Import ipfilter 3.2.1 (update from 3.1.8)

1 files changed, 83 insertions, 35 deletions

diff --git a/contrib/ipfilter/man/ipf.5 b/contrib/ipfilter/man/ipf.5
index f8ceedd..c202be7 100644
--- a/contrib/ipfilter/man/ipf.5
+++ b/contrib/ipfilter/man/ipf.5
@@ -18,27 +18,26 @@ The format used by \fBipf\fP for construction of filtering rules can be
 described using the following grammar in BNF:
 \fC
 .nf
-filter-rule = [ insert ] action in-out [ options ] [ match ] [ keep ]
+filter-rule = [ insert ] action in-out [ options ] [ tos ] [ ttl ]
+	      [ proto ] [ ip ] [ group ].
 
 insert	= "@" decnumber .
-action	= block | "pass" | log | "count" | call .
+action	= block | "pass" | log | "count" | skip | auth | call .
 in-out	= "in" | "out" .
 options	= [ log ] [ "quick" ] [ "on" interface-name [ dup ] [ froute ] ] .
-match	= [ tos ] [ ttl ] [ proto ] [ ip ] .
-keep  	= "keep state" | "keep frags" .
+tos	= "tos" decnumber | "tos" hexnumber .
+ttl	= "ttl" decnumber .
+proto	= "proto" protocol .
+ip	= srcdst [ flags ] [ with withopt ] [ icmp ] [ keep ] .
+group	= [ "head" decnumber ] [ "group" decnumber ] .
 
 block	= "block" [ "return-icmp"[return-code] | "return-rst" ] .
-log   	= "log" [ "body" ] [ "first" ] [ "or-block" ] .
-call  	= "call" [ "now" ] function-name .
-
-dup   	= "dup-to" interface-name[":"ipaddr] .
+auth    = "auth" | "preauth" .
+log	= "log" [ "body" ] [ "first" ] [ "or-block" ] .
+call	= "call" [ "now" ] function-name .
+skip	= "skip" decnumber .
+dup	= "dup-to" interface-name[":"ipaddr] .
 froute	= "fastroute" | "to" interface-name .
-
-tos   	= "tos" decnumber | "tos" hexnumber .
-ttl   	= "ttl" decnumber .
-proto	= "proto" protocol .
-ip    	= srcdst [ flags ] [ with withopt ] [ icmp ] [ keep ] .
-
 protocol = "tcp/udp" | "udp" | "tcp" | "icmp" | decnumber .
 srcdst	= "all" | fromto .
 fromto	= "from" object "to" object .
@@ -47,11 +46,11 @@ object	= addr [ port-comp | port-range ] .
 addr	= "any" | nummask | host-name [ "mask" ipaddr | "mask" hexnumber ] .
 port-comp = "port" compare port-num .
 port-range = "port" port-num range port-num .
-
 flags	= "flags" flag { flag } [ "/" flag { flag } ] .
 with	= "with" | "and" .
 icmp	= "icmp-type" icmp-type [ "code" decnumber ] .
 return-code = "("icmp-code")" .
+keep	= "keep" "state" | "keep" "frags" .
 
 nummask	= host-name [ "/" decnumber ] .
 host-name = ipaddr | hostname | "any" .
@@ -72,16 +71,16 @@ icmp-type = "unreach" | "echo" | "echorep" | "squench" | "redir" |
 icmp-code = decumber | "net-unr" | "host-unr" | "proto-unr" | "port-unr" |
 	    "needfrag" | "srcfail" | "net-unk" | "host-unk" | "isolate" |
 	    "net-prohib" | "host-prohib" | "net-tos" | "host-tos" .
-optlist	= "nop" | "rr" | "zsu" | "mtup" | "mtur" | "encode" | "ts" | "tr" |
-	  "sec" | "lsrr" | "e-sec" | "cipso" | "satid" | "ssrr" | "addext" |
-	  "visa" | "imitd" | "eip" | "finn" .
+optlist	= "nop" | "rr" | "zsu" | "mtup" | "mtur" | "encode" | "ts" |
+	  "tr" | "sec" | "lsrr" | "e-sec" | "cipso" | "satid" | "ssrr" |
+	  "addext" | "visa" | "imitd" | "eip" | "finn" .
 
 hexnumber = "0" "x" hexstring .
 hexstring = hexdigit [ hexstring ] .
 decnumber = digit [ decnumber ] .
 
-compare = "=" | "!=" | "<" | ">" | "<=" | ">=" | "eq" | "ne" | "lt" | "gt" |
-	  "le" | "ge" .
+compare = "=" | "!=" | "<" | ">" | "<=" | ">=" | "eq" | "ne" | "lt" |
+	  "gt" | "le" | "ge" .
 range	= "<>" | "><" .
 hexdigit = digit | "a" | "b" | "c" | "d" | "e" | "f" .
 digit	= "0" | "1" | "2" | "3" | "4" | "5" | "6" | "7" | "8" | "9" .
@@ -95,18 +94,9 @@ not make sense (such as tcp \fBflags\fP for non-TCP packets).
 .PP
 The "briefest" valid rules are (currently) no-ops and are of the form:
 .nf
-       block in
-       pass in
-       log in
-       count in
-.fi
-.PP
-These are supposed to be the same as, but currently differ from:
-.\" XXX How, why do they differ??
-.nf
        block in all
-       pass in from any to any
-       log in all
+       pass in all
+       log out all
        count in all
 .fi
 .PP
@@ -153,6 +143,12 @@ must conform to a specific calling interface. Customised actions and
 semantics can thus be implemented to supplement those available. This
 feature is for use by knowledgeable hackers, and is not currently
 documented.
+.TP
+.B "skip <n>"
+.TP
+.B auth
+.TP
+.B preauth
 .PP
 The next word must be either \fBin\fP or \fBout\fP.  Each packet
 moving through the kernel is either inbound (just been received on an
@@ -221,7 +217,6 @@ packets with different Type-Of-Service values can be filtered.
 Individual service levels or combinations can be filtered upon.  The
 value for the TOS mask can either be represented as a hex number or a
 decimal integer value.
-.\" XXX TOS mask??  not in grammar!
 .TP
 .B ttl
 packets may also be selected by their Time-To-Live value.  The value given in
@@ -356,8 +351,9 @@ with which they are associated can be used.  The most important from
 a security point of view is the ICMP redirect.
 .SH KEEP HISTORY
 .PP
-The last parameter which can be set for a filter rule is whether on not to
-record historical information for that packet, and what sort to keep. The following information can be kept:
+The second last parameter which can be set for a filter rule is whether on not
+to record historical information for that packet, and what sort to keep. The
+following information can be kept:
 .TP
 .B state
 keeps information about the flow of a communication session. State can
@@ -369,6 +365,23 @@ fragments.
 .PP
 allowing packets which match these to flow straight through, rather
 than going through the access control list.
+.SH GROUPS
+The last pair of parameters control filter rule "grouping".  By default, all
+filter rules are placed in group 0 if no other group is specified.  To add a
+rule to a non-default group, the group must first be started by creating a
+group \fIhead\fP.  If a packet matches a rule which is the \fIhead\fP of a
+group, the filter processing then switches to the group, using that rule as
+the default for the group.  If \fBquick\fP is used with a \fBhead\fP rule, rule
+processing isn't stopped until it has returned from processing the group.
+.PP
+A rule may be both the head for a new group and a member of a non-default
+group (\fBhead\fP and \fBgroup\fP may be used together in a rule).
+.TP
+.B "head <n>"
+indicates that a new group (number n) should be created.
+.TP
+.B "group <n>"
+indicates that the rule should be put in group (number n) rather than group 0.
 .SH LOGGING
 .PP
 When a packet is logged, with either the \fBlog\fP action or option,
@@ -427,7 +440,42 @@ rule such as:
         pass in quick from any to any port < 1024
 .fi
 .PP
-would be needed before the first block.  
+would be needed before the first block.  To create a new group for
+processing all inbould packets on le0/le1/lo0, with the default being to block
+all inbound packets, we would do something like:
+.LP
+.nf
+       block in all
+       block in on le0 quick all head 100
+       block in on le1 quick all head 200
+       block in on lo0 quick all head 300
+.fi
+.PP
+
+and to then allow ICMP packets in on le0, only, we would do:
+.LP
+.nf
+       pass in proto icmp all group 100
+.fi
+.PP
+Note that because only inbound packets on le0 are used processed by group 100,
+there is no need to respecify the interface name.  Likewise, we could further
+breakup processing of TCP, etc, as follows:
+.LP
+.nf
+       block in proto tcp all head 110 group 100
+       pass in from any to any port = 23 group 110
+.fi
+.PP
+and so on.  The last line, if written without the groups would be:
+.LP
+.nf
+       pass in on le0 proto tcp from any to any port = telnet
+.fi
+.PP
+Note, that if we wanted to say "port = telnet", "proto tcp" would
+need to be specified as the parser interprets each rule on its own and
+qualifies all service/port names with the protocol specified.
 .SH FILES
 /etc/services
 .br