This commit was generated by cvs2svn to compensate for changes in r60841,

which included commits to RCS files with non-trunk default branches.

4 files changed, 178 insertions, 8 deletions

diff --git a/contrib/ipfilter/man/Makefile b/contrib/ipfilter/man/Makefile
index 5e029de..c83337a 100644
--- a/contrib/ipfilter/man/Makefile
+++ b/contrib/ipfilter/man/Makefile
@@ -17,6 +17,7 @@ install:
 	$(INSTALL) -m 0644 -c -o root -g bin ipf.5 $(MANDIR)/man5
 	$(INSTALL) -m 0644 -c -o root -g bin ipnat.5 $(MANDIR)/man5
 	$(INSTALL) -m 0644 -c -o root -g bin ipf.8 $(MANDIR)/man8
+	$(INSTALL) -m 0644 -c -o root -g bin ipfs.8 $(MANDIR)/man8
 	$(INSTALL) -m 0644 -c -o root -g bin ipmon.8 $(MANDIR)/man8
 	$(INSTALL) -m 0644 -c -o root -g bin ipfstat.8 $(MANDIR)/man8
 	@echo "Remember to rebuild the whatis database."
diff --git a/contrib/ipfilter/man/ipfs.8 b/contrib/ipfilter/man/ipfs.8
new file mode 100644
index 0000000..a120744
--- /dev/null
+++ b/contrib/ipfilter/man/ipfs.8
@@ -0,0 +1,119 @@
+.TH IPFS 8
+.SH NAME
+ipfs \- saves and restores information for NAT and state tables.
+.SH SYNOPSIS
+.B ipfs
+[-nv] -l
+.PP
+.B ipfs
+[-nv] -u
+.PP
+.B ipfs
+[-nv] [
+.B \-d
+<\fIdirname\fP>
+] -R
+.PP
+.B ipfs
+[-nv] [
+.B \-d
+<\fIdirname\fP>
+] -W
+.PP
+.B ipfs
+[-nNSv] [
+.B \-f
+<\fIfilename\fP>
+] -r
+.PP
+.B ipfs
+[-nNSv] [
+.B \-f
+<\fIfilename\fP>
+] -w
+.PP
+.B ipfs
+[-nNSv]
+.B \-f
+<\fIfilename\fP>
+.B \-i
+<if1>,<if2>
+.SH DESCRIPTION
+.PP
+\fBipfs\fP allows state information created for NAT entries and rules using
+\fIkeep state\fP to be locked (modification prevented) and then saved to disk,
+allowing for the system to experience a reboot, followed by the restoration
+of that information, resulting in connections not being interrupted.
+.SH OPTIONS
+.TP
+.B \-d
+Change the default directory used with
+.B \-R
+and
+.B \-W
+options for saving state information.
+.B \-n
+Don't actually take any action that would effect information stored in
+the kernel or on disk.
+.TP
+.B \-v
+Provides a verbose description of what's being done.
+.TP
+.B \-N
+Operate on NAT information.
+.TP
+.B \-S
+Operate on filtering state information.
+.TP
+.B \-u
+Unlock state tables in the kernel.
+.TP
+.B \-l
+Unlock state tables in the kernel.
+.TP
+.B \-r
+Read information in from the specified file and load it into the
+kernel.  This requires the state tables to have already been locked
+and does not change the lock once comlete.
+.TP
+.B \-w
+Write information out to the specified file and from the kernel.
+This requires the state tables to have already been locked
+and does not change the lock once comlete.
+.TP
+.B \-R
+Restores all saved state information, if any, from two files,
+\fIipstate.ipf\fP and \fIipnat.ipf\fP, stored in the \fI/var/db/ipf\fP
+directory unless otherwise specified the
+.B \-d
+option is used.  The state tables are locked at the beginning of this
+operation and unlocked once complete.
+.TP
+.B \-W
+Saves in-kernel state information, if any, out to two files,
+\fIipstate.ipf\fP and \fIipnat.ipf\fP, stored in the \fI/var/db/ipf\fP
+directory unless otherwise specified the
+.B \-d
+option is used.  The state tables are locked at the beginning of this
+operation and unlocked once complete.
+.DT
+.SH FILES
+/var/db/ipf/ipstate.ipf
+.br
+/var/db/ipf/ipnat.ipf
+.br
+/dev/ipl
+.br
+/dev/ipstate
+.br
+/dev/ipnat
+.SH SEE ALSO
+ipf(8), ipl(4), ipmon(8), ipnat(8)
+.SH DIAGNOSTICS
+.PP
+Perhaps the -W and -R operations should set the locking but rather than
+undo it, restore it to what it was previously.  Fragment table information
+is currently not saved.
+.SH BUGS
+.PP
+If you find any, please send email to me at darrenr@pobox.com
diff --git a/contrib/ipfilter/man/ipnat.5 b/contrib/ipfilter/man/ipnat.5
index e15fa0d..ec53059 100644
--- a/contrib/ipfilter/man/ipnat.5
+++ b/contrib/ipfilter/man/ipnat.5
@@ -8,14 +8,24 @@ The format for files accepted by ipnat is described by the following grammar:
 ipmap :: = mapblock | redir | map .
 
 map ::= mapit ifname ipmask "->" ipmask [ mapport ] .
+map ::= mapit ifname fromto "->" ipmask [ mapport ] .
 mapblock ::= "map-block" ifname ipmask "->" ipmask [ ports ] .
-redir ::= "rdr" ifname [ fromspec ] ipmask "->" ip [ ports ] [ tcpudp ] .
+redir ::= "rdr" ifname ipmask dport "->" ip [ "," ip ] [ ports ] options .
+
+dport ::= "port" portnum [ "-" portnum ] .
 ports ::= "ports" numports | "auto" .
 mapit ::= "map" | "bimap" .
+fromto ::= "from" object "to" object .
 ipmask ::= ip "/" bits | ip "/" mask | ip "netmask" mask .
 mapport ::= "portmap" tcpudp portnumber ":" portnumber .
+options ::= [ tcpudp ] [ rr ] .
+
+object  = addr [ port-comp | port-range ] .
+addr    = "any" | nummask | host-name [ "mask" ipaddr | "mask" hexnumber ] .
+port-comp = "port" compare port-num .
+port-range = "port" port-num range port-num .
 
-fromspec ::= "from" ip "/" ipmask .
+rr ::= "round-robin" .
 tcpudp ::= "tcp" | "udp" | "tcp/udp" .
 portnumber ::= number { numbers } | "auto" .
 ifname ::= 'A' - 'Z' { 'A' - 'Z' } numbers .
@@ -40,7 +50,7 @@ When remapping TCP and UDP packets, it is also possible to change the source
 port number.  Either TCP or UDP or both can be selected by each rule, with a
 range of port numbers to remap into given as \fBport-number:port-number\fP.
 .SH COMMANDS
-There are found commands recognised by IP Filter's NAT code:
+There are four commands recognised by IP Filter's NAT code:
 .TP
 .B map
 that is used for mapping one address or network to another in an unregulated
@@ -60,10 +70,26 @@ squeeze the addresses to be translated into the destination range.
 .SH MATCHING
 .PP
 For basic NAT and redirection of packets, the address subject to change is used
-along with its protocol to check if a packet should be altered.  In the case
-of redirects, it is also possible to select packets on a source address basis
-using the \fBfrom\fP keyword, as well as the manditory destination port.  The
-packet \fImatching\fP part of the rule is to the left of the "->" in each rule.
+along with its protocol to check if a packet should be altered.  The packet
+\fImatching\fP part of the rule is to the left of the "->" in each rule.
+.PP
+Matching of packets has now been extended to allow more complex compares.
+In place of the address which is to be translated, an IP address and port
+number comparison can be made using the same expressions available with
+\fBipf\fP.  A simple NAT rule could be written as:
+.LP
+.nf
+map de0 10.1.0.0/16 -> 201.2.3.4/32
+.fi
+.LP
+or as
+.LP
+.nf
+map de0 from 10.1.0.0/16 to any -> 201.2.3.4/32
+.fi
+.LP
+Only IP address and port numbers can be compared against.  This is available
+with all NAT rules.
 .SH TRANSLATION
 .PP
 To the right of the "->" is the address and port specificaton which will be
@@ -93,6 +119,30 @@ True transparent proxying should be performed using the redirect (\fBrdr\fP)
 rules directing ports to localhost (127.0.0.1) with the proxy program doing
 a lookup through \fB/dev/ipnat\fP to determine the real source and address
 of the connection.
+.SH LOAD-BALANCING
+.PP
+Two options for use with \fBrdr\fP are available to support primitive,
+\fIround-robin\fP based load balancing.  The first option allows for a
+\fBrdr\fP to specify a second destination, as follows:
+.LP
+.nf
+rdr le0 203.1.2.3/32 port 80 -> 203.1.2.3,203.1.2.4 port 80 tcp
+.fi
+.LP
+This would send alternate connections to either 203.1.2.3 or 203.1.2.4.
+In scenarios where the load is being spread amongst a larger set of
+servers, you can use:
+.LP
+.nf
+rdr le0 203.1.2.3/32 port 80 -> 203.1.2.3,203.1.2.4 port 80 tcp round-robin
+rdr le0 203.1.2.3/32 port 80 -> 203.1.2.5 port 80 tcp round-robin
+.fi
+.LP
+In this case, a connection will be redirected to 203.1.2.3, then 203.1.2.4
+and then 203.1.2.5 before going back to 203.1.2.3.  In accomplishing this,
+the rule is removed from the top of the list and added to the end,
+automatically, as required.  This will not effect the display of rules
+using "ipnat -l", only the internal application order.
 .SH EXAMPLES
 .PP
 This section deals with the \fBmap\fP command and it's variations.
diff --git a/contrib/ipfilter/man/mkfilters.1 b/contrib/ipfilter/man/mkfilters.1
index 52c7a8f..b5fd9dc 100644
--- a/contrib/ipfilter/man/mkfilters.1
+++ b/contrib/ipfilter/man/mkfilters.1
@@ -1,4 +1,4 @@
-.TH IPF 1
+.TH MKFILTERS 1
 .SH NAME
 mkfilters \- generate a minimal firewall ruleset for ipfilter
 .SH SYNOPSIS