Add ip6fw.

Yes it is almost code freeze, but as the result of many thought, now I
think this should be added before 4.0...

make world check, kernel build check is done.

Reviewed by: green
Obtained from: KAME project

14 files changed, 3195 insertions, 0 deletions

diff --git a/sbin/Makefile b/sbin/Makefile
index 5c4a891..2a1ee08 100644
--- a/sbin/Makefile
+++ b/sbin/Makefile
@@ -21,6 +21,7 @@ SUBDIR=	adjkerntz \
 	fsirand \
 	ifconfig \
 	init \
+	ip6fw \
 	ipf \
 	ipfstat \
 	ipfw \
diff --git a/sbin/ip6fw/Makefile b/sbin/ip6fw/Makefile
new file mode 100644
index 0000000..975aef5
--- /dev/null
+++ b/sbin/ip6fw/Makefile
@@ -0,0 +1,6 @@
+# $FreeBSD$
+
+PROG=   ip6fw
+MAN8=	ip6fw.8
+
+.include <bsd.prog.mk>
diff --git a/sbin/ip6fw/ip6fw.8 b/sbin/ip6fw/ip6fw.8
new file mode 100644
index 0000000..7a90ca9
--- /dev/null
+++ b/sbin/ip6fw/ip6fw.8
@@ -0,0 +1,478 @@
+.\"
+.\" $FreeBSD$
+.\"
+.Dd July 20, 1996
+.Dt IP6FW 8 SMM
+.Os FreeBSD
+.Sh NAME
+.Nm ip6fw
+.Nd controlling utility for IPv6 firewall
+.Sh SYNOPSIS
+.Nm
+.Ar file
+.Nm ip6fw
+.Oo
+.Fl f
+|
+.Fl q
+.Oc
+flush
+.Nm ip6fw
+.Oo
+.Fl q
+.Oc
+zero
+.Op Ar number ...
+.Nm ip6fw
+delete
+.Ar number ...
+.Nm ip6fw
+.Op Fl aftN
+list
+.Op Ar number ...
+.Nm ip6fw
+.Oo
+.Fl ftN
+.Oc
+show
+.Op Ar number ...
+.Nm ip6fw
+.Oo
+.Fl q
+.Oc
+add
+.Op Ar number
+.Ar action
+.Op log
+.Ar proto
+from
+.Ar src
+to
+.Ar dst
+.Op via Ar name | ipv6no
+.Op Ar options
+.Sh DESCRIPTION
+If used as shown in the first synopsis line, the
+.Ar file
+will be read line by line and applied as arguments to the
+.Nm
+command.
+.Pp
+The
+.Nm
+code works by going through the rule-list for each packet,
+until a match is found.
+All rules have two associated counters, a packet count and
+a byte count.
+These counters are updated when a packet matches the rule.
+.Pp
+The rules are ordered by a ``line-number'' from 1 to 65534 that is used
+to order and delete rules. Rules are tried in increasing order, and the
+first rule that matches a packet applies.
+Multiple rules may share the same number and apply in
+the order in which they were added.
+.Pp
+If a rule is added without a number, it is numbered 100 higher
+than the previous rule. If the highest defined rule number is
+greater than 65434, new rules are appended to the last rule.
+.Pp
+The delete operation deletes the first rule with number
+.Ar number ,
+if any.
+.Pp
+The list command prints out the current rule set.
+.Pp
+The show command is equivalent to `ip6fw -a list'.
+.Pp
+The zero operation zeroes the counters associated with rule number
+.Ar number .
+.Pp
+The flush operation removes all rules.
+.Pp
+Any command beginning with a '#', or being all blank, is ignored.
+.Pp
+One rule is always present:
+.Bd -literal -offset center
+65535 deny all from any to any
+.Ed
+.Pp
+This rule is the default policy, i.e., don't allow anything at all.
+Your job in setting up rules is to modify this policy to match your
+needs.
+.Pp
+The following options are available:
+.Bl -tag -width flag
+.It Fl a
+While listing, show counter values.  See also ``show'' command.
+.It Fl f
+Don't ask for confirmation for commands that can cause problems if misused
+(ie; flush).
+.Ar Note ,
+if there is no tty associated with the process, this is implied.
+.It Fl q
+While adding, zeroing or flushing, be quiet about actions (implies '-f').
+This is useful for adjusting rules by executing multiple ip6fw commands in a
+script (e.g. sh /etc/rc.firewall), or by processing a file of many ip6fw rules,
+across a remote login session.  If a flush is performed in normal
+(verbose) mode, it prints a message.  Because all rules are flushed, the
+message cannot be delivered to the login session, the login session is
+closed and the remainder of the ruleset is not processed.  Access to the
+console is required to recover.
+.It Fl t
+While listing, show last match timestamp.
+.It Fl N
+Try to resolve addresses and service names in output.
+.El
+.Pp
+.Ar action :
+.Bl -hang -offset flag -width 1234567890123456
+.It Ar allow
+Allow packets that match rule.
+The search terminates. Aliases are
+.Ar pass ,
+.Ar permit ,
+and
+.Ar accept .
+.It Ar deny
+Discard packets that match this rule.
+The search terminates.
+.Ar Drop
+is an alias for
+.Ar deny .
+.It Ar reject
+(Deprecated.) Discard packets that match this rule, and try to send an ICMPv6
+host unreachable notice.
+The search terminates.
+.It Ar unreach code
+Discard packets that match this rule, and try to send an ICMPv6
+unreachable notice with code
+.Ar code ,
+where
+.Ar code
+is a number from zero to 255, or one of these aliases:
+.Ar noroute ,
+.Ar admin ,
+.Ar notneighbor ,
+.Ar addr ,
+or
+.Ar noport ,
+The search terminates.
+.It Ar reset
+TCP packets only. Discard packets that match this rule,
+and try to send a TCP reset (RST) notice.
+The search terminates
+.Em (not working yet).
+.It Ar count
+Update counters for all packets that match rule.
+The search continues with the next rule.
+.It Ar skipto number
+Skip all subsequent rules numbered less than
+.Ar number .
+The search continues with the first rule numbered
+.Ar number
+or higher.
+.El
+.Pp
+If the kernel was compiled with
+.Dv IP6FIREWALL_VERBOSE ,
+then when a packet matches a rule with the ``log''
+keyword a message will be printed on the console.
+If the kernel was compiled with the
+.Dv IP6FIREWALL_VERBOSE_LIMIT
+option, then logging will cease after the number of packets
+specified by the option are received for that particular
+chain entry.  Logging may then be re-enabled by clearing
+the packet counter for that entry.
+.Pp
+Console logging and the log limit are adjustable dynamically
+through the
+.Xr sysctl 8
+interface.
+.Pp
+.Ar proto :
+.Bl -hang -offset flag -width 1234567890123456
+.It Ar ipv6
+All packets match. The alias
+.Ar all
+has the same effect.
+.It Ar tcp
+Only TCP packets match.
+.It Ar udp
+Only UDP packets match.
+.It Ar ipv6-icmp
+Only ICMPv6 packets match.
+.It Ar <number|name>
+Only packets for the specified protocol matches (see
+.Pa /etc/protocols
+for a complete list).
+.El
+.Pp
+.Ar src
+and
+.Ar dst :
+.Bl -hang -offset flag
+.It Ar <address/prefixlen>
+.Op Ar ports
+.El
+.Pp
+The
+.Em <address/prefixlen>
+may be specified as:
+.Bl -hang -offset flag -width 1234567890123456
+.It Ar ipv6no
+An ipv6number of the form fec0::1:2:3:4.
+.It Ar ipv6no/prefixlen
+An ipv6number with a prefix length of the form fec0::1:2:3:4/112.
+.El
+.Pp
+The sense of the match can be inverted by preceding an address with the
+``not'' modifier, causing all other addresses to be matched instead. This
+does not affect the selection of port numbers.
+.Pp
+With the TCP and UDP protocols, optional
+.Em ports
+may be specified as:
+.Pp
+.Bl -hang -offset flag
+.It Ns {port|port-port} Ns Op ,port Ns Op ,...
+.El
+.Pp
+Service names (from
+.Pa /etc/services )
+may be used instead of numeric port values.
+A range may only be specified as the first value,
+and the length of the port list is limited to
+.Dv IP6_FW_MAX_PORTS
+(as defined in
+.Pa /usr/src/sys/netinet/ip6_fw.h )
+ports.
+.Pp
+Fragmented packets which have a non-zero offset (i.e. not the first
+fragment) will never match a rule which has one or more port
+specifications.  See the
+.Ar frag
+option for details on matching fragmented packets.
+.Pp
+Rules can apply to packets when they are incoming, or outgoing, or both.
+The
+.Ar in
+keyword indicates the rule should only match incoming packets.
+The
+.Ar out
+keyword indicates the rule should only match outgoing packets.
+.Pp
+To match packets going through a certain interface, specify
+the interface using
+.Ar via :
+.Bl -hang -offset flag -width 1234567890123456
+.It Ar via ifX
+Packet must be going through interface
+.Ar ifX.
+.It Ar via if*
+Packet must be going through interface
+.Ar ifX ,
+where X is any unit number.
+.It Ar via any
+Packet must be going through
+.Em some
+interface.
+.It Ar via ipv6no
+Packet must be going through the interface having IPv6 address
+.Ar ipv6no .
+.El
+.Pp
+The
+.Ar via
+keyword causes the interface to always be checked.
+If
+.Ar recv
+or
+.Ar xmit
+is used instead of
+.Ar via ,
+then the only receive or transmit interface (respectively) is checked.
+By specifying both, it is possible to match packets based on both receive
+and transmit interface, e.g.:
+.Pp
+.Dl "ip6fw add 100 deny ip from any to any out recv ed0 xmit ed1"
+.Pp
+The
+.Ar recv
+interface can be tested on either incoming or outgoing packets, while the
+.Ar xmit
+interface can only be tested on outgoing packets. So
+.Ar out
+is required (and
+.Ar in
+invalid) whenver
+.Ar xmit
+is used. Specifying
+.Ar via
+together with
+.Ar xmit
+or
+.Ar recv
+is invalid.
+.Pp
+A packet may not have a receive or transmit interface: packets originating
+from the local host have no receive interface. while packets destined for
+the local host have no transmit interface.
+.Pp
+Additional
+.Ar options :
+.Bl -hang -offset flag -width 1234567890123456
+.It frag
+Matches if the packet is a fragment and this is not the first fragment
+of the datagram.
+.Ar frag
+may not be used in conjunction with either
+.Ar tcpflags
+or TCP/UDP port specifications.
+.It in
+Matches if this packet was on the way in.
+.It out
+Matches if this packet was on the way out.
+.It ipv6options Ar spec
+Matches if the IPv6 header contains the comma separated list of
+options specified in
+.Ar spec .
+The supported IPv6 options are:
+.Ar hopopt
+(hop-by-hop options header),
+.Ar route
+(routing header),
+.Ar frag
+(fragment header),
+.Ar esp
+(encapsulating security payload),
+.Ar ah
+(authentication header),
+.Ar nonxt
+(no next header), and
+.Ar opts
+(destination options header).
+The absence of a particular option may be denoted
+with a ``!''
+.Em (not working yet).
+.It established
+Matches packets that have the RST or ACK bits set.
+TCP packets only.
+.It setup
+Matches packets that have the SYN bit set but no ACK bit.
+TCP packets only.
+.It tcpflags Ar spec
+Matches if the TCP header contains the comma separated list of
+flags specified in
+.Ar spec .
+The supported TCP flags are:
+.Ar fin ,
+.Ar syn ,
+.Ar rst ,
+.Ar psh ,
+.Ar ack ,
+and
+.Ar urg .
+The absence of a particular flag may be denoted
+with a ``!''.
+A rule which contains a
+.Ar tcpflags
+specification can never match a fragmented packet which has
+a non-zero offset.  See the
+.Ar frag
+option for details on matching fragmented packets.
+.It icmptypes Ar types
+Matches if the ICMPv6 type is in the list
+.Ar types .
+The list may be specified as any combination of ranges
+or individual types separated by commas.
+.El
+.Sh CHECKLIST
+Here are some important points to consider when designing your
+rules:
+.Bl -bullet -hang -offset flag
+.It
+Remember that you filter both packets going in and out.
+Most connections need packets going in both directions.
+.It
+Remember to test very carefully.
+It is a good idea to be near the console when doing this.
+.It
+Don't forget the loopback interface.
+.El
+.Sh FINE POINTS
+There is one kind of packet that the firewall will always discard,
+that is an IPv6 fragment with a fragment offset of one.
+This is a valid packet, but it only has one use, to try to circumvent
+firewalls.
+.Pp
+If you are logged in over a network, loading the LKM version of
+.Nm
+is probably not as straightforward as you would think
+.Em (not supported).
+I recommend this command line:
+.Bd -literal -offset center
+modload /lkm/ip6fw_mod.o && \e
+ip6fw add 32000 allow all from any to any
+.Ed
+.Pp
+Along the same lines, doing an
+.Bd -literal -offset center
+ip6fw flush
+.Ed
+.Pp
+in similar surroundings is also a bad idea.
+.Sh PACKET DIVERSION
+not supported.
+.Sh EXAMPLES
+This command adds an entry which denies all tcp packets from
+.Em hacker.evil.org
+to the telnet port of
+.Em wolf.tambov.su
+from being forwarded by the host:
+.Pp
+.Dl ip6fw add deny tcp from hacker.evil.org to wolf.tambov.su 23
+.Pp
+This one disallows any connection from the entire hackers network to
+my host:
+.Pp
+.Dl ip6fw addf deny all from fec0::123:45:67:0/112 to my.host.org
+.Pp
+Here is a good usage of the list command to see accounting records
+and timestamp information:
+.Pp
+.Dl ip6fw -at l
+.Pp
+or in short form without timestamps:
+.Pp
+.Dl ip6fw -a l
+.Pp
+.Sh SEE ALSO
+.Xr ip 4 ,
+.Xr ipfirewall 4 ,
+.Xr protocols 5 ,
+.Xr services 5 ,
+.Xr reboot 8 ,
+.Xr syslogd 8 ,
+.Xr sysctl 8
+.Sh BUGS
+.Pp
+.Em WARNING!!WARNING!!WARNING!!WARNING!!WARNING!!WARNING!!WARNING!!
+.Pp
+This program can put your computer in rather unusable state. When
+using it for the first time, work on the console of the computer, and
+do
+.Em NOT
+do anything you don't understand.
+.Pp
+When manipulating/adding chain entries, service and protocol names are
+not accepted.
+.Sh AUTHORS
+Ugen J. S. Antsilevich,
+Poul-Henning Kamp,
+Alex Nash,
+Archie Cobbs.
+API based upon code written by Daniel Boulet for BSDI.
+.Sh HISTORY
+.Nm
+first appeared in
+.Fx 2.0 .
diff --git a/sbin/ip6fw/ip6fw.c b/sbin/ip6fw/ip6fw.c
new file mode 100644
index 0000000..9c3a7e5
--- /dev/null
+++ b/sbin/ip6fw/ip6fw.c
@@ -0,0 +1,1290 @@
+/*
+ * Copyright (c) 1996 Alex Nash, Paul Traina, Poul-Henning Kamp
+ * Copyright (c) 1994 Ugen J.S.Antsilevich
+ *
+ * Idea and grammar partially left from:
+ * Copyright (c) 1993 Daniel Boulet
+ *
+ * Redistribution and use in source forms, with and without modification,
+ * are permitted provided that this entire comment appears intact.
+ *
+ * Redistribution in binary form may occur without any restrictions.
+ * Obviously, it would be nice if you gave credit where credit is due
+ * but requiring it would be too onerous.
+ *
+ * This software is provided ``AS IS'' without any warranties of any kind.
+ *
+ * NEW command line interface for IP firewall facility
+ *
+ * $Id: ip6fw.c,v 1.1.2.2.2.2 1999/05/14 05:13:50 shin Exp $
+ * $FreeBSD$
+ */
+
+#include <sys/types.h>
+#include <sys/queue.h>
+#include <sys/socket.h>
+#include <sys/sockio.h>
+#include <sys/time.h>
+#include <sys/ioctl.h>
+
+#include <ctype.h>
+#include <err.h>
+#include <limits.h>
+#include <netdb.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <stdarg.h>
+#include <string.h>
+#include <time.h>
+#include <unistd.h>
+
+#include <net/if.h>
+#include <netinet/in.h>
+#include <netinet/in_systm.h>
+#include <netinet/ip6.h>
+#include <netinet/icmp6.h>
+#include <netinet6/ip6_fw.h>
+#include <netinet/tcp.h>
+#include <arpa/inet.h>
+
+int 		lineno = -1;
+
+int 		s;				/* main RAW socket 	   */
+int 		do_resolv=0;			/* Would try to resolv all */
+int		do_acct=0;			/* Show packet/byte count  */
+int		do_time=0;			/* Show time stamps        */
+int		do_quiet=0;			/* Be quiet in add and flush  */
+int		do_force=0;			/* Don't ask for confirmation */
+
+struct icmpcode {
+	int	code;
+	char	*str;
+};
+
+static struct icmpcode icmp6codes[] = {
+      { ICMP6_DST_UNREACH_NOROUTE,	"noroute" },
+      { ICMP6_DST_UNREACH_ADMIN,	"admin" },
+      { ICMP6_DST_UNREACH_NOTNEIGHBOR,	"notneighbor" },
+      { ICMP6_DST_UNREACH_ADDR,		"addr" },
+      { ICMP6_DST_UNREACH_NOPORT,	"noport" },
+      { 0, NULL }
+};
+
+static char ntop_buf[INET6_ADDRSTRLEN];
+
+static void show_usage(const char *fmt, ...);
+
+static int
+mask_bits(u_char *m_ad, int m_len)
+{
+	int h_num = 0,i;
+
+	for (i = 0; i < m_len; i++, m_ad++) {
+		if (*m_ad != 0xff)
+			break;
+		h_num += 8;
+	}
+	if (i < m_len) {
+		switch (*m_ad) {
+#define	MASKLEN(m, l)	case m: h_num += l; break
+		MASKLEN(0xfe, 7);
+		MASKLEN(0xfc, 6);
+		MASKLEN(0xf8, 5);
+		MASKLEN(0xf0, 4);
+		MASKLEN(0xe0, 3);
+		MASKLEN(0xc0, 2);
+		MASKLEN(0x80, 1);
+#undef	MASKLEN
+		}
+	}
+	return h_num;
+}
+
+static int pl2m[9] = { 0x00, 0x80, 0xc0, 0xe0, 0xf0, 0xf8, 0xfc, 0xfe, 0xff };
+
+struct in6_addr *plen2mask(int n)
+{
+	static struct in6_addr ia;
+	u_char	*p;
+	int	i;
+
+	memset(&ia, 0, sizeof(struct in6_addr));
+	p = (u_char *)&ia;
+	for (i = 0; i < 16; i++, p++, n -= 8) {
+		if (n >= 8) {
+			*p = 0xff;
+			continue;
+		}
+		*p = pl2m[n];
+		break;
+	}
+	return &ia;
+}
+
+void
+print_port(prot, port, comma)
+	u_char  prot;
+	u_short port;
+	const char *comma;
+{
+	struct servent *se;
+	struct protoent *pe;
+	const char *protocol;
+	int printed = 0;
+
+	if (do_resolv) {
+		pe = getprotobynumber(prot);
+		if (pe)
+			protocol = pe->p_name;
+		else
+			protocol = NULL;
+
+		se = getservbyport(htons(port), protocol);
+		if (se) {
+			printf("%s%s", comma, se->s_name);
+			printed = 1;
+		}
+	}
+	if (!printed)
+		printf("%s%d",comma,port);
+}
+
+static void
+print_iface(char *key, union ip6_fw_if *un, int byname)
+{
+	char ifnb[FW_IFNLEN+1];
+
+	if (byname) {
+		strncpy(ifnb, un->fu_via_if.name, FW_IFNLEN);
+		ifnb[FW_IFNLEN]='\0';
+		if (un->fu_via_if.unit == -1)
+			printf(" %s %s*", key, ifnb);
+		else
+			printf(" %s %s%d", key, ifnb, un->fu_via_if.unit);
+	} else if (!IN6_IS_ADDR_UNSPECIFIED(&un->fu_via_ip6)) {
+		printf(" %s %s", key, inet_ntop(AF_INET6,&un->fu_via_ip6,ntop_buf,sizeof(ntop_buf)));
+	} else
+		printf(" %s any", key);
+}
+
+static void
+print_reject_code(int code)
+{
+	struct icmpcode *ic;
+
+	for (ic = icmp6codes; ic->str; ic++)
+		if (ic->code == code) {
+			printf("%s", ic->str);
+			return;
+		}
+	printf("%u", code);
+}
+
+static void
+show_ip6fw(struct ip6_fw *chain)
+{
+	char *comma;
+	struct hostent *he;
+	struct protoent *pe;
+	int i, mb;
+	int nsp = IPV6_FW_GETNSRCP(chain);
+	int ndp = IPV6_FW_GETNDSTP(chain);
+
+	if (do_resolv)
+		setservent(1/*stayopen*/);
+
+	printf("%05u ", chain->fw_number);
+
+	if (do_acct)
+		printf("%10lu %10lu ",chain->fw_pcnt,chain->fw_bcnt);
+
+	if (do_time)
+	{
+		if (chain->timestamp)
+		{
+			char timestr[30];
+
+			strcpy(timestr, ctime((time_t *)&chain->timestamp));
+			*strchr(timestr, '\n') = '\0';
+			printf("%s ", timestr);
+		}
+		else
+			printf("                         ");
+	}
+
+	switch (chain->fw_flg & IPV6_FW_F_COMMAND)
+	{
+		case IPV6_FW_F_ACCEPT:
+			printf("allow");
+			break;
+		case IPV6_FW_F_DENY:
+			printf("deny");
+			break;
+		case IPV6_FW_F_COUNT:
+			printf("count");
+			break;
+		case IPV6_FW_F_DIVERT:
+			printf("divert %u", chain->fw_divert_port);
+			break;
+		case IPV6_FW_F_TEE:
+			printf("tee %u", chain->fw_divert_port);
+			break;
+		case IPV6_FW_F_SKIPTO:
+			printf("skipto %u", chain->fw_skipto_rule);
+			break;
+		case IPV6_FW_F_REJECT:
+			if (chain->fw_reject_code == IPV6_FW_REJECT_RST)
+				printf("reset");
+			else {
+				printf("unreach ");
+				print_reject_code(chain->fw_reject_code);
+			}
+			break;
+		default:
+			errx(1, "impossible");
+	}
+
+	if (chain->fw_flg & IPV6_FW_F_PRN)
+		printf(" log");
+
+	pe = getprotobynumber(chain->fw_prot);
+	if (pe)
+		printf(" %s", pe->p_name);
+	else
+		printf(" %u", chain->fw_prot);
+
+	printf(" from %s", chain->fw_flg & IPV6_FW_F_INVSRC ? "not " : "");
+
+	mb=mask_bits((u_char *)&chain->fw_smsk,sizeof(chain->fw_smsk));
+	if (mb==128 && do_resolv) {
+		he=gethostbyaddr((char *)&(chain->fw_src),sizeof(chain->fw_src),AF_INET6);
+		if (he==NULL) {
+			printf(inet_ntop(AF_INET6,&chain->fw_src,ntop_buf,sizeof(ntop_buf)));
+		} else
+			printf("%s",he->h_name);
+	} else {
+		if (mb!=128) {
+			if (mb == 0) {
+				printf("any");
+			} else {
+				printf(inet_ntop(AF_INET6,&chain->fw_src,ntop_buf,sizeof(ntop_buf)));
+				printf("/%d",mb);
+			}
+		} else
+			printf(inet_ntop(AF_INET6,&chain->fw_src,ntop_buf,sizeof(ntop_buf)));
+	}
+
+	if (chain->fw_prot == IPPROTO_TCP || chain->fw_prot == IPPROTO_UDP) {
+		comma = " ";
+		for (i = 0; i < nsp; i++) {
+			print_port(chain->fw_prot, chain->fw_pts[i], comma);
+			if (i==0 && (chain->fw_flg & IPV6_FW_F_SRNG))
+				comma = "-";
+			else
+				comma = ",";
+		}
+	}
+
+	printf(" to %s", chain->fw_flg & IPV6_FW_F_INVDST ? "not " : "");
+
+	mb=mask_bits((u_char *)&chain->fw_dmsk,sizeof(chain->fw_dmsk));
+	if (mb==128 && do_resolv) {
+		he=gethostbyaddr((char *)&(chain->fw_dst),sizeof(chain->fw_dst),AF_INET);
+		if (he==NULL) {
+			printf(inet_ntop(AF_INET6,&chain->fw_dst,ntop_buf,sizeof(ntop_buf)));
+		} else
+			printf("%s",he->h_name);
+	} else {
+		if (mb!=128) {
+			if (mb == 0) {
+				printf("any");
+			} else {
+				printf(inet_ntop(AF_INET6,&chain->fw_dst,ntop_buf,sizeof(ntop_buf)));
+				printf("/%d",mb);
+			}
+		} else
+			printf(inet_ntop(AF_INET6,&chain->fw_dst,ntop_buf,sizeof(ntop_buf)));
+	}
+
+	if (chain->fw_prot == IPPROTO_TCP || chain->fw_prot == IPPROTO_UDP) {
+		comma = " ";
+		for (i = 0; i < ndp; i++) {
+			print_port(chain->fw_prot, chain->fw_pts[nsp+i], comma);
+			if (i==0 && (chain->fw_flg & IPV6_FW_F_DRNG))
+				comma = "-";
+			else
+				comma = ",";
+		}
+	}
+
+	/* Direction */
+	if ((chain->fw_flg & IPV6_FW_F_IN) && !(chain->fw_flg & IPV6_FW_F_OUT))
+		printf(" in");
+	if (!(chain->fw_flg & IPV6_FW_F_IN) && (chain->fw_flg & IPV6_FW_F_OUT))
+		printf(" out");
+
+	/* Handle hack for "via" backwards compatibility */
+	if ((chain->fw_flg & IF6_FW_F_VIAHACK) == IF6_FW_F_VIAHACK) {
+		print_iface("via",
+		    &chain->fw_in_if, chain->fw_flg & IPV6_FW_F_IIFNAME);
+	} else {
+		/* Receive interface specified */
+		if (chain->fw_flg & IPV6_FW_F_IIFACE)
+			print_iface("recv", &chain->fw_in_if,
+			    chain->fw_flg & IPV6_FW_F_IIFNAME);
+		/* Transmit interface specified */
+		if (chain->fw_flg & IPV6_FW_F_OIFACE)
+			print_iface("xmit", &chain->fw_out_if,
+			    chain->fw_flg & IPV6_FW_F_OIFNAME);
+	}
+
+	if (chain->fw_flg & IPV6_FW_F_FRAG)
+		printf(" frag");
+
+	if (chain->fw_ip6opt || chain->fw_ip6nopt) {
+		int 	_opt_printed = 0;
+#define	PRINTOPT(x)	{if (_opt_printed) printf(",");\
+			printf(x); _opt_printed = 1;}
+
+		printf(" ip6opt ");
+		if (chain->fw_ip6opt  & IPV6_FW_IP6OPT_HOPOPT) PRINTOPT("hopopt");
+		if (chain->fw_ip6nopt & IPV6_FW_IP6OPT_HOPOPT) PRINTOPT("!hopopt");
+		if (chain->fw_ip6opt  & IPV6_FW_IP6OPT_ROUTE)  PRINTOPT("route");
+		if (chain->fw_ip6nopt & IPV6_FW_IP6OPT_ROUTE)  PRINTOPT("!route");
+		if (chain->fw_ip6opt  & IPV6_FW_IP6OPT_FRAG)  PRINTOPT("frag");
+		if (chain->fw_ip6nopt & IPV6_FW_IP6OPT_FRAG)  PRINTOPT("!frag");
+		if (chain->fw_ip6opt  & IPV6_FW_IP6OPT_ESP)    PRINTOPT("esp");
+		if (chain->fw_ip6nopt & IPV6_FW_IP6OPT_ESP)    PRINTOPT("!esp");
+		if (chain->fw_ip6opt  & IPV6_FW_IP6OPT_AH)     PRINTOPT("ah");
+		if (chain->fw_ip6nopt & IPV6_FW_IP6OPT_AH)     PRINTOPT("!ah");
+		if (chain->fw_ip6opt  & IPV6_FW_IP6OPT_NONXT)  PRINTOPT("nonxt");
+		if (chain->fw_ip6nopt & IPV6_FW_IP6OPT_NONXT)  PRINTOPT("!nonxt");
+		if (chain->fw_ip6opt  & IPV6_FW_IP6OPT_OPTS)   PRINTOPT("opts");
+		if (chain->fw_ip6nopt & IPV6_FW_IP6OPT_OPTS)   PRINTOPT("!opts");
+	}
+
+	if (chain->fw_tcpf & IPV6_FW_TCPF_ESTAB)
+		printf(" established");
+	else if (chain->fw_tcpf == IPV6_FW_TCPF_SYN &&
+	    chain->fw_tcpnf == IPV6_FW_TCPF_ACK)
+		printf(" setup");
+	else if (chain->fw_tcpf || chain->fw_tcpnf) {
+		int 	_flg_printed = 0;
+#define	PRINTFLG(x)	{if (_flg_printed) printf(",");\
+			printf(x); _flg_printed = 1;}
+
+		printf(" tcpflg ");
+		if (chain->fw_tcpf  & IPV6_FW_TCPF_FIN)  PRINTFLG("fin");
+		if (chain->fw_tcpnf & IPV6_FW_TCPF_FIN)  PRINTFLG("!fin");
+		if (chain->fw_tcpf  & IPV6_FW_TCPF_SYN)  PRINTFLG("syn");
+		if (chain->fw_tcpnf & IPV6_FW_TCPF_SYN)  PRINTFLG("!syn");
+		if (chain->fw_tcpf  & IPV6_FW_TCPF_RST)  PRINTFLG("rst");
+		if (chain->fw_tcpnf & IPV6_FW_TCPF_RST)  PRINTFLG("!rst");
+		if (chain->fw_tcpf  & IPV6_FW_TCPF_PSH)  PRINTFLG("psh");
+		if (chain->fw_tcpnf & IPV6_FW_TCPF_PSH)  PRINTFLG("!psh");
+		if (chain->fw_tcpf  & IPV6_FW_TCPF_ACK)  PRINTFLG("ack");
+		if (chain->fw_tcpnf & IPV6_FW_TCPF_ACK)  PRINTFLG("!ack");
+		if (chain->fw_tcpf  & IPV6_FW_TCPF_URG)  PRINTFLG("urg");
+		if (chain->fw_tcpnf & IPV6_FW_TCPF_URG)  PRINTFLG("!urg");
+	}
+	if (chain->fw_flg & IPV6_FW_F_ICMPBIT) {
+		int type_index;
+		int first = 1;
+
+		printf(" icmptype");
+
+		for (type_index = 0; type_index < IPV6_FW_ICMPTYPES_DIM * sizeof(unsigned) * 8; ++type_index)
+			if (chain->fw_icmp6types[type_index / (sizeof(unsigned) * 8)] &
+				(1U << (type_index % (sizeof(unsigned) * 8)))) {
+				printf("%c%d", first == 1 ? ' ' : ',', type_index);
+				first = 0;
+			}
+	}
+	printf("\n");
+	if (do_resolv)
+		endservent();
+}
+
+void
+list(ac, av)
+	int	ac;
+	char 	**av;
+{
+	struct ip6_fw *r;
+	struct ip6_fw rules[1024];
+	int l,i;
+	unsigned long rulenum;
+	int bytes;
+
+	/* extract rules from kernel */
+	memset(rules,0,sizeof rules);
+	bytes = sizeof rules;
+	i = getsockopt(s, IPPROTO_IPV6, IPV6_FW_GET, rules, &bytes);
+	if (i < 0)
+		err(2,"getsockopt(IPV6_FW_GET)");
+	if (!ac) {
+		/* display all rules */
+		for (r = rules, l = bytes; l >= sizeof rules[0];
+			 r++, l-=sizeof rules[0])
+			show_ip6fw(r);
+	}
+	else {
+		/* display specific rules requested on command line */
+		int exitval = 0;
+
+		while (ac--) {
+			char *endptr;
+			int seen;
+
+			/* convert command line rule # */
+			rulenum = strtoul(*av++, &endptr, 10);
+			if (*endptr) {
+				exitval = 1;
+				warn("invalid rule number: %s", av[-1]);
+				continue;
+			}
+			seen = 0;
+			for (r = rules, l = bytes;
+				 l >= sizeof rules[0] && r->fw_number <= rulenum;
+				 r++, l-=sizeof rules[0])
+				if (rulenum == r->fw_number) {
+					show_ip6fw(r);
+					seen = 1;
+				}
+			if (!seen) {
+				exitval = 1;
+				warnx("rule %lu does not exist", rulenum);
+			}
+		}
+		if (exitval != 0)
+			exit(exitval);
+	}
+}
+
+static void
+show_usage(const char *fmt, ...)
+{
+	if (fmt) {
+		char buf[100];
+		va_list args;
+
+		va_start(args, fmt);
+		vsnprintf(buf, sizeof(buf), fmt, args);
+		va_end(args);
+		warnx("error: %s", buf);
+	}
+	fprintf(stderr, "usage: ipfw6 [options]\n"
+"    flush\n"
+"    add [number] rule\n"
+"    delete number ...\n"
+"    list [number ...]\n"
+"    show [number ...]\n"
+"    zero [number ...]\n"
+"  rule:  action proto src dst extras...\n"
+"    action:\n"
+"      {allow|permit|accept|pass|deny|drop|reject|unreach code|\n"
+"       reset|count|skipto num} [log]\n"
+"    proto: {ipv6|tcp|udp|ipv6-icmp|<number>}\n"
+"    src: from [not] {any|ipv6[/prefixlen]} [{port|port-port},[port],...]\n"
+"    dst: to [not] {any|ipv6[/prefixlen]} [{port|port-port},[port],...]\n"
+"  extras:\n"
+"    fragment     (may not be used with ports or tcpflags)\n"
+"    in\n"
+"    out\n"
+"    {xmit|recv|via} {iface|ipv6|any}\n"
+"    {established|setup}\n"
+"    tcpflags [!]{syn|fin|rst|ack|psh|urg},...\n"
+"    ipv6options [!]{hopopt|route|frag|esp|ah|nonxt|opts},...\n"
+"    icmptypes {type[,type]}...\n");
+
+	exit(1);
+}
+
+static int
+lookup_host (host, addr, family)
+	char *host;
+	u_char *addr;
+{
+	struct hostent *he = gethostbyname2(host, family);
+
+	if (!he)
+		return(-1);
+
+	memcpy(addr, he->h_addr_list[0], he->h_length);
+
+	return(0);
+}
+
+void
+fill_ip6(ipno, mask, acp, avp)
+	struct in6_addr *ipno, *mask;
+	int *acp;
+	char ***avp;
+{
+	int ac = *acp;
+	char **av = *avp;
+	char *p = 0, md = 0;
+	int i;
+
+	if (ac && !strncmp(*av,"any",strlen(*av))) {
+		*ipno = *mask = in6addr_any; av++; ac--;
+	} else {
+		p = strchr(*av, '/');
+		if (p) {
+			md = *p;
+			*p++ = '\0';
+		}
+
+		if (lookup_host(*av, ipno, AF_INET6) != 0)
+			show_usage("hostname ``%s'' unknown", *av);
+		switch (md) {
+			case '/':
+				if (atoi(p) == 0) {
+					*mask = in6addr_any;
+				} else if (atoi(p) > 128) {
+					show_usage("bad width ``%s''", p);
+				} else {
+					*mask = *(plen2mask(atoi(p)));
+				}
+				break;
+			default:
+				*mask = *(plen2mask(128));
+				break;
+		}
+		for (i = 0; i < sizeof(*ipno); i++)
+			ipno->s6_addr[i] &= mask->s6_addr[i];
+		av++;
+		ac--;
+	}
+	*acp = ac;
+	*avp = av;
+}
+
+static void
+fill_reject_code6(u_short *codep, char *str)
+{
+	struct icmpcode *ic;
+	u_long val;
+	char *s;
+
+	val = strtoul(str, &s, 0);
+	if (s != str && *s == '\0' && val < 0x100) {
+		*codep = val;
+		return;
+	}
+	for (ic = icmp6codes; ic->str; ic++)
+		if (!strcasecmp(str, ic->str)) {
+			*codep = ic->code;
+			return;
+		}
+	show_usage("unknown ICMP6 unreachable code ``%s''", str);
+}
+
+static void
+add_port(cnt, ptr, off, port)
+	u_short *cnt, *ptr, off, port;
+{
+	if (off + *cnt >= IPV6_FW_MAX_PORTS)
+		errx(1, "too many ports (max is %d)", IPV6_FW_MAX_PORTS);
+	ptr[off+*cnt] = port;
+	(*cnt)++;
+}
+
+static int
+lookup_port(const char *arg, int test, int nodash)
+{
+	int		val;
+	char		*earg, buf[32];
+	struct servent	*s;
+
+	snprintf(buf, sizeof(buf), "%s", arg);
+	buf[strcspn(arg, nodash ? "-," : ",")] = 0;
+	val = (int) strtoul(buf, &earg, 0);
+	if (!*buf || *earg) {
+		setservent(1);
+		if ((s = getservbyname(buf, NULL))) {
+			val = htons(s->s_port);
+		} else {
+			if (!test) {
+				errx(1, "unknown port ``%s''", arg);
+			}
+			val = -1;
+		}
+	} else {
+		if (val < 0 || val > 0xffff) {
+			if (!test) {
+				errx(1, "port ``%s'' out of range", arg);
+			}
+			val = -1;
+		}
+	}
+	return(val);
+}
+
+int
+fill_port(cnt, ptr, off, arg)
+	u_short *cnt, *ptr, off;
+	char *arg;
+{
+	char *s;
+	int initial_range = 0;
+
+	s = arg + strcspn(arg, "-,");	/* first port name can't have a dash */
+	if (*s == '-') {
+		*s++ = '\0';
+		if (strchr(arg, ','))
+			errx(1, "port range must be first in list");
+		add_port(cnt, ptr, off, *arg ? lookup_port(arg, 0, 0) : 0x0000);
+		arg = s;
+		s = strchr(arg,',');
+		if (s)
+			*s++ = '\0';
+		add_port(cnt, ptr, off, *arg ? lookup_port(arg, 0, 0) : 0xffff);
+		arg = s;
+		initial_range = 1;
+	}
+	while (arg != NULL) {
+		s = strchr(arg,',');
+		if (s)
+			*s++ = '\0';
+		add_port(cnt, ptr, off, lookup_port(arg, 0, 0));
+		arg = s;
+	}
+	return initial_range;
+}
+
+void
+fill_tcpflag(set, reset, vp)
+	u_char *set, *reset;
+	char **vp;
+{
+	char *p = *vp,*q;
+	u_char *d;
+
+	while (p && *p) {
+		struct tpcflags {
+			char * name;
+			u_char value;
+		} flags[] = {
+			{ "syn", IPV6_FW_TCPF_SYN },
+			{ "fin", IPV6_FW_TCPF_FIN },
+			{ "ack", IPV6_FW_TCPF_ACK },
+			{ "psh", IPV6_FW_TCPF_PSH },
+			{ "rst", IPV6_FW_TCPF_RST },
+			{ "urg", IPV6_FW_TCPF_URG }
+		};
+		int i;
+
+		if (*p == '!') {
+			p++;
+			d = reset;
+		} else {
+			d = set;
+		}
+		q = strchr(p, ',');
+		if (q)
+			*q++ = '\0';
+		for (i = 0; i < sizeof(flags) / sizeof(flags[0]); ++i)
+			if (!strncmp(p, flags[i].name, strlen(p))) {
+				*d |= flags[i].value;
+				break;
+			}
+		if (i == sizeof(flags) / sizeof(flags[0]))
+			show_usage("invalid tcp flag ``%s''", p);
+		p = q;
+	}
+}
+
+static void
+fill_ip6opt(u_char *set, u_char *reset, char **vp)
+{
+	char *p = *vp,*q;
+	u_char *d;
+
+	while (p && *p) {
+		if (*p == '!') {
+			p++;
+			d = reset;
+		} else {
+			d = set;
+		}
+		q = strchr(p, ',');
+		if (q)
+			*q++ = '\0';
+		if (!strncmp(p,"hopopt",strlen(p))) *d |= IPV6_FW_IP6OPT_HOPOPT;
+		if (!strncmp(p,"route",strlen(p)))  *d |= IPV6_FW_IP6OPT_ROUTE;
+		if (!strncmp(p,"frag",strlen(p)))   *d |= IPV6_FW_IP6OPT_FRAG;
+		if (!strncmp(p,"esp",strlen(p)))    *d |= IPV6_FW_IP6OPT_ESP;
+		if (!strncmp(p,"ah",strlen(p)))     *d |= IPV6_FW_IP6OPT_AH;
+		if (!strncmp(p,"nonxt",strlen(p)))  *d |= IPV6_FW_IP6OPT_NONXT;
+		if (!strncmp(p,"opts",strlen(p)))   *d |= IPV6_FW_IP6OPT_OPTS;
+		p = q;
+	}
+}
+
+void
+fill_icmptypes(types, vp, fw_flg)
+	u_long *types;
+	char **vp;
+	u_short *fw_flg;
+{
+	char *c = *vp;
+
+	while (*c)
+	{
+		unsigned long icmptype;
+
+		if ( *c == ',' )
+			++c;
+
+		icmptype = strtoul(c, &c, 0);
+
+		if ( *c != ',' && *c != '\0' )
+			show_usage("invalid ICMP6 type");
+
+		if (icmptype >= IPV6_FW_ICMPTYPES_DIM * sizeof(unsigned) * 8)
+			show_usage("ICMP6 type out of range");
+
+		types[icmptype / (sizeof(unsigned) * 8)] |=
+			1 << (icmptype % (sizeof(unsigned) * 8));
+		*fw_flg |= IPV6_FW_F_ICMPBIT;
+	}
+}
+
+void
+delete(ac,av)
+	int ac;
+	char **av;
+{
+	struct ip6_fw rule;
+	int i;
+	int exitval = 0;
+
+	memset(&rule, 0, sizeof rule);
+
+	av++; ac--;
+
+	/* Rule number */
+	while (ac && isdigit(**av)) {
+		rule.fw_number = atoi(*av); av++; ac--;
+		i = setsockopt(s, IPPROTO_IPV6, IPV6_FW_DEL, &rule, sizeof rule);
+		if (i) {
+			exitval = 1;
+			warn("rule %u: setsockopt(%s)", rule.fw_number, "IPV6_FW_DEL");
+		}
+	}
+	if (exitval != 0)
+		exit(exitval);
+}
+
+static void
+verify_interface(union ip6_fw_if *ifu)
+{
+	struct ifreq ifr;
+
+	/*
+	 *	If a unit was specified, check for that exact interface.
+	 *	If a wildcard was specified, check for unit 0.
+	 */
+	snprintf(ifr.ifr_name, sizeof(ifr.ifr_name), "%s%d",
+			 ifu->fu_via_if.name,
+			 ifu->fu_via_if.unit == -1 ? 0 : ifu->fu_via_if.unit);
+
+	if (ioctl(s, SIOCGIFFLAGS, &ifr) < 0)
+		warnx("warning: interface ``%s'' does not exist", ifr.ifr_name);
+}
+
+static void
+fill_iface(char *which, union ip6_fw_if *ifu, int *byname, int ac, char *arg)
+{
+	if (!ac)
+	    show_usage("missing argument for ``%s''", which);
+
+	/* Parse the interface or address */
+	if (!strcmp(arg, "any")) {
+		ifu->fu_via_ip6 = in6addr_any;
+		*byname = 0;
+	} else if (!isdigit(*arg)) {
+		char *q;
+
+		*byname = 1;
+		strncpy(ifu->fu_via_if.name, arg, sizeof(ifu->fu_via_if.name));
+		ifu->fu_via_if.name[sizeof(ifu->fu_via_if.name) - 1] = '\0';
+		for (q = ifu->fu_via_if.name;
+		    *q && !isdigit(*q) && *q != '*'; q++)
+			continue;
+		ifu->fu_via_if.unit = (*q == '*') ? -1 : atoi(q);
+		*q = '\0';
+		verify_interface(ifu);
+	} else if (inet_pton(AF_INET6, arg, &ifu->fu_via_ip6) != 1) {
+		show_usage("bad ip6 address ``%s''", arg);
+	} else
+		*byname = 0;
+}
+
+static void
+add(ac,av)
+	int ac;
+	char **av;
+{
+	struct ip6_fw rule;
+	int i;
+	u_char proto;
+	struct protoent *pe;
+	int saw_xmrc = 0, saw_via = 0;
+
+	memset(&rule, 0, sizeof rule);
+
+	av++; ac--;
+
+	/* Rule number */
+	if (ac && isdigit(**av)) {
+		rule.fw_number = atoi(*av); av++; ac--;
+	}
+
+	/* Action */
+	if (ac == 0)
+		show_usage("missing action");
+	if (!strncmp(*av,"accept",strlen(*av))
+		    || !strncmp(*av,"pass",strlen(*av))
+		    || !strncmp(*av,"allow",strlen(*av))
+		    || !strncmp(*av,"permit",strlen(*av))) {
+		rule.fw_flg |= IPV6_FW_F_ACCEPT; av++; ac--;
+	} else if (!strncmp(*av,"count",strlen(*av))) {
+		rule.fw_flg |= IPV6_FW_F_COUNT; av++; ac--;
+	}
+#if 0
+	else if (!strncmp(*av,"divert",strlen(*av))) {
+		rule.fw_flg |= IPV6_FW_F_DIVERT; av++; ac--;
+		if (!ac)
+			show_usage("missing divert port");
+		rule.fw_divert_port = strtoul(*av, NULL, 0); av++; ac--;
+		if (rule.fw_divert_port == 0) {
+			struct servent *s;
+			setservent(1);
+			s = getservbyname(av[-1], "divert");
+			if (s != NULL)
+				rule.fw_divert_port = ntohs(s->s_port);
+			else
+				show_usage("illegal divert port");
+		}
+	} else if (!strncmp(*av,"tee",strlen(*av))) {
+		rule.fw_flg |= IPV6_FW_F_TEE; av++; ac--;
+		if (!ac)
+			show_usage("missing divert port");
+		rule.fw_divert_port = strtoul(*av, NULL, 0); av++; ac--;
+		if (rule.fw_divert_port == 0) {
+			struct servent *s;
+			setservent(1);
+			s = getservbyname(av[-1], "divert");
+			if (s != NULL)
+				rule.fw_divert_port = ntohs(s->s_port);
+			else
+				show_usage("illegal divert port");
+		}
+	}
+#endif
+	else if (!strncmp(*av,"skipto",strlen(*av))) {
+		rule.fw_flg |= IPV6_FW_F_SKIPTO; av++; ac--;
+		if (!ac)
+			show_usage("missing skipto rule number");
+		rule.fw_skipto_rule = strtoul(*av, NULL, 0); av++; ac--;
+	} else if ((!strncmp(*av,"deny",strlen(*av))
+		    || !strncmp(*av,"drop",strlen(*av)))) {
+		rule.fw_flg |= IPV6_FW_F_DENY; av++; ac--;
+	} else if (!strncmp(*av,"reject",strlen(*av))) {
+		rule.fw_flg |= IPV6_FW_F_REJECT; av++; ac--;
+		rule.fw_reject_code = ICMP6_DST_UNREACH_NOROUTE;
+	} else if (!strncmp(*av,"reset",strlen(*av))) {
+		rule.fw_flg |= IPV6_FW_F_REJECT; av++; ac--;
+		rule.fw_reject_code = IPV6_FW_REJECT_RST;	/* check TCP later */
+	} else if (!strncmp(*av,"unreach",strlen(*av))) {
+		rule.fw_flg |= IPV6_FW_F_REJECT; av++; ac--;
+		fill_reject_code6(&rule.fw_reject_code, *av); av++; ac--;
+	} else {
+		show_usage("invalid action ``%s''", *av);
+	}
+
+	/* [log] */
+	if (ac && !strncmp(*av,"log",strlen(*av))) {
+		rule.fw_flg |= IPV6_FW_F_PRN; av++; ac--;
+	}
+
+	/* protocol */
+	if (ac == 0)
+		show_usage("missing protocol");
+	if ((proto = atoi(*av)) > 0) {
+		rule.fw_prot = proto; av++; ac--;
+	} else if (!strncmp(*av,"all",strlen(*av))) {
+		rule.fw_prot = IPPROTO_IPV6; av++; ac--;
+	} else if ((pe = getprotobyname(*av)) != NULL) {
+		rule.fw_prot = pe->p_proto; av++; ac--;
+	} else {
+		show_usage("invalid protocol ``%s''", *av);
+	}
+
+	if (rule.fw_prot != IPPROTO_TCP
+	    && (rule.fw_flg & IPV6_FW_F_COMMAND) == IPV6_FW_F_REJECT
+	    && rule.fw_reject_code == IPV6_FW_REJECT_RST)
+		show_usage("``reset'' is only valid for tcp packets");
+
+	/* from */
+	if (ac && !strncmp(*av,"from",strlen(*av))) { av++; ac--; }
+	else
+		show_usage("missing ``from''");
+
+	if (ac && !strncmp(*av,"not",strlen(*av))) {
+		rule.fw_flg |= IPV6_FW_F_INVSRC;
+		av++; ac--;
+	}
+	if (!ac)
+		show_usage("missing arguments");
+
+	fill_ip6(&rule.fw_src, &rule.fw_smsk, &ac, &av);
+
+	if (ac && (isdigit(**av) || lookup_port(*av, 1, 1) >= 0)) {
+		u_short nports = 0;
+
+		if (fill_port(&nports, rule.fw_pts, 0, *av))
+			rule.fw_flg |= IPV6_FW_F_SRNG;
+		IPV6_FW_SETNSRCP(&rule, nports);
+		av++; ac--;
+	}
+
+	/* to */
+	if (ac && !strncmp(*av,"to",strlen(*av))) { av++; ac--; }
+	else
+		show_usage("missing ``to''");
+
+	if (ac && !strncmp(*av,"not",strlen(*av))) {
+		rule.fw_flg |= IPV6_FW_F_INVDST;
+		av++; ac--;
+	}
+	if (!ac)
+		show_usage("missing arguments");
+
+	fill_ip6(&rule.fw_dst, &rule.fw_dmsk, &ac, &av);
+
+	if (ac && (isdigit(**av) || lookup_port(*av, 1, 1) >= 0)) {
+		u_short	nports = 0;
+
+		if (fill_port(&nports,
+		    rule.fw_pts, IPV6_FW_GETNSRCP(&rule), *av))
+			rule.fw_flg |= IPV6_FW_F_DRNG;
+		IPV6_FW_SETNDSTP(&rule, nports);
+		av++; ac--;
+	}
+
+	if ((rule.fw_prot != IPPROTO_TCP) && (rule.fw_prot != IPPROTO_UDP)
+	    && (IPV6_FW_GETNSRCP(&rule) || IPV6_FW_GETNDSTP(&rule))) {
+		show_usage("only TCP and UDP protocols are valid"
+		    " with port specifications");
+	}
+
+	while (ac) {
+		if (!strncmp(*av,"in",strlen(*av))) {
+			rule.fw_flg |= IPV6_FW_F_IN;
+			av++; ac--; continue;
+		}
+		if (!strncmp(*av,"out",strlen(*av))) {
+			rule.fw_flg |= IPV6_FW_F_OUT;
+			av++; ac--; continue;
+		}
+		if (ac && !strncmp(*av,"xmit",strlen(*av))) {
+			union ip6_fw_if ifu;
+			int byname;
+
+			if (saw_via) {
+badviacombo:
+				show_usage("``via'' is incompatible"
+				    " with ``xmit'' and ``recv''");
+			}
+			saw_xmrc = 1;
+			av++; ac--;
+			fill_iface("xmit", &ifu, &byname, ac, *av);
+			rule.fw_out_if = ifu;
+			rule.fw_flg |= IPV6_FW_F_OIFACE;
+			if (byname)
+				rule.fw_flg |= IPV6_FW_F_OIFNAME;
+			av++; ac--; continue;
+		}
+		if (ac && !strncmp(*av,"recv",strlen(*av))) {
+			union ip6_fw_if ifu;
+			int byname;
+
+			if (saw_via)
+				goto badviacombo;
+			saw_xmrc = 1;
+			av++; ac--;
+			fill_iface("recv", &ifu, &byname, ac, *av);
+			rule.fw_in_if = ifu;
+			rule.fw_flg |= IPV6_FW_F_IIFACE;
+			if (byname)
+				rule.fw_flg |= IPV6_FW_F_IIFNAME;
+			av++; ac--; continue;
+		}
+		if (ac && !strncmp(*av,"via",strlen(*av))) {
+			union ip6_fw_if ifu;
+			int byname = 0;
+
+			if (saw_xmrc)
+				goto badviacombo;
+			saw_via = 1;
+			av++; ac--;
+			fill_iface("via", &ifu, &byname, ac, *av);
+			rule.fw_out_if = rule.fw_in_if = ifu;
+			if (byname)
+				rule.fw_flg |=
+				    (IPV6_FW_F_IIFNAME | IPV6_FW_F_OIFNAME);
+			av++; ac--; continue;
+		}
+		if (!strncmp(*av,"fragment",strlen(*av))) {
+			rule.fw_flg |= IPV6_FW_F_FRAG;
+			av++; ac--; continue;
+		}
+		if (!strncmp(*av,"ipv6options",strlen(*av))) {
+			av++; ac--;
+			if (!ac)
+				show_usage("missing argument"
+				    " for ``ipv6options''");
+			fill_ip6opt(&rule.fw_ip6opt, &rule.fw_ip6nopt, av);
+			av++; ac--; continue;
+		}
+		if (rule.fw_prot == IPPROTO_TCP) {
+			if (!strncmp(*av,"established",strlen(*av))) {
+				rule.fw_tcpf  |= IPV6_FW_TCPF_ESTAB;
+				av++; ac--; continue;
+			}
+			if (!strncmp(*av,"setup",strlen(*av))) {
+				rule.fw_tcpf  |= IPV6_FW_TCPF_SYN;
+				rule.fw_tcpnf  |= IPV6_FW_TCPF_ACK;
+				av++; ac--; continue;
+			}
+			if (!strncmp(*av,"tcpflags",strlen(*av))) {
+				av++; ac--;
+				if (!ac)
+					show_usage("missing argument"
+					    " for ``tcpflags''");
+				fill_tcpflag(&rule.fw_tcpf, &rule.fw_tcpnf, av);
+				av++; ac--; continue;
+			}
+		}
+		if (rule.fw_prot == IPPROTO_ICMPV6) {
+			if (!strncmp(*av,"icmptypes",strlen(*av))) {
+				av++; ac--;
+				if (!ac)
+					show_usage("missing argument"
+					    " for ``icmptypes''");
+				fill_icmptypes(rule.fw_icmp6types,
+				    av, &rule.fw_flg);
+				av++; ac--; continue;
+			}
+		}
+		show_usage("unknown argument ``%s''", *av);
+	}
+
+	/* No direction specified -> do both directions */
+	if (!(rule.fw_flg & (IPV6_FW_F_OUT|IPV6_FW_F_IN)))
+		rule.fw_flg |= (IPV6_FW_F_OUT|IPV6_FW_F_IN);
+
+	/* Sanity check interface check, but handle "via" case separately */
+	if (saw_via) {
+		if (rule.fw_flg & IPV6_FW_F_IN)
+			rule.fw_flg |= IPV6_FW_F_IIFACE;
+		if (rule.fw_flg & IPV6_FW_F_OUT)
+			rule.fw_flg |= IPV6_FW_F_OIFACE;
+	} else if ((rule.fw_flg & IPV6_FW_F_OIFACE) && (rule.fw_flg & IPV6_FW_F_IN))
+		show_usage("can't check xmit interface of incoming packets");
+
+	/* frag may not be used in conjunction with ports or TCP flags */
+	if (rule.fw_flg & IPV6_FW_F_FRAG) {
+		if (rule.fw_tcpf || rule.fw_tcpnf)
+			show_usage("can't mix 'frag' and tcpflags");
+
+		if (rule.fw_nports)
+			show_usage("can't mix 'frag' and port specifications");
+	}
+
+	if (!do_quiet)
+		show_ip6fw(&rule);
+	i = setsockopt(s, IPPROTO_IPV6, IPV6_FW_ADD, &rule, sizeof rule);
+	if (i)
+		err(1, "setsockopt(%s)", "IPV6_FW_ADD");
+}
+
+static void
+zero (ac, av)
+	int ac;
+	char **av;
+{
+	av++; ac--;
+
+	if (!ac) {
+		/* clear all entries */
+		if (setsockopt(s,IPPROTO_IPV6,IPV6_FW_ZERO,NULL,0)<0)
+			err(1, "setsockopt(%s)", "IPV6_FW_ZERO");
+		if (!do_quiet)
+			printf("Accounting cleared.\n");
+	} else {
+		struct ip6_fw rule;
+		int failed = 0;
+
+		memset(&rule, 0, sizeof rule);
+		while (ac) {
+			/* Rule number */
+			if (isdigit(**av)) {
+				rule.fw_number = atoi(*av); av++; ac--;
+				if (setsockopt(s, IPPROTO_IPV6,
+				    IPV6_FW_ZERO, &rule, sizeof rule)) {
+					warn("rule %u: setsockopt(%s)", rule.fw_number,
+						 "IPV6_FW_ZERO");
+					failed = 1;
+				}
+				else if (!do_quiet)
+					printf("Entry %d cleared\n",
+					    rule.fw_number);
+			} else
+				show_usage("invalid rule number ``%s''", *av);
+		}
+		if (failed != 0)
+			exit(failed);
+	}
+}
+
+int
+ip6fw_main(ac,av)
+	int 	ac;
+	char 	**av;
+{
+	int 		ch;
+	extern int 	optind;
+
+	/* init optind to 1 */
+	optind = 1;
+
+	if ( ac == 1 ) {
+		show_usage(NULL);
+	}
+
+	/* Set the force flag for non-interactive processes */
+	do_force = !isatty(STDIN_FILENO);
+
+	while ((ch = getopt(ac, av ,"afqtN")) != -1)
+	switch(ch) {
+		case 'a':
+			do_acct=1;
+			break;
+		case 'f':
+			do_force=1;
+			break;
+		case 'q':
+			do_quiet=1;
+			break;
+		case 't':
+			do_time=1;
+			break;
+		case 'N':
+	 		do_resolv=1;
+			break;
+		default:
+			show_usage(NULL);
+	}
+
+	ac -= optind;
+	if (*(av+=optind)==NULL) {
+		 show_usage("Bad arguments");
+	}
+
+	if (!strncmp(*av, "add", strlen(*av))) {
+		add(ac,av);
+	} else if (!strncmp(*av, "delete", strlen(*av))) {
+		delete(ac,av);
+	} else if (!strncmp(*av, "flush", strlen(*av))) {
+		int do_flush = 0;
+
+		if ( do_force || do_quiet )
+			do_flush = 1;
+		else {
+			int c;
+
+			/* Ask the user */
+			printf("Are you sure? [yn] ");
+			do {
+                    		fflush(stdout);
+				c = toupper(getc(stdin));
+				while (c != '\n' && getc(stdin) != '\n')
+					if (feof(stdin))
+						return (0);
+			} while (c != 'Y' && c != 'N');
+			printf("\n");
+			if (c == 'Y')
+				do_flush = 1;
+		}
+		if ( do_flush ) {
+			if (setsockopt(s,IPPROTO_IPV6,IPV6_FW_FLUSH,NULL,0) < 0)
+				err(1, "setsockopt(%s)", "IPV6_FW_FLUSH");
+			if (!do_quiet)
+				printf("Flushed all rules.\n");
+		}
+	} else if (!strncmp(*av, "zero", strlen(*av))) {
+		zero(ac,av);
+	} else if (!strncmp(*av, "print", strlen(*av))) {
+		list(--ac,++av);
+	} else if (!strncmp(*av, "list", strlen(*av))) {
+		list(--ac,++av);
+	} else if (!strncmp(*av, "show", strlen(*av))) {
+		do_acct++;
+		list(--ac,++av);
+	} else {
+		show_usage("Bad arguments");
+	}
+	return 0;
+}
+
+int
+main(ac, av)
+	int	ac;
+	char	**av;
+{
+#define	MAX_ARGS	32
+#define	WHITESP		" \t\f\v\n\r"
+	char	buf[BUFSIZ];
+	char	*a, *args[MAX_ARGS];
+	char	linename[10];
+	int 	i;
+	FILE	*f;
+
+	s = socket( AF_INET6, SOCK_RAW, IPPROTO_RAW );
+	if ( s < 0 )
+		err(1, "socket");
+
+	setbuf(stdout,0);
+
+	if (av[1] && !access(av[1], R_OK)) {
+		lineno = 0;
+		if ((f = fopen(av[1], "r")) == NULL)
+			err(1, "fopen: %s", av[1]);
+		while (fgets(buf, BUFSIZ, f)) {
+
+			lineno++;
+			sprintf(linename, "Line %d", lineno);
+			args[0] = linename;
+
+			if (*buf == '#')
+				continue;
+			for (i = 1, a = strtok(buf, WHITESP);
+			    a && i < MAX_ARGS; a = strtok(NULL, WHITESP), i++)
+				args[i] = a;
+			if (i == 1)
+				continue;
+			if (i == MAX_ARGS)
+				errx(1, "%s: too many arguments", linename);
+			args[i] = NULL;
+
+			ip6fw_main(i, args);
+		}
+		fclose(f);
+	} else
+		ip6fw_main(ac,av);
+	return 0;
+}
diff --git a/sbin/ip6fw/sample.sh b/sbin/ip6fw/sample.sh
new file mode 100644
index 0000000..32d7621
--- /dev/null
+++ b/sbin/ip6fw/sample.sh
@@ -0,0 +1,28 @@
+#!/bin/sh -
+# $FreeBSD$
+
+fwcmd=/usr/local/v6/sbin/ip6fw
+
+$fwcmd -f flush
+
+#
+# loopback
+#
+$fwcmd add 1000 pass      all from any to any via lo0
+
+#
+# ND
+#
+# DAD
+$fwcmd add 2000 pass ipv6-icmp from ff02::/16 to ::
+$fwcmd add 2100 pass ipv6-icmp from :: to ff02::/16
+# RS, RA, NS, NA, redirect...
+$fwcmd add 2300 pass ipv6-icmp from fe80::/10 to fe80::/10
+$fwcmd add 2400 pass ipv6-icmp from fe80::/10 to ff02::/16
+
+$fwcmd add 5000 pass tcp from any to any established
+
+# RIPng
+$fwcmd add 6000 pass udp from fe80::/10 521 to ff02::9 521
+
+$fwcmd add 65000 pass log all from any to any
diff --git a/sys/conf/NOTES b/sys/conf/NOTES
index 903f375..c1ad637 100644
--- a/sys/conf/NOTES
+++ b/sys/conf/NOTES
@@ -525,6 +525,10 @@ options 	IPFIREWALL_VERBOSE	#print information about
 options 	IPFIREWALL_FORWARD	#enable transparent proxy support
 options 	IPFIREWALL_VERBOSE_LIMIT=100	#limit verbosity
 options 	IPFIREWALL_DEFAULT_TO_ACCEPT	#allow everything by default
+options 	IPV6FIREWALL		#firewall for IPv6
+options 	IPV6FIREWALL_VERBOSE
+options 	IPV6FIREWALL_VERBOSE_LIMIT=100
+options 	IPV6FIREWALL_DEFAULT_TO_ACCEPT
 options 	IPDIVERT		#divert sockets
 options 	IPFILTER		#ipfilter support
 options 	IPFILTER_LOG		#ipfilter logging
diff --git a/sys/conf/files b/sys/conf/files
index 1df944b..63a2261 100644
--- a/sys/conf/files
+++ b/sys/conf/files
@@ -721,6 +721,7 @@ netinet6/in6.c		optional inet6
 netinet6/in6_cksum.c	optional inet6
 netinet6/in6_gif.c	optional gif inet6
 netinet6/ip6_forward.c	optional inet6
+netinet6/ip6_fw.c	optional inet6
 netinet6/in6_ifattach.c	optional inet6
 netinet6/ip6_input.c	optional inet6
 netinet6/ip6_mroute.c	optional inet6
diff --git a/sys/conf/options b/sys/conf/options
index 2033ead..133869f 100644
--- a/sys/conf/options
+++ b/sys/conf/options
@@ -251,6 +251,10 @@ IPFIREWALL_VERBOSE	opt_ipfw.h
 IPFIREWALL_VERBOSE_LIMIT	opt_ipfw.h
 IPFIREWALL_DEFAULT_TO_ACCEPT	opt_ipfw.h
 IPFIREWALL_FORWARD		opt_ipfw.h
+IPV6FIREWALL		opt_ip6fw.h
+IPV6FIREWALL_VERBOSE	opt_ip6fw.h
+IPV6FIREWALL_VERBOSE_LIMIT	opt_ip6fw.h
+IPV6FIREWALL_DEFAULT_TO_ACCEPT	opt_ip6fw.h
 IPSTEALTH
 IPX			opt_ipx.h
 IPXIP			opt_ipx.h
diff --git a/sys/i386/conf/LINT b/sys/i386/conf/LINT
index 903f375..c1ad637 100644
--- a/sys/i386/conf/LINT
+++ b/sys/i386/conf/LINT
@@ -525,6 +525,10 @@ options 	IPFIREWALL_VERBOSE	#print information about
 options 	IPFIREWALL_FORWARD	#enable transparent proxy support
 options 	IPFIREWALL_VERBOSE_LIMIT=100	#limit verbosity
 options 	IPFIREWALL_DEFAULT_TO_ACCEPT	#allow everything by default
+options 	IPV6FIREWALL		#firewall for IPv6
+options 	IPV6FIREWALL_VERBOSE
+options 	IPV6FIREWALL_VERBOSE_LIMIT=100
+options 	IPV6FIREWALL_DEFAULT_TO_ACCEPT
 options 	IPDIVERT		#divert sockets
 options 	IPFILTER		#ipfilter support
 options 	IPFILTER_LOG		#ipfilter logging
diff --git a/sys/i386/conf/NOTES b/sys/i386/conf/NOTES
index 903f375..c1ad637 100644
--- a/sys/i386/conf/NOTES
+++ b/sys/i386/conf/NOTES
@@ -525,6 +525,10 @@ options 	IPFIREWALL_VERBOSE	#print information about
 options 	IPFIREWALL_FORWARD	#enable transparent proxy support
 options 	IPFIREWALL_VERBOSE_LIMIT=100	#limit verbosity
 options 	IPFIREWALL_DEFAULT_TO_ACCEPT	#allow everything by default
+options 	IPV6FIREWALL		#firewall for IPv6
+options 	IPV6FIREWALL_VERBOSE
+options 	IPV6FIREWALL_VERBOSE_LIMIT=100
+options 	IPV6FIREWALL_DEFAULT_TO_ACCEPT
 options 	IPDIVERT		#divert sockets
 options 	IPFILTER		#ipfilter support
 options 	IPFILTER_LOG		#ipfilter logging
diff --git a/sys/netinet6/ip6_fw.c b/sys/netinet6/ip6_fw.c
new file mode 100644
index 0000000..8fa5838
--- /dev/null
+++ b/sys/netinet6/ip6_fw.c
@@ -0,0 +1,1171 @@
+/*
+ * Copyright (c) 1993 Daniel Boulet
+ * Copyright (c) 1994 Ugen J.S.Antsilevich
+ * Copyright (c) 1996 Alex Nash
+ *
+ * Redistribution and use in source forms, with and without modification,
+ * are permitted provided that this entire comment appears intact.
+ *
+ * Redistribution in binary form may occur without any restrictions.
+ * Obviously, it would be nice if you gave credit where credit is due
+ * but requiring it would be too onerous.
+ *
+ * This software is provided ``AS IS'' without any warranties of any kind.
+ *
+ *	$Id: ip6_fw.c,v 1.7 1999/08/31 12:25:57 shin Exp $
+ * $FreeBSD$
+ */
+
+/*
+ * Implement IPv6 packet firewall
+ */
+
+#include "opt_ip6fw.h"
+
+#include <sys/param.h>
+#include <sys/systm.h>
+#include <sys/malloc.h>
+#include <sys/mbuf.h>
+#include <sys/queue.h>
+#include <sys/kernel.h>
+#include <sys/socket.h>
+#include <sys/socketvar.h>
+#include <sys/time.h>
+#include <net/if.h>
+#include <net/route.h>
+#include <netinet/in_systm.h>
+#include <netinet/in.h>
+#include <netinet/ip.h>
+#include <netinet/in_pcb.h>
+#include <netinet6/in6_var.h>
+#include <netinet6/ip6.h>
+#include <netinet6/icmp6.h>
+#include <netinet6/ip6_fw.h>
+#include <netinet/ip_var.h>
+#include <netinet/tcp.h>
+#include <netinet/tcp_seq.h>
+#include <netinet/tcp_timer.h>
+#include <netinet/tcp_var.h>
+#include <netinet/udp.h>
+
+#include <sys/sysctl.h>
+
+#include <net/net_osdep.h>
+
+MALLOC_DEFINE(M_IP6FW, "Ip6Fw/Ip6Acct", "Ip6Fw/Ip6Acct chain's");
+
+static int fw6_debug = 1;
+#ifdef IPV6FIREWALL_VERBOSE
+static int fw6_verbose = 1;
+#else
+static int fw6_verbose = 0;
+#endif
+#ifdef IPV6FIREWALL_VERBOSE_LIMIT
+static int fw6_verbose_limit = IPV6FIREWALL_VERBOSE_LIMIT;
+#else
+static int fw6_verbose_limit = 0;
+#endif
+
+LIST_HEAD (ip6_fw_head, ip6_fw_chain) ip6_fw_chain;
+
+#ifdef SYSCTL_NODE
+SYSCTL_DECL(_net_inet6_ip6);
+SYSCTL_NODE(_net_inet6_ip6, OID_AUTO, fw, CTLFLAG_RW, 0, "Firewall");
+SYSCTL_INT(_net_inet6_ip6_fw, OID_AUTO, debug, CTLFLAG_RW, &fw6_debug, 0, "");
+SYSCTL_INT(_net_inet6_ip6_fw, OID_AUTO, verbose, CTLFLAG_RW, &fw6_verbose, 0, "");
+SYSCTL_INT(_net_inet6_ip6_fw, OID_AUTO, verbose_limit, CTLFLAG_RW, &fw6_verbose_limit, 0, "");
+#endif
+
+#define	dprintf(a)	if (!fw6_debug); else printf a
+
+#define	print_ip6(a)	printf("[%s]", ip6_sprintf(a))
+
+#define	dprint_ip6(a)	if (!fw6_debug); else print_ip6(a)
+
+static int	add_entry6 __P((struct ip6_fw_head *chainptr, struct ip6_fw *frwl));
+static int	del_entry6 __P((struct ip6_fw_head *chainptr, u_short number));
+static int	zero_entry6 __P((struct mbuf *m));
+static struct ip6_fw *check_ip6fw_struct __P((struct ip6_fw *m));
+static struct ip6_fw *check_ip6fw_mbuf __P((struct mbuf *fw));
+static int	ip6opts_match __P((struct ip6_hdr **ip6, struct ip6_fw *f,
+				   struct mbuf **m,
+				   int *off, int *nxt, u_short *offset));
+static int	port_match6 __P((u_short *portptr, int nports, u_short port,
+				int range_flag));
+static int	tcp6flg_match __P((struct tcphdr *tcp6, struct ip6_fw *f));
+static int	icmp6type_match __P((struct icmp6_hdr *  icmp, struct ip6_fw * f));
+static void	ip6fw_report __P((struct ip6_fw *f, struct ip6_hdr *ip6,
+				struct ifnet *rif, struct ifnet *oif, int off, int nxt));
+
+static int	ip6_fw_chk __P((struct ip6_hdr **pip6,
+			struct ifnet *oif, u_int16_t *cookie, struct mbuf **m));
+static int	ip6_fw_ctl __P((int stage, struct mbuf **mm));
+
+static char err_prefix[] = "ip6_fw_ctl:";
+
+/*
+ * Returns 1 if the port is matched by the vector, 0 otherwise
+ */
+static
+__inline int
+port_match6(u_short *portptr, int nports, u_short port, int range_flag)
+{
+	if (!nports)
+		return 1;
+	if (range_flag) {
+		if (portptr[0] <= port && port <= portptr[1]) {
+			return 1;
+		}
+		nports -= 2;
+		portptr += 2;
+	}
+	while (nports-- > 0) {
+		if (*portptr++ == port) {
+			return 1;
+		}
+	}
+	return 0;
+}
+
+static int
+tcp6flg_match(struct tcphdr *tcp6, struct ip6_fw *f)
+{
+	u_char		flg_set, flg_clr;
+
+	if ((f->fw_tcpf & IPV6_FW_TCPF_ESTAB) &&
+	    (tcp6->th_flags & (IPV6_FW_TCPF_RST | IPV6_FW_TCPF_ACK)))
+		return 1;
+
+	flg_set = tcp6->th_flags & f->fw_tcpf;
+	flg_clr = tcp6->th_flags & f->fw_tcpnf;
+
+	if (flg_set != f->fw_tcpf)
+		return 0;
+	if (flg_clr)
+		return 0;
+
+	return 1;
+}
+
+static int
+icmp6type_match(struct icmp6_hdr *icmp6, struct ip6_fw *f)
+{
+	int type;
+
+	if (!(f->fw_flg & IPV6_FW_F_ICMPBIT))
+		return(1);
+
+	type = icmp6->icmp6_type;
+
+	/* check for matching type in the bitmap */
+	if (type < IPV6_FW_ICMPTYPES_DIM * sizeof(unsigned) * 8 &&
+		(f->fw_icmp6types[type / (sizeof(unsigned) * 8)] &
+		(1U << (type % (8 * sizeof(unsigned))))))
+		return(1);
+
+	return(0); /* no match */
+}
+
+static int
+is_icmp6_query(struct ip6_hdr *ip6, int off)
+{
+	const struct icmp6_hdr *icmp6;
+	int icmp6_type;
+
+	icmp6 = (struct icmp6_hdr *)((caddr_t)ip6 + off);
+	icmp6_type = icmp6->icmp6_type;
+
+	if (icmp6_type == ICMP6_ECHO_REQUEST ||
+	    icmp6_type == ICMP6_MEMBERSHIP_QUERY ||
+	    icmp6_type == ICMP6_WRUREQUEST ||
+	    icmp6_type == ICMP6_FQDN_QUERY ||
+	    icmp6_type == ICMP6_NI_QUERY)
+		return(1);
+
+	return(0);
+}
+
+static int
+ip6opts_match(struct ip6_hdr **pip6, struct ip6_fw *f, struct mbuf **m,
+	      int *off, int *nxt, u_short *offset)
+{
+	int len;
+	struct ip6_hdr *ip6 = *pip6;
+	struct ip6_ext *ip6e;
+	u_char	opts, nopts, nopts_sve;
+
+	opts = f->fw_ip6opt;
+	nopts = nopts_sve = f->fw_ip6nopt;
+
+	*nxt = ip6->ip6_nxt;
+	*off = sizeof(struct ip6_hdr);
+	len = ntohs(ip6->ip6_plen) + sizeof(struct ip6_hdr);
+	while (*off < len) {
+		ip6e = (struct ip6_ext *)((caddr_t) ip6 + *off);
+		if ((*m)->m_len < *off + sizeof(*ip6e))
+			goto opts_check;	/* XXX */
+
+		switch(*nxt) {
+		case IPPROTO_FRAGMENT:
+			if ((*m)->m_len < *off + sizeof(struct ip6_frag)) {
+				struct ip6_frag *ip6f;
+
+				ip6f = (struct ip6_frag *) ((caddr_t)ip6 + *off);
+				*offset = ip6f->ip6f_offlg | IP6F_OFF_MASK;
+			}
+			opts &= ~IPV6_FW_IP6OPT_FRAG;
+			nopts &= ~IPV6_FW_IP6OPT_FRAG;
+			*off += sizeof(struct ip6_frag);
+			break;
+		case IPPROTO_AH:
+			opts &= ~IPV6_FW_IP6OPT_AH;
+			nopts &= ~IPV6_FW_IP6OPT_AH;
+			*off += (ip6e->ip6e_len + 2) << 2;
+			break;
+		default:
+			switch (*nxt) {
+			case IPPROTO_HOPOPTS:
+				opts &= ~IPV6_FW_IP6OPT_HOPOPT;
+				nopts &= ~IPV6_FW_IP6OPT_HOPOPT;
+				break;
+			case IPPROTO_ROUTING:
+				opts &= ~IPV6_FW_IP6OPT_ROUTE;
+				nopts &= ~IPV6_FW_IP6OPT_ROUTE;
+				break;
+			case IPPROTO_ESP:
+				opts &= ~IPV6_FW_IP6OPT_ESP;
+				nopts &= ~IPV6_FW_IP6OPT_ESP;
+				break;
+			case IPPROTO_NONE:
+				opts &= ~IPV6_FW_IP6OPT_NONXT;
+				nopts &= ~IPV6_FW_IP6OPT_NONXT;
+				goto opts_check;
+				break;
+			case IPPROTO_DSTOPTS:
+				opts &= ~IPV6_FW_IP6OPT_OPTS;
+				nopts &= ~IPV6_FW_IP6OPT_OPTS;
+				break;
+			default:
+				goto opts_check;
+				break;
+			}
+			*off += (ip6e->ip6e_len + 1) << 3;
+			break;
+		}
+		*nxt = ip6e->ip6e_nxt;
+
+	}
+ opts_check:
+	if (f->fw_ip6opt == f->fw_ip6nopt)	/* XXX */
+		return 1;
+
+	if (opts == 0 && nopts == nopts_sve)
+		return 1;
+	else
+		return 0;
+}
+
+static
+__inline int
+iface_match(struct ifnet *ifp, union ip6_fw_if *ifu, int byname)
+{
+	/* Check by name or by IP address */
+	if (byname) {
+		/* Check unit number (-1 is wildcard) */
+		if (ifu->fu_via_if.unit != -1
+		    && ifp->if_unit != ifu->fu_via_if.unit)
+			return(0);
+		/* Check name */
+		if (strncmp(ifp->if_name, ifu->fu_via_if.name, FW_IFNLEN))
+			return(0);
+		return(1);
+	} else if (!IN6_IS_ADDR_UNSPECIFIED(&ifu->fu_via_ip6)) {	/* Zero == wildcard */
+		struct ifaddr *ia;
+
+		for (ia = ifp->if_addrlist.tqh_first; ia; ia = ia->ifa_list.tqe_next)
+		{
+
+			if (ia->ifa_addr == NULL)
+				continue;
+			if (ia->ifa_addr->sa_family != AF_INET6)
+				continue;
+			if (!IN6_ARE_ADDR_EQUAL(&ifu->fu_via_ip6,
+			    &(((struct sockaddr_in6 *)
+			    (ia->ifa_addr))->sin6_addr)))
+				continue;
+			return(1);
+		}
+		return(0);
+	}
+	return(1);
+}
+
+static void
+ip6fw_report(struct ip6_fw *f, struct ip6_hdr *ip6,
+	struct ifnet *rif, struct ifnet *oif, int off, int nxt)
+{
+	static int counter;
+	struct tcphdr *const tcp6 = (struct tcphdr *) ((caddr_t) ip6+ off);
+	struct udphdr *const udp = (struct udphdr *) ((caddr_t) ip6+ off);
+	struct icmp6_hdr *const icmp6 = (struct icmp6_hdr *) ((caddr_t) ip6+ off);
+	int count;
+
+	count = f ? f->fw_pcnt : ++counter;
+	if (fw6_verbose_limit != 0 && count > fw6_verbose_limit)
+		return;
+
+	/* Print command name */
+	printf("ip6fw: %d ", f ? f->fw_number : -1);
+	if (!f)
+		printf("Refuse");
+	else
+		switch (f->fw_flg & IPV6_FW_F_COMMAND) {
+		case IPV6_FW_F_DENY:
+			printf("Deny");
+			break;
+		case IPV6_FW_F_REJECT:
+			if (f->fw_reject_code == IPV6_FW_REJECT_RST)
+				printf("Reset");
+			else
+				printf("Unreach");
+			break;
+		case IPV6_FW_F_ACCEPT:
+			printf("Accept");
+			break;
+		case IPV6_FW_F_COUNT:
+			printf("Count");
+			break;
+		case IPV6_FW_F_DIVERT:
+			printf("Divert %d", f->fw_divert_port);
+			break;
+		case IPV6_FW_F_TEE:
+			printf("Tee %d", f->fw_divert_port);
+			break;
+		case IPV6_FW_F_SKIPTO:
+			printf("SkipTo %d", f->fw_skipto_rule);
+			break;
+		default:
+			printf("UNKNOWN");
+			break;
+		}
+	printf(" ");
+
+	switch (nxt) {
+	case IPPROTO_TCP:
+		printf("TCP ");
+		print_ip6(&ip6->ip6_src);
+		if (off > 0)
+			printf(":%d ", ntohs(tcp6->th_sport));
+		else
+			printf(" ");
+		print_ip6(&ip6->ip6_dst);
+		if (off > 0)
+			printf(":%d", ntohs(tcp6->th_dport));
+		break;
+	case IPPROTO_UDP:
+		printf("UDP ");
+		print_ip6(&ip6->ip6_src);
+		if (off > 0)
+			printf(":%d ", ntohs(udp->uh_sport));
+		else
+			printf(" ");
+		print_ip6(&ip6->ip6_dst);
+		if (off > 0)
+			printf(":%d", ntohs(udp->uh_dport));
+		break;
+	case IPPROTO_ICMPV6:
+		if (off > 0)
+			printf("IPV6-ICMP:%u.%u ", icmp6->icmp6_type, icmp6->icmp6_code);
+		else
+			printf("IPV6-ICMP ");
+		print_ip6(&ip6->ip6_src);
+		printf(" ");
+		print_ip6(&ip6->ip6_dst);
+		break;
+	default:
+		printf("P:%d ", nxt);
+		print_ip6(&ip6->ip6_src);
+		printf(" ");
+		print_ip6(&ip6->ip6_dst);
+		break;
+	}
+	if (oif)
+		printf(" out via %s", if_name(oif));
+	else if (rif)
+		printf(" in via %s", if_name(rif));
+	printf("\n");
+	if (fw6_verbose_limit != 0 && count == fw6_verbose_limit)
+		printf("ip6fw: limit reached on rule #%d\n",
+		f ? f->fw_number : -1);
+}
+
+/*
+ * Parameters:
+ *
+ *	ip	Pointer to packet header (struct ip6_hdr *)
+ *	hlen	Packet header length
+ *	oif	Outgoing interface, or NULL if packet is incoming
+ * #ifndef IP6FW_DIVERT_RESTART
+ *	*cookie	Ignore all divert/tee rules to this port (if non-zero)
+ * #else
+ *	*cookie Skip up to the first rule past this rule number;
+ * #endif
+ *	*m	The packet; we set to NULL when/if we nuke it.
+ *
+ * Return value:
+ *
+ *	0	The packet is to be accepted and routed normally OR
+ *      	the packet was denied/rejected and has been dropped;
+ *		in the latter case, *m is equal to NULL upon return.
+ *	port	Divert the packet to port.
+ */
+
+static int
+ip6_fw_chk(struct ip6_hdr **pip6,
+	struct ifnet *oif, u_int16_t *cookie, struct mbuf **m)
+{
+	struct ip6_fw_chain *chain;
+	struct ip6_fw *rule = NULL;
+	struct ip6_hdr *ip6 = *pip6;
+	struct ifnet *const rif = (*m)->m_pkthdr.rcvif;
+	u_short offset = 0;
+	int off = sizeof(struct ip6_hdr), nxt = ip6->ip6_nxt;
+	u_short src_port, dst_port;
+#ifdef	IP6FW_DIVERT_RESTART
+	u_int16_t skipto = *cookie;
+#else
+	u_int16_t ignport = ntohs(*cookie);
+#endif
+
+	*cookie = 0;
+	/*
+	 * Go down the chain, looking for enlightment
+	 * #ifdef IP6FW_DIVERT_RESTART
+	 * If we've been asked to start at a given rule immediatly, do so.
+	 * #endif
+	 */
+	chain = LIST_FIRST(&ip6_fw_chain);
+#ifdef IP6FW_DIVERT_RESTART
+	if (skipto) {
+		if (skipto >= 65535)
+			goto dropit;
+		while (chain && (chain->rule->fw_number <= skipto)) {
+			chain = LIST_NEXT(chain, chain);
+		}
+		if (! chain) goto dropit;
+	}
+#endif /* IP6FW_DIVERT_RESTART */
+	for (; chain; chain = LIST_NEXT(chain, chain)) {
+		register struct ip6_fw *const f = chain->rule;
+
+		if (oif) {
+			/* Check direction outbound */
+			if (!(f->fw_flg & IPV6_FW_F_OUT))
+				continue;
+		} else {
+			/* Check direction inbound */
+			if (!(f->fw_flg & IPV6_FW_F_IN))
+				continue;
+		}
+
+#define	IN6_ARE_ADDR_MASKEQUAL(x,y,z) (\
+	(((x)->s6_addr32[0] & (y)->s6_addr32[0]) == (z)->s6_addr32[0]) && \
+	(((x)->s6_addr32[1] & (y)->s6_addr32[1]) == (z)->s6_addr32[1]) && \
+	(((x)->s6_addr32[2] & (y)->s6_addr32[2]) == (z)->s6_addr32[2]) && \
+	(((x)->s6_addr32[3] & (y)->s6_addr32[3]) == (z)->s6_addr32[3]))
+
+		/* If src-addr doesn't match, not this rule. */
+		if (((f->fw_flg & IPV6_FW_F_INVSRC) != 0) ^
+			(!IN6_ARE_ADDR_MASKEQUAL(&ip6->ip6_src,&f->fw_smsk,&f->fw_src)))
+			continue;
+
+		/* If dest-addr doesn't match, not this rule. */
+		if (((f->fw_flg & IPV6_FW_F_INVDST) != 0) ^
+			(!IN6_ARE_ADDR_MASKEQUAL(&ip6->ip6_dst,&f->fw_dmsk,&f->fw_dst)))
+			continue;
+
+#undef IN6_ARE_ADDR_MASKEQUAL
+		/* Interface check */
+		if ((f->fw_flg & IF6_FW_F_VIAHACK) == IF6_FW_F_VIAHACK) {
+			struct ifnet *const iface = oif ? oif : rif;
+
+			/* Backwards compatibility hack for "via" */
+			if (!iface || !iface_match(iface,
+			    &f->fw_in_if, f->fw_flg & IPV6_FW_F_OIFNAME))
+				continue;
+		} else {
+			/* Check receive interface */
+			if ((f->fw_flg & IPV6_FW_F_IIFACE)
+			    && (!rif || !iface_match(rif,
+			      &f->fw_in_if, f->fw_flg & IPV6_FW_F_IIFNAME)))
+				continue;
+			/* Check outgoing interface */
+			if ((f->fw_flg & IPV6_FW_F_OIFACE)
+			    && (!oif || !iface_match(oif,
+			      &f->fw_out_if, f->fw_flg & IPV6_FW_F_OIFNAME)))
+				continue;
+		}
+
+		/* Check IP options */
+		if (!ip6opts_match(&ip6, f, m, &off, &nxt, &offset))
+			continue;
+
+		/* Fragments */
+		if ((f->fw_flg & IPV6_FW_F_FRAG) && !offset)
+			continue;
+
+		/* Check protocol; if wildcard, match */
+		if (f->fw_prot == IPPROTO_IPV6)
+			goto got_match;
+
+		/* If different, don't match */
+		if (nxt != f->fw_prot)
+			continue;
+
+#define	PULLUP_TO(len)	do {						\
+			    if ((*m)->m_len < (len)			\
+				&& (*m = m_pullup(*m, (len))) == 0) {	\
+				    goto dropit;			\
+			    }						\
+			    *pip6 = ip6 = mtod(*m, struct ip6_hdr *);	\
+			} while (0)
+
+		/* Protocol specific checks */
+		switch (nxt) {
+		case IPPROTO_TCP:
+		    {
+			struct tcphdr *tcp6;
+
+			if (offset == 1) {	/* cf. RFC 1858 */
+				PULLUP_TO(off + 4); /* XXX ? */
+				goto bogusfrag;
+			}
+			if (offset != 0) {
+				/*
+				 * TCP flags and ports aren't available in this
+				 * packet -- if this rule specified either one,
+				 * we consider the rule a non-match.
+				 */
+				if (f->fw_nports != 0 ||
+				    f->fw_tcpf != f->fw_tcpnf)
+					continue;
+
+				break;
+			}
+			PULLUP_TO(off + 14);
+			tcp6 = (struct tcphdr *) ((caddr_t)ip6 + off);
+			if (f->fw_tcpf != f->fw_tcpnf && !tcp6flg_match(tcp6, f))
+				continue;
+			src_port = ntohs(tcp6->th_sport);
+			dst_port = ntohs(tcp6->th_dport);
+			goto check_ports;
+		    }
+
+		case IPPROTO_UDP:
+		    {
+			struct udphdr *udp;
+
+			if (offset != 0) {
+				/*
+				 * Port specification is unavailable -- if this
+				 * rule specifies a port, we consider the rule
+				 * a non-match.
+				 */
+				if (f->fw_nports != 0)
+					continue;
+
+				break;
+			}
+			PULLUP_TO(off + 4);
+			udp = (struct udphdr *) ((caddr_t)ip6 + off);
+			src_port = ntohs(udp->uh_sport);
+			dst_port = ntohs(udp->uh_dport);
+check_ports:
+			if (!port_match6(&f->fw_pts[0],
+			    IPV6_FW_GETNSRCP(f), src_port,
+			    f->fw_flg & IPV6_FW_F_SRNG))
+				continue;
+			if (!port_match6(&f->fw_pts[IPV6_FW_GETNSRCP(f)],
+			    IPV6_FW_GETNDSTP(f), dst_port,
+			    f->fw_flg & IPV6_FW_F_DRNG))
+				continue;
+			break;
+		    }
+
+		case IPPROTO_ICMPV6:
+		    {
+			struct icmp6_hdr *icmp;
+
+			if (offset != 0)	/* Type isn't valid */
+				break;
+			PULLUP_TO(off + 2);
+			icmp = (struct icmp6_hdr *) ((caddr_t)ip6 + off);
+			if (!icmp6type_match(icmp, f))
+				continue;
+			break;
+		    }
+#undef PULLUP_TO
+
+bogusfrag:
+			if (fw6_verbose)
+				ip6fw_report(NULL, ip6, rif, oif, off, nxt);
+			goto dropit;
+		}
+
+got_match:
+#ifndef IP6FW_DIVERT_RESTART
+		/* Ignore divert/tee rule if socket port is "ignport" */
+		switch (f->fw_flg & IPV6_FW_F_COMMAND) {
+		case IPV6_FW_F_DIVERT:
+		case IPV6_FW_F_TEE:
+			if (f->fw_divert_port == ignport)
+				continue;       /* ignore this rule */
+			break;
+		}
+
+#endif /* IP6FW_DIVERT_RESTART */
+		/* Update statistics */
+		f->fw_pcnt += 1;
+		f->fw_bcnt += ntohs(ip6->ip6_plen);
+		f->timestamp = time_second;
+
+		/* Log to console if desired */
+		if ((f->fw_flg & IPV6_FW_F_PRN) && fw6_verbose)
+			ip6fw_report(f, ip6, rif, oif, off, nxt);
+
+		/* Take appropriate action */
+		switch (f->fw_flg & IPV6_FW_F_COMMAND) {
+		case IPV6_FW_F_ACCEPT:
+			return(0);
+		case IPV6_FW_F_COUNT:
+			continue;
+		case IPV6_FW_F_DIVERT:
+#ifdef IP6FW_DIVERT_RESTART
+			*cookie = f->fw_number;
+#else
+			*cookie = htons(f->fw_divert_port);
+#endif /* IP6FW_DIVERT_RESTART */
+			return(f->fw_divert_port);
+		case IPV6_FW_F_TEE:
+			/*
+			 * XXX someday tee packet here, but beware that you
+			 * can't use m_copym() or m_copypacket() because
+			 * the divert input routine modifies the mbuf
+			 * (and these routines only increment reference
+			 * counts in the case of mbuf clusters), so need
+			 * to write custom routine.
+			 */
+			continue;
+		case IPV6_FW_F_SKIPTO:
+#ifdef DIAGNOSTIC
+			while (chain->chain.le_next
+			    && chain->chain.le_next->rule->fw_number
+				< f->fw_skipto_rule)
+#else
+			while (chain->chain.le_next->rule->fw_number
+			    < f->fw_skipto_rule)
+#endif
+				chain = chain->chain.le_next;
+			continue;
+		}
+
+		/* Deny/reject this packet using this rule */
+		rule = f;
+		break;
+	}
+
+#ifdef DIAGNOSTIC
+	/* Rule 65535 should always be there and should always match */
+	if (!chain)
+		panic("ip6_fw: chain");
+#endif
+
+	/*
+	 * At this point, we're going to drop the packet.
+	 * Send a reject notice if all of the following are true:
+	 *
+	 * - The packet matched a reject rule
+	 * - The packet is not an ICMP packet, or is an ICMP query packet
+	 * - The packet is not a multicast or broadcast packet
+	 */
+	if ((rule->fw_flg & IPV6_FW_F_COMMAND) == IPV6_FW_F_REJECT
+	    && (nxt != IPPROTO_ICMPV6 || is_icmp6_query(ip6, off))
+	    && !((*m)->m_flags & (M_BCAST|M_MCAST))
+	    && !IN6_IS_ADDR_MULTICAST(&ip6->ip6_dst)) {
+		switch (rule->fw_reject_code) {
+		case IPV6_FW_REJECT_RST:
+		  {
+			struct tcphdr *const tcp =
+				(struct tcphdr *) ((caddr_t)ip6 + off);
+			struct {
+				struct ip6_hdr ip6;
+				struct tcphdr th;
+			} ti;
+			tcp_seq ack, seq;
+			int flags;
+
+			if (offset != 0 || (tcp->th_flags & TH_RST))
+				break;
+
+			ti.ip6 = *ip6;
+			ti.th = *tcp;
+			NTOHL(ti.th.th_seq);
+			NTOHL(ti.th.th_ack);
+			ti.ip6.ip6_nxt = IPPROTO_TCP;
+			if (ti.th.th_flags & TH_ACK) {
+				ack = 0;
+				seq = ti.th.th_ack;
+				flags = TH_RST;
+			} else {
+				ack = ti.th.th_seq;
+				if (((*m)->m_flags & M_PKTHDR) != 0) {
+					ack += (*m)->m_pkthdr.len - off
+						- (ti.th.th_off << 2);
+				} else if (ip6->ip6_plen) {
+					ack += ntohs(ip6->ip6_plen) + sizeof(*ip6)
+						- off - (ti.th.th_off << 2);
+				} else {
+					m_freem(*m);
+					*m = 0;
+					break;
+				}
+				seq = 0;
+				flags = TH_RST|TH_ACK;
+			}
+			bcopy(&ti, ip6, sizeof(ti));
+			m_freem(*m);
+			*m = NULL;
+			break;
+		  }
+		default:	/* Send an ICMP unreachable using code */
+			icmp6_error(*m, ICMP6_DST_UNREACH,
+			    rule->fw_reject_code, 0);
+			*m = NULL;
+			break;
+		}
+	}
+
+dropit:
+	/*
+	 * Finally, drop the packet.
+	 */
+	if (*m) {
+		m_freem(*m);
+		*m = NULL;
+	}
+	return(0);
+}
+
+static int
+add_entry6(struct ip6_fw_head *chainptr, struct ip6_fw *frwl)
+{
+	struct ip6_fw *ftmp = 0;
+	struct ip6_fw_chain *fwc = 0, *fcp, *fcpl = 0;
+	u_short nbr = 0;
+	int s;
+
+	fwc = malloc(sizeof *fwc, M_IP6FW, M_DONTWAIT);
+	ftmp = malloc(sizeof *ftmp, M_IP6FW, M_DONTWAIT);
+	if (!fwc || !ftmp) {
+		dprintf(("%s malloc said no\n", err_prefix));
+		if (fwc)  free(fwc, M_IP6FW);
+		if (ftmp) free(ftmp, M_IP6FW);
+		return (ENOSPC);
+	}
+
+	bcopy(frwl, ftmp, sizeof(struct ip6_fw));
+	ftmp->fw_in_if.fu_via_if.name[FW_IFNLEN - 1] = '\0';
+	ftmp->fw_pcnt = 0L;
+	ftmp->fw_bcnt = 0L;
+	fwc->rule = ftmp;
+
+	s = splnet();
+
+	if (!chainptr->lh_first) {
+		LIST_INSERT_HEAD(chainptr, fwc, chain);
+		splx(s);
+		return(0);
+        } else if (ftmp->fw_number == (u_short)-1) {
+		if (fwc)  free(fwc, M_IP6FW);
+		if (ftmp) free(ftmp, M_IP6FW);
+		splx(s);
+		dprintf(("%s bad rule number\n", err_prefix));
+		return (EINVAL);
+        }
+
+	/* If entry number is 0, find highest numbered rule and add 100 */
+	if (ftmp->fw_number == 0) {
+		for (fcp = chainptr->lh_first; fcp; fcp = fcp->chain.le_next) {
+			if (fcp->rule->fw_number != (u_short)-1)
+				nbr = fcp->rule->fw_number;
+			else
+				break;
+		}
+		if (nbr < (u_short)-1 - 100)
+			nbr += 100;
+		ftmp->fw_number = nbr;
+	}
+
+	/* Got a valid number; now insert it, keeping the list ordered */
+	for (fcp = chainptr->lh_first; fcp; fcp = fcp->chain.le_next) {
+		if (fcp->rule->fw_number > ftmp->fw_number) {
+			if (fcpl) {
+				LIST_INSERT_AFTER(fcpl, fwc, chain);
+			} else {
+				LIST_INSERT_HEAD(chainptr, fwc, chain);
+			}
+			break;
+		} else {
+			fcpl = fcp;
+		}
+	}
+
+	splx(s);
+	return (0);
+}
+
+static int
+del_entry6(struct ip6_fw_head *chainptr, u_short number)
+{
+	struct ip6_fw_chain *fcp;
+	int s;
+
+	s = splnet();
+
+	fcp = chainptr->lh_first;
+	if (number != (u_short)-1) {
+		for (; fcp; fcp = fcp->chain.le_next) {
+			if (fcp->rule->fw_number == number) {
+				LIST_REMOVE(fcp, chain);
+				splx(s);
+				free(fcp->rule, M_IP6FW);
+				free(fcp, M_IP6FW);
+				return 0;
+			}
+		}
+	}
+
+	splx(s);
+	return (EINVAL);
+}
+
+static int
+zero_entry6(struct mbuf *m)
+{
+	struct ip6_fw *frwl;
+	struct ip6_fw_chain *fcp;
+	int s;
+
+	if (m) {
+		if (m->m_len != sizeof(struct ip6_fw))
+			return(EINVAL);
+		frwl = mtod(m, struct ip6_fw *);
+	}
+	else
+		frwl = NULL;
+
+	/*
+	 *	It's possible to insert multiple chain entries with the
+	 *	same number, so we don't stop after finding the first
+	 *	match if zeroing a specific entry.
+	 */
+	s = splnet();
+	for (fcp = ip6_fw_chain.lh_first; fcp; fcp = fcp->chain.le_next)
+		if (!frwl || frwl->fw_number == fcp->rule->fw_number) {
+			fcp->rule->fw_bcnt = fcp->rule->fw_pcnt = 0;
+			fcp->rule->timestamp = 0;
+		}
+	splx(s);
+
+	if (fw6_verbose) {
+		if (frwl)
+			printf("ip6fw: Entry %d cleared.\n", frwl->fw_number);
+		else
+			printf("ip6fw: Accounting cleared.\n");
+	}
+
+	return(0);
+}
+
+static struct ip6_fw *
+check_ip6fw_mbuf(struct mbuf *m)
+{
+	/* Check length */
+	if (m->m_len != sizeof(struct ip6_fw)) {
+		dprintf(("%s len=%d, want %d\n", err_prefix, m->m_len,
+		    sizeof(struct ip6_fw)));
+		return (NULL);
+	}
+	return(check_ip6fw_struct(mtod(m, struct ip6_fw *)));
+}
+
+static struct ip6_fw *
+check_ip6fw_struct(struct ip6_fw *frwl)
+{
+	/* Check for invalid flag bits */
+	if ((frwl->fw_flg & ~IPV6_FW_F_MASK) != 0) {
+		dprintf(("%s undefined flag bits set (flags=%x)\n",
+		    err_prefix, frwl->fw_flg));
+		return (NULL);
+	}
+	/* Must apply to incoming or outgoing (or both) */
+	if (!(frwl->fw_flg & (IPV6_FW_F_IN | IPV6_FW_F_OUT))) {
+		dprintf(("%s neither in nor out\n", err_prefix));
+		return (NULL);
+	}
+	/* Empty interface name is no good */
+	if (((frwl->fw_flg & IPV6_FW_F_IIFNAME)
+	      && !*frwl->fw_in_if.fu_via_if.name)
+	    || ((frwl->fw_flg & IPV6_FW_F_OIFNAME)
+	      && !*frwl->fw_out_if.fu_via_if.name)) {
+		dprintf(("%s empty interface name\n", err_prefix));
+		return (NULL);
+	}
+	/* Sanity check interface matching */
+	if ((frwl->fw_flg & IF6_FW_F_VIAHACK) == IF6_FW_F_VIAHACK) {
+		;		/* allow "via" backwards compatibility */
+	} else if ((frwl->fw_flg & IPV6_FW_F_IN)
+	    && (frwl->fw_flg & IPV6_FW_F_OIFACE)) {
+		dprintf(("%s outgoing interface check on incoming\n",
+		    err_prefix));
+		return (NULL);
+	}
+	/* Sanity check port ranges */
+	if ((frwl->fw_flg & IPV6_FW_F_SRNG) && IPV6_FW_GETNSRCP(frwl) < 2) {
+		dprintf(("%s src range set but n_src_p=%d\n",
+		    err_prefix, IPV6_FW_GETNSRCP(frwl)));
+		return (NULL);
+	}
+	if ((frwl->fw_flg & IPV6_FW_F_DRNG) && IPV6_FW_GETNDSTP(frwl) < 2) {
+		dprintf(("%s dst range set but n_dst_p=%d\n",
+		    err_prefix, IPV6_FW_GETNDSTP(frwl)));
+		return (NULL);
+	}
+	if (IPV6_FW_GETNSRCP(frwl) + IPV6_FW_GETNDSTP(frwl) > IPV6_FW_MAX_PORTS) {
+		dprintf(("%s too many ports (%d+%d)\n",
+		    err_prefix, IPV6_FW_GETNSRCP(frwl), IPV6_FW_GETNDSTP(frwl)));
+		return (NULL);
+	}
+	/*
+	 *	Protocols other than TCP/UDP don't use port range
+	 */
+	if ((frwl->fw_prot != IPPROTO_TCP) &&
+	    (frwl->fw_prot != IPPROTO_UDP) &&
+	    (IPV6_FW_GETNSRCP(frwl) || IPV6_FW_GETNDSTP(frwl))) {
+		dprintf(("%s port(s) specified for non TCP/UDP rule\n",
+		    err_prefix));
+		return(NULL);
+	}
+
+	/*
+	 *	Rather than modify the entry to make such entries work,
+	 *	we reject this rule and require user level utilities
+	 *	to enforce whatever policy they deem appropriate.
+	 */
+	if ((frwl->fw_src.s6_addr32[0] & (~frwl->fw_smsk.s6_addr32[0])) ||
+		(frwl->fw_src.s6_addr32[1] & (~frwl->fw_smsk.s6_addr32[1])) ||
+		(frwl->fw_src.s6_addr32[2] & (~frwl->fw_smsk.s6_addr32[2])) ||
+		(frwl->fw_src.s6_addr32[3] & (~frwl->fw_smsk.s6_addr32[3])) ||
+		(frwl->fw_dst.s6_addr32[0] & (~frwl->fw_dmsk.s6_addr32[0])) ||
+		(frwl->fw_dst.s6_addr32[1] & (~frwl->fw_dmsk.s6_addr32[1])) ||
+		(frwl->fw_dst.s6_addr32[2] & (~frwl->fw_dmsk.s6_addr32[2])) ||
+		(frwl->fw_dst.s6_addr32[3] & (~frwl->fw_dmsk.s6_addr32[3]))) {
+		dprintf(("%s rule never matches\n", err_prefix));
+		return(NULL);
+	}
+
+	if ((frwl->fw_flg & IPV6_FW_F_FRAG) &&
+		(frwl->fw_prot == IPPROTO_UDP || frwl->fw_prot == IPPROTO_TCP)) {
+		if (frwl->fw_nports) {
+			dprintf(("%s cannot mix 'frag' and ports\n", err_prefix));
+			return(NULL);
+		}
+		if (frwl->fw_prot == IPPROTO_TCP &&
+			frwl->fw_tcpf != frwl->fw_tcpnf) {
+			dprintf(("%s cannot mix 'frag' with TCP flags\n", err_prefix));
+			return(NULL);
+		}
+	}
+
+	/* Check command specific stuff */
+	switch (frwl->fw_flg & IPV6_FW_F_COMMAND)
+	{
+	case IPV6_FW_F_REJECT:
+		if (frwl->fw_reject_code >= 0x100
+		    && !(frwl->fw_prot == IPPROTO_TCP
+		      && frwl->fw_reject_code == IPV6_FW_REJECT_RST)) {
+			dprintf(("%s unknown reject code\n", err_prefix));
+			return(NULL);
+		}
+		break;
+	case IPV6_FW_F_DIVERT:		/* Diverting to port zero is invalid */
+	case IPV6_FW_F_TEE:
+		if (frwl->fw_divert_port == 0) {
+			dprintf(("%s can't divert to port 0\n", err_prefix));
+			return (NULL);
+		}
+		break;
+	case IPV6_FW_F_DENY:
+	case IPV6_FW_F_ACCEPT:
+	case IPV6_FW_F_COUNT:
+	case IPV6_FW_F_SKIPTO:
+		break;
+	default:
+		dprintf(("%s invalid command\n", err_prefix));
+		return(NULL);
+	}
+
+	return frwl;
+}
+
+static int
+ip6_fw_ctl(int stage, struct mbuf **mm)
+{
+	int error;
+	struct mbuf *m;
+
+	if (stage == IPV6_FW_GET) {
+		struct ip6_fw_chain *fcp = ip6_fw_chain.lh_first;
+		*mm = m = m_get(M_WAIT, MT_DATA); /* XXX */
+		if (!m)
+			return(ENOBUFS);
+		if (sizeof *(fcp->rule) > MLEN) {
+			MCLGET(m, M_WAIT);
+			if ((m->m_flags & M_EXT) == 0) {
+				m_free(m);
+				return(ENOBUFS);
+			}
+		}
+		for (; fcp; fcp = fcp->chain.le_next) {
+			memcpy(m->m_data, fcp->rule, sizeof *(fcp->rule));
+			m->m_len = sizeof *(fcp->rule);
+			m->m_next = m_get(M_WAIT, MT_DATA); /* XXX */
+			if (!m->m_next) {
+				m_freem(*mm);
+				return(ENOBUFS);
+			}
+			m = m->m_next;
+			if (sizeof *(fcp->rule) > MLEN) {
+				MCLGET(m, M_WAIT);
+				if ((m->m_flags & M_EXT) == 0) {
+					m_freem(*mm);
+					return(ENOBUFS);
+				}
+			}
+			m->m_len = 0;
+		}
+		return (0);
+	}
+	m = *mm;
+	/* only allow get calls if secure mode > 2 */
+	if (securelevel > 2) {
+		if (m) {
+			(void)m_freem(m);
+			*mm = 0;
+		}
+		return(EPERM);
+	}
+	if (stage == IPV6_FW_FLUSH) {
+		while (ip6_fw_chain.lh_first != NULL &&
+		    ip6_fw_chain.lh_first->rule->fw_number != (u_short)-1) {
+			struct ip6_fw_chain *fcp = ip6_fw_chain.lh_first;
+			int s = splnet();
+			LIST_REMOVE(ip6_fw_chain.lh_first, chain);
+			splx(s);
+			free(fcp->rule, M_IP6FW);
+			free(fcp, M_IP6FW);
+		}
+		if (m) {
+			(void)m_freem(m);
+			*mm = 0;
+		}
+		return (0);
+	}
+	if (stage == IPV6_FW_ZERO) {
+		error = zero_entry6(m);
+		if (m) {
+			(void)m_freem(m);
+			*mm = 0;
+		}
+		return (error);
+	}
+	if (m == NULL) {
+		printf("%s NULL mbuf ptr\n", err_prefix);
+		return (EINVAL);
+	}
+
+	if (stage == IPV6_FW_ADD) {
+		struct ip6_fw *frwl = check_ip6fw_mbuf(m);
+
+		if (!frwl)
+			error = EINVAL;
+		else
+			error = add_entry6(&ip6_fw_chain, frwl);
+		if (m) {
+			(void)m_freem(m);
+			*mm = 0;
+		}
+		return error;
+	}
+	if (stage == IPV6_FW_DEL) {
+		if (m->m_len != sizeof(struct ip6_fw)) {
+			dprintf(("%s len=%d, want %d\n", err_prefix, m->m_len,
+			    sizeof(struct ip6_fw)));
+			error = EINVAL;
+		} else if (mtod(m, struct ip6_fw *)->fw_number == (u_short)-1) {
+			dprintf(("%s can't delete rule 65535\n", err_prefix));
+			error = EINVAL;
+		} else
+			error = del_entry6(&ip6_fw_chain,
+			    mtod(m, struct ip6_fw *)->fw_number);
+		if (m) {
+			(void)m_freem(m);
+			*mm = 0;
+		}
+		return error;
+	}
+
+	dprintf(("%s unknown request %d\n", err_prefix, stage));
+	if (m) {
+		(void)m_freem(m);
+		*mm = 0;
+	}
+	return (EINVAL);
+}
+
+void
+ip6_fw_init(void)
+{
+	struct ip6_fw default_rule;
+
+	ip6_fw_chk_ptr = ip6_fw_chk;
+	ip6_fw_ctl_ptr = ip6_fw_ctl;
+	LIST_INIT(&ip6_fw_chain);
+
+	bzero(&default_rule, sizeof default_rule);
+	default_rule.fw_prot = IPPROTO_IPV6;
+	default_rule.fw_number = (u_short)-1;
+#ifdef IPV6FIREWALL_DEFAULT_TO_ACCEPT
+	default_rule.fw_flg |= IPV6_FW_F_ACCEPT;
+#else
+	default_rule.fw_flg |= IPV6_FW_F_DENY;
+#endif
+	default_rule.fw_flg |= IPV6_FW_F_IN | IPV6_FW_F_OUT;
+	if (check_ip6fw_struct(&default_rule) == NULL ||
+		add_entry6(&ip6_fw_chain, &default_rule))
+		panic(__FUNCTION__);
+
+	printf("IPv6 packet filtering initialized, ");
+#ifdef IPV6FIREWALL_DEFAULT_TO_ACCEPT
+	printf("default to accept, ");
+#endif
+#ifndef IPV6FIREWALL_VERBOSE
+	printf("logging disabled\n");
+#else
+	if (fw6_verbose_limit == 0)
+		printf("unlimited logging\n");
+	else
+		printf("logging limited to %d packets/entry\n",
+		    fw6_verbose_limit);
+#endif
+}
diff --git a/sys/netinet6/ip6_fw.h b/sys/netinet6/ip6_fw.h
new file mode 100644
index 0000000..a356ac3
--- /dev/null
+++ b/sys/netinet6/ip6_fw.h
@@ -0,0 +1,202 @@
+/*
+ * Copyright (c) 1993 Daniel Boulet
+ * Copyright (c) 1994 Ugen J.S.Antsilevich
+ *
+ * Redistribution and use in source forms, with and without modification,
+ * are permitted provided that this entire comment appears intact.
+ *
+ * Redistribution in binary form may occur without any restrictions.
+ * Obviously, it would be nice if you gave credit where credit is due
+ * but requiring it would be too onerous.
+ *
+ * This software is provided ``AS IS'' without any warranties of any kind.
+ *
+ *	$Id: ip6_fw.h,v 1.1 1999/08/06 14:10:09 itojun Exp $
+ * $FreeBSD$
+ */
+
+#ifndef _IP6_FW_H
+#define _IP6_FW_H
+
+#include <net/if.h>
+
+/*
+ * This union structure identifies an interface, either explicitly
+ * by name or implicitly by IP address. The flags IP_FW_F_IIFNAME
+ * and IP_FW_F_OIFNAME say how to interpret this structure. An
+ * interface unit number of -1 matches any unit number, while an
+ * IP address of 0.0.0.0 indicates matches any interface.
+ *
+ * The receive and transmit interfaces are only compared against the
+ * the packet if the corresponding bit (IP_FW_F_IIFACE or IP_FW_F_OIFACE)
+ * is set. Note some packets lack a receive or transmit interface
+ * (in which case the missing "interface" never matches).
+ */
+
+union ip6_fw_if {
+	struct	in6_addr fu_via_ip6;	/* Specified by IPv6 address */
+	struct {			/* Specified by interface name */
+#define FW_IFNLEN     IFNAMSIZ
+		char	name[FW_IFNLEN];
+		short	unit;		/* -1 means match any unit */
+    } fu_via_if;
+};
+
+/*
+ * Format of an IP firewall descriptor
+ *
+ * fw_src, fw_dst, fw_smsk, fw_dmsk are always stored in network byte order.
+ * fw_flg and fw_n*p are stored in host byte order (of course).
+ * Port numbers are stored in HOST byte order.
+ * Warning: setsockopt() will fail if sizeof(struct ip_fw) > MLEN (108)
+ */
+
+struct ip6_fw {
+	u_long	fw_pcnt,fw_bcnt;		/* Packet and byte counters */
+	struct	in6_addr fw_src, fw_dst; /* Source and destination IPv6 addr */
+	/* Mask for src and dest IPv6 addr */
+	struct	in6_addr fw_smsk, fw_dmsk;
+	u_short	fw_number;			/* Rule number */
+	u_short	fw_flg;				/* Flags word */
+#define	IPV6_FW_MAX_PORTS	10		/* A reasonable maximum */
+	/* Array of port numbers to match */
+	u_short	fw_pts[IPV6_FW_MAX_PORTS];
+	u_char	fw_ip6opt,fw_ip6nopt;		/* IPv6 options set/unset */
+	u_char	fw_tcpf,fw_tcpnf;		/* TCP flags set/unset */
+#define	IPV6_FW_ICMPTYPES_DIM (32 / (sizeof(unsigned) * 8))
+	/* ICMP types bitmap */
+	unsigned	fw_icmp6types[IPV6_FW_ICMPTYPES_DIM];
+	long	timestamp;		/* timestamp (tv_sec) of last match */
+	/* Incoming and outgoing interfaces */
+	union	ip6_fw_if fw_in_if, fw_out_if;
+	union {
+		u_short	fu_divert_port;		/* Divert/tee port (options IP6DIVERT) */
+		u_short	fu_skipto_rule;		/* SKIPTO command rule number */
+		u_short	fu_reject_code;		/* REJECT response code */
+	} fw_un;
+	u_char	fw_prot;			/* IPv6 protocol */
+	u_char	fw_nports;	/* N'of src ports and # of dst ports */
+				/* in ports array (dst ports follow */
+				/* src ports; max of 10 ports in all; */
+				/* count of 0 means match all ports) */
+};
+
+#define	IPV6_FW_GETNSRCP(rule)		((rule)->fw_nports & 0x0f)
+#define	IPV6_FW_SETNSRCP(rule, n)		do {			\
+					  (rule)->fw_nports &= ~0x0f;	\
+					  (rule)->fw_nports |= (n);	\
+					} while (0)
+#define	IPV6_FW_GETNDSTP(rule)		((rule)->fw_nports >> 4)
+#define	IPV6_FW_SETNDSTP(rule, n)		do {			\
+					  (rule)->fw_nports &= ~0xf0;	\
+					  (rule)->fw_nports |= (n) << 4;\
+					} while (0)
+
+#define	fw_divert_port	fw_un.fu_divert_port
+#define	fw_skipto_rule	fw_un.fu_skipto_rule
+#define	fw_reject_code	fw_un.fu_reject_code
+
+struct	ip6_fw_chain {
+	LIST_ENTRY(ip6_fw_chain) chain;
+	struct	ip6_fw    *rule;
+};
+
+/*
+ * Values for "flags" field .
+ */
+#define	IPV6_FW_F_IN		0x0001	/* Check inbound packets	*/
+#define	IPV6_FW_F_OUT		0x0002	/* Check outbound packets	*/
+#define	IPV6_FW_F_IIFACE	0x0004	/* Apply inbound interface test	*/
+#define	IPV6_FW_F_OIFACE	0x0008	/* Apply outbound interface test */
+
+#define	IPV6_FW_F_COMMAND 	0x0070	/* Mask for type of chain entry: */
+#define	IPV6_FW_F_DENY		0x0000	/* This is a deny rule		*/
+#define	IPV6_FW_F_REJECT	0x0010	/* Deny and send a response packet */
+#define	IPV6_FW_F_ACCEPT	0x0020	/* This is an accept rule	*/
+#define	IPV6_FW_F_COUNT		0x0030	/* This is a count rule		*/
+#define	IPV6_FW_F_DIVERT	0x0040	/* This is a divert rule	*/
+#define	IPV6_FW_F_TEE		0x0050	/* This is a tee rule		*/
+#define	IPV6_FW_F_SKIPTO	0x0060	/* This is a skipto rule	*/
+
+#define	IPV6_FW_F_PRN		0x0080	/* Print if this rule matches	*/
+
+#define	IPV6_FW_F_SRNG		0x0100	/* The first two src ports are a min  *
+					 * and max range (stored in host byte *
+					 * order). */
+
+#define	IPV6_FW_F_DRNG	0x0200	/* The first two dst ports are a min	*
+				 * and max range (stored in host byte	*
+				 * order).				*/
+
+/* In interface by name/unit (not IP)	*/
+#define	IPV6_FW_F_IIFNAME	0x0400
+/* Out interface by name/unit (not IP)	*/
+#define	IPV6_FW_F_OIFNAME	0x0800
+
+#define	IPV6_FW_F_INVSRC	0x1000	/* Invert sense of src check	*/
+#define	IPV6_FW_F_INVDST	0x2000	/* Invert sense of dst check	*/
+
+#define	IPV6_FW_F_FRAG		0x4000	/* Fragment			*/
+
+#define	IPV6_FW_F_ICMPBIT 	0x8000	/* ICMP type bitmap is valid	*/
+
+#define	IPV6_FW_F_MASK		0xFFFF	/* All possible flag bits mask	*/
+
+/*
+ * For backwards compatibility with rules specifying "via iface" but
+ * not restricted to only "in" or "out" packets, we define this combination
+ * of bits to represent this configuration.
+ */
+
+#define	IF6_FW_F_VIAHACK	(IPV6_FW_F_IN|IPV6_FW_F_OUT|IPV6_FW_F_IIFACE|\
+				 IPV6_FW_F_OIFACE)
+
+/*
+ * Definitions for REJECT response codes.
+ * Values less than 256 correspond to ICMP unreachable codes.
+ */
+#define	IPV6_FW_REJECT_RST	0x0100		/* TCP packets: send RST */
+
+/*
+ * Definitions for IPv6 option names.
+ */
+#define	IPV6_FW_IP6OPT_HOPOPT	0x01
+#define	IPV6_FW_IP6OPT_ROUTE	0x02
+#define	IPV6_FW_IP6OPT_FRAG	0x04
+#define	IPV6_FW_IP6OPT_ESP	0x08
+#define	IPV6_FW_IP6OPT_AH	0x10
+#define	IPV6_FW_IP6OPT_NONXT	0x20
+#define	IPV6_FW_IP6OPT_OPTS	0x40
+
+/*
+ * Definitions for TCP flags.
+ */
+#define	IPV6_FW_TCPF_FIN	TH_FIN
+#define	IPV6_FW_TCPF_SYN	TH_SYN
+#define	IPV6_FW_TCPF_RST	TH_RST
+#define	IPV6_FW_TCPF_PSH	TH_PUSH
+#define	IPV6_FW_TCPF_ACK	TH_ACK
+#define	IPV6_FW_TCPF_URG	TH_URG
+#define	IPV6_FW_TCPF_ESTAB	0x40
+
+/*
+ * Main firewall chains definitions and global var's definitions.
+ */
+#ifdef _KERNEL
+
+/*
+ * Function definitions.
+ */
+void	ip6_fw_init(void);
+
+/* Firewall hooks */
+struct	ip6_hdr;
+typedef	int	ip6_fw_chk_t __P((struct ip6_hdr**, struct ifnet*,
+				u_short *, struct mbuf**));
+typedef	int	ip6_fw_ctl_t __P((int, struct mbuf**));
+extern	ip6_fw_chk_t *ip6_fw_chk_ptr;
+extern	ip6_fw_ctl_t *ip6_fw_ctl_ptr;
+
+#endif /* _KERNEL */
+
+#endif /* _IP6_FW_H */
diff --git a/sys/netinet6/ip6_input.c b/sys/netinet6/ip6_input.c
index 083f780..9c1ca0f 100644
--- a/sys/netinet6/ip6_input.c
+++ b/sys/netinet6/ip6_input.c
@@ -65,6 +65,7 @@
  */
 
 #include "opt_ipsec.h"
+#include "opt_ip6fw.h"
 
 #include <sys/param.h>
 #include <sys/systm.h>
diff --git a/sys/netinet6/ip6_output.c b/sys/netinet6/ip6_output.c
index 0909e9b..b901751 100644
--- a/sys/netinet6/ip6_output.c
+++ b/sys/netinet6/ip6_output.c
@@ -65,6 +65,7 @@
  */
 
 #include "opt_ipsec.h"
+#include "opt_ip6fw.h"
 
 #include <sys/param.h>
 #include <sys/malloc.h>