authorguido <guido@FreeBSD.org>2005-12-30 11:34:54 +0000
committerguido <guido@FreeBSD.org>2005-12-30 11:34:54 +0000
commit9749beb9e35afd40d054e5592764d50ed069a890 (patch)
tree92e5e7f4a485051a94f584190e946730b901c425 /contrib/ipfilter/man
parentb8892e0b0c21a7cf39b7b7abaaa0f1a85028288f (diff)
Import IP Filter 4.1.10
Diffstat (limited to 'contrib/ipfilter/man')
-rw-r--r--contrib/ipfilter/man/ipf.42
-rw-r--r--contrib/ipfilter/man/ipf.59
-rw-r--r--contrib/ipfilter/man/ipf.82
-rw-r--r--contrib/ipfilter/man/ipfilter.42
-rw-r--r--contrib/ipfilter/man/ipfilter.52
-rw-r--r--contrib/ipfilter/man/ipfs.82
-rw-r--r--contrib/ipfilter/man/ipfstat.82
-rw-r--r--contrib/ipfilter/man/ipftest.120
-rw-r--r--contrib/ipfilter/man/ipl.42
-rw-r--r--contrib/ipfilter/man/ipmon.52
-rw-r--r--contrib/ipfilter/man/ipmon.812
-rw-r--r--contrib/ipfilter/man/ipnat.42
-rw-r--r--contrib/ipfilter/man/ipnat.55
-rw-r--r--contrib/ipfilter/man/ipnat.88
-rw-r--r--contrib/ipfilter/man/ippool.52
-rw-r--r--contrib/ipfilter/man/ippool.82
-rw-r--r--contrib/ipfilter/man/ipscan.52
-rw-r--r--contrib/ipfilter/man/ipscan.82
-rw-r--r--contrib/ipfilter/man/mkfilters.12
19 files changed, 36 insertions, 46 deletions
diff --git a/contrib/ipfilter/man/ipf.4 b/contrib/ipfilter/man/ipf.4
index 7a0b20a..e2e5b5b 100644
--- a/contrib/ipfilter/man/ipf.4
+++ b/contrib/ipfilter/man/ipf.4
@@ -1,5 +1,3 @@
-.\" $NetBSD$
-.\"
.TH IPF 4
.SH NAME
ipf \- packet filtering kernel interface
diff --git a/contrib/ipfilter/man/ipf.5 b/contrib/ipfilter/man/ipf.5
index ab7f935..3fd9e94 100644
--- a/contrib/ipfilter/man/ipf.5
+++ b/contrib/ipfilter/man/ipf.5
@@ -1,5 +1,3 @@
-.\" $NetBSD$
-.\"
.TH IPF 5
.SH NAME
ipf, ipf.conf, ipf6.conf \- IP packet filter rule syntax
@@ -58,8 +56,8 @@ port-range = "port" port-num range port-num .
flags = "flags" flag { flag } [ "/" flag { flag } ] .
with = "with" | "and" .
icmp = "icmp-type" icmp-type [ "code" decnumber ] .
-return-code = "("icmp-code")" .
-keep = "keep" "state" | "keep" "frags" .
+return-code = "(" icmp-code ")" .
+keep = "keep" "state" [ "(" state-options ")" ] | "keep" "frags" .
loglevel = facility"."priority | priority .
nummask = host-name [ "/" decnumber ] .
@@ -67,7 +65,10 @@ host-name = ipaddr | hostname | "any" .
ipaddr = host-num "." host-num "." host-num "." host-num .
host-num = digit [ digit [ digit ] ] .
port-num = service-name | decnumber .
+state-options = state-opts [ "," state-options ] .
+state-opts = "age" decnumber [ "/" decnumber ] | "strict" |
+ "no-icmp-err" | "limit" decnumber | "newisn" | "sync" .
withopt = [ "not" | "no" ] opttype [ withopt ] .
opttype = "ipopts" | "short" | "frag" | "opt" optname .
optname = ipopts [ "," optname ] .
diff --git a/contrib/ipfilter/man/ipf.8 b/contrib/ipfilter/man/ipf.8
index c7d07c0..4311577 100644
--- a/contrib/ipfilter/man/ipf.8
+++ b/contrib/ipfilter/man/ipf.8
@@ -1,5 +1,3 @@
-.\" $NetBSD$
-.\"
.TH IPF 8
.SH NAME
ipf \- alters packet filtering lists for IP packet input and output
diff --git a/contrib/ipfilter/man/ipfilter.4 b/contrib/ipfilter/man/ipfilter.4
index cf8ca9f..b2d2f2a 100644
--- a/contrib/ipfilter/man/ipfilter.4
+++ b/contrib/ipfilter/man/ipfilter.4
@@ -1,5 +1,3 @@
-.\" $NetBSD$
-.\"
.TH IP\ FILTER 4
.SH NAME
ipfilter \- Introduction to IP packet filtering
diff --git a/contrib/ipfilter/man/ipfilter.5 b/contrib/ipfilter/man/ipfilter.5
index 9fbb675..0bba0f4 100644
--- a/contrib/ipfilter/man/ipfilter.5
+++ b/contrib/ipfilter/man/ipfilter.5
@@ -1,5 +1,3 @@
-.\" $NetBSD$
-.\"
.TH IPFILTER 1
.SH NAME
IP Filter
diff --git a/contrib/ipfilter/man/ipfs.8 b/contrib/ipfilter/man/ipfs.8
index 52f6fcb..d5bf460 100644
--- a/contrib/ipfilter/man/ipfs.8
+++ b/contrib/ipfilter/man/ipfs.8
@@ -1,5 +1,3 @@
-.\" $NetBSD$
-.\"
.TH IPFS 8
.SH NAME
ipfs \- saves and restores information for NAT and state tables.
diff --git a/contrib/ipfilter/man/ipfstat.8 b/contrib/ipfilter/man/ipfstat.8
index 549b31a..a3ec72a 100644
--- a/contrib/ipfilter/man/ipfstat.8
+++ b/contrib/ipfilter/man/ipfstat.8
@@ -1,5 +1,3 @@
-.\" $NetBSD$
-.\"
.TH ipfstat 8
.SH NAME
ipfstat \- reports on packet filter statistics and filter list
diff --git a/contrib/ipfilter/man/ipftest.1 b/contrib/ipfilter/man/ipftest.1
index 4a17576..5153687 100644
--- a/contrib/ipfilter/man/ipftest.1
+++ b/contrib/ipfilter/man/ipftest.1
@@ -1,12 +1,10 @@
-.\" $NetBSD$
-.\"
.TH ipftest 1
.SH NAME
ipftest \- test packet filter rules with arbitrary input.
.SH SYNOPSIS
.B ipftest
[
-.B \-6bdDoRvx
+.B \-6bCdDoRvx
] [
.B \-F
input-format
@@ -29,6 +27,9 @@ interface
.B \-r
<filename>
] [
+.B \-S
+<ip_address>
+] [
.B \-T
<optionlist>
]
@@ -58,6 +59,11 @@ Cause the output to be a brief summary (one-word) of the result of passing
the packet through the filter; either "pass", "block" or "nomatch".
This is used in the regression testing.
.TP
+.B \-C
+Force the checksums to be (re)calculated for all packets being input into
+\fBipftest\fP. This may be necessary if pcap files from tcpdump are being
+fed in where there are partial checksums present due to hardware offloading.
+.TP
.B \-d
Turn on filter rule debugging. Currently, this only shows you what caused
the rule to not match in the IP header checking (addresses/netmasks, etc).
@@ -169,6 +175,14 @@ Specify the filename from which to read filter rules in \fBipf\fP(5) format.
.B \-R
Don't attempt to convert IP addresses to hostnames.
.TP
+.BR \-S \0<ip_address>
+The IP address specifived with this option is used by ipftest to determine
+whether a packet should be treated as "input" or "output". If the source
+address in an IP packet matches then it is considered to be inbound. If it
+does not match then it is considered to be outbound. This is primarily
+for use with tcpdump (pcap) files where there is no in/out information
+saved with each packet.
+.TP
.BR \-T \0<optionlist>
This option simulates the run-time changing of IPFilter kernel variables
available with the \fB\-T\fP option of \fBipf\fP.
diff --git a/contrib/ipfilter/man/ipl.4 b/contrib/ipfilter/man/ipl.4
index d45749b..d8106cc 100644
--- a/contrib/ipfilter/man/ipl.4
+++ b/contrib/ipfilter/man/ipl.4
@@ -1,5 +1,3 @@
-.\" $NetBSD$
-.\"
.TH IPL 4
.SH NAME
ipl \- IP packet log device
diff --git a/contrib/ipfilter/man/ipmon.5 b/contrib/ipfilter/man/ipmon.5
index bc48466..2e3eebd 100644
--- a/contrib/ipfilter/man/ipmon.5
+++ b/contrib/ipfilter/man/ipmon.5
@@ -1,5 +1,3 @@
-.\" $NetBSD$
-.\"
.TH IPMON 5
.SH NAME
ipmon, ipmon.conf \- ipmon configuration file format
diff --git a/contrib/ipfilter/man/ipmon.8 b/contrib/ipfilter/man/ipmon.8
index 0c2861c..1ddc307 100644
--- a/contrib/ipfilter/man/ipmon.8
+++ b/contrib/ipfilter/man/ipmon.8
@@ -1,12 +1,10 @@
-.\" $NetBSD$
-.\"
.TH ipmon 8
.SH NAME
ipmon \- monitors /dev/ipl for logged packets
.SH SYNOPSIS
.B ipmon
[
-.B \-abDFhnpstvxX
+.B \-abBDFhnpstvxX
] [
.B "\-N <device>"
] [
@@ -73,6 +71,9 @@ unreachable message.
In order for \fBipmon\fP to properly work, the kernel option
\fBIPFILTER_LOG\fP must be turned on in your kernel. Please see
\fBoptions(4)\fP for more details.
+.LP
+\fBipmon\fP reopns its log file(s) and rereads its configuration file
+when it receives a SIGHUP signal.
.SH OPTIONS
.TP
.B \-a
@@ -83,6 +84,11 @@ are displayed to the same output 'device' (stderr or syslog).
For rules which log the body of a packet, generate hex output representing
the packet contents after the headers.
.TP
+.B \-B <binarylogfilename>
+Enable logging of the raw, unformatted binary data to the specified
+\fI<binarylogfilename>\fP file. This can be read, later, using \fBipmon\fP
+with the \fB-f\fP option.
+.TP
.B \-D
Cause ipmon to turn itself into a daemon. Using subshells or backgrounding
of ipmon is not required to turn it into an orphan so it can run indefinitely.
diff --git a/contrib/ipfilter/man/ipnat.4 b/contrib/ipfilter/man/ipnat.4
index 6f696bd..54f55d3 100644
--- a/contrib/ipfilter/man/ipnat.4
+++ b/contrib/ipfilter/man/ipnat.4
@@ -1,5 +1,3 @@
-.\" $NetBSD$
-.\"
.TH IPNAT 4
.SH NAME
ipnat \- Network Address Translation kernel interface
diff --git a/contrib/ipfilter/man/ipnat.5 b/contrib/ipfilter/man/ipnat.5
index 7db3308..2d76a46 100644
--- a/contrib/ipfilter/man/ipnat.5
+++ b/contrib/ipfilter/man/ipnat.5
@@ -1,5 +1,3 @@
-.\" $NetBSD$
-.\"
.TH IPNAT 5
.SH NAME
ipnat, ipnat.conf \- IP NAT file format
@@ -12,9 +10,10 @@ ipmap :: = mapblock | redir | map .
map ::= mapit ifname lhs "->" dstipmask [ mapicmp | mapport | mapproxy ]
mapoptions .
mapblock ::= "map-block" ifname lhs "->" ipmask [ ports ] mapoptions .
-redir ::= "rdr" ifname ipmask dport "->" ip [ "," ip ] rdrport rdroptions .
+redir ::= "rdr" ifname rlhs "->" ip [ "," ip ] rdrport rdroptions .
lhs ::= ipmask | fromto .
+rlhs ::= ipmask dport | fromto .
dport ::= "port" portnum [ "-" portnum ] .
ports ::= "ports" numports | "auto" .
rdrport ::= "port" portnum .
diff --git a/contrib/ipfilter/man/ipnat.8 b/contrib/ipfilter/man/ipnat.8
index 49a09be..683e8f1 100644
--- a/contrib/ipfilter/man/ipnat.8
+++ b/contrib/ipfilter/man/ipnat.8
@@ -1,5 +1,3 @@
-.\" $NetBSD$
-.\"
.TH IPNAT 8
.SH NAME
ipnat \- user interface to the NAT subsystem
@@ -35,7 +33,7 @@ enabled.
.TP
.B \-C
delete all entries in the current NAT rule listing (NAT rules)
- .TP
+.TP
.B \-d
Enable printing of some extra debugging information.
.TP
@@ -54,10 +52,10 @@ This flag (no-change) prevents \fBipf\fP from actually making any ioctl
calls or doing anything which would alter the currently running kernel.
.TP
.B \-r
-Remove matching NAT rules rather than add them to the internal lists
+Remove matching NAT rules rather than add them to the internal lists.
.TP
.B \-s
-Retrieve and display NAT statistics
+Retrieve and display NAT statistics.
.TP
.B \-v
Turn verbose mode on. Displays information relating to rule processing
diff --git a/contrib/ipfilter/man/ippool.5 b/contrib/ipfilter/man/ippool.5
index c9eaaca..1c720b9 100644
--- a/contrib/ipfilter/man/ippool.5
+++ b/contrib/ipfilter/man/ippool.5
@@ -1,5 +1,3 @@
-.\" $NetBSD$
-.\"
.TH IPPOOL 5
.SH NAME
ippool, ippool.conf \- IP Pool file format
diff --git a/contrib/ipfilter/man/ippool.8 b/contrib/ipfilter/man/ippool.8
index 6ed1e88..e27cb92 100644
--- a/contrib/ipfilter/man/ippool.8
+++ b/contrib/ipfilter/man/ippool.8
@@ -1,5 +1,3 @@
-.\" $NetBSD$
-.\"
.TH IPPOOL 8
.SH NAME
ippool \- user interface to the IPFilter pools
diff --git a/contrib/ipfilter/man/ipscan.5 b/contrib/ipfilter/man/ipscan.5
index 4a00174..cc12ca3 100644
--- a/contrib/ipfilter/man/ipscan.5
+++ b/contrib/ipfilter/man/ipscan.5
@@ -1,5 +1,3 @@
-.\" $NetBSD$
-.\"
.TH IPSCAN 5
.SH NAME
ipscan, ipscan.conf \- ipscan file format
diff --git a/contrib/ipfilter/man/ipscan.8 b/contrib/ipfilter/man/ipscan.8
index d3ce952..958c456 100644
--- a/contrib/ipfilter/man/ipscan.8
+++ b/contrib/ipfilter/man/ipscan.8
@@ -1,5 +1,3 @@
-.\" $NetBSD$
-.\"
.TH IPSCAN 8
.SH NAME
ipscan \- user interface to the IPFilter content scanning
diff --git a/contrib/ipfilter/man/mkfilters.1 b/contrib/ipfilter/man/mkfilters.1
index 3bac7d1..b5fd9dc 100644
--- a/contrib/ipfilter/man/mkfilters.1
+++ b/contrib/ipfilter/man/mkfilters.1
@@ -1,5 +1,3 @@
-.\" $NetBSD$
-.\"
.TH MKFILTERS 1
.SH NAME
mkfilters \- generate a minimal firewall ruleset for ipfilter