authorpeter <peter@FreeBSD.org>1997-11-16 04:52:19 +0000
committerpeter <peter@FreeBSD.org>1997-11-16 04:52:19 +0000
commit594e73c3109178aa1c5317785aaa284a0c135ff4 (patch)
tree1abde20e1d717a2bf3509de2189cbe7fa3c9f91e /contrib/ipfilter/man
parentc4dc16ff2222e864e5ab4d236e0de3a2cb5b54da (diff)
Import ipfilter 3.2.1 (update from 3.1.8)
Diffstat (limited to 'contrib/ipfilter/man')
-rw-r--r--contrib/ipfilter/man/Makefile11
-rw-r--r--contrib/ipfilter/man/ipf.481
-rw-r--r--contrib/ipfilter/man/ipf.5118
-rw-r--r--contrib/ipfilter/man/ipf.8109
-rw-r--r--contrib/ipfilter/man/ipfstat.87
-rw-r--r--contrib/ipfilter/man/ipl.471
-rw-r--r--contrib/ipfilter/man/ipmon.845
-rw-r--r--contrib/ipfilter/man/ipnat.45
8 files changed, 332 insertions, 115 deletions
diff --git a/contrib/ipfilter/man/Makefile b/contrib/ipfilter/man/Makefile
index c62e54c..972fbf5 100644
--- a/contrib/ipfilter/man/Makefile
+++ b/contrib/ipfilter/man/Makefile
@@ -1,14 +1,14 @@
#
-# (C)opyright 1993, 1994, 1995 by Darren Reed.
+# Copyright (C) 1993-1997 by Darren Reed.
+#
+# Redistribution and use in source and binary forms are permitted
+# provided that this notice is preserved and due credit is given
+# to the original author and the contributors.
#
-# This code may be freely distributed as long as it retains this notice
-# and is not changed in any way. The author accepts no responsibility
-# for the use of this software. I hate legaleese, don't you ?
all:
install:
- $(INSTALL) -m 0644 -c -o root -g bin ipf.1 $(MANDIR)/man1
$(INSTALL) -m 0644 -c -o root -g bin ipftest.1 $(MANDIR)/man1
$(INSTALL) -m 0644 -c -o root -g bin ipnat.1 $(MANDIR)/man1
$(INSTALL) -m 0644 -c -o root -g bin ipf.4 $(MANDIR)/man4
@@ -16,6 +16,7 @@ install:
$(INSTALL) -m 0644 -c -o root -g bin ipnat.4 $(MANDIR)/man4
$(INSTALL) -m 0644 -c -o root -g bin ipf.5 $(MANDIR)/man5
$(INSTALL) -m 0644 -c -o root -g bin ipnat.5 $(MANDIR)/man5
+ $(INSTALL) -m 0644 -c -o root -g bin ipf.8 $(MANDIR)/man8
$(INSTALL) -m 0644 -c -o root -g bin ipmon.8 $(MANDIR)/man8
$(INSTALL) -m 0644 -c -o root -g bin ipfstat.8 $(MANDIR)/man8
@echo "Remember to rebuild the whatis database."
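Review bot: The new ipf.8 install line leaves the manual cross-references out of step with what this Makefile actually installs: ipf.8's SEE ALSO names ipfstat(1) and mkfilters(1), yet the rule two lines below puts ipfstat.8 into man8 and, as far as the visible rules show, no mkfilters page is installed at all; ipfstat.8 meanwhile still points at ipf(1) although the ipf.1 install rule was dropped in the hunk above. I would fix the references in the same import so `man`/`whatis` lead to pages that exist: in ipf.8 `ipfstat(8), ipftest(1), ipf(5)`, and in ipfstat.8 `ipf(8)`. For a tool that must run as root to change the kernel ruleset this matters more than usual, since the operator relies on these pages to find the statistics and flush options described here.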
diff --git a/contrib/ipfilter/man/ipf.4 b/contrib/ipfilter/man/ipf.4
index ebeaceb..6cf9f20 100644
--- a/contrib/ipfilter/man/ipf.4
+++ b/contrib/ipfilter/man/ipf.4
@@ -2,7 +2,8 @@
.SH NAME
ipf \- packet filtering kernel interface
.SH SYNOPSIS
-#include <sys/ip_fil.h>
+#include <netinet/ip_compat.h>
+#include <netinet/ip_fil.h>
.SH IOCTLS
.PP
To add and delete rules to the filter list, three 'basic' ioctls are provided
@@ -41,10 +42,17 @@ which it is inserted is stored in the "fr_hits" field, below.
.nf
typedef struct frentry {
struct frentry *fr_next;
+ u_short fr_group; /* group to which this rule belongs */
+ u_short fr_head; /* group # which this rule starts */
+ struct frentry *fr_grp;
+ int fr_ref; /* reference count - for grouping */
struct ifnet *fr_ifa;
- u_long fr_hits;
- u_long fr_bytes; /* this is only incremented when a packet */
- /* stops matching on this rule */
+ /*
+ * These are only incremented when a packet matches this rule and
+ * it is the last match
+ */
+ U_QUAD_T fr_hits;
+ U_QUAD_T fr_bytes;
/*
* Fields after this may not change whilst in the kernel.
*/
@@ -64,6 +72,7 @@ typedef struct frentry {
u_short fr_stop; /* top port for <> and >< */
u_short fr_dtop; /* top port for <> and >< */
u_long fr_flags; /* per-rule flags && options (see below) */
+ int fr_skip; /* # of rules to skip */
int (*fr_func)(); /* call this function */
char fr_icode; /* return ICMP code */
char fr_ifname[IFNAMSIZ];
@@ -81,26 +90,31 @@ be put in the "fr_hits" field (the first rule is number 0).
Flags which are recognised in fr_pass:
.nf
- FR_BLOCK 0x00001 /* do not allow packet to pass */
- FR_PASS 0x00002 /* allow packet to pass */
- FR_OUTQUE 0x00004 /* outgoing packets */
- FR_INQUE 0x00008 /* ingoing packets */
- FR_LOG 0x00010 /* Log */
- FR_LOGP 0x00011 /* Log-pass */
- FR_LOGB 0x00012 /* Log-fail */
- FR_LOGBODY 0x00020 /* log the body of packets too */
- FR_LOGFIRST 0x00040 /* log only the first packet to match */
- FR_RETRST 0x00080 /* return a TCP RST packet if blocked */
- FR_RETICMP 0x00100 /* return an ICMP packet if blocked */
- FR_NOMATCH 0x00200 /* no match occured */
- FR_ACCOUNT 0x00400 /* count packet bytes */
- FR_KEEPFRAG 0x00800
- FR_KEEPSTATE 0x01000 /* keep packet flow state information */
- FR_INACTIVE 0x02000
- FR_QUICK 0x04000 /* quick-match and return */
- FR_FASTROUTE 0x08000
- FR_CALLNOW 0x10000
- FR_DUP 0x20000 /* duplicate the packet (not Solaris2)
+ FR_BLOCK 0x000001 /* do not allow packet to pass */
+ FR_PASS 0x000002 /* allow packet to pass */
+ FR_OUTQUE 0x000004 /* outgoing packets */
+ FR_INQUE 0x000008 /* ingoing packets */
+ FR_LOG 0x000010 /* Log */
+ FR_LOGP 0x000011 /* Log-pass */
+ FR_LOGB 0x000012 /* Log-fail */
+ FR_LOGBODY 0x000020 /* log the body of packets too */
+ FR_LOGFIRST 0x000040 /* log only the first packet to match */
+ FR_RETRST 0x000080 /* return a TCP RST packet if blocked */
+ FR__RETICMP 0x000100 /* return an ICMP packet if blocked */
+ FR_NOMATCH 0x000200 /* no match occured */
+ FR_ACCOUNT 0x000400 /* count packet bytes */
+ FR_KEEPFRAG 0x000800 /* keep fragment information */
+ FR_KEEPSTATE 0x001000 /* keep `connection' state information */
+ FR_INACTIVE 0x002000
+ FR_QUICK 0x004000 /* match & stop processing list */
+ FR_FASTROUTE 0x008000 /* bypass normal routing */
+ FR_CALLNOW 0x010000 /* call another function (fr_func) if matches */
+ FR_DUP 0x020000 /* duplicate the packet */
+ FR_LOGORBLOCK 0x040000 /* block the packet if it can't be logged */
+ FR_NOTSRCIP 0x080000 /* not the src IP# */
+ FR_NOTDSTIP 0x100000 /* not the dst IP# */
+ FR_AUTH 0x200000 /* use authentication */
+ FR_PREAUTH 0x400000 /* require preauthentication */
.fi
.PP
@@ -134,8 +148,10 @@ Takes an unsigned integer as the parameter. The flags are then set to
those provided (clearing/setting all in one).
.nf
- FF_LOGPASS 1
- FF_LOGBLOCK 2
+ FF_LOGPASS 0x10000000
+ FF_LOGBLOCK 0x20000000
+ FF_LOGNOMATCH 0x40000000
+ FF_BLOCKNONIP 0x80000000 /* Solaris 2.x only */
.fi
.IP SIOCGETFF 16
Takes a pointer to an unsigned integer as the parameter. A copy of the
@@ -149,10 +165,14 @@ through the kernel. To retrieve this structure, use this ioctl:
ioctl(fd, SIOCGETFS, struct friostat *)
-struct friostat {
- struct filterstats f_st[2];
- struct frentry *f_fin;
- struct frentry *f_fout;
+struct friostat {
+ struct filterstats f_st[2];
+ struct frentry *f_fin[2];
+ struct frentry *f_fout[2];
+ struct frentry *f_acctin[2];
+ struct frentry *f_acctout[2];
+ struct frentry *f_auth;
+ int f_active;
};
struct filterstats {
@@ -172,6 +192,7 @@ struct filterstats {
u_long fr_bads; /* bad attempts to allocate packet state */
u_long fr_ads; /* new packet state kept */
u_long fr_chit; /* cached hit */
+ u_long fr_pull[2]; /* good and bad pullup attempts */
#if SOLARIS
u_long fr_bad; /* bad IP packets to the filter */
u_long fr_notip; /* packets passed through no on ip queue */
diff --git a/contrib/ipfilter/man/ipf.5 b/contrib/ipfilter/man/ipf.5
index f8ceedd..c202be7 100644
--- a/contrib/ipfilter/man/ipf.5
+++ b/contrib/ipfilter/man/ipf.5
@@ -18,27 +18,26 @@ The format used by \fBipf\fP for construction of filtering rules can be
described using the following grammar in BNF:
\fC
.nf
-filter-rule = [ insert ] action in-out [ options ] [ match ] [ keep ]
+filter-rule = [ insert ] action in-out [ options ] [ tos ] [ ttl ]
+ [ proto ] [ ip ] [ group ].
insert = "@" decnumber .
-action = block | "pass" | log | "count" | call .
+action = block | "pass" | log | "count" | skip | auth | call .
in-out = "in" | "out" .
options = [ log ] [ "quick" ] [ "on" interface-name [ dup ] [ froute ] ] .
-match = [ tos ] [ ttl ] [ proto ] [ ip ] .
-keep = "keep state" | "keep frags" .
+tos = "tos" decnumber | "tos" hexnumber .
+ttl = "ttl" decnumber .
+proto = "proto" protocol .
+ip = srcdst [ flags ] [ with withopt ] [ icmp ] [ keep ] .
+group = [ "head" decnumber ] [ "group" decnumber ] .
block = "block" [ "return-icmp"[return-code] | "return-rst" ] .
-log = "log" [ "body" ] [ "first" ] [ "or-block" ] .
-call = "call" [ "now" ] function-name .
-
-dup = "dup-to" interface-name[":"ipaddr] .
+auth = "auth" | "preauth" .
+log = "log" [ "body" ] [ "first" ] [ "or-block" ] .
+call = "call" [ "now" ] function-name .
+skip = "skip" decnumber .
+dup = "dup-to" interface-name[":"ipaddr] .
froute = "fastroute" | "to" interface-name .
-
-tos = "tos" decnumber | "tos" hexnumber .
-ttl = "ttl" decnumber .
-proto = "proto" protocol .
-ip = srcdst [ flags ] [ with withopt ] [ icmp ] [ keep ] .
-
protocol = "tcp/udp" | "udp" | "tcp" | "icmp" | decnumber .
srcdst = "all" | fromto .
fromto = "from" object "to" object .
@@ -47,11 +46,11 @@ object = addr [ port-comp | port-range ] .
addr = "any" | nummask | host-name [ "mask" ipaddr | "mask" hexnumber ] .
port-comp = "port" compare port-num .
port-range = "port" port-num range port-num .
-
flags = "flags" flag { flag } [ "/" flag { flag } ] .
with = "with" | "and" .
icmp = "icmp-type" icmp-type [ "code" decnumber ] .
return-code = "("icmp-code")" .
+keep = "keep" "state" | "keep" "frags" .
nummask = host-name [ "/" decnumber ] .
host-name = ipaddr | hostname | "any" .
@@ -72,16 +71,16 @@ icmp-type = "unreach" | "echo" | "echorep" | "squench" | "redir" |
icmp-code = decumber | "net-unr" | "host-unr" | "proto-unr" | "port-unr" |
"needfrag" | "srcfail" | "net-unk" | "host-unk" | "isolate" |
"net-prohib" | "host-prohib" | "net-tos" | "host-tos" .
-optlist = "nop" | "rr" | "zsu" | "mtup" | "mtur" | "encode" | "ts" | "tr" |
- "sec" | "lsrr" | "e-sec" | "cipso" | "satid" | "ssrr" | "addext" |
- "visa" | "imitd" | "eip" | "finn" .
+optlist = "nop" | "rr" | "zsu" | "mtup" | "mtur" | "encode" | "ts" |
+ "tr" | "sec" | "lsrr" | "e-sec" | "cipso" | "satid" | "ssrr" |
+ "addext" | "visa" | "imitd" | "eip" | "finn" .
hexnumber = "0" "x" hexstring .
hexstring = hexdigit [ hexstring ] .
decnumber = digit [ decnumber ] .
-compare = "=" | "!=" | "<" | ">" | "<=" | ">=" | "eq" | "ne" | "lt" | "gt" |
- "le" | "ge" .
+compare = "=" | "!=" | "<" | ">" | "<=" | ">=" | "eq" | "ne" | "lt" |
+ "gt" | "le" | "ge" .
range = "<>" | "><" .
hexdigit = digit | "a" | "b" | "c" | "d" | "e" | "f" .
digit = "0" | "1" | "2" | "3" | "4" | "5" | "6" | "7" | "8" | "9" .
@@ -95,18 +94,9 @@ not make sense (such as tcp \fBflags\fP for non-TCP packets).
.PP
The "briefest" valid rules are (currently) no-ops and are of the form:
.nf
- block in
- pass in
- log in
- count in
-.fi
-.PP
-These are supposed to be the same as, but currently differ from:
-.\" XXX How, why do they differ??
-.nf
block in all
- pass in from any to any
- log in all
+ pass in all
+ log out all
count in all
.fi
.PP
@@ -153,6 +143,12 @@ must conform to a specific calling interface. Customised actions and
semantics can thus be implemented to supplement those available. This
feature is for use by knowledgeable hackers, and is not currently
documented.
+.TP
+.B "skip <n>"
+.TP
+.B auth
+.TP
+.B preauth
.PP
The next word must be either \fBin\fP or \fBout\fP. Each packet
moving through the kernel is either inbound (just been received on an
@@ -221,7 +217,6 @@ packets with different Type-Of-Service values can be filtered.
Individual service levels or combinations can be filtered upon. The
value for the TOS mask can either be represented as a hex number or a
decimal integer value.
-.\" XXX TOS mask?? not in grammar!
.TP
.B ttl
packets may also be selected by their Time-To-Live value. The value given in
@@ -356,8 +351,9 @@ with which they are associated can be used. The most important from
a security point of view is the ICMP redirect.
.SH KEEP HISTORY
.PP
-The last parameter which can be set for a filter rule is whether on not to
-record historical information for that packet, and what sort to keep. The following information can be kept:
+The second last parameter which can be set for a filter rule is whether on not
+to record historical information for that packet, and what sort to keep. The
+following information can be kept:
.TP
.B state
keeps information about the flow of a communication session. State can
@@ -369,6 +365,23 @@ fragments.
.PP
allowing packets which match these to flow straight through, rather
than going through the access control list.
+.SH GROUPS
+The last pair of parameters control filter rule "grouping". By default, all
+filter rules are placed in group 0 if no other group is specified. To add a
+rule to a non-default group, the group must first be started by creating a
+group \fIhead\fP. If a packet matches a rule which is the \fIhead\fP of a
+group, the filter processing then switches to the group, using that rule as
+the default for the group. If \fBquick\fP is used with a \fBhead\fP rule, rule
+processing isn't stopped until it has returned from processing the group.
+.PP
+A rule may be both the head for a new group and a member of a non-default
+group (\fBhead\fP and \fBgroup\fP may be used together in a rule).
+.TP
+.B "head <n>"
+indicates that a new group (number n) should be created.
+.TP
+.B "group <n>"
+indicates that the rule should be put in group (number n) rather than group 0.
.SH LOGGING
.PP
When a packet is logged, with either the \fBlog\fP action or option,
@@ -427,7 +440,42 @@ rule such as:
pass in quick from any to any port < 1024
.fi
.PP
-would be needed before the first block.
+would be needed before the first block. To create a new group for
+processing all inbould packets on le0/le1/lo0, with the default being to block
+all inbound packets, we would do something like:
+.LP
+.nf
+ block in all
+ block in on le0 quick all head 100
+ block in on le1 quick all head 200
+ block in on lo0 quick all head 300
+.fi
+.PP
+
+and to then allow ICMP packets in on le0, only, we would do:
+.LP
+.nf
+ pass in proto icmp all group 100
+.fi
+.PP
+Note that because only inbound packets on le0 are used processed by group 100,
+there is no need to respecify the interface name. Likewise, we could further
+breakup processing of TCP, etc, as follows:
+.LP
+.nf
+ block in proto tcp all head 110 group 100
+ pass in from any to any port = 23 group 110
+.fi
+.PP
+and so on. The last line, if written without the groups would be:
+.LP
+.nf
+ pass in on le0 proto tcp from any to any port = telnet
+.fi
+.PP
+Note, that if we wanted to say "port = telnet", "proto tcp" would
+need to be specified as the parser interprets each rule on its own and
+qualifies all service/port names with the protocol specified.
.SH FILES
/etc/services
.br
diff --git a/contrib/ipfilter/man/ipf.8 b/contrib/ipfilter/man/ipf.8
new file mode 100644
index 0000000..b13e2dd
--- /dev/null
+++ b/contrib/ipfilter/man/ipf.8
@@ -0,0 +1,109 @@
+.TH IPF 8
+.SH NAME
+ipf \- alters packet filtering lists for IP packet input and output
+.SH SYNOPSIS
+.B ipf
+[
+.B \-AdDEInorsUvyzZ
+] [
+.B \-l
+<block|pass|nomatch>
+] [
+.B \-F
+<i|o|a>
+]
+.B \-f
+<\fIfilename\fP>
+[
+.B \-f
+<\fIfilename\fP>
+[...]]
+.SH DESCRIPTION
+.PP
+\fBipf\fP opens the filenames listed (treating "\-" as stdin) and parses the
+file for a set of rules which are to be added or removed from the packet
+filter rule set.
+.PP
+Each rule processed by \fBipf\fP
+is added to the kernel's internal lists if there are no parsing problems.
+Rules are added to the end of the internal lists, matching the order in
+which they appear when given to \fBipf\fP.
+.SH OPTIONS
+.TP
+.B \-A
+Set the list to make changes to the active list (default).
+.TP
+.B \-d
+Turn debug mode on. Causes a hexdump of filter rules to be generated as
+it processes each one.
+.TP
+.B \-D
+Disable the filter (if enabled). Not effective for loadable kernel versions.
+.TP
+.B \-E
+Enable the filter (if disabled). Not effective for loadable kernel versions.
+.TP
+.BR \-F \0<param>
+This option specifies which filter list to flush. The parameter should
+either be "i" (input), "o" (output) or "a" (remove all filter rules).
+Either a single letter or an entire word starting with the appropriate
+letter maybe used. This option maybe before, or after, any other with
+the order on the command line being that used to execute options.
+.TP
+.BR \-f \0<filename>
+This option specifies which files
+\fBipf\fP should use to get input from for modifying the packet filter rule
+lists.
+.TP
+.B \-I
+Set the list to make changes to the inactive list.
+.TP
+.B \-l \0<param>
+Use of the \fB-l\fP flag toggles default logging of packets. Valid
+arguments to this option are \fBpass\fP, \fBblock\fP and \fBnomatch\fP.
+When an option is set, any packet which exits filtering and matches the
+set category is logged. This is most useful for causing all packets
+which don't match any of the loaded rules to be logged.
+.TP
+.B \-n
+This flag (no-change) prevents \fBipf\fP from actually making any ioctl
+calls or doing anything which would alter the currently running kernel.
+.TP
+.B \-o
+Force rules by default to be added/deleted to/from the output list, rather
+than the (default) input list.
+.TP
+.B \-r
+Remove matching filter rules rather than add them to the internal lists
+.TP
+.B \-s
+Swap the active filter list in use to be the "other" one.
+.TP
+.B \-U
+(SOLARIS 2 ONLY) Block packets travelling along the data stream which aren't
+recognised as IP packets. They will be printed out on the console.
+.TP
+.B \-v
+Turn verbose mode on. Displays information relating to rule processing.
+.TP
+.B \-y
+Manually resync the in-kernel interface list maintained by IP Filter with
+the current interface status list.
+.TP
+.B \-z
+For each rule in the input file, reset the statistics for it to zero and
+display the statistics prior to them being zero'd.
+.TP
+.B \-Z
+Zero global statistics held in the kernel for filtering only (this doesn't
+affect fragment or state statistics).
+.DT
+.SH SEE ALSO
+ipfstat(1), ipftest(1), ipf(5), mkfilters(1)
+.SH DIAGNOSTICS
+.PP
+Needs to be run as root for the packet filtering lists to actually
+be affected inside the kernel.
+.SH BUGS
+.PP
+If you find any, please send email to me at darrenr@cyber.com.au
diff --git a/contrib/ipfilter/man/ipfstat.8 b/contrib/ipfilter/man/ipfstat.8
index db23e39..c8679f1 100644
--- a/contrib/ipfilter/man/ipfstat.8
+++ b/contrib/ipfilter/man/ipfstat.8
@@ -4,7 +4,7 @@ ipfstat \- reports on packet filter statistics and filter list
.SH SYNOPSIS
.B ipfstat
[
-.B \-hIinov
+.B \-aAfhIinosv
] [
.B \-d
<device>
@@ -24,6 +24,9 @@ accumulated over time as the kernel has put packets through the filter.
.B \-a
Display the accounting filter list and show bytes counted against each rule.
.TP
+.B \-A
+Display packet authentication statistics.
+.TP
.BR \-d \0<device>
Use a device other than \fB/dev/ipl\fP for interfacing with the kernel.
.TP
@@ -68,6 +71,6 @@ kernel.
.br
/vmunix
.SH SEE ALSO
-ipf(1), ipfstat(1)
+ipf(1)
.SH BUGS
none known.
diff --git a/contrib/ipfilter/man/ipl.4 b/contrib/ipfilter/man/ipl.4
index 0e58a50..26aa604 100644
--- a/contrib/ipfilter/man/ipl.4
+++ b/contrib/ipfilter/man/ipl.4
@@ -6,50 +6,67 @@ The \fBipl\fP pseudo device's purpose is to provide an easy way to gather
packet headers of packets you wish to log. If a packet header is to be
logged, the entire header is logged (including any IP options \- TCP/UDP
options are not included when it calculates header size) or not at all.
-The packet contents are also logged after the header.
+The packet contents are also logged after the header. If the log reader
+is busy or otherwise unable to read log records, upto IPLLOGSIZE (8192 is the
+default) bytes of data are stored.
.PP
Prepending every packet header logged is a structure containing information
relevant to the packet following and why it was logged. The structure's
format is as follows:
.LP
.nf
-struct ipl_ci {
- u_long sec; /* time when the packet was logged */
- u_long usec;
- u_long plen; /* length of packet data logged */
- u_short hlen; /* length of headers logged */
- u_short rule; /* rule number (for log ...) or 0 if result = log */
- u_long flags:24; /* XXX FIXME do we care about the extra bytes? */
-#if (defined(NetBSD) && (NetBSD <= 1991011) && (NetBSD >= 199606))
- u_long filler:8; /* XXX FIXME do we care? */
- u_char ifname[IFNAMSIZ];
+/*
+ * Log structure. Each packet header logged is prepended by one of these.
+ * Following this in the log records read from the device will be an ipflog
+ * structure which is then followed by any packet data.
+ */
+typedef struct iplog {
+ u_long ipl_sec;
+ u_long ipl_usec;
+ u_int ipl_len;
+ u_int ipl_count;
+ size_t ipl_dsize;
+ struct iplog *ipl_next;
+} iplog_t;
+
+
+typedef struct ipflog {
+#if (defined(NetBSD) && (NetBSD <= 1991011) && (NetBSD >= 199603))
+ u_char fl_ifname[IFNAMSIZ];
#else
- u_long unit:8;
- u_char ifname[4];
+ u_int fl_unit;
+ u_char fl_ifname[4];
#endif
-};
+ u_char fl_plen; /* extra data after hlen */
+ u_char fl_hlen; /* length of IP headers saved */
+ u_short fl_rule; /* assume never more than 64k rules, total */
+ u_32_t fl_flags;
+} ipflog_t;
+
.fi
.PP
-In the case of the header causing the buffer to finish on a non-32bit
-boundary, padding will be `appended' to ensure that the next log entry
-is aligned to a 32bit boundary.
-.LP
+When reading from the \fBipl\fP device, it is necessary to call read(2) with
+a buffer big enough to hold at least 1 complete log record - reading of partial
+log records is not supported.
+.PP
+If the packet contents is more then 128 bytes when \fBlog body\fP is used,
+then only 128 bytes of the packet contents is logged.
+.PP
+Although it is only possible to read from the \fBipl\fP device, opening it
+for writing is required when using an ioctl which changes any kernel data.
.PP
-If the packet contents is more then 128 bytes, then only 128 bytes of the
-packet contents is logged. Should the packet contents finish on a non-32bit
-boundary, then the last few bytes are not logged to ensure the log entry
-is aligned to a 32bit boundary.
-
-\fBipl\fP is a read-only (sequential) character pseudo-device.
-
The ioctls which are loaded with this device can be found under \fBipf(4)\fP.
-The only ioctl which is used for logging and doesn't affect the filter is:
+The ioctls which are for use with logging and don't affect the filter are:
.LP
.nf
ioctl(fd, SIOCIPFFB, int *)
+ ioctl(fd, FIONREAD, int *)
.fi
.PP
-This ioctl flushes the log buffer and returns the number of bytes flushed.
+The SIOCIPFFB ioctl flushes the log buffer and returns the number of bytes
+flushed. FIONREAD returns the number of bytes currently used for storing
+log data. If IPFILTER_LOG is not defined when compiling, SIOCIPFFB is not
+available and FIONREAD will return but not do anything.
.PP
There is currently no support for non-blocking IO with this device, meaning
all read operations should be considered blocking in nature (if there is no
diff --git a/contrib/ipfilter/man/ipmon.8 b/contrib/ipfilter/man/ipmon.8
index e793352..32f4cbd 100644
--- a/contrib/ipfilter/man/ipmon.8
+++ b/contrib/ipfilter/man/ipmon.8
@@ -4,9 +4,11 @@ ipmon \- monitors /dev/ipl for logged packets
.SH SYNOPSIS
.B ipmon
[
-.B \-asfnSN
+.B \-aFhnNsStvxX
] [
-<filename>
+.B "\-f <device>"
+] [
+.B <filename>
]
.SH DESCRIPTION
.LP
@@ -20,6 +22,24 @@ via syslog have the day, month and year removed from the message, but the
time (including microseconds), as recorded in the log, is still included.
.SH OPTIONS
.TP
+.B \-a
+Open all of the device logfiles for reading log entries from. All entries
+are displayed to the same output 'device' (stderr or syslog).
+.TP
+.B "\-f <device>"
+specify an alternative device/file from which to read the log information.
+.TP
+.B \-F
+Flush the current packet log buffer. The number of bytes flushed is displayed,
+even should the result be zero.
+.TP
+.B \-n
+IP addresses and port numbers will be mapped, where possible, back into
+hostnames and service names.
+.TP
+.B \-N
+Treat the logfile as being composed of NAT log records.
+.TP
.B \-s
Packet information read in will be sent through syslogd rather than
saved to a file. The following levels are used:
@@ -38,22 +58,17 @@ than pass or block.
\- packets which have been logged and which can be considered
"short".
.TP
-.B \-a
-Open all of the device logfiles for reading log entries from.
+.B \-S
+Treat the logfile as being composed of state log records.
.TP
-.B \-f
-Flush the current packet log buffer. The number of bytes flushed is displayed,
-even should the result be zero.
+.B \-t
+read the input file/device in a manner akin to tail(1).
.TP
-.B \-n
-IP addresses and port numbers will be mapped, where possible, back into
-hostnames and service names.
-.TP
-.B \-N
-Treat the logfile as being composed of NAT log records.
+.B \-x
+show the packet data in hex.
.TP
-.B \-S
-Treat the logfile as being composed of state log records.
+.B \-X
+show the log header record data in hex.
.SH DIAGNOSTICS
\fBipmon\fP expects data that it reads to be consistant with how it should be
saved and will abort if it fails an assertion which detects an anomoly in the
diff --git a/contrib/ipfilter/man/ipnat.4 b/contrib/ipfilter/man/ipnat.4
index 3346ef9..ea78936 100644
--- a/contrib/ipfilter/man/ipnat.4
+++ b/contrib/ipfilter/man/ipnat.4
@@ -2,7 +2,10 @@
.SH NAME
ipnat \- Network Address Translation kernel interface
.SH SYNOPSIS
-#include <sys/ip_fil.h>
+#include <netinet/ip_compat.h>
+#include <netinet/ip_fil.h>
+#include <netinet/ip_proxy.h>
+#include <netinet/ip_nat.h>
.SH IOCTLS
.PP
To add and delete rules to the NAT list, two 'basic' ioctls are provided