Attachment #116654 for bug #158623

View | Details | Raw Unified | Return to bug 158623
Collapse All | Expand All




.\"
.\" $FreeBSD: src/sys/netinet/libalias/libalias.3,v 1.61 2011/06/22 20:00:27 ae Exp $
.\"
.Dd July 03, 2011
.Dt LIBALIAS 3
.Os
.Sh NAME

.Pp
A certain amount of flexibility is built into the packet aliasing engine.
In the simplest mode of operation, a many-to-one address mapping takes
place between the local network and the packet aliasing host.
This is known as IP masquerading.
In addition, one-to-one mappings between local and public addresses can
also be implemented, which is known as static NAT.

private address/port.
.Pp
The packet aliasing engine was designed to operate in user space outside
of the kernel, without any access to private kernel data structures, but
the source code can also be ported to a kernel environment.
.Sh INITIALIZATION AND CONTROL
One special function,
.Fn LibAliasInit ,
must always be called before any packet handling may be performed, and
the returned instance pointer must be passed to all the other functions.
Normally, the
.Fn LibAliasSetAddress
function is called afterwards, to set the default aliasing address.

This function has no return value and is used to clear any
resources attached to internal data structures.
.Pp
This function should be called when a program stops using the aliasing
engine; amongst other things, it clears out any firewall holes.
To provide backwards compatibility and extra security, it is added to
the
.Xr atexit 3

All outgoing packets are re-mapped to this address unless overridden by a
static address mapping established by
.Fn LibAliasRedirectAddr .
If this function has not been called, and no static rules match, an outgoing
packet retains its source address.
.Pp
If the

If the
.Dv PKT_ALIAS_RESET_ON_ADDR_CHANGE
mode bit is set to zero, this function can also be used to dynamically change
the aliasing address on a packet-to-packet basis (it is a low overhead call).
.Pp
It is mandatory that this function be called prior to any packet handling.
.Ed

.It Dv PKT_ALIAS_LOG
Enables logging into
.Pa /var/log/alias.log .
Each time an aliasing link is created or deleted, the log file is appended to
with the current number of ICMP, TCP and UDP links.
Mainly useful for debugging when the log file is viewed continuously with
.Xr tail 1 .

aliasing host or local network will be unaffected.
This mode bit is useful for implementing a one-way firewall.
.It Dv PKT_ALIAS_SAME_PORTS
If this mode bit is set, the packet-aliasing engine will attempt to leave
the alias port numbers unchanged from the actual local port numbers.
This can be done as long as the quintuple (proto, alias addr, alias port,
remote addr, remote port) is unique.

192.168.0.0  ->  192.168.255.255  (Class C subnets)
.Ed
.Pp
This option is useful in the case that the packet aliasing host has both
registered and unregistered subnets on different interfaces.
The registered subnet is fully accessible to the outside world, so traffic
from it does not need to be passed through the packet aliasing engine.

.It Dv PKT_ALIAS_PUNCH_FW
This option makes
.Nm
.Dq punch holes
in an
.Xr ipfirewall 4 -
based firewall for FTP/IRC DCC connections.
The holes punched are bound by from/to IP address and port; it will not be
possible to use a hole for another connection.

(e.g.\& kill -9),
changing the state of the flag will clear the entire firewall range
allocated for holes.
This clearing will also happen on the initial call to
.Fn LibAliasSetFWBase ,
which must happen prior to setting this flag.
.It Dv PKT_ALIAS_REVERSE
This option makes
.Nm

.It Dv PKT_ALIAS_SKIP_GLOBAL
This option is used by
.Pa ipfw_nat
only.
Specifying it as a flag to
.Fn LibAliasSetMode
has no effect.
See section
.Sx NETWORK ADDRESS TRANSLATION
in
.Xr ipfw 8

.Ft void
.Fn LibAliasSetFWBase "struct libalias *" "unsigned int base" "unsigned int num"
.Bd -ragged -offset indent
Set the firewall range allocated for punching firewall holes (with the
.Dv PKT_ALIAS_PUNCH_FW
flag).
The range is cleared for all rules on initialization.
.Ed
.Pp
.Ft void

.Fn LibAliasIn
and
.Fn LibAliasOut ,
comprise the minimal set of functions needed for a basic IP masquerading
implementation.
.Pp
.Ft int

The packet aliasing process was successful.
.It Dv PKT_ALIAS_IGNORED
The packet was ignored and not de-aliased.
This can happen if the protocol is unrecognized, as for an ICMP message
type that is not handled, or if incoming packets for new connections are being
ignored (if the
.Dv PKT_ALIAS_DENY_INCOMING
mode bit was set using
.Fn LibAliasSetMode ) .
.It Dv PKT_ALIAS_UNRESOLVED_FRAGMENT
This is returned when a fragment cannot be resolved because the header

.Fn LibAliasRedirectPort
is called, a zero reference will track this change.
.Pp
If the link is further set up to operate with load sharing, then
.Fa local_addr
and
.Fa local_port

.Fa remote_port
is zero, this indicates to redirect packets originating from any remote
port number.
The remote port specification will almost always be zero, but non-zero
remote addresses can sometimes be useful for firewalling.
If two calls to
.Fn LibAliasRedirectPort

.Fn LibAliasRedirectAddr
is called, a zero reference will track this change.
.Pp
If the link is further set up to operate with load sharing, then the
.Fa local_addr
argument
is ignored, and is selected dynamically from the server pool, as described in
.Fn LibAliasAddServer
below.

LSNAT operates as follows.
A client attempts to access a server by using the server virtual address.
The LSNAT router transparently redirects the request to one of the hosts
in the server pool, using a real-time load sharing algorithm.
Multiple sessions may be initiated from the same client, and each session
could be directed to a different host based on the load balance across server
pool hosts when the sessions are initiated.
If load sharing is desired for just a few specific services, the configuration
on LSNAT could be defined to restrict load sharing to just the services
desired.
.Pp
Currently, only the simplest selection algorithm is implemented, where a

is the pointer returned by either of the redirection functions.
If an invalid pointer is passed to
.Fn LibAliasRedirectDelete ,
then a program crash or unpredictable operation could result, so
care is needed when using this function.
.Ed
.Pp
.Ft int

.Bd -ragged -offset indent
This function specifies that any IP packet with protocol number of
.Fa proto
from a given remote address to an alias address will be
redirected to a specified local address.
.Pp
If

"struct in_addr alias_addr" "u_short src_port" "u_short dst_port" \
"int alias_param" "int link_type"
.Bd -ragged -offset indent
This function adds new state to the instance hash table.
The dst_address and/or dst_port may be given as zero, which
introduces some dynamic character into the link, since
LibAliasSetAddress can change the address that is used.
However, in the current implementation, such links can only be used
for inbound (ext -> int) traffic.
.Ed
.Pp
.Ft void

.Ed
.Pp
.Va handler_chain
keeps track of all the protocol handlers loaded, while
.Va ddl_chain
tracks which userland modules are loaded.
.Pp
.Va handler_chain
is composed of

where:
.Bl -inset
.It Va pri
is the priority assigned to a protocol handler; lower priority
is better.
.It Va dir
is the direction of packets: ingoing or outgoing.
.It Va proto
indicates to which protocol this packet belongs: IP, TCP or UDP.
.It Va fingerprint
points to the fingerprint function while protohandler points
to the protocol handler function.

.Pp
The
.Va fingerprint
function has the dual role of checking if the
incoming packet is found, and if it belongs to any categories that this
module can handle.
.Pp
The

if it meets a module hook,
.Va handler_chain
is searched to see if there is an handler that matches
this type of a packet (it checks protocol and direction of packet).
Then, if
more than one handler is found, it starts with the module with
the lowest priority number: it calls the
.Va fingerprint

is called.
The
.Fn find_handler
function is responsible for walking the handler
chain; it receives as input parameters:
.Bl -tag -width indent
.It Fa IN
direction

.Pp
As was mentioned earlier,
.Nm
in userland is a bit different, as
care must be taken in module handling as well (avoiding duplicate load of
modules, avoiding modules with same name, etc.) so
.Va dll_chain
was introduced.
.Pp

.Nm
first unloads all the loaded modules, then reloads all the modules listed in
.Pa /etc/libalias.conf :
for every module loaded, a new entry is added to
.Va dll_chain .
is added.
.Pp
.Va dll_chain
is composed of

.Pa alias_dummy.[ch] )
in
.Nm
that can be used as a skeleton for future work.
Here we analyse some parts of that
module.
From
.Pa alias_dummy.c :

is the
.Dq "most important thing"
in a module
since it describes the handlers present and lets the outside world use
it in an opaque way.
.Pp
It must ALWAYS be present in every module, and it MUST retain

.Ed
When running as KLD,
.Fn mod_handler
registers/deregisters the module using
.Fn attach_handlers
and
.Fn detach_handlers ,

Return to bug 158623

Lines 25-31 Link Here

(-)libalias.3 (-59 / +66 lines)
25	.\"	25	.\"
26	.\" $FreeBSD: src/sys/netinet/libalias/libalias.3,v 1.61 2011/06/22 20:00:27 ae Exp $	26	.\" $FreeBSD: src/sys/netinet/libalias/libalias.3,v 1.61 2011/06/22 20:00:27 ae Exp $
27	.\"	27	.\"
28	.Dd June 22, 2011	28	.Dd July 03, 2011
29	.Dt LIBALIAS 3	29	.Dt LIBALIAS 3
30	.Os	30	.Os
31	.Sh NAME	31	.Sh NAME
Lines 52-58 Link Here
52	.Pp	52	.Pp
53	A certain amount of flexibility is built into the packet aliasing engine.	53	A certain amount of flexibility is built into the packet aliasing engine.
54	In the simplest mode of operation, a many-to-one address mapping takes	54	In the simplest mode of operation, a many-to-one address mapping takes
55	place between local network and the packet aliasing host.	55	place between the local network and the packet aliasing host.
56	This is known as IP masquerading.	56	This is known as IP masquerading.
57	In addition, one-to-one mappings between local and public addresses can	57	In addition, one-to-one mappings between local and public addresses can
58	also be implemented, which is known as static NAT.	58	also be implemented, which is known as static NAT.
Lines 63-75 Link Here
63	private address/port.	63	private address/port.
64	.Pp	64	.Pp
65	The packet aliasing engine was designed to operate in user space outside	65	The packet aliasing engine was designed to operate in user space outside
66	of the kernel, without any access to private kernel data structure, but	66	of the kernel, without any access to private kernel data structures, but
67	the source code can also be ported to a kernel environment.	67	the source code can also be ported to a kernel environment.
68	.Sh INITIALIZATION AND CONTROL	68	.Sh INITIALIZATION AND CONTROL
69	One special function,	69	One special function,
70	.Fn LibAliasInit ,	70	.Fn LibAliasInit ,
71	must always be called before any packet handling may be performed and	71	must always be called before any packet handling may be performed, and
72	the returned instance pointer passed to all the other functions.	72	the returned instance pointer must be passed to all the other functions.
73	Normally, the	73	Normally, the
74	.Fn LibAliasSetAddress	74	.Fn LibAliasSetAddress
75	function is called afterwards, to set the default aliasing address.	75	function is called afterwards, to set the default aliasing address.
Lines 118-125 Link Here
118	This function has no return value and is used to clear any	118	This function has no return value and is used to clear any
119	resources attached to internal data structures.	119	resources attached to internal data structures.
120	.Pp	120	.Pp
121	This functions should be called when a program stops using the aliasing	121	This function should be called when a program stops using the aliasing
122	engine; it does, amongst other things, clear out any firewall holes.	122	engine; amongst other things, it clears out any firewall holes.
123	To provide backwards compatibility and extra security, it is added to	123	To provide backwards compatibility and extra security, it is added to
124	the	124	the
125	.Xr atexit 3	125	.Xr atexit 3
Lines 135-141 Link Here
135	All outgoing packets are re-mapped to this address unless overridden by a	135	All outgoing packets are re-mapped to this address unless overridden by a
136	static address mapping established by	136	static address mapping established by
137	.Fn LibAliasRedirectAddr .	137	.Fn LibAliasRedirectAddr .
138	If this function is not called, and no static rules match, an outgoing	138	If this function has not been called, and no static rules match, an outgoing
139	packet retains its source address.	139	packet retains its source address.
140	.Pp	140	.Pp
141	If the	141	If the
Lines 150-156 Link Here
150	If the	150	If the
151	.Dv PKT_ALIAS_RESET_ON_ADDR_CHANGE	151	.Dv PKT_ALIAS_RESET_ON_ADDR_CHANGE
152	mode bit is set to zero, this function can also be used to dynamically change	152	mode bit is set to zero, this function can also be used to dynamically change
153	the aliasing address on a packet to packet basis (it is a low overhead call).	153	the aliasing address on a packet-to-packet basis (it is a low overhead call).
154	.Pp	154	.Pp
155	It is mandatory that this function be called prior to any packet handling.	155	It is mandatory that this function be called prior to any packet handling.
156	.Ed	156	.Ed
Lines 170-176 Link Here
170	.It Dv PKT_ALIAS_LOG	170	.It Dv PKT_ALIAS_LOG
171	Enables logging into	171	Enables logging into
172	.Pa /var/log/alias.log .	172	.Pa /var/log/alias.log .
173	Each time an aliasing link is created or deleted, the log file is appended	173	Each time an aliasing link is created or deleted, the log file is appended to
174	with the current number of ICMP, TCP and UDP links.	174	with the current number of ICMP, TCP and UDP links.
175	Mainly useful for debugging when the log file is viewed continuously with	175	Mainly useful for debugging when the log file is viewed continuously with
176	.Xr tail 1 .	176	.Xr tail 1 .
Lines 186-192 Link Here
186	aliasing host or local network will be unaffected.	186	aliasing host or local network will be unaffected.
187	This mode bit is useful for implementing a one-way firewall.	187	This mode bit is useful for implementing a one-way firewall.
188	.It Dv PKT_ALIAS_SAME_PORTS	188	.It Dv PKT_ALIAS_SAME_PORTS
189	If this mode bit is set, the packet aliasing engine will attempt to leave	189	If this mode bit is set, the packet-aliasing engine will attempt to leave
190	the alias port numbers unchanged from the actual local port numbers.	190	the alias port numbers unchanged from the actual local port numbers.
191	This can be done as long as the quintuple (proto, alias addr, alias port,	191	This can be done as long as the quintuple (proto, alias addr, alias port,
192	remote addr, remote port) is unique.	192	remote addr, remote port) is unique.
Lines 211-217 Link Here
211	192.168.0.0 -> 192.168.255.255 (Class C subnets)	211	192.168.0.0 -> 192.168.255.255 (Class C subnets)
212	.Ed	212	.Ed
213	.Pp	213	.Pp
214	This option is useful in the case that packet aliasing host has both	214	This option is useful in the case that the packet aliasing host has both
215	registered and unregistered subnets on different interfaces.	215	registered and unregistered subnets on different interfaces.
216	The registered subnet is fully accessible to the outside world, so traffic	216	The registered subnet is fully accessible to the outside world, so traffic
217	from it does not need to be passed through the packet aliasing engine.	217	from it does not need to be passed through the packet aliasing engine.
Lines 229-236 Link Here
229	.It Dv PKT_ALIAS_PUNCH_FW	229	.It Dv PKT_ALIAS_PUNCH_FW
230	This option makes	230	This option makes
231	.Nm	231	.Nm
232	`punch holes' in an	232	.Dq punch holes
233	.Xr ipfirewall 4	233	in an
		234	.Xr ipfirewall 4 -
234	based firewall for FTP/IRC DCC connections.	235	based firewall for FTP/IRC DCC connections.
235	The holes punched are bound by from/to IP address and port; it will not be	236	The holes punched are bound by from/to IP address and port; it will not be
236	possible to use a hole for another connection.	237	possible to use a hole for another connection.
Lines 240-248 Link Here
240	(e.g.\& kill -9),	241	(e.g.\& kill -9),
241	changing the state of the flag will clear the entire firewall range	242	changing the state of the flag will clear the entire firewall range
242	allocated for holes.	243	allocated for holes.
243	This will also happen on the initial call to	244	This clearing will also happen on the initial call to
244	.Fn LibAliasSetFWBase .	245	.Fn LibAliasSetFWBase ,
245	This call must happen prior to setting this flag.	246	which must happen prior to setting this flag.
246	.It Dv PKT_ALIAS_REVERSE	247	.It Dv PKT_ALIAS_REVERSE
247	This option makes	248	This option makes
248	.Nm	249	.Nm
Lines 260-268 Link Here
260	.It Dv PKT_ALIAS_SKIP_GLOBAL	261	.It Dv PKT_ALIAS_SKIP_GLOBAL
261	This option is used by	262	This option is used by
262	.Pa ipfw_nat	263	.Pa ipfw_nat
263	only. Specifying it as a flag to	264	only.
		265	Specifying it as a flag to
264	.Fn LibAliasSetMode	266	.Fn LibAliasSetMode
265	has no effect. See section	267	has no effect.
		268	See section
266	.Sx NETWORK ADDRESS TRANSLATION	269	.Sx NETWORK ADDRESS TRANSLATION
267	in	270	in
268	.Xr ipfw 8	271	.Xr ipfw 8
Lines 273-282 Link Here
273	.Ft void	276	.Ft void
274	.Fn LibAliasSetFWBase "struct libalias *" "unsigned int base" "unsigned int num"	277	.Fn LibAliasSetFWBase "struct libalias *" "unsigned int base" "unsigned int num"
275	.Bd -ragged -offset indent	278	.Bd -ragged -offset indent
276	Set firewall range allocated for punching firewall holes (with the	279	Set the firewall range allocated for punching firewall holes (with the
277	.Dv PKT_ALIAS_PUNCH_FW	280	.Dv PKT_ALIAS_PUNCH_FW
278	flag).	281	flag).
279	The range will be cleared for all rules on initialization.	282	The range is cleared for all rules on initialization.
280	.Ed	283	.Ed
281	.Pp	284	.Pp
282	.Ft void	285	.Ft void
Lines 302-308 Link Here
302	.Fn LibAliasIn	305	.Fn LibAliasIn
303	and	306	and
304	.Fn LibAliasOut ,	307	.Fn LibAliasOut ,
305	comprise minimal set of functions needed for a basic IP masquerading	308	comprise the minimal set of functions needed for a basic IP masquerading
306	implementation.	309	implementation.
307	.Pp	310	.Pp
308	.Ft int	311	.Ft int
Lines 323-333 Link Here
323	The packet aliasing process was successful.	326	The packet aliasing process was successful.
324	.It Dv PKT_ALIAS_IGNORED	327	.It Dv PKT_ALIAS_IGNORED
325	The packet was ignored and not de-aliased.	328	The packet was ignored and not de-aliased.
326	This can happen if the protocol is unrecognized, possibly an ICMP message	329	This can happen if the protocol is unrecognized, as for an ICMP message
327	type is not handled or if incoming packets for new connections are being	330	type that is not handled, or if incoming packets for new connections are being
328	ignored (if	331	ignored (if the
329	.Dv PKT_ALIAS_DENY_INCOMING	332	.Dv PKT_ALIAS_DENY_INCOMING
330	mode bit was set by	333	mode bit was set using
331	.Fn LibAliasSetMode ) .	334	.Fn LibAliasSetMode ) .
332	.It Dv PKT_ALIAS_UNRESOLVED_FRAGMENT	335	.It Dv PKT_ALIAS_UNRESOLVED_FRAGMENT
333	This is returned when a fragment cannot be resolved because the header	336	This is returned when a fragment cannot be resolved because the header
Lines 418-424 Link Here
418	.Fn LibAliasRedirectPort	421	.Fn LibAliasRedirectPort
419	is called, a zero reference will track this change.	422	is called, a zero reference will track this change.
420	.Pp	423	.Pp
421	If the link is further set up to operate for a load sharing, then	424	If the link is further set up to operate with load sharing, then
422	.Fa local_addr	425	.Fa local_addr
423	and	426	and
424	.Fa local_port	427	.Fa local_port
Lines 433-439 Link Here
433	.Fa remote_port	436	.Fa remote_port
434	is zero, this indicates to redirect packets originating from any remote	437	is zero, this indicates to redirect packets originating from any remote
435	port number.	438	port number.
436	Almost always, the remote port specification will be zero, but non-zero	439	The remote port specification will almost always be zero, but non-zero
437	remote addresses can sometimes be useful for firewalling.	440	remote addresses can sometimes be useful for firewalling.
438	If two calls to	441	If two calls to
439	.Fn LibAliasRedirectPort	442	.Fn LibAliasRedirectPort
Lines 485-492 Link Here
485	.Fn LibAliasRedirectAddr	488	.Fn LibAliasRedirectAddr
486	is called, a zero reference will track this change.	489	is called, a zero reference will track this change.
487	.Pp	490	.Pp
488	If the link is further set up to operate for a load sharing, then	491	If the link is further set up to operate with load sharing, then the
489	.Fa local_addr	492	.Fa local_addr
		493	argument
490	is ignored, and is selected dynamically from the server pool, as described in	494	is ignored, and is selected dynamically from the server pool, as described in
491	.Fn LibAliasAddServer	495	.Fn LibAliasAddServer
492	below.	496	below.
Lines 542-553 Link Here
542	LSNAT operates as follows.	546	LSNAT operates as follows.
543	A client attempts to access a server by using the server virtual address.	547	A client attempts to access a server by using the server virtual address.
544	The LSNAT router transparently redirects the request to one of the hosts	548	The LSNAT router transparently redirects the request to one of the hosts
545	in server pool, selected using a real-time load sharing algorithm.	549	in the server pool, using a real-time load sharing algorithm.
546	Multiple sessions may be initiated from the same client, and each session	550	Multiple sessions may be initiated from the same client, and each session
547	could be directed to a different host based on load balance across server	551	could be directed to a different host based on the load balance across server
548	pool hosts at the time.	552	pool hosts when the sessions are initiated.
549	If load share is desired for just a few specific services, the configuration	553	If load sharing is desired for just a few specific services, the configuration
550	on LSNAT could be defined to restrict load share for just the services	554	on LSNAT could be defined to restrict load sharing to just the services
551	desired.	555	desired.
552	.Pp	556	.Pp
553	Currently, only the simplest selection algorithm is implemented, where a	557	Currently, only the simplest selection algorithm is implemented, where a
Lines 606-613 Link Here
606	is the pointer returned by either of the redirection functions.	610	is the pointer returned by either of the redirection functions.
607	If an invalid pointer is passed to	611	If an invalid pointer is passed to
608	.Fn LibAliasRedirectDelete ,	612	.Fn LibAliasRedirectDelete ,
609	then a program crash or unpredictable operation could result, so it is	613	then a program crash or unpredictable operation could result, so
610	necessary to be careful using this function.	614	care is needed when using this function.
611	.Ed	615	.Ed
612	.Pp	616	.Pp
613	.Ft int	617	.Ft int
Lines 714-720 Link Here
714	.Bd -ragged -offset indent	718	.Bd -ragged -offset indent
715	This function specifies that any IP packet with protocol number of	719	This function specifies that any IP packet with protocol number of
716	.Fa proto	720	.Fa proto
717	from a given remote address to an alias address be	721	from a given remote address to an alias address will be
718	redirected to a specified local address.	722	redirected to a specified local address.
719	.Pp	723	.Pp
720	If	724	If
Lines 829-838 Link Here
829	"struct in_addr alias_addr" "u_short src_port" "u_short dst_port" \	833	"struct in_addr alias_addr" "u_short src_port" "u_short dst_port" \
830	"int alias_param" "int link_type"	834	"int alias_param" "int link_type"
831	.Bd -ragged -offset indent	835	.Bd -ragged -offset indent
832	This function adds new state to instance hash table.	836	This function adds new state to the instance hash table.
833	Zero can be specified instead of dst_address and/or dst port.	837	The dst_address and/or dst_port may be given as zero, which
834	This makes link partially specified dynamic.	838	introduces some dynamic character into the link, since
835	However due to hashing method such links can be resolved on inbound (ext -> int) only.	839	LibAliasSetAddress can change the address that is used.
		840	However, in the current implementation, such links can only be used
		841	for inbound (ext -> int) traffic.
836	.Ed	842	.Ed
837	.Pp	843	.Pp
838	.Ft void	844	.Ft void
Lines 1119-1127 Link Here
1119	.Ed	1125	.Ed
1120	.Pp	1126	.Pp
1121	.Va handler_chain	1127	.Va handler_chain
1122	keep tracks of all the protocol handlers loaded, while	1128	keeps track of all the protocol handlers loaded, while
1123	.Va ddl_chain	1129	.Va ddl_chain
1124	takes care of userland modules loaded.	1130	tracks which userland modules are loaded.
1125	.Pp	1131	.Pp
1126	.Va handler_chain	1132	.Va handler_chain
1127	is composed of	1133	is composed of
Lines 1143-1154 Link Here
1143	where:	1149	where:
1144	.Bl -inset	1150	.Bl -inset
1145	.It Va pri	1151	.It Va pri
1146	is the priority assigned to a protocol handler, lower	1152	is the priority assigned to a protocol handler; lower priority
1147	is better.	1153	is better.
1148	.It Va dir	1154	.It Va dir
1149	is the direction of packets: ingoing or outgoing.	1155	is the direction of packets: ingoing or outgoing.
1150	.It Va proto	1156	.It Va proto
1151	says at which protocol this packet belongs: IP, TCP or UDP.	1157	indicates to which protocol this packet belongs: IP, TCP or UDP.
1152	.It Va fingerprint	1158	.It Va fingerprint
1153	points to the fingerprint function while protohandler points	1159	points to the fingerprint function while protohandler points
1154	to the protocol handler function.	1160	to the protocol handler function.
Lines 1156-1163 Link Here
1156	.Pp	1162	.Pp
1157	The	1163	The
1158	.Va fingerprint	1164	.Va fingerprint
1159	function has the double of scope of checking if the	1165	function has the dual role of checking if the
1160	incoming packet is found and if it belongs to any categories that this	1166	incoming packet is found, and if it belongs to any categories that this
1161	module can handle.	1167	module can handle.
1162	.Pp	1168	.Pp
1163	The	1169	The
Lines 1172-1178 Link Here
1172	if it meets a module hook,	1178	if it meets a module hook,
1173	.Va handler_chain	1179	.Va handler_chain
1174	is searched to see if there is an handler that matches	1180	is searched to see if there is an handler that matches
1175	this type of a packet (it checks protocol and direction of packet), then if	1181	this type of a packet (it checks protocol and direction of packet).
		1182	Then, if
1176	more than one handler is found, it starts with the module with	1183	more than one handler is found, it starts with the module with
1177	the lowest priority number: it calls the	1184	the lowest priority number: it calls the
1178	.Va fingerprint	1185	.Va fingerprint
Lines 1211-1218 Link Here
1211	is called.	1218	is called.
1212	The	1219	The
1213	.Fn find_handler	1220	.Fn find_handler
1214	function is responsible for walking out the handler	1221	function is responsible for walking the handler
1215	chain, it receives as input parameters:	1222	chain; it receives as input parameters:
1216	.Bl -tag -width indent	1223	.Bl -tag -width indent
1217	.It Fa IN	1224	.It Fa IN
1218	direction	1225	direction
Lines 1236-1244 Link Here
1236	.Pp	1243	.Pp
1237	As was mentioned earlier,	1244	As was mentioned earlier,
1238	.Nm	1245	.Nm
1239	in userland is a bit different, cause	1246	in userland is a bit different, as
1240	care has to be taken of module handling too (avoiding duplicate load of	1247	care must be taken in module handling as well (avoiding duplicate load of
1241	module, avoiding module with same name, etc.) so	1248	modules, avoiding modules with same name, etc.) so
1242	.Va dll_chain	1249	.Va dll_chain
1243	was introduced.	1250	was introduced.
1244	.Pp	1251	.Pp
Lines 1252-1260 Link Here
1252	.Nm	1259	.Nm
1253	first unloads all the loaded modules, then reloads all the modules listed in	1260	first unloads all the loaded modules, then reloads all the modules listed in
1254	.Pa /etc/libalias.conf :	1261	.Pa /etc/libalias.conf :
1255	for every module loaded, a new entry to	1262	for every module loaded, a new entry is added to
1256	.Va dll_chain	1263	.Va dll_chain .
1257	is added.
1258	.Pp	1264	.Pp
1259	.Va dll_chain	1265	.Va dll_chain
1260	is composed of	1266	is composed of
Lines 1291-1297 Link Here
1291	.Pa alias_dummy.[ch] )	1297	.Pa alias_dummy.[ch] )
1292	in	1298	in
1293	.Nm	1299	.Nm
1294	that can be used as a skeleton for future work, here we analyse some parts of that	1300	that can be used as a skeleton for future work.
		1301	Here we analyse some parts of that
1295	module.	1302	module.
1296	From	1303	From
1297	.Pa alias_dummy.c :	1304	.Pa alias_dummy.c :
Lines 1305-1311 Link Here
1305	is the	1312	is the
1306	.Dq "most important thing"	1313	.Dq "most important thing"
1307	in a module	1314	in a module
1308	cause it describes the handlers present and lets the outside world use	1315	since it describes the handlers present and lets the outside world use
1309	it in an opaque way.	1316	it in an opaque way.
1310	.Pp	1317	.Pp
1311	It must ALWAYS be present in every module, and it MUST retain	1318	It must ALWAYS be present in every module, and it MUST retain
Lines 1348-1354 Link Here
1348	.Ed	1355	.Ed
1349	When running as KLD,	1356	When running as KLD,
1350	.Fn mod_handler	1357	.Fn mod_handler
1351	register/deregister the module using	1358	registers/deregisters the module using
1352	.Fn attach_handlers	1359	.Fn attach_handlers
1353	and	1360	and
1354	.Fn detach_handlers ,	1361	.Fn detach_handlers ,