Import of ipfilter 3.3.6 (freebsd relevant part)

Obtained from:	ftp://coombs.anu.edu.au/pub/net/firewall/ip-filter/ip_fil3.3.6.tar.gz

6 files changed, 49 insertions, 7 deletions

diff --git a/contrib/ipfilter/man/ipf.4 b/contrib/ipfilter/man/ipf.4
index eb836e7..4549855 100644
--- a/contrib/ipfilter/man/ipf.4
+++ b/contrib/ipfilter/man/ipf.4
@@ -115,8 +115,8 @@ Flags which are recognised in fr_pass:
      FR_OUTQUE       0x000004   /* outgoing packets */
      FR_INQUE        0x000008   /* ingoing packets */
      FR_LOG          0x000010   /* Log */
-     FR_LOGP         0x000011   /* Log-pass */
-     FR_LOGB         0x000012   /* Log-fail */
+     FR_LOGB         0x000011   /* Log-fail */
+     FR_LOGP         0x000012   /* Log-pass */
      FR_LOGBODY      0x000020   /* log the body of packets too */
      FR_LOGFIRST     0x000040   /* log only the first packet to match */
      FR_RETRST       0x000080   /* return a TCP RST packet if blocked */
diff --git a/contrib/ipfilter/man/ipf.5 b/contrib/ipfilter/man/ipf.5
index efc9b63..dab49b6 100644
--- a/contrib/ipfilter/man/ipf.5
+++ b/contrib/ipfilter/man/ipf.5
@@ -490,7 +490,7 @@ rule such as:
 .fi
 .PP
 would be needed before the first block.  To create a new group for
-processing all inbould packets on le0/le1/lo0, with the default being to block
+processing all inbound packets on le0/le1/lo0, with the default being to block
 all inbound packets, we would do something like:
 .LP
 .nf
diff --git a/contrib/ipfilter/man/ipf.8 b/contrib/ipfilter/man/ipf.8
index 65734ce..e573b86 100644
--- a/contrib/ipfilter/man/ipf.8
+++ b/contrib/ipfilter/man/ipf.8
@@ -103,7 +103,6 @@ into the ipf binary and retrieve it from the kernel code (if running/present).
 If it is present in the kernel, information about its current state will be
 displayed (whether logging is active, default filtering, etc).
 .TP
-.TP
 .B \-y
 Manually resync the in-kernel interface list maintained by IP Filter with
 the current interface status list.
diff --git a/contrib/ipfilter/man/ipfstat.8 b/contrib/ipfilter/man/ipfstat.8
index 94525eb..e39ed94 100644
--- a/contrib/ipfilter/man/ipfstat.8
+++ b/contrib/ipfilter/man/ipfstat.8
@@ -4,7 +4,7 @@ ipfstat \- reports on packet filter statistics and filter list
 .SH SYNOPSIS
 .B ipfstat
 [
-.B \-aAfhIinosv
+.B \-aAfghIinosv
 ] [
 .B \-d
 <device>
@@ -34,6 +34,9 @@ Use a device other than \fB/dev/ipl\fP for interfacing with the kernel.
 Show fragment state information (statistics) and held state information (in
 the kernel) if any is present.
 .TP
+.B \-g
+Show groups currently configured (both active and inactive).
+.TP
 .B \-h
 Show per-rule the number of times each one scores a "hit".  For use in
 combination with \fB\-i\fP.
diff --git a/contrib/ipfilter/man/ipmon.8 b/contrib/ipfilter/man/ipmon.8
index 11c1263..5e3bff1 100644
--- a/contrib/ipfilter/man/ipmon.8
+++ b/contrib/ipfilter/man/ipmon.8
@@ -28,6 +28,46 @@ default or a filename, if given on the command line.  Should the \fB\-s\fP
 option be used, output is instead sent to \fBsyslogd(8)\fP.  Messages sent
 via syslog have the day, month and year removed from the message, but the
 time (including microseconds), as recorded in the log, is still included.
+.LP
+Messages generated by ipmon consist of whitespace separated fields.
+Fields common to all messages are:
+.LP
+1. The date of packet receipt. This is suppressed when the message is
+sent to syslog.
+.LP
+2. The time of packet receipt. This is in the form HH:MM:SS.F, for hours,
+minutes seconds, and fractions of a second (which can be several digits
+long).
+.LP
+3. The name of the interface the packet was processed on, e.g., \fBwe1\fP.
+.LP
+4. The group and rule number of the rule, e.g., \fB@0:17\fP. These can be
+viewed with \fBipfstat -n\fP.
+.LP
+5. The action: \fBp\fP for passed or \fBb\fP for blocked.
+.LP
+6. The addresses.
+This is actually three fields: the source address and port
+(separted by a comma), the \fB->\fP symbol, and the destination address
+and port. E.g.: \fB209.53.17.22,80 -> 198.73.220.17,1722\fP.
+.LP
+7. \fBPR\fP followed by the protocol name or number, e.g., \fBPR tcp\fP.
+.LP
+8. \fBlen\fP followed by the header length and total length of the packet,
+e.g., \fBlen 20 40\fP.
+.LP
+If the packet is a TCP packet, there will be an additional field starting
+with a hyphen followed by letters corresponding to any flags that were set.
+See the ipf.conf manual page for a list of letters and their flags.
+.LP
+If the packet is an ICMP packet, there will be two fields at the end,
+the first always being `icmp', and the next being the ICMP message and
+submessage type, separated by a slash, e.g., \fBicmp 3/3\fP for a port
+unreachable message.
+.LP
+In order for \fBipmon\fP to properly work, the kernel option
+\fBIPFILTER_LOG\fP must be turned on in your kernel.  Please see
+\fBoptions(4)\fP for more details.
 .SH OPTIONS
 .TP
 .B \-a
@@ -94,7 +134,7 @@ show the packet data in hex.
 .B \-X
 show the log header record data in hex.
 .SH DIAGNOSTICS
-\fBipmon\fP expects data that it reads to be consistant with how it should be
+\fBipmon\fP expects data that it reads to be consistent with how it should be
 saved and will abort if it fails an assertion which detects an anomoly in the
 recorded data.
 .SH FILES
diff --git a/contrib/ipfilter/man/ipnat.4 b/contrib/ipfilter/man/ipnat.4
index 578c7fb..ee385b7 100644
--- a/contrib/ipfilter/man/ipnat.4
+++ b/contrib/ipfilter/man/ipnat.4
@@ -65,7 +65,7 @@ Recognised values for in_redir:
 .PP
 .LP
 \fBNAT statistics\fP
-Statistics on the the number of packets mapped, going in and out are kept,
+Statistics on the number of packets mapped, going in and out are kept,
 the number of times a new entry is added and deleted (through expiration) to
 the NAT table and the current usage level of the NAT table.
 .PP