path: root/contrib/ipfilter/man
author: guido <guido@FreeBSD.org> 1999-11-08 20:51:23 +0000
committer: guido <guido@FreeBSD.org> 1999-11-08 20:51:23 +0000
commit: 9452e54400ecec551a4b57dc17af015ef8547da2 (patch)
tree: c26b3cb2a5ac0f433db1690d23b00e9fd542ddac /contrib/ipfilter/man
parent: 0f2adb8c13cbc2d3004cfbd4942482a49c6cb35e (diff)
parent: 0539756f3d2277bd1ecc19afb014c074426e2f35 (diff)
download: FreeBSD-src-9452e54400ecec551a4b57dc17af015ef8547da2.zip
download: FreeBSD-src-9452e54400ecec551a4b57dc17af015ef8547da2.tar.gz
This commit was generated by cvs2svn to compensate for changes in r53024,
which included commits to RCS files with non-trunk default branches.
Diffstat (limited to 'contrib/ipfilter/man')
-rw-r--r--  contrib/ipfilter/man/Makefile  |  2
-rw-r--r--  contrib/ipfilter/man/ipnat.1   |  9
-rw-r--r--  contrib/ipfilter/man/ipnat.5   | 98
3 files changed, 98 insertions, 11 deletions
diff --git a/contrib/ipfilter/man/Makefile b/contrib/ipfilter/man/Makefile
index 972fbf5..5e029de 100644
--- a/contrib/ipfilter/man/Makefile
+++ b/contrib/ipfilter/man/Makefile
@@ -1,5 +1,5 @@
#
-# Copyright (C) 1993-1997 by Darren Reed.
+# Copyright (C) 1993-1998 by Darren Reed.
#
# Redistribution and use in source and binary forms are permitted
# provided that this notice is preserved and due credit is given
diff --git a/contrib/ipfilter/man/ipnat.1 b/contrib/ipfilter/man/ipnat.1
index 01b5100..f241415 100644
--- a/contrib/ipfilter/man/ipnat.1
+++ b/contrib/ipfilter/man/ipnat.1
@@ -19,11 +19,11 @@ which they appear when given to \fBipnat\fP.
.SH OPTIONS
.TP
.B \-C
-delete all entries in the current NAT listing (NAT rules)
+delete all entries in the current NAT rule listing (NAT rules)
.TP
.B \-F
-delete all active entries in the current NAT table (currently active
-NAT mappings)
+delete all active entries in the current NAT translation table (currently
+active NAT mappings)
.TP
.B \-l
Show the list of current NAT table entry mappings.
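Review bot: the reworded -C entry now says "NAT rule listing (NAT rules)", so the parenthetical repeats the phrase it is explaining; either drop it ("delete all entries in the current NAT rule listing") or keep parentheticals only where they add a distinction, as the -F entry does with "(currently active NAT mappings)".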
@@ -39,7 +39,8 @@ Retrieve and display NAT statistics
Remove matching NAT rules rather than add them to the internal lists
.TP
.B \-v
-Turn verbose mode on. Displays information relating to rule processing.
+Turn verbose mode on. Displays information relating to rule processing
+and active rules/table entries.
.DT
.SH FILES
/dev/ipnat
diff --git a/contrib/ipfilter/man/ipnat.5 b/contrib/ipfilter/man/ipnat.5
index 576e9c2..e15fa0d 100644
--- a/contrib/ipfilter/man/ipnat.5
+++ b/contrib/ipfilter/man/ipnat.5
@@ -5,14 +5,19 @@ ipnat, ipnat.conf \- IP NAT file format
The format for files accepted by ipnat is described by the following grammar:
.LP
.nf
-ipmap :: = mapit ifname ipmask "->" ipmask [ mapport ] .
+ipmap :: = mapblock | redir | map .
-mapit ::= "map" | "rdr" .
+map ::= mapit ifname ipmask "->" ipmask [ mapport ] .
+mapblock ::= "map-block" ifname ipmask "->" ipmask [ ports ] .
+redir ::= "rdr" ifname [ fromspec ] ipmask "->" ip [ ports ] [ tcpudp ] .
+ports ::= "ports" numports | "auto" .
+mapit ::= "map" | "bimap" .
ipmask ::= ip "/" bits | ip "/" mask | ip "netmask" mask .
mapport ::= "portmap" tcpudp portnumber ":" portnumber .
+fromspec ::= "from" ip "/" ipmask .
tcpudp ::= "tcp" | "udp" | "tcp/udp" .
-portnumber ::= number { numbers } .
+portnumber ::= number { numbers } | "auto" .
ifname ::= 'A' - 'Z' { 'A' - 'Z' } numbers .
numbers ::= '0' | '1' | '2' | '3' | '4' | '5' | '6' | '7' | '8' | '9' .
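Review bot: several of the new productions in this hunk do not match the examples later in the same file or reference symbols the grammar never defines. `ports ::= "ports" numports | "auto" .` leaves `numports` undefined and, as written, allows a bare `auto` without the `ports` keyword, whereas the example below uses `ports auto`; `"ports" ( numports | "auto" )` matches the documented usage. Likewise `portnumber ::= number { numbers } | "auto" .` combined with `mapport ::= "portmap" tcpudp portnumber ":" portnumber .` admits `portmap tcp/udp auto:auto` but not the `portmap tcp/udp auto` form shown in the examples; moving `"auto"` into `mapport` as an alternative to the `portnumber ":" portnumber` range is the smaller fix. `fromspec ::= "from" ip "/" ipmask .` doubles the address, since `ipmask` already expands to `ip "/" bits` or `ip "/" mask`; `"from" ipmask` is what the text under MATCHING describes. Finally, the changed `ipmap :: = ...` line keeps the stray space in `:: =` that every other production writes as `::=`, and the unchanged `ifname` production only allows upper-case letters although every example uses `ppp0`; worth correcting while this block is being rewritten.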
@@ -34,7 +39,63 @@ addresses.
When remapping TCP and UDP packets, it is also possible to change the source
port number. Either TCP or UDP or both can be selected by each rule, with a
range of port numbers to remap into given as \fBport-number:port-number\fP.
-.SH Examples
+.SH COMMANDS
+There are found commands recognised by IP Filter's NAT code:
+.TP
+.B map
+that is used for mapping one address or network to another in an unregulated
+round robin fashion;
+.TP
+.B rdr
+that is used for redirecting packets to one IP address and port pair to
+another;
+.TP
+.B bimap
+for setting up bidirectional NAT between an external IP address and an internal
+IP address and
+.TP
+.B map-block
+which sets up static IP address based translation, based on a algorithm to
+squeeze the addresses to be translated into the destination range.
+.SH MATCHING
+.PP
+For basic NAT and redirection of packets, the address subject to change is used
+along with its protocol to check if a packet should be altered. In the case
+of redirects, it is also possible to select packets on a source address basis
+using the \fBfrom\fP keyword, as well as the manditory destination port. The
+packet \fImatching\fP part of the rule is to the left of the "->" in each rule.
+.SH TRANSLATION
+.PP
+To the right of the "->" is the address and port specificaton which will be
+written into the packet providing it has already successful matched the
+prior constraints. The case of redirections (\fBrdr\fP) is the simpliest:
+the new destination address is that specified in the rule. For \fBmap\fP
+rules, the destination address will be one for which the tuple combining
+the new source and destination is known to be unique. If the packet is
+either a TCP or UDP packet, the destination and source ports come into the
+equation too. If the tuple already exists, IP Filter will increment the
+port number first, within the available range specified with \fBportmap\fP
+and if there exists no unique tuple, the source address will be incremented
+within the specified netmask. If a unique tuple cannot be determined, then
+the packet will not be translated. The \fBmap-block\fP is more limited in
+how it searches for a new, free and unique tuple, in that it will used an
+algorithm to determine what the new source address should be, along with the
+range of available ports - the IP address is never changed and nor does the
+port number ever exceed its alloted range.
+.SH KERNEL PROXIES
+.PP
+IP Filter comes with a few, simple, proxies built into the code that is loaded
+into the kernel to allow secondary channels to be opened without forcing the
+packets through a user program.
+.SH TRNSPARENT PROXIES
+.PP
+True transparent proxying should be performed using the redirect (\fBrdr\fP)
+rules directing ports to localhost (127.0.0.1) with the proxy program doing
+a lookup through \fB/dev/ipnat\fP to determine the real source and address
+of the connection.
+.SH EXAMPLES
+.PP
+This section deals with the \fBmap\fP command and it's variations.
.PP
To change IP#'s used internally from network 10 into an ISP provided 8 bit
subnet at 209.1.2.0 through the ppp0 interface, the following would be used:
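Review bot: the new COMMANDS, MATCHING, TRANSLATION and proxy sections carry a number of typos that will ship in the installed man page: "There are found commands" should read "four commands", "a algorithm" should be "an algorithm", "manditory" should be "mandatory", "specificaton" should be "specification", "successful matched" should be "successfully matched", "simpliest" should be "simplest", "it will used an algorithm" should be "it will use an algorithm", "alloted" should be "allotted", the heading "TRNSPARENT PROXIES" should be "TRANSPARENT PROXIES", and "it's variations" should be "its variations". Beyond spelling, the map-block paragraph reads contradictorily: it first says the algorithm determines "what the new source address should be" and then that "the IP address is never changed"; presumably the intent is that, once chosen, a host's translated address and port range are fixed rather than rotating as with map, and saying so explicitly would remove the ambiguity. The transparent-proxy paragraph also says a proxy does "a lookup through /dev/ipnat to determine the real source and address of the connection"; "source and destination address" is probably what is meant, and it would help the reader if the ioctl or tool used for that lookup were named or cross-referenced, since this is the only mention of it.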
@@ -61,8 +122,33 @@ map ppp0 10.0.0.0/8 -> 209.1.2.0/24
.fi
.PP
so that all TCP/UDP packets were port mapped and only other protocols, such as
-ICMP, only have their IP# changed.
-.SH FILES
+ICMP, only have their IP# changed. In some instaces, it is more appropriate
+to use the keyword \fBauto\fP in place of an actual range of port numbers if
+you want to guarantee simultaneous access to all within the given range.
+However, in the above case, it would default to 1 port per IP address, since
+we need to squeeze 24 bits of address space into 8. A good example of how
+this is used might be:
+.LP
+.nf
+map ppp0 172.192.0.0/16 -> 209.1.2.0/24 portmap tcp/udp auto
+.fi
+.PP
+which would result in each IP address being given a small range of ports to
+use (252). The problem here is that the \fBmap\fP directive tells the NAT
+code to use the next address/port pair available for an outgoing connection,
+resulting in no easily discernable relation between external addresses/ports
+and internal ones. This is overcome by using \fBmap-block\fP as follows:
+.LP
+.nf
+map-block ppp0 172.192.0.0/16 -> 209.1.2.0/24 ports auto
+.fi
+.PP
+For example, this would result in 172.192.0.0/24 being mapped to 209.1.2.0/32
+with each address, from 172.192.0.0 to 172.192.0.255 having 252 ports of its
+own. As opposed to the above use of \fBmap\fP, if for some reason the user
+of (say) 172.192.0.2 wanted 260 simultaneous connections going out, they would
+be limited to 252 with \fBmap-block\fP but would just \fImove on\fP to the next
+IP address with the \fBmap\fP command.
/dev/ipnat
.br
/etc/services
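Review bot: this hunk deletes the `.SH FILES` heading (the `-.SH FILES` line) but the replacement text never re-adds it, so the trailing `/dev/ipnat` and `/etc/services` entries now render as the last paragraph of EXAMPLES instead of under a FILES section; insert `.SH FILES` after the new map-block paragraph, before `/dev/ipnat`. Spelling in the new text: "instaces" should be "instances" and "discernable" should be "discernible". The sentence about `auto` ("if you want to guarantee simultaneous access to all within the given range") is hard to parse; stating that `auto` divides the available port range evenly so every internal address is guaranteed its own share, which the 252-port figure in the following example then illustrates, would make the point clearer.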