Merge IPFilter 4.1.23 back to HEAD

See src/contrib/ipfilter/HISTORY for details of changes since 4.1.13

3 files changed, 18 insertions, 1 deletions

diff --git a/contrib/ipfilter/man/ipf.8 b/contrib/ipfilter/man/ipf.8
index bcf9307..678010f 100644
--- a/contrib/ipfilter/man/ipf.8
+++ b/contrib/ipfilter/man/ipf.8
@@ -74,6 +74,17 @@ one of the two options may be given.  A fully established connection
 will show up in \fBipfstat -s\fP output as 5/5, with deviations either
 way indicating it is not fully established any more.
 .TP
+.BR \-F <5|6|7|8|9|10|11>
+For the TCP states that represent the closing of a connection has begun,
+be it only one side or the complete connection, it is possible to flush
+those states directly using the number corresponding to that state.
+The numbers relate to the states as follows: 5 = close-wait, 6 = fin-wait-1,
+7 = closing, 8 = last-ack, 9 = fin-wait-2, 10 = time-wait, 11 = closed.
+.TP
+.BR \-F <number>
+If the argument supplied to \fB-F\fP is greater than 30, then state table
+entries that have been idle for more than this many seconds will be flushed.
+.TP
 .BR \-f \0<filename>
 This option specifies which files
 \fBipf\fP should use to get input from for modifying the packet filter rule
@@ -105,6 +116,7 @@ Remove matching filter rules rather than add them to the internal lists
 .TP
 .B \-s
 Swap the active filter list in use to be the "other" one.
+.TP
 .B \-T <optionlist>
 This option allows run-time changing of IPFilter kernel variables.  Some
 variables require IPFilter to be in a disabled state (\fB-D\fP) for changing,
diff --git a/contrib/ipfilter/man/ipfstat.8 b/contrib/ipfilter/man/ipfstat.8
index d0cb2a9..44ba8ba 100644
--- a/contrib/ipfilter/man/ipfstat.8
+++ b/contrib/ipfilter/man/ipfstat.8
@@ -124,7 +124,11 @@ seconds between an update. Any positive integer can be used. The default (and
 minimal update time) is 1.
 .TP
 .B \-v
-Turn verbose mode on.  Displays more debugging information.
+Turn verbose mode on.  Displays more debugging information.  When used with
+either \fB-i\fP or \fB-o\fP, counters associated with the rule, such as the
+number of times it has been matched and the number of bytes from such packets
+is displayed.  For "keep state" rules, a count of the number of state sessions
+active against the rule is also displayed.
 .SH SYNOPSIS
 The role of \fBipfstat\fP is to display current kernel statistics gathered
 as a result of applying the filters in place (if any) to packets going in and
diff --git a/contrib/ipfilter/man/ipmon.8 b/contrib/ipfilter/man/ipmon.8
index 2a35d16..1082e06 100644
--- a/contrib/ipfilter/man/ipmon.8
+++ b/contrib/ipfilter/man/ipmon.8
@@ -107,6 +107,7 @@ even should the result be zero.
 .B \-L <facility>
 Using this option allows you to change the default syslog facility that
 ipmon uses for syslog messages.  The default is local0.
+.TP
 .B \-n
 IP addresses and port numbers will be mapped, where possible, back into
 hostnames and service names.