->th_dport;
dest_address = pip->ip_dst;
if (proxy_type != 0)
@ -1044,7 +1065,7 @@ TcpAliasOut(struct ip *pip, int maxpacketsize)
alias_port = GetAliasPort(link);
alias_address = GetAliasAddress(link);
/* Monitor tcp connection state */
/* Monitor TCP connection state */
TcpMonitorOut(pip, link);
/* Special processing for IP encoding protocols */
@ -1114,7 +1135,7 @@ TcpAliasOut(struct ip *pip, int maxpacketsize)
The packet aliasing module has a limited ability for handling IP
fragments. If the ICMP, TCP or UDP header is in the first fragment
received, then the id number of the IP packet is saved, and other
received, then the ID number of the IP packet is saved, and other
fragments are identified according to their ID number and IP address
they were sent from. Pointers to unresolved fragments can also be
saved and recalled when a header fragment is seen.
@ -1358,7 +1379,7 @@ PacketAliasOut(char *ptr, /* valid IP packet */
addr_save = GetDefaultAliasAddress();
if (packetAliasMode & PKT_ALIAS_UNREGISTERED_ONLY)
{
unsigned int addr;
u_long addr;
int iclass;
iclass = 0;
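Review bot: PptpAliasIn() and PptpAliasOut() now translate PPTP traffic by default, whereas the removed `GetPptpAlias()` check returned PKT_ALIAS_IGNORED until PacketAliasPptp() had been called; the only opt-out is the new PKT_ALIAS_DENY_PPTP bit, which the default mode assigned in PacketAliasInit() does not include. Callers that treated PKT_ALIAS_IGNORED as the signal to drop unconfigured PPTP packets should be re-checked. Because FindPptpIn() adds a link on a lookup miss unless PKT_ALIAS_DENY_INCOMING is set, unsolicited inbound packets can now each occupy a link-table entry for PPTP_EXPIRE_TIME seconds. I would record the new default in both function comments, e.g. `/* Translated by default; set PKT_ALIAS_DENY_PPTP to get PKT_ALIAS_IGNORED for all PPTP packets. */`. Both function bodies start outside their hunks, and the same two hunks are repeated in the second copy of this file further down the page.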


@ -54,6 +54,8 @@ struct alias_link;
extern int
PacketAliasPptp(struct in_addr);
extern struct alias_link *
PacketAliasRedirectPptp(struct in_addr, struct in_addr, struct in_addr);
extern struct alias_link *
PacketAliasRedirectAddr(struct in_addr,
@ -113,13 +115,12 @@ struct alias_link;
port it chooses. This will avoid interference with the host
machine. Fully specified links do not require this. This bit
is set after a call to PacketAliasInit(), so it is a default
mode of operation.*/
mode of operation. */
#define PKT_ALIAS_USE_SOCKETS 0x08
/* If PKT_ALIAS_UNREGISTERED_ONLY is set, then only packets with
unregistered source addresses will be aliased (along with those
of the ppp host maching itself. Private addresses are those
in the following ranges:
unregistered source addresses will be aliased. Private
addresses are those in the following ranges:
10.0.0.0 -> 10.255.255.255
172.16.0.0 -> 172.31.255.255
192.168.0.0 -> 192.168.255.255 */
@ -128,7 +129,7 @@ struct alias_link;
/* If PKT_ALIAS_RESET_ON_ADDR_CHANGE is set, then the table of dynamic
aliasing links will be reset whenever PacketAliasSetAddress()
changes the default aliasing address. If the default aliasing
address is left unchanged by this functions call, then the
address is left unchanged by this function call, then the
table of dynamic aliasing links will be left intact. This
bit is set after a call to PacketAliasInit(). */
#define PKT_ALIAS_RESET_ON_ADDR_CHANGE 0x20
@ -151,6 +152,10 @@ struct alias_link;
and PacketAliasOut() are reversed */
#define PKT_ALIAS_REVERSE 0x80
/* If PKT_ALIAS_DENY_PPTP is set, then PPTP sessions will be
prevented by the aliasing engine. */
#define PKT_ALIAS_DENY_PPTP 0x200
/* Return Codes */
#define PKT_ALIAS_ERROR -1
#define PKT_ALIAS_OK 1
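Review bot: The comment added above `PKT_ALIAS_DENY_PPTP` says PPTP sessions "will be prevented by the aliasing engine", which overstates what the code on this page does. PptpAliasIn() and PptpAliasOut() only return PKT_ALIAS_IGNORED and leave the packet untouched, so whether the packet is actually dropped is up to the caller. A more precise comment would be `/* If PKT_ALIAS_DENY_PPTP is set, PPTP packets are not translated and PacketAliasIn()/PacketAliasOut() return PKT_ALIAS_IGNORED; the caller decides whether to drop them. */`. The same hunk appears again in the second copy of this header further down the page.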


@ -32,7 +32,7 @@
Version 1.7: January 9, 1997 (cjm)
Fragment handling simplified.
Saves pointers for unresolved fragments.
Permits links for unspecied remote ports
Permits links for unspecified remote ports
or unspecified remote addresses.
Fixed bug which did not properly zero port
table entries after a link was deleted.
@ -48,8 +48,8 @@
machine will will not have their port number aliased unless it
conflicts with an aliasing port already being used. (cjm)
All options earlier being #ifdef'ed now are available through
a new interface, SetPacketAliasMode(). This allow run time
All options earlier being #ifdef'ed are now available through
a new interface, SetPacketAliasMode(). This allows run time
control (which is now available in PPP+pktAlias through the
'alias' keyword). (ee)
@ -78,7 +78,7 @@
(192.168.0.2, port 21) <-> alias port 3604, known dest addr
unknown dest port
These permament links allow for incoming connections to
These permanent links allow for incoming connections to
machines on the local network. They can be given with a
user-chosen amount of specificity, with increasing specificity
meaning more security. (cjm)
@ -147,6 +147,7 @@
/* Timeouts (in seconds) for different link types */
#define ICMP_EXPIRE_TIME 60
#define UDP_EXPIRE_TIME 60
#define PPTP_EXPIRE_TIME 60
#define FRAGMENT_ID_EXPIRE_TIME 10
#define FRAGMENT_PTR_EXPIRE_TIME 30
@ -192,25 +193,25 @@
The link record is identified by the source address/port
and the destination address/port. In the case of an ICMP
echo request, the source port is treated as being equivalent
with the 16-bit id number of the ICMP packet.
with the 16-bit ID number of the ICMP packet.
The link record also can store some auxiliary data. For
TCP connections that have had sequence and acknowledgment
modifications, data space is available to track these changes.
A state field is used to keep track in changes to the tcp
connection state. Id numbers of fragments can also be
A state field is used to keep track in changes to the TCP
connection state. ID numbers of fragments can also be
stored in the auxiliary space. Pointers to unresolved
framgents can also be stored.
fragments can also be stored.
The link records support two independent chainings. Lookup
tables for input and out tables hold the initial pointers
the link chains. On input, the lookup table indexes on alias
port and link type. On output, the lookup table indexes on
source addreess, destination address, source port, destination
source address, destination address, source port, destination
port and link type.
*/
struct ack_data_record /* used to save changes to ack/seq numbers */
struct ack_data_record /* used to save changes to ACK/sequence numbers */
{
u_long ack_old;
u_long ack_new;
@ -218,16 +219,16 @@ struct ack_data_record /* used to save changes to ack/seq numbers */
int active;
};
struct tcp_state /* Information about tcp connection */
struct tcp_state /* Information about TCP connection */
{
int in; /* State for outside -> inside */
int out; /* State for inside -> outside */
int index; /* Index to ack data array */
int ack_modified; /* Indicates whether ack and seq numbers */
int index; /* Index to ACK data array */
int ack_modified; /* Indicates whether ACK and sequence numbers */
/* been modified */
};
#define N_LINK_TCP_DATA 3 /* Number of distinct ack number changes
#define N_LINK_TCP_DATA 3 /* Number of distinct ACK number changes
saved for a modified TCP stream */
struct tcp_dat
{
@ -247,7 +248,7 @@ struct alias_link /* Main data structure */
u_short alias_port;
u_short proxy_port;
int link_type; /* Type of link: tcp, udp, icmp, frag */
int link_type; /* Type of link: TCP, UDP, ICMP, PPTP, frag */
/* values for link_type */
#define LINK_ICMP 1
@ -256,6 +257,7 @@ struct alias_link /* Main data structure */
#define LINK_FRAGMENT_ID 4
#define LINK_FRAGMENT_PTR 5
#define LINK_ADDR 6
#define LINK_PPTP 7
int flags; /* indicates special characteristics */
@ -319,6 +321,7 @@ linkTableIn[LINK_TABLE_IN_SIZE]; /* into input and output lookup */
static int icmpLinkCount; /* Link statistics */
static int udpLinkCount;
static int tcpLinkCount;
static int pptpLinkCount;
static int fragmentIdLinkCount;
static int fragmentPtrLinkCount;
static int sockCount;
@ -352,11 +355,6 @@ static int fireWallFD = -1; /* File descriptor to be able to */
/* flag. */
#endif
static int pptpAliasFlag; /* Indicates if PPTP aliasing is */
/* on or off */
static struct in_addr pptpAliasAddr; /* Address of source of PPTP */
/* packets. */
@ -368,7 +366,7 @@ static struct in_addr pptpAliasAddr; /* Address of source of PPTP */
Lookup table starting points:
StartPointIn() -- link table initial search point for
incoming packets
StartPointOut() -- port table initial search point for
StartPointOut() -- link table initial search point for
outgoing packets
Miscellaneous:
@ -449,16 +447,18 @@ ShowAliasStats(void)
if (monitorFile)
{
fprintf(monitorFile, "icmp=%d, udp=%d, tcp=%d, frag_id=%d frag_ptr=%d",
fprintf(monitorFile, "icmp=%d, udp=%d, tcp=%d, pptp=%d, frag_id=%d frag_ptr=%d",
icmpLinkCount,
udpLinkCount,
tcpLinkCount,
pptpLinkCount,
fragmentIdLinkCount,
fragmentPtrLinkCount);
fprintf(monitorFile, " / tot=%d (sock=%d)\n",
icmpLinkCount + udpLinkCount
+ tcpLinkCount
+ pptpLinkCount
+ fragmentIdLinkCount
+ fragmentPtrLinkCount,
sockCount);
@ -542,7 +542,7 @@ GetNewPort(struct alias_link *link, int alias_port_param)
the port number. GetNewPort() will return this number
without check that it is in use.
Whis this parameter is -1, it indicates to get a randomly
When this parameter is -1, it indicates to get a randomly
selected port number.
*/
@ -557,7 +557,7 @@ GetNewPort(struct alias_link *link, int alias_port_param)
if (packetAliasMode & PKT_ALIAS_SAME_PORTS)
{
/*
* When the ALIAS_SAME_PORTS option is
* When the PKT_ALIAS_SAME_PORTS option is
* chosen, the first try will be the
* actual source port. If this is already
* in use, the remainder of the trials
@ -734,6 +734,7 @@ IncrementalCleanup(void)
case LINK_UDP:
case LINK_FRAGMENT_ID:
case LINK_FRAGMENT_PTR:
case LINK_PPTP:
if (idelta > link->expire_time)
{
DeleteLink(link);
@ -773,7 +774,7 @@ DeleteLink(struct alias_link *link)
return;
#ifndef NO_FW_PUNCH
/* Delete associatied firewall hole, if any */
/* Delete associated firewall hole, if any */
ClearFWHole(link);
#endif
@ -822,6 +823,9 @@ DeleteLink(struct alias_link *link)
if (link->data.tcp != NULL)
free(link->data.tcp);
break;
case LINK_PPTP:
pptpLinkCount--;
break;
case LINK_FRAGMENT_ID:
fragmentIdLinkCount--;
break;
@ -884,6 +888,9 @@ AddLink(struct in_addr src_addr,
case LINK_TCP:
link->expire_time = TCP_EXPIRE_INITIAL;
break;
case LINK_PPTP:
link->expire_time = PPTP_EXPIRE_TIME;
break;
case LINK_FRAGMENT_ID:
link->expire_time = FRAGMENT_ID_EXPIRE_TIME;
break;
@ -967,6 +974,9 @@ AddLink(struct in_addr src_addr,
#endif
}
break;
case LINK_PPTP:
pptpLinkCount++;
break;
case LINK_FRAGMENT_ID:
fragmentIdLinkCount++;
break;
@ -1272,6 +1282,7 @@ FindLinkIn(struct in_addr dst_addr,
FindIcmpIn(), FindIcmpOut()
FindFragmentIn1(), FindFragmentIn2()
AddFragmentPtrLink(), FindFragmentPtr()
FindPptpIn(), FindPptpOut()
FindUdpTcpIn(), FindUdpTcpOut()
FindOriginalAddress(), FindAliasAddress()
@ -1367,6 +1378,54 @@ FindFragmentPtr(struct in_addr dst_addr,
}
struct alias_link *
FindPptpIn(struct in_addr dst_addr,
struct in_addr alias_addr)
{
struct alias_link *link;
link = FindLinkIn(dst_addr, alias_addr,
NO_DEST_PORT, 0,
LINK_PPTP, 1);
if (link == NULL && !(packetAliasMode & PKT_ALIAS_DENY_INCOMING))
{
struct in_addr target_addr;
target_addr = FindOriginalAddress(alias_addr);
link = AddLink(target_addr, dst_addr, alias_addr,
NO_SRC_PORT, NO_DEST_PORT, 0,
LINK_PPTP);
}
return (link);
}
struct alias_link *
FindPptpOut(struct in_addr src_addr,
struct in_addr dst_addr)
{
struct alias_link *link;
link = FindLinkOut(src_addr, dst_addr,
NO_SRC_PORT, NO_DEST_PORT,
LINK_PPTP, 1);
if (link == NULL)
{
struct in_addr alias_addr;
alias_addr = FindAliasAddress(src_addr);
link = AddLink(src_addr, dst_addr, alias_addr,
NO_SRC_PORT, NO_DEST_PORT, 0,
LINK_PPTP);
}
return (link);
}
struct alias_link *
FindUdpTcpIn(struct in_addr dst_addr,
struct in_addr alias_addr,
@ -1663,7 +1722,7 @@ GetDestPort(struct alias_link *link)
void
SetAckModified(struct alias_link *link)
{
/* Indicate that ack numbers have been modified in a TCP connection */
/* Indicate that ACK numbers have been modified in a TCP connection */
link->data.tcp->state.ack_modified = 1;
}
@ -1699,7 +1758,7 @@ SetProxyPort(struct alias_link *link, u_short port)
int
GetAckModified(struct alias_link *link)
{
/* See if ack numbers have been modified */
/* See if ACK numbers have been modified */
return link->data.tcp->state.ack_modified;
}
@ -1708,8 +1767,8 @@ int
GetDeltaAckIn(struct ip *pip, struct alias_link *link)
{
/*
Find out how much the ack number has been altered for an incoming
TCP packet. To do this, a circular list is ack numbers where the TCP
Find out how much the ACK number has been altered for an incoming
TCP packet. To do this, a circular list of ACK numbers where the TCP
packet size was altered is searched.
*/
@ -1759,8 +1818,8 @@ int
GetDeltaSeqOut(struct ip *pip, struct alias_link *link)
{
/*
Find out how much the seq number has been altered for an outgoing
TCP packet. To do this, a circular list is ack numbers where the TCP
Find out how much the sequence number has been altered for an outgoing
TCP packet. To do this, a circular list of ACK numbers where the TCP
packet size was altered is searched.
*/
@ -1976,6 +2035,7 @@ UninitPacketAliasLog(void)
-- "outside world" means other than alias*.c routines --
PacketAliasRedirectPort()
PacketAliasRedirectPptp()
PacketAliasRedirectAddr()
PacketAliasRedirectDelete()
PacketAliasSetAddress()
@ -1987,7 +2047,7 @@ UninitPacketAliasLog(void)
*/
/* Redirection from a specific public addr:port to a
a private addr:port */
private addr:port */
struct alias_link *
PacketAliasRedirectPort(struct in_addr src_addr, u_short src_port,
struct in_addr dst_addr, u_short dst_port,
@ -2033,23 +2093,46 @@ PacketAliasRedirectPort(struct in_addr src_addr, u_short src_port,
}
/* Translate PPTP packets to a machine on the inside
* XXX This function is made obsolete by PacketAliasRedirectPptp().
*/
int
PacketAliasPptp(struct in_addr src_addr)
{
pptpAliasAddr = src_addr; /* Address of the inside PPTP machine */
pptpAliasFlag = src_addr.s_addr != INADDR_NONE;
if (src_addr.s_addr == INADDR_NONE)
packetAliasMode |= PKT_ALIAS_DENY_PPTP;
else
(void)PacketAliasRedirectPptp(src_addr, nullAddress, nullAddress);
return 1;
}
int GetPptpAlias (struct in_addr* alias_addr)
/* Redirect PPTP packets from a specific
public address to a private address */
struct alias_link *
PacketAliasRedirectPptp(struct in_addr src_addr,
struct in_addr dst_addr,
struct in_addr alias_addr)
{
if (pptpAliasFlag)
*alias_addr = pptpAliasAddr;
struct alias_link *link;
return pptpAliasFlag;
link = AddLink(src_addr, dst_addr, alias_addr,
NO_SRC_PORT, NO_DEST_PORT, 0,
LINK_PPTP);
if (link != NULL)
{
link->flags |= LINK_PERMANENT;
}
#ifdef DEBUG
else
{
fprintf(stderr, "PacketAliasRedirectPptp(): "
"call to AddLink() failed\n");
}
#endif
return link;
}
/* Static address translation */
@ -2145,6 +2228,7 @@ PacketAliasInit(void)
icmpLinkCount = 0;
udpLinkCount = 0;
tcpLinkCount = 0;
pptpLinkCount = 0;
fragmentIdLinkCount = 0;
fragmentPtrLinkCount = 0;
sockCount = 0;
@ -2154,8 +2238,6 @@ PacketAliasInit(void)
packetAliasMode = PKT_ALIAS_SAME_PORTS
| PKT_ALIAS_USE_SOCKETS
| PKT_ALIAS_RESET_ON_ADDR_CHANGE;
pptpAliasFlag = 0;
}
void
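Review bot: PacketAliasPptp() sets PKT_ALIAS_DENY_PPTP when passed INADDR_NONE but never clears it, so a later call with a real address adds the redirect while PptpAliasIn()/PptpAliasOut() keep returning PKT_ALIAS_IGNORED; the removed `pptpAliasFlag` was recomputed on every call. If existing callers are expected to be able to re-enable PPTP this way, the else branch could start with `packetAliasMode &= ~PKT_ALIAS_DENY_PPTP;`. The result of PacketAliasRedirectPptp() is also cast to void, so the function returns 1 even when AddLink() fails. Each successful call leaves another LINK_PERMANENT entry in the table, because the returned link is not kept for a later PacketAliasRedirectDelete().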


@ -95,6 +95,12 @@ AddFragmentPtrLink(struct in_addr, u_short);
struct alias_link *
FindFragmentPtr(struct in_addr, u_short);
struct alias_link *
FindPptpIn(struct in_addr, struct in_addr);
struct alias_link *
FindPptpOut(struct in_addr, struct in_addr);
struct alias_link *
FindUdpTcpIn (struct in_addr, struct in_addr, u_short, u_short, u_char);
@ -169,7 +175,5 @@ enum alias_tcp_state {
ALIAS_TCP_STATE_CONNECTED,
ALIAS_TCP_STATE_DISCONNECTED
};
int GetPptpAlias (struct in_addr*);
/*lint -restore */
#endif /* defined(ALIAS_LOCAL_H) */


@ -227,6 +227,15 @@ Normal packet aliasing is not performed.
See
.Fn PacketAliasProxyRule
below for details.
.It Dv PKT_ALIAS_DENY_PPTP
If this mode bit is set, all PPTP packets will be marked for being ignored
(both
.Fn PacketAliasIn
and
.Fn PacketAliasOut
return
.Dv PKT_ALIAS_IGNORED
code).
.El
.Ed
.Pp
@ -362,9 +371,9 @@ by
.Fn PacketAliasSetAddress
is to be used.
Even if
.Nm PacketAliasSetAddress
.Fn PacketAliasSetAddress
is called to change the address after
.Nm PacketAliasRedirectPort
.Fn PacketAliasRedirectPort
is called, a zero reference will track this change.
.Pp
If
@ -577,22 +586,78 @@ internal machines that are not permitted certain types of internet
access, or to restrict access to certain external machines.
.Ed
.Pp
.Ft struct alias_link *
.Fo PacketAliasRedirectPptp
.Fa "struct in_addr local_addr"
.Fa "struct in_addr remote_addr"
.Fa "struct in_addr alias_addr"
.Fc
.Bd -ragged -offset indent
This function specifies that any Point to Point Tunneling Protocol
(PPTP) traffic from a given remote address to an alias address be
redirected to a specified local address.
Currently supported PPTP protocols include:
.Pp
.Bl -tag -width "IPPROTO_GRE" -compact
.It IPPROTO_GRE
Generic Routing Encapsulation (RFC 1702)
.It IPPROTO_ESP
IP Encapsulating Security Payload (RFC 1827)
.It IPPROTO_AH
IP Authentication Header (RFC 1826)
.El
.Pp
If
.Fa local_addr
or
.Fa alias_addr
is zero, this indicates that the packet aliasing address as established
by
.Fn PacketAliasSetAddress
is to be used.
Even if
.Fn PacketAliasSetAddress
is called to change the address after
.Fn PacketAliasRedirectPptp
is called, a zero reference will track this change.
.Pp
If
.Fa remote_addr
is zero, this indicates to redirect PPTP packets from any remote address.
Non-zero remote addresses can sometimes be useful for firewalling.
.Pp
If two calls to
.Fn PacketAliasRedirectPptp
overlap in their address specifications, then the most recent call
will have precedence.
.Pp
This function returns a pointer which can subsequently be used by
.Fn PacketAliasRedirectDelete .
If
.Dv NULL
is returned, then the function call did not complete successfully.
.Ed
.Pp
.Ft int
.Fn PacketAliasPptp "struct in_addr addr"
.Bd -ragged -offset indent
This function causes any General Routing Encapsulation
.Pq Dv IPPROTO_GRE
packets to be aliased using
.Ar addr
This function causes any PPTP packets to be aliased using
.Fa addr
rather than the address set via
.Fn PacketAliasSetAddress .
This allows the uses of the Point to Point Tunneling Protocol (PPTP)
on a machine on the internal network.
This allows the uses of the PPTP on a single machine on the internal network.
.Pp
If the passed address is
.Dv INADDR_NONE ,
.Dv PPTP
aliasing is disabled.
then PPTP aliasing is disabled.
.Pp
.Bf -symbolic
This function is made obsolete by
.Fn PacketAliasRedirectPptp
and
.Dv PKT_ALIAS_DENY_PPTP
mode bit, and is provided only for backward compatibility.
.Ef
.Ed
.Sh FRAGMENT HANDLING
The functions in this section are used to deal with incoming fragments.


@ -192,7 +192,7 @@ address of the outgoing packet and then correctly put it back for
any incoming packets. For TCP and UDP, ports are also re-mapped.
For ICMP echo/timestamp requests and replies, the following scheme
is used: the id number is replaced by an alias for the outgoing
is used: the ID number is replaced by an alias for the outgoing
packet.
ICMP error messages are handled by looking at the IP fragment
@ -201,7 +201,7 @@ in the data section of the message.
For TCP and UDP protocols, a port number is chosen for an outgoing
packet, and then incoming packets are identified by IP address and
port numbers. For TCP packets, there is additional logic in the event
that sequence and ack numbers have been altered (as is the case for
that sequence and ACK numbers have been altered (as in the case for
FTP data port commands).
The port numbers used by the packet aliasing module are not true
@ -661,21 +661,32 @@ PptpAliasIn(struct ip *pip)
the dest IP address of the packet to our inside
machine.
*/
struct in_addr alias_addr;
struct alias_link *link;
if (!GetPptpAlias (&alias_addr))
return PKT_ALIAS_IGNORED;
/* Return if proxy-only mode is enabled */
if (packetAliasMode & PKT_ALIAS_PROXY_ONLY)
return PKT_ALIAS_OK;
if (pip->ip_src.s_addr != alias_addr.s_addr) {
if (packetAliasMode & PKT_ALIAS_DENY_PPTP)
return PKT_ALIAS_IGNORED;
DifferentialChecksum(&pip->ip_sum,
(u_short *) &alias_addr,
(u_short *) &pip->ip_dst,
2);
pip->ip_dst = alias_addr;
link = FindPptpIn(pip->ip_src, pip->ip_dst);
if (link != NULL)
{
struct in_addr original_address;
original_address = GetOriginalAddress(link);
/* Restore original IP address */
DifferentialChecksum(&pip->ip_sum,
(u_short *) &original_address,
(u_short *) &pip->ip_dst,
2);
pip->ip_dst = original_address;
return(PKT_ALIAS_OK);
}
return PKT_ALIAS_OK;
return(PKT_ALIAS_IGNORED);
}
@ -687,22 +698,32 @@ PptpAliasOut(struct ip *pip)
only thing which is done in this case is to alias
the source IP address of the packet.
*/
struct in_addr alias_addr;
struct alias_link *link;
if (!GetPptpAlias (&alias_addr))
return PKT_ALIAS_IGNORED;
/* Return if proxy-only mode is enabled */
if (packetAliasMode & PKT_ALIAS_PROXY_ONLY)
return PKT_ALIAS_OK;
if (pip->ip_src.s_addr == alias_addr.s_addr) {
if (packetAliasMode & PKT_ALIAS_DENY_PPTP)
return PKT_ALIAS_IGNORED;
alias_addr = FindAliasAddress(pip->ip_src);
DifferentialChecksum(&pip->ip_sum,
(u_short *) &alias_addr,
(u_short *) &pip->ip_src,
2);
pip->ip_src = alias_addr;
link = FindPptpOut(pip->ip_src, pip->ip_dst);
if (link != NULL)
{
struct in_addr alias_address;
alias_address = GetAliasAddress(link);
/* Change source address */
DifferentialChecksum(&pip->ip_sum,
(u_short *) &alias_address,
(u_short *) &pip->ip_src,
2);
pip->ip_src = alias_address;
return(PKT_ALIAS_OK);
}
return PKT_ALIAS_OK;
return(PKT_ALIAS_IGNORED);
}
@ -902,7 +923,7 @@ TcpAliasIn(struct ip *pip)
accumulate -= *sptr++;
accumulate -= *sptr;
/* If this is a proxy, then modify the tcp source port and
/* If this is a proxy, then modify the TCP source port and
checksum accumulation */
if (proxy_port != 0)
{
@ -918,7 +939,7 @@ TcpAliasIn(struct ip *pip)
accumulate -= *sptr;
}
/* See if ack number needs to be modified */
/* See if ACK number needs to be modified */
if (GetAckModified(link) == 1)
{
int delta;
@ -989,7 +1010,7 @@ TcpAliasOut(struct ip *pip, int maxpacketsize)
return PKT_ALIAS_OK;
/* If this is a transparent proxy, save original destination,
then alter the destination and adust checksums */
then alter the destination and adjust checksums */
dest_port = tc->th_dport;
dest_address = pip->ip_dst;
if (proxy_type != 0)
@ -1044,7 +1065,7 @@ TcpAliasOut(struct ip *pip, int maxpacketsize)
alias_port = GetAliasPort(link);
alias_address = GetAliasAddress(link);
/* Monitor tcp connection state */
/* Monitor TCP connection state */
TcpMonitorOut(pip, link);
/* Special processing for IP encoding protocols */
@ -1114,7 +1135,7 @@ TcpAliasOut(struct ip *pip, int maxpacketsize)
The packet aliasing module has a limited ability for handling IP
fragments. If the ICMP, TCP or UDP header is in the first fragment
received, then the id number of the IP packet is saved, and other
received, then the ID number of the IP packet is saved, and other
fragments are identified according to their ID number and IP address
they were sent from. Pointers to unresolved fragments can also be
saved and recalled when a header fragment is seen.
@ -1358,7 +1379,7 @@ PacketAliasOut(char *ptr, /* valid IP packet */
addr_save = GetDefaultAliasAddress();
if (packetAliasMode & PKT_ALIAS_UNREGISTERED_ONLY)
{
unsigned int addr;
u_long addr;
int iclass;
iclass = 0;


@ -54,6 +54,8 @@ struct alias_link;
extern int
PacketAliasPptp(struct in_addr);
extern struct alias_link *
PacketAliasRedirectPptp(struct in_addr, struct in_addr, struct in_addr);
extern struct alias_link *
PacketAliasRedirectAddr(struct in_addr,
@ -113,13 +115,12 @@ struct alias_link;
port it chooses. This will avoid interference with the host
machine. Fully specified links do not require this. This bit
is set after a call to PacketAliasInit(), so it is a default
mode of operation.*/
mode of operation. */
#define PKT_ALIAS_USE_SOCKETS 0x08
/* If PKT_ALIAS_UNREGISTERED_ONLY is set, then only packets with
unregistered source addresses will be aliased (along with those
of the ppp host maching itself. Private addresses are those
in the following ranges:
unregistered source addresses will be aliased. Private
addresses are those in the following ranges:
10.0.0.0 -> 10.255.255.255
172.16.0.0 -> 172.31.255.255
192.168.0.0 -> 192.168.255.255 */
@ -128,7 +129,7 @@ struct alias_link;
/* If PKT_ALIAS_RESET_ON_ADDR_CHANGE is set, then the table of dynamic
aliasing links will be reset whenever PacketAliasSetAddress()
changes the default aliasing address. If the default aliasing
address is left unchanged by this functions call, then the
address is left unchanged by this function call, then the
table of dynamic aliasing links will be left intact. This
bit is set after a call to PacketAliasInit(). */
#define PKT_ALIAS_RESET_ON_ADDR_CHANGE 0x20
@ -151,6 +152,10 @@ struct alias_link;
and PacketAliasOut() are reversed */
#define PKT_ALIAS_REVERSE 0x80
/* If PKT_ALIAS_DENY_PPTP is set, then PPTP sessions will be
prevented by the aliasing engine. */
#define PKT_ALIAS_DENY_PPTP 0x200
/* Return Codes */
#define PKT_ALIAS_ERROR -1
#define PKT_ALIAS_OK 1


@ -32,7 +32,7 @@
Version 1.7: January 9, 1997 (cjm)
Fragment handling simplified.
Saves pointers for unresolved fragments.
Permits links for unspecied remote ports
Permits links for unspecified remote ports
or unspecified remote addresses.
Fixed bug which did not properly zero port
table entries after a link was deleted.
@ -48,8 +48,8 @@
machine will will not have their port number aliased unless it
conflicts with an aliasing port already being used. (cjm)
All options earlier being #ifdef'ed now are available through
a new interface, SetPacketAliasMode(). This allow run time
All options earlier being #ifdef'ed are now available through
a new interface, SetPacketAliasMode(). This allows run time
control (which is now available in PPP+pktAlias through the
'alias' keyword). (ee)
@ -78,7 +78,7 @@
(192.168.0.2, port 21) <-> alias port 3604, known dest addr
unknown dest port
These permament links allow for incoming connections to
These permanent links allow for incoming connections to
machines on the local network. They can be given with a
user-chosen amount of specificity, with increasing specificity
meaning more security. (cjm)
@ -147,6 +147,7 @@
/* Timeouts (in seconds) for different link types */
#define ICMP_EXPIRE_TIME 60
#define UDP_EXPIRE_TIME 60
#define PPTP_EXPIRE_TIME 60
#define FRAGMENT_ID_EXPIRE_TIME 10
#define FRAGMENT_PTR_EXPIRE_TIME 30
@ -192,25 +193,25 @@
The link record is identified by the source address/port
and the destination address/port. In the case of an ICMP
echo request, the source port is treated as being equivalent
with the 16-bit id number of the ICMP packet.
with the 16-bit ID number of the ICMP packet.
The link record also can store some auxiliary data. For
TCP connections that have had sequence and acknowledgment
modifications, data space is available to track these changes.
A state field is used to keep track in changes to the tcp
connection state. Id numbers of fragments can also be
A state field is used to keep track in changes to the TCP
connection state. ID numbers of fragments can also be
stored in the auxiliary space. Pointers to unresolved
framgents can also be stored.
fragments can also be stored.
The link records support two independent chainings. Lookup
tables for input and out tables hold the initial pointers
the link chains. On input, the lookup table indexes on alias
port and link type. On output, the lookup table indexes on
source addreess, destination address, source port, destination
source address, destination address, source port, destination
port and link type.
*/
struct ack_data_record /* used to save changes to ack/seq numbers */
struct ack_data_record /* used to save changes to ACK/sequence numbers */
{
u_long ack_old;
u_long ack_new;
@ -218,16 +219,16 @@ struct ack_data_record /* used to save changes to ack/seq numbers */
int active;
};
struct tcp_state /* Information about tcp connection */
struct tcp_state /* Information about TCP connection */
{
int in; /* State for outside -> inside */
int out; /* State for inside -> outside */
int index; /* Index to ack data array */
int ack_modified; /* Indicates whether ack and seq numbers */
int index; /* Index to ACK data array */
int ack_modified; /* Indicates whether ACK and sequence numbers */
/* been modified */
};
#define N_LINK_TCP_DATA 3 /* Number of distinct ack number changes
#define N_LINK_TCP_DATA 3 /* Number of distinct ACK number changes
saved for a modified TCP stream */
struct tcp_dat
{
@ -247,7 +248,7 @@ struct alias_link /* Main data structure */
u_short alias_port;
u_short proxy_port;
int link_type; /* Type of link: tcp, udp, icmp, frag */
int link_type; /* Type of link: TCP, UDP, ICMP, PPTP, frag */
/* values for link_type */
#define LINK_ICMP 1
@ -256,6 +257,7 @@ struct alias_link /* Main data structure */
#define LINK_FRAGMENT_ID 4
#define LINK_FRAGMENT_PTR 5
#define LINK_ADDR 6
#define LINK_PPTP 7
int flags; /* indicates special characteristics */
@ -319,6 +321,7 @@ linkTableIn[LINK_TABLE_IN_SIZE]; /* into input and output lookup */
static int icmpLinkCount; /* Link statistics */
static int udpLinkCount;
static int tcpLinkCount;
static int pptpLinkCount;
static int fragmentIdLinkCount;
static int fragmentPtrLinkCount;
static int sockCount;
@ -352,11 +355,6 @@ static int fireWallFD = -1; /* File descriptor to be able to */
/* flag. */
#endif
static int pptpAliasFlag; /* Indicates if PPTP aliasing is */
/* on or off */
static struct in_addr pptpAliasAddr; /* Address of source of PPTP */
/* packets. */
@ -368,7 +366,7 @@ static struct in_addr pptpAliasAddr; /* Address of source of PPTP */
Lookup table starting points:
StartPointIn() -- link table initial search point for
incoming packets
StartPointOut() -- port table initial search point for
StartPointOut() -- link table initial search point for
outgoing packets
Miscellaneous:
@ -449,16 +447,18 @@ ShowAliasStats(void)
if (monitorFile)
{
fprintf(monitorFile, "icmp=%d, udp=%d, tcp=%d, frag_id=%d frag_ptr=%d",
fprintf(monitorFile, "icmp=%d, udp=%d, tcp=%d, pptp=%d, frag_id=%d frag_ptr=%d",
icmpLinkCount,
udpLinkCount,
tcpLinkCount,
pptpLinkCount,
fragmentIdLinkCount,
fragmentPtrLinkCount);
fprintf(monitorFile, " / tot=%d (sock=%d)\n",
icmpLinkCount + udpLinkCount
+ tcpLinkCount
+ pptpLinkCount
+ fragmentIdLinkCount
+ fragmentPtrLinkCount,
sockCount);
@ -542,7 +542,7 @@ GetNewPort(struct alias_link *link, int alias_port_param)
the port number. GetNewPort() will return this number
without check that it is in use.
Whis this parameter is -1, it indicates to get a randomly
When this parameter is -1, it indicates to get a randomly
selected port number.
*/
@ -557,7 +557,7 @@ GetNewPort(struct alias_link *link, int alias_port_param)
if (packetAliasMode & PKT_ALIAS_SAME_PORTS)
{
/*
* When the ALIAS_SAME_PORTS option is
* When the PKT_ALIAS_SAME_PORTS option is
* chosen, the first try will be the
* actual source port. If this is already
* in use, the remainder of the trials
@ -734,6 +734,7 @@ IncrementalCleanup(void)
case LINK_UDP:
case LINK_FRAGMENT_ID:
case LINK_FRAGMENT_PTR:
case LINK_PPTP:
if (idelta > link->expire_time)
{
DeleteLink(link);
@ -773,7 +774,7 @@ DeleteLink(struct alias_link *link)
return;
#ifndef NO_FW_PUNCH
/* Delete associatied firewall hole, if any */
/* Delete associated firewall hole, if any */
ClearFWHole(link);
#endif
@ -822,6 +823,9 @@ DeleteLink(struct alias_link *link)
if (link->data.tcp != NULL)
free(link->data.tcp);
break;
case LINK_PPTP:
pptpLinkCount--;
break;
case LINK_FRAGMENT_ID:
fragmentIdLinkCount--;
break;
@ -884,6 +888,9 @@ AddLink(struct in_addr src_addr,
case LINK_TCP:
link->expire_time = TCP_EXPIRE_INITIAL;
break;
case LINK_PPTP:
link->expire_time = PPTP_EXPIRE_TIME;
break;
case LINK_FRAGMENT_ID:
link->expire_time = FRAGMENT_ID_EXPIRE_TIME;
break;
@ -967,6 +974,9 @@ AddLink(struct in_addr src_addr,
#endif
}
break;
case LINK_PPTP:
pptpLinkCount++;
break;
case LINK_FRAGMENT_ID:
fragmentIdLinkCount++;
break;
@ -1272,6 +1282,7 @@ FindLinkIn(struct in_addr dst_addr,
FindIcmpIn(), FindIcmpOut()
FindFragmentIn1(), FindFragmentIn2()
AddFragmentPtrLink(), FindFragmentPtr()
FindPptpIn(), FindPptpOut()
FindUdpTcpIn(), FindUdpTcpOut()
FindOriginalAddress(), FindAliasAddress()
@ -1367,6 +1378,54 @@ FindFragmentPtr(struct in_addr dst_addr,
}
struct alias_link *
FindPptpIn(struct in_addr dst_addr,
struct in_addr alias_addr)
{
struct alias_link *link;
link = FindLinkIn(dst_addr, alias_addr,
NO_DEST_PORT, 0,
LINK_PPTP, 1);
if (link == NULL && !(packetAliasMode & PKT_ALIAS_DENY_INCOMING))
{
struct in_addr target_addr;
target_addr = FindOriginalAddress(alias_addr);
link = AddLink(target_addr, dst_addr, alias_addr,
NO_SRC_PORT, NO_DEST_PORT, 0,
LINK_PPTP);
}
return (link);
}
struct alias_link *
FindPptpOut(struct in_addr src_addr,
struct in_addr dst_addr)
{
struct alias_link *link;
link = FindLinkOut(src_addr, dst_addr,
NO_SRC_PORT, NO_DEST_PORT,
LINK_PPTP, 1);
if (link == NULL)
{
struct in_addr alias_addr;
alias_addr = FindAliasAddress(src_addr);
link = AddLink(src_addr, dst_addr, alias_addr,
NO_SRC_PORT, NO_DEST_PORT, 0,
LINK_PPTP);
}
return (link);
}
struct alias_link *
FindUdpTcpIn(struct in_addr dst_addr,
struct in_addr alias_addr,
@ -1663,7 +1722,7 @@ GetDestPort(struct alias_link *link)
void
SetAckModified(struct alias_link *link)
{
/* Indicate that ack numbers have been modified in a TCP connection */
/* Indicate that ACK numbers have been modified in a TCP connection */
link->data.tcp->state.ack_modified = 1;
}
@ -1699,7 +1758,7 @@ SetProxyPort(struct alias_link *link, u_short port)
int
GetAckModified(struct alias_link *link)
{
/* See if ack numbers have been modified */
/* See if ACK numbers have been modified */
return link->data.tcp->state.ack_modified;
}
@ -1708,8 +1767,8 @@ int
GetDeltaAckIn(struct ip *pip, struct alias_link *link)
{
/*
Find out how much the ack number has been altered for an incoming
TCP packet. To do this, a circular list is ack numbers where the TCP
Find out how much the ACK number has been altered for an incoming
TCP packet. To do this, a circular list of ACK numbers where the TCP
packet size was altered is searched.
*/
@ -1759,8 +1818,8 @@ int
GetDeltaSeqOut(struct ip *pip, struct alias_link *link)
{
/*
Find out how much the seq number has been altered for an outgoing
TCP packet. To do this, a circular list is ack numbers where the TCP
Find out how much the sequence number has been altered for an outgoing
TCP packet. To do this, a circular list of ACK numbers where the TCP
packet size was altered is searched.
*/
@ -1976,6 +2035,7 @@ UninitPacketAliasLog(void)
-- "outside world" means other than alias*.c routines --
PacketAliasRedirectPort()
PacketAliasRedirectPptp()
PacketAliasRedirectAddr()
PacketAliasRedirectDelete()
PacketAliasSetAddress()
@ -1987,7 +2047,7 @@ UninitPacketAliasLog(void)
*/
/* Redirection from a specific public addr:port to a
a private addr:port */
private addr:port */
struct alias_link *
PacketAliasRedirectPort(struct in_addr src_addr, u_short src_port,
struct in_addr dst_addr, u_short dst_port,
@ -2033,23 +2093,46 @@ PacketAliasRedirectPort(struct in_addr src_addr, u_short src_port,
}
/* Translate PPTP packets to a machine on the inside
* XXX This function is made obsolete by PacketAliasRedirectPptp().
*/
int
PacketAliasPptp(struct in_addr src_addr)
{
pptpAliasAddr = src_addr; /* Address of the inside PPTP machine */
pptpAliasFlag = src_addr.s_addr != INADDR_NONE;
if (src_addr.s_addr == INADDR_NONE)
packetAliasMode |= PKT_ALIAS_DENY_PPTP;
else
(void)PacketAliasRedirectPptp(src_addr, nullAddress, nullAddress);
return 1;
}
int GetPptpAlias (struct in_addr* alias_addr)
/* Redirect PPTP packets from a specific
public address to a private address */
struct alias_link *
PacketAliasRedirectPptp(struct in_addr src_addr,
struct in_addr dst_addr,
struct in_addr alias_addr)
{
if (pptpAliasFlag)
*alias_addr = pptpAliasAddr;
struct alias_link *link;
return pptpAliasFlag;
link = AddLink(src_addr, dst_addr, alias_addr,
NO_SRC_PORT, NO_DEST_PORT, 0,
LINK_PPTP);
if (link != NULL)
{
link->flags |= LINK_PERMANENT;
}
#ifdef DEBUG
else
{
fprintf(stderr, "PacketAliasRedirectPptp(): "
"call to AddLink() failed\n");
}
#endif
return link;
}
/* Static address translation */
@ -2145,6 +2228,7 @@ PacketAliasInit(void)
icmpLinkCount = 0;
udpLinkCount = 0;
tcpLinkCount = 0;
pptpLinkCount = 0;
fragmentIdLinkCount = 0;
fragmentPtrLinkCount = 0;
sockCount = 0;
@ -2154,8 +2238,6 @@ PacketAliasInit(void)
packetAliasMode = PKT_ALIAS_SAME_PORTS
| PKT_ALIAS_USE_SOCKETS
| PKT_ALIAS_RESET_ON_ADDR_CHANGE;
pptpAliasFlag = 0;
}
void


@ -95,6 +95,12 @@ AddFragmentPtrLink(struct in_addr, u_short);
struct alias_link *
FindFragmentPtr(struct in_addr, u_short);
struct alias_link *
FindPptpIn(struct in_addr, struct in_addr);
struct alias_link *
FindPptpOut(struct in_addr, struct in_addr);
struct alias_link *
FindUdpTcpIn (struct in_addr, struct in_addr, u_short, u_short, u_char);
@ -169,7 +175,5 @@ enum alias_tcp_state {
ALIAS_TCP_STATE_CONNECTED,
ALIAS_TCP_STATE_DISCONNECTED
};
int GetPptpAlias (struct in_addr*);
/*lint -restore */
#endif /* defined(ALIAS_LOCAL_H) */
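Review bot: The two added prototypes, `FindPptpIn` and `FindPptpOut`, each take two unnamed `struct in_addr` arguments and carry no comment, so the header says neither which address comes first nor that a lookup can create state. In the alias_db.c definitions shown in this commit the order is `(dst_addr, alias_addr)` for the inbound function and `(src_addr, dst_addr)` for the outbound one. Both call `AddLink()` with `LINK_PPTP` when no link is found, the inbound one only when `PKT_ALIAS_DENY_INCOMING` is clear. Because the inbound lookup is driven by packets arriving from outside, I would record this above the prototypes, for example `/* FindPptpIn(dst_addr, alias_addr): adds a LINK_PPTP link on a miss unless PKT_ALIAS_DENY_INCOMING is set; may return NULL */`, with a matching line for `FindPptpOut`.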


@ -227,6 +227,15 @@ Normal packet aliasing is not performed.
See
.Fn PacketAliasProxyRule
below for details.
.It Dv PKT_ALIAS_DENY_PPTP
If this mode bit is set, all PPTP packets will be marked for being ignored
(both
.Fn PacketAliasIn
and
.Fn PacketAliasOut
return
.Dv PKT_ALIAS_IGNORED
code).
.El
.Ed
.Pp
@ -362,9 +371,9 @@ by
.Fn PacketAliasSetAddress
is to be used.
Even if
.Nm PacketAliasSetAddress
.Fn PacketAliasSetAddress
is called to change the address after
.Nm PacketAliasRedirectPort
.Fn PacketAliasRedirectPort
is called, a zero reference will track this change.
.Pp
If
@ -577,22 +586,78 @@ internal machines that are not permitted certain types of internet
access, or to restrict access to certain external machines.
.Ed
.Pp
.Ft struct alias_link *
.Fo PacketAliasRedirectPptp
.Fa "struct in_addr local_addr"
.Fa "struct in_addr remote_addr"
.Fa "struct in_addr alias_addr"
.Fc
.Bd -ragged -offset indent
This function specifies that any Point to Point Tunneling Protocol
(PPTP) traffic from a given remote address to an alias address be
redirected to a specified local address.
Currently supported PPTP protocols include:
.Pp
.Bl -tag -width "IPPROTO_GRE" -compact
.It IPPROTO_GRE
Generic Routing Encapsulation (RFC 1702)
.It IPPROTO_ESP
IP Encapsulating Security Payload (RFC 1827)
.It IPPROTO_AH
IP Authentication Header (RFC 1826)
.El
.Pp
If
.Fa local_addr
or
.Fa alias_addr
is zero, this indicates that the packet aliasing address as established
by
.Fn PacketAliasSetAddress
is to be used.
Even if
.Fn PacketAliasSetAddress
is called to change the address after
.Fn PacketAliasRedirectPptp
is called, a zero reference will track this change.
.Pp
If
.Fa remote_addr
is zero, this indicates to redirect PPTP packets from any remote address.
Non-zero remote addresses can sometimes be useful for firewalling.
.Pp
If two calls to
.Fn PacketAliasRedirectPptp
overlap in their address specifications, then the most recent call
will have precedence.
.Pp
This function returns a pointer which can subsequently be used by
.Fn PacketAliasRedirectDelete .
If
.Dv NULL
is returned, then the function call did not complete successfully.
.Ed
.Pp
.Ft int
.Fn PacketAliasPptp "struct in_addr addr"
.Bd -ragged -offset indent
This function causes any General Routing Encapsulation
.Pq Dv IPPROTO_GRE
packets to be aliased using
.Ar addr
This function causes any PPTP packets to be aliased using
.Fa addr
rather than the address set via
.Fn PacketAliasSetAddress .
This allows the uses of the Point to Point Tunneling Protocol (PPTP)
on a machine on the internal network.
This allows the uses of the PPTP on a single machine on the internal network.
.Pp
If the passed address is
.Dv INADDR_NONE ,
.Dv PPTP
aliasing is disabled.
then PPTP aliasing is disabled.
.Pp
.Bf -symbolic
This function is made obsolete by
.Fn PacketAliasRedirectPptp
and
.Dv PKT_ALIAS_DENY_PPTP
mode bit, and is provided only for backward compatibility.
.Ef
.Ed
.Sh FRAGMENT HANDLING
The functions in this section are used to deal with incoming fragments.