Import trimmed version of ipfilter 3.2.7.

Obtained from:  Darren Reed via http://cheops.anu.edu.au/~avalon/

9 files changed, 57 insertions, 20 deletions

diff --git a/contrib/ipfilter/man/ipf.4 b/contrib/ipfilter/man/ipf.4
index 9d83550..3519d52 100644
--- a/contrib/ipfilter/man/ipf.4
+++ b/contrib/ipfilter/man/ipf.4
@@ -3,6 +3,7 @@
 ipf \- packet filtering kernel interface
 .SH SYNOPSIS
 #include <netinet/ip_compat.h>
+.br
 #include <netinet/ip_fil.h>
 .SH IOCTLS
 .PP
@@ -200,5 +201,13 @@ struct	filterstats {
 #endif
 };
 .fi
+.SH FILES
+/dev/ipauth
+.br
+/dev/ipl
+.br
+/dev/ipnat
+.br
+/dev/ipstate
 .SH SEE ALSO
-ipfstat(8), ipf(8), ipf(5)
+ipl(4), ipnat(4), ipf(5), ipf(8), ipfstat(8)
diff --git a/contrib/ipfilter/man/ipf.5 b/contrib/ipfilter/man/ipf.5
index 1ee1584..79ab393 100644
--- a/contrib/ipfilter/man/ipf.5
+++ b/contrib/ipfilter/man/ipf.5
@@ -1,6 +1,6 @@
 .TH IPF 5
 .SH NAME
-ipf \- IP packet filter rule syntax
+ipf, ipf.conf \- IP packet filter rule syntax
 .SH DESCRIPTION
 .PP
 A rule file for \fBipf\fP may have any name or even be stdin.  As
@@ -477,8 +477,14 @@ Note, that if we wanted to say "port = telnet", "proto tcp" would
 need to be specified as the parser interprets each rule on its own and
 qualifies all service/port names with the protocol specified.
 .SH FILES
-/etc/services
+/dev/ipauth
+.br
+/dev/ipl
+.br
+/dev/ipstate
 .br
 /etc/hosts
+.br
+/etc/services
 .SH SEE ALSO
-ipf(8), ipftest(1), mkfilters(1), ipmon(8)
+ipftest(1), iptest(1), mkfilters(1), ipf(4), ipnat(5), ipf(8), ipfstat(8)
diff --git a/contrib/ipfilter/man/ipf.8 b/contrib/ipfilter/man/ipf.8
index 11a1666..06d2723 100644
--- a/contrib/ipfilter/man/ipf.8
+++ b/contrib/ipfilter/man/ipf.8
@@ -66,7 +66,7 @@ lists.
 .B \-I
 Set the list to make changes to the inactive list.
 .TP
-.B \-l \0<param>
+.B \-l \0<pass|block|nomatch>
 Use of the \fB-l\fP flag toggles default logging of packets.  Valid
 arguments to this option are \fBpass\fP, \fBblock\fP and \fBnomatch\fP.
 When an option is set, any packet which exits filtering and matches the
@@ -106,12 +106,18 @@ display the statistics prior to them being zero'd.
 Zero global statistics held in the kernel for filtering only (this doesn't
 affect fragment or state statistics).
 .DT
+.SH FILES
+/dev/ipauth
+.br
+/dev/ipl
+.br
+/dev/ipstate
 .SH SEE ALSO
-ipfstat(8), ipftest(1), ipf(5), mkfilters(1)
+ipftest(1), mkfilters(1), ipf(4), ipl(4), ipf(5), ipfstat(8), ipmon(8), ipnat(8)
 .SH DIAGNOSTICS
 .PP
 Needs to be run as root for the packet filtering lists to actually
 be affected inside the kernel.
 .SH BUGS
 .PP
-If you find any, please send email to me at darrenr@cyber.com.au
+If you find any, please send email to me at darrenr@pobox.com
diff --git a/contrib/ipfilter/man/ipfstat.8 b/contrib/ipfilter/man/ipfstat.8
index 166a114..94525eb 100644
--- a/contrib/ipfilter/man/ipfstat.8
+++ b/contrib/ipfilter/man/ipfstat.8
@@ -69,6 +69,10 @@ kernel.
 .SH FILES
 /dev/kmem
 .br
+/dev/ipl
+.br
+/dev/ipstate
+.br
 /vmunix
 .SH SEE ALSO
 ipf(8)
diff --git a/contrib/ipfilter/man/ipftest.1 b/contrib/ipfilter/man/ipftest.1
index e77ef96..aba216a 100644
--- a/contrib/ipfilter/man/ipftest.1
+++ b/contrib/ipfilter/man/ipftest.1
@@ -1,4 +1,4 @@
-.TH ipftest 8
+.TH ipftest 1
 .SH NAME
 ipftest \- test packet filter rules with arbitary input.
 .SH SYNOPSIS
@@ -119,9 +119,8 @@ Specify the filename from which to take input.  Default is stdin.
 .TP
 .BR \-r \0<filename>
 Specify the filename from which to read filter rules.
-.SH FILES
 .SH SEE ALSO
-ipf(8), ipf(5), snoop(1m), tcpdump(8), etherfind(8c)
+ipf(5), ipf(8), snoop(1m), tcpdump(8), etherfind(8c)
 .SH BUGS
 Not all of the input formats are sufficiently capable of introducing a
 wide enough variety of packets for them to be all useful in testing.
diff --git a/contrib/ipfilter/man/ipmon.8 b/contrib/ipfilter/man/ipmon.8
index a4f7fc4..3fba05f 100644
--- a/contrib/ipfilter/man/ipmon.8
+++ b/contrib/ipfilter/man/ipmon.8
@@ -101,6 +101,10 @@ saved and will abort if it fails an assertion which detects an anomoly in the
 recorded data.
 .SH FILES
 /dev/ipl
+.br
+/dev/ipnat
+.br
+/dev/ipstate
 .SH SEE ALSO
-ipf(8), ipfstat(8)
+ipl(4), ipf(8), ipfstat(8), ipnat(8)
 .SH BUGS
diff --git a/contrib/ipfilter/man/ipnat.1 b/contrib/ipfilter/man/ipnat.1
index 9b29f4d..01b5100 100644
--- a/contrib/ipfilter/man/ipnat.1
+++ b/contrib/ipfilter/man/ipnat.1
@@ -41,5 +41,7 @@ Remove matching NAT rules rather than add them to the internal lists
 .B \-v
 Turn verbose mode on.  Displays information relating to rule processing.
 .DT
+.SH FILES
+/dev/ipnat
 .SH SEE ALSO
-ipfstat(1), ipftest(8), ipf(8), ipnat(5)
+ipnat(5), ipf(8), ipfstat(8)
diff --git a/contrib/ipfilter/man/ipnat.4 b/contrib/ipfilter/man/ipnat.4
index 6af517f..578c7fb 100644
--- a/contrib/ipfilter/man/ipnat.4
+++ b/contrib/ipfilter/man/ipnat.4
@@ -3,8 +3,11 @@
 ipnat \- Network Address Translation kernel interface
 .SH SYNOPSIS
 #include <netinet/ip_compat.h>
+.br
 #include <netinet/ip_fil.h>
+.br
 #include <netinet/ip_proxy.h>
+.br
 #include <netinet/ip_nat.h>
 .SH IOCTLS
 .PP
@@ -87,5 +90,7 @@ typedef struct  natstat {
 .SH BUGS
 It would be nice if there were more flexibility when adding and deleting
 filter rules.
+.SH FILES
+/dev/ipnat
 .SH SEE ALSO
-ipfstat(8), ipf(8), ipf(4), ipnat(5)
+ipf(4), ipnat(5), ipf(8), ipnat(8), ipfstat(8)
diff --git a/contrib/ipfilter/man/ipnat.5 b/contrib/ipfilter/man/ipnat.5
index 7832623..576e9c2 100644
--- a/contrib/ipfilter/man/ipnat.5
+++ b/contrib/ipfilter/man/ipnat.5
@@ -1,6 +1,6 @@
 .TH IPNAT 5
 .SH NAME
-ipnat \- IP NAT file format
+ipnat, ipnat.conf \- IP NAT file format
 .SH DESCRIPTION
 The format for files accepted by ipnat is described by the following grammar:
 .LP
@@ -37,10 +37,10 @@ range of port numbers to remap into given as \fBport-number:port-number\fP.
 .SH Examples
 .PP
 To change IP#'s used internally from network 10 into an ISP provided 8 bit
-subnet at 209.1.2.0, the following would be used:
+subnet at 209.1.2.0 through the ppp0 interface, the following would be used:
 .LP
 .nf
-map 10.0.0.0/8 -> 209.1.2.0/24
+map ppp0 10.0.0.0/8 -> 209.1.2.0/24
 .fi
 .PP
 The obvious problem here is we're trying to squeeze over 16,000,000 IP
@@ -48,7 +48,7 @@ addresses into a 254 address space.  To increase the scope, remapping for TCP
 and/or UDP, port remapping can be used;
 .LP
 .nf
-map 10.0.0.0/8 -> 209.1.2.0/24 portmap tcp/udp 1025:65000
+map ppp0 10.0.0.0/8 -> 209.1.2.0/24 portmap tcp/udp 1025:65000
 .fi
 .PP
 which falls only 527,566 `addresses' short of the space available in network
@@ -56,15 +56,17 @@ which falls only 527,566 `addresses' short of the space available in network
 follows:
 .LP
 .nf
-map 10.0.0.0/8 -> 209.1.2.0/24 portmap tcp/udp 1025:65000
-map 10.0.0.0/8 -> 209.1.2.0/24
+map ppp0 10.0.0.0/8 -> 209.1.2.0/24 portmap tcp/udp 1025:65000
+map ppp0 10.0.0.0/8 -> 209.1.2.0/24
 .fi
 .PP
 so that all TCP/UDP packets were port mapped and only other protocols, such as
 ICMP, only have their IP# changed.
 .SH FILES
+/dev/ipnat
+.br
 /etc/services
 .br
 /etc/hosts
 .SH SEE ALSO
-ipnat(1), ipf(5), ipnat(4)
+ipnat(4), hosts(5), ipf(5), services(5), ipf(8), ipnat(8)