With a bit of luck, this will be a first-time right import of ipfilter 3.4.29

on to the vendor branch.

2 files changed, 14 insertions, 2 deletions

diff --git a/contrib/ipfilter/man/ipmon.8 b/contrib/ipfilter/man/ipmon.8
index 0ec7854..0030c74 100644
--- a/contrib/ipfilter/man/ipmon.8
+++ b/contrib/ipfilter/man/ipmon.8
@@ -46,8 +46,11 @@ long).
 4. The group and rule number of the rule, e.g., \fB@0:17\fP. These can be
 viewed with \fBipfstat -n\fP.
 .LP
-5. The action: \fBp\fP for passed, \fBb\fP for blocked, \fB\fP for a short
-packet, \fBn\fP did not match any rules or \fBL\fP for a log rule.
+5. The action: \fBp\fP for passed, \fBb\fP for blocked, \fBS\fP for a short
+packet, \fBn\fP did not match any rules, \fBL\fP for a log rule.  The order
+of precedence in showing flags is: S, p, b, n, L.  A capital \fBP\fP or
+\fBB\fP means that the packet has been logged due to a global logging
+setting, not a particular rule.
 .LP
 6. The addresses.
 This is actually three fields: the source address and port
diff --git a/contrib/ipfilter/man/ipnat.5 b/contrib/ipfilter/man/ipnat.5
index a8beb6f..f0a4ac9 100644
--- a/contrib/ipfilter/man/ipnat.5
+++ b/contrib/ipfilter/man/ipnat.5
@@ -96,6 +96,15 @@ or as
 map de0 from 10.1.0.0/16 to any -> 201.2.3.4/32
 .fi
 .LP
+For even greater control, one may negate either of the "from" or "to" clauses
+with a preceding exclamation mark ("!").  Please note that one may not use a
+negated "from" within a \fBmap\fP rule or a negated "to" within a \fBrdr\fP
+rule.  Such a rule might look like the following:
+.LP
+.nf
++map de0 from 10.1.0.0/16 ! to 10.1.0.0/16 -> 201.2.3.4/32
+.fi
+.PP
 Only IP address and port numbers can be compared against.  This is available
 with all NAT rules.
 .SH TRANSLATION