Masquerading over a Link using Dynamic Addresses
        ------------------------------------------------

1. Your initial set up must allow packets to forwarded with *no*
   masquerading to diald's proxy. At this stage you do not know
   what to masquerade as...

2. Diald receives an unmasqueraded packet on its proxy and brings
   the link up.

3. You now allow packets to be forwarded on the real interface
   *with* masquerading. You can do this in your diald addroute script,
   or your ip-up script.
   [N.B. ip-up is non-blocking so your masq setup may not be
    completed before diald forwards buffered packets.]
   [Hint: do not use the defaultroute option. Use addroute to
    set the masq rules, then add a default route. That way there
    is no window where unmasqueraded packets may be sent over the
    real link.]

4. Diald forwards the buffered packets it received on the proxy
   link. Remember, these have not yet been masqueraded. If the
   dynamic option has been used diald sends the buffered packets
   *back* to the kernel via the proxy interface rather than
   sending them direct to the real interface. The kernel now
   handles them as any other incoming packet, routing them to
   the real interface and applying the masquerade rules.

5. When the real link goes down you should delete the masquerade
   rules. You can do this in your diald delroute script or ip-down
   script.