Import IPFilter 3.4.25

7 files changed, 22 insertions, 10 deletions

diff --git a/contrib/ipfilter/man/Makefile b/contrib/ipfilter/man/Makefile
index c83337a..05164d7 100644
--- a/contrib/ipfilter/man/Makefile
+++ b/contrib/ipfilter/man/Makefile
@@ -10,7 +10,7 @@ all:
 
 install:
 	$(INSTALL) -m 0644 -c -o root -g bin ipftest.1 $(MANDIR)/man1
-	$(INSTALL) -m 0644 -c -o root -g bin ipnat.1 $(MANDIR)/man1
+	$(INSTALL) -m 0644 -c -o root -g bin ipnat.8 $(MANDIR)/man8
 	$(INSTALL) -m 0644 -c -o root -g bin ipf.4 $(MANDIR)/man4
 	$(INSTALL) -m 0644 -c -o root -g bin ipl.4 $(MANDIR)/man4
 	$(INSTALL) -m 0644 -c -o root -g bin ipnat.4 $(MANDIR)/man4
diff --git a/contrib/ipfilter/man/ipf.4 b/contrib/ipfilter/man/ipf.4
index 0e080a0..1bd1503 100644
--- a/contrib/ipfilter/man/ipf.4
+++ b/contrib/ipfilter/man/ipf.4
@@ -35,8 +35,8 @@ However, the full complement is as follows:
 	ioctl(fd, SIOCFRSYN, u_int *)
 	ioctl(fd, SIOCFRZST, struct friostat **)
 	ioctl(fd, SIOCZRLST, struct frentry **)
-	ioctl(fd, SIOCAUTHW, struct fr_info **)
-	ioctl(fd, SIOCAUTHR, struct fr_info **)
+	ioctl(fd, SIOCAUTHW, struct frauth_t **)
+	ioctl(fd, SIOCAUTHR, struct frauth_t **)
 	ioctl(fd, SIOCATHST, struct fr_authstat **)
 .fi
 .PP
@@ -122,7 +122,7 @@ Flags which are recognised in fr_flags:
      FR_RETRST       0x000080   /* return a TCP RST packet if blocked */
      FR_RETICMP      0x000100   /* return an ICMP packet if blocked */
      FR_FAKEICMP     0x00180    /* Return ICMP unreachable with fake source */
-     FR_NOMATCH      0x000200   /* no match occured */
+     FR_NOMATCH      0x000200   /* No match occurred */
      FR_ACCOUNT      0x000400   /* count packet bytes */
      FR_KEEPFRAG     0x000800   /* keep fragment information */
      FR_KEEPSTATE    0x001000   /* keep `connection' state information */
diff --git a/contrib/ipfilter/man/ipfilter.5 b/contrib/ipfilter/man/ipfilter.5
index 95116e2..0bba0f4 100644
--- a/contrib/ipfilter/man/ipfilter.5
+++ b/contrib/ipfilter/man/ipfilter.5
@@ -1,10 +1,10 @@
 .TH IPFILTER 1
 .SH NAME
-IP FIlter
+IP Filter
 .SH DESCRIPTION
 .PP
 IP Filter is a package providing packet filtering capabilities for a variety
 of operating systems.  On a properly setup system, it can be used to build a
 firewall.
 .SH SEE ALSO
-ipf(8), ipf(1), ipf(5), ipnat(1), ipnat(5), mkfilters(1)
+ipf(8), ipf(1), ipf(5), ipnat(8), ipnat(5), mkfilters(1)
diff --git a/contrib/ipfilter/man/ipfs.8 b/contrib/ipfilter/man/ipfs.8
index a120744..04b8863 100644
--- a/contrib/ipfilter/man/ipfs.8
+++ b/contrib/ipfilter/man/ipfs.8
@@ -52,6 +52,7 @@ Change the default directory used with
 and
 .B \-W
 options for saving state information.
+.TP
 .B \-n
 Don't actually take any action that would effect information stored in
 the kernel or on disk.
@@ -59,6 +60,11 @@ the kernel or on disk.
 .B \-v
 Provides a verbose description of what's being done.
 .TP
+.B \-i <ifname1>,<ifname2>
+Change all instances of interface name ifname1 in the state save file to
+ifname2.  Useful if you're restoring state information after a hardware
+reconfiguration or change.
+.TP
 .B \-N
 Operate on NAT information.
 .TP
@@ -69,7 +75,7 @@ Operate on filtering state information.
 Unlock state tables in the kernel.
 .TP
 .B \-l
-Unlock state tables in the kernel.
+Lock state tables in the kernel.
 .TP
 .B \-r
 Read information in from the specified file and load it into the
diff --git a/contrib/ipfilter/man/ipl.4 b/contrib/ipfilter/man/ipl.4
index 15f587b..7c6d46e 100644
--- a/contrib/ipfilter/man/ipl.4
+++ b/contrib/ipfilter/man/ipl.4
@@ -49,7 +49,7 @@ When reading from the \fBipl\fP device, it is necessary to call read(2) with
 a buffer big enough to hold at least 1 complete log record - reading of partial
 log records is not supported.
 .PP
-If the packet contents is more then 128 bytes when \fBlog body\fP is used,
+If the packet contents are more than 128 bytes when \fBlog body\fP is used,
 then only 128 bytes of the packet contents is logged.
 .PP
 Although it is only possible to read from the \fBipl\fP device, opening it
diff --git a/contrib/ipfilter/man/ipmon.8 b/contrib/ipfilter/man/ipmon.8
index 7cd98f6..386f3a2 100644
--- a/contrib/ipfilter/man/ipmon.8
+++ b/contrib/ipfilter/man/ipmon.8
@@ -4,7 +4,7 @@ ipmon \- monitors /dev/ipl for logged packets
 .SH SYNOPSIS
 .B ipmon
 [
-.B \-aDFhnpstvxX
+.B \-abDFhnpstvxX
 ] [
 .B "\-N <device>"
 ] [
@@ -76,6 +76,10 @@ In order for \fBipmon\fP to properly work, the kernel option
 Open all of the device logfiles for reading log entries from.  All entries
 are displayed to the same output 'device' (stderr or syslog).
 .TP
+.B \-b
+For rules which log the body of a packet, generate hex output representing
+the packet contents afte the headers.
+.TP
 .B \-D
 Cause ipmon to turn itself into a daemon.  Using subshells or backgrounding
 of ipmon is not required to turn it into an orphan so it can run indefinately.
diff --git a/contrib/ipfilter/man/ipnat.5 b/contrib/ipfilter/man/ipnat.5
index ec53059..7fb2e90 100644
--- a/contrib/ipfilter/man/ipnat.5
+++ b/contrib/ipfilter/man/ipnat.5
@@ -10,10 +10,11 @@ ipmap :: = mapblock | redir | map .
 map ::= mapit ifname ipmask "->" ipmask [ mapport ] .
 map ::= mapit ifname fromto "->" ipmask [ mapport ] .
 mapblock ::= "map-block" ifname ipmask "->" ipmask [ ports ] .
-redir ::= "rdr" ifname ipmask dport "->" ip [ "," ip ] [ ports ] options .
+redir ::= "rdr" ifname ipmask dport "->" ip [ "," ip ] rdrport options .
 
 dport ::= "port" portnum [ "-" portnum ] .
 ports ::= "ports" numports | "auto" .
+rdrport ::= "port" portnum .
 mapit ::= "map" | "bimap" .
 fromto ::= "from" object "to" object .
 ipmask ::= ip "/" bits | ip "/" mask | ip "netmask" mask .
@@ -199,6 +200,7 @@ own.  As opposed to the above use of \fBmap\fP, if for some reason the user
 of (say) 172.192.0.2 wanted 260 simultaneous connections going out, they would
 be limited to 252 with \fBmap-block\fP but would just \fImove on\fP to the next
 IP address with the \fBmap\fP command.
+.SH FILES
 /dev/ipnat
 .br
 /etc/services