authorguido <guido@FreeBSD.org>2005-12-30 11:52:26 +0000
committerguido <guido@FreeBSD.org>2005-12-30 11:52:26 +0000
commit7ee09247502caaf9063c5d6ba733231a70de09ef (patch)
tree9209f38a8bc3af0186363bc8bbfe05d79337f8d4 /contrib/ipfilter/man
parent3cc29e6ebff10906cf1f84a6cc2d518dcecf219c (diff)
Resolve conflicts (and believe me...you don't want to know).
Diffstat (limited to 'contrib/ipfilter/man')
-rw-r--r--contrib/ipfilter/man/ipf.57
-rw-r--r--contrib/ipfilter/man/ipftest.118
-rw-r--r--contrib/ipfilter/man/ipmon.810
-rw-r--r--contrib/ipfilter/man/ipnat.53
-rw-r--r--contrib/ipfilter/man/ipnat.86
5 files changed, 36 insertions, 8 deletions
diff --git a/contrib/ipfilter/man/ipf.5 b/contrib/ipfilter/man/ipf.5
index d6b6ac1..8bdaedc 100644
--- a/contrib/ipfilter/man/ipf.5
+++ b/contrib/ipfilter/man/ipf.5
@@ -57,8 +57,8 @@ port-range = "port" port-num range port-num .
flags = "flags" flag { flag } [ "/" flag { flag } ] .
with = "with" | "and" .
icmp = "icmp-type" icmp-type [ "code" decnumber ] .
-return-code = "("icmp-code")" .
-keep = "keep" "state" | "keep" "frags" .
+return-code = "(" icmp-code ")" .
+keep = "keep" "state" [ "(" state-options ")" ] | "keep" "frags" .
loglevel = facility"."priority | priority .
nummask = host-name [ "/" decnumber ] .
@@ -66,7 +66,10 @@ host-name = ipaddr | hostname | "any" .
ipaddr = host-num "." host-num "." host-num "." host-num .
host-num = digit [ digit [ digit ] ] .
port-num = service-name | decnumber .
+state-options = state-opts [ "," state-options ] .
+state-opts = "age" decnumber [ "/" decnumber ] | "strict" |
+ "no-icmp-err" | "limit" decnumber | "newisn" | "sync" .
withopt = [ "not" | "no" ] opttype [ withopt ] .
opttype = "ipopts" | "short" | "frag" | "opt" optname .
optname = ipopts [ "," optname ] .
diff --git a/contrib/ipfilter/man/ipftest.1 b/contrib/ipfilter/man/ipftest.1
index df8320a..402195f 100644
--- a/contrib/ipfilter/man/ipftest.1
+++ b/contrib/ipfilter/man/ipftest.1
@@ -5,7 +5,7 @@ ipftest \- test packet filter rules with arbitrary input.
.SH SYNOPSIS
.B ipftest
[
-.B \-6bdDoRvx
+.B \-6bCdDoRvx
] [
.B \-F
input-format
@@ -28,6 +28,9 @@ interface
.B \-r
<filename>
] [
+.B \-S
+<ip_address>
+] [
.B \-T
<optionlist>
]
@@ -57,6 +60,11 @@ Cause the output to be a brief summary (one-word) of the result of passing
the packet through the filter; either "pass", "block" or "nomatch".
This is used in the regression testing.
.TP
+.B \-C
+Force the checksums to be (re)calculated for all packets being input into
+\fBipftest\fP. This may be necessary if pcap files from tcpdump are being
+fed in where there are partial checksums present due to hardware offloading.
+.TP
.B \-d
Turn on filter rule debugging. Currently, this only shows you what caused
the rule to not match in the IP header checking (addresses/netmasks, etc).
@@ -168,6 +176,14 @@ Specify the filename from which to read filter rules in \fBipf\fP(5) format.
.B \-R
Don't attempt to convert IP addresses to hostnames.
.TP
+.BR \-S \0<ip_address>
+The IP address specifived with this option is used by ipftest to determine
+whether a packet should be treated as "input" or "output". If the source
+address in an IP packet matches then it is considered to be inbound. If it
+does not match then it is considered to be outbound. This is primarily
+for use with tcpdump (pcap) files where there is no in/out information
+saved with each packet.
+.TP
.BR \-T \0<optionlist>
This option simulates the run-time changing of IPFilter kernel variables
available with the \fB\-T\fP option of \fBipf\fP.
diff --git a/contrib/ipfilter/man/ipmon.8 b/contrib/ipfilter/man/ipmon.8
index 48b2a41..44ef53a 100644
--- a/contrib/ipfilter/man/ipmon.8
+++ b/contrib/ipfilter/man/ipmon.8
@@ -5,7 +5,7 @@ ipmon \- monitors /dev/ipl for logged packets
.SH SYNOPSIS
.B ipmon
[
-.B \-abDFhnpstvxX
+.B \-abBDFhnpstvxX
] [
.B "\-N <device>"
] [
@@ -72,6 +72,9 @@ unreachable message.
In order for \fBipmon\fP to properly work, the kernel option
\fBIPFILTER_LOG\fP must be turned on in your kernel. Please see
\fBoptions(4)\fP for more details.
+.LP
+\fBipmon\fP reopns its log file(s) and rereads its configuration file
+when it receives a SIGHUP signal.
.SH OPTIONS
.TP
.B \-a
@@ -82,6 +85,11 @@ are displayed to the same output 'device' (stderr or syslog).
For rules which log the body of a packet, generate hex output representing
the packet contents after the headers.
.TP
+.B \-B <binarylogfilename>
+Enable logging of the raw, unformatted binary data to the specified
+\fI<binarylogfilename>\fP file. This can be read, later, using \fBipmon\fP
+with the \fB-f\fP option.
+.TP
.B \-D
Cause ipmon to turn itself into a daemon. Using subshells or backgrounding
of ipmon is not required to turn it into an orphan so it can run indefinitely.
diff --git a/contrib/ipfilter/man/ipnat.5 b/contrib/ipfilter/man/ipnat.5
index 210f09a..6d3f9bc 100644
--- a/contrib/ipfilter/man/ipnat.5
+++ b/contrib/ipfilter/man/ipnat.5
@@ -12,9 +12,10 @@ ipmap :: = mapblock | redir | map .
map ::= mapit ifname lhs "->" dstipmask [ mapicmp | mapport | mapproxy ]
mapoptions .
mapblock ::= "map-block" ifname lhs "->" ipmask [ ports ] mapoptions .
-redir ::= "rdr" ifname ipmask dport "->" ip [ "," ip ] rdrport rdroptions .
+redir ::= "rdr" ifname rlhs "->" ip [ "," ip ] rdrport rdroptions .
lhs ::= ipmask | fromto .
+rlhs ::= ipmask dport | fromto .
dport ::= "port" portnum [ "-" portnum ] .
ports ::= "ports" numports | "auto" .
rdrport ::= "port" portnum .
diff --git a/contrib/ipfilter/man/ipnat.8 b/contrib/ipfilter/man/ipnat.8
index 87f2da5..192c1e7 100644
--- a/contrib/ipfilter/man/ipnat.8
+++ b/contrib/ipfilter/man/ipnat.8
@@ -35,7 +35,7 @@ enabled.
.TP
.B \-C
delete all entries in the current NAT rule listing (NAT rules)
- .TP
+.TP
.B \-d
Enable printing of some extra debugging information.
.TP
@@ -54,10 +54,10 @@ This flag (no-change) prevents \fBipf\fP from actually making any ioctl
calls or doing anything which would alter the currently running kernel.
.TP
.B \-r
-Remove matching NAT rules rather than add them to the internal lists
+Remove matching NAT rules rather than add them to the internal lists.
.TP
.B \-s
-Retrieve and display NAT statistics
+Retrieve and display NAT statistics.
.TP
.B \-v
Turn verbose mode on. Displays information relating to rule processing