Merge IPFilter 4.1.23 back to HEAD

See src/contrib/ipfilter/HISTORY for details of changes since 4.1.13

18 files changed, 1219 insertions, 387 deletions

diff --git a/contrib/ipfilter/tools/ipf.c b/contrib/ipfilter/tools/ipf.c
index b923f58..fe9fec2 100644
--- a/contrib/ipfilter/tools/ipf.c
+++ b/contrib/ipfilter/tools/ipf.c
@@ -1,7 +1,7 @@
 /*	$FreeBSD$	*/
 
 /*
- * Copyright (C) 1993-2001 by Darren Reed.
+ * Copyright (C) 2001-2006 by Darren Reed.
  *
  * See the IPFILTER.LICENCE file for details on licencing.
  */
@@ -21,7 +21,7 @@
 
 #if !defined(lint)
 static const char sccsid[] = "@(#)ipf.c	1.23 6/5/96 (C) 1993-2000 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ipf.c,v 1.35.2.4 2006/03/17 11:48:08 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: ipf.c,v 1.35.2.8 2007/05/10 06:12:01 darrenr Exp $";
 #endif
 
 #if !defined(__SVR4) && defined(__GNUC__)
@@ -344,11 +344,13 @@ char	*arg;
 
 	if (!arg || !*arg)
 		return;
-	if (!strcmp(arg, "s") || !strcmp(arg, "S")) {
+	if (!strcmp(arg, "s") || !strcmp(arg, "S") || ISDIGIT(*arg)) {
 		if (*arg == 'S')
 			fl = 0;
-		else
+		else if (*arg == 's')
 			fl = 1;
+		else
+			fl = atoi(arg);
 		rem = fl;
 
 		closedevice();
@@ -370,7 +372,7 @@ char	*arg;
 		}
 		if ((opts & (OPT_DONOTHING|OPT_VERBOSE)) == OPT_VERBOSE) {
 			printf("remove flags %s (%d)\n", arg, rem);
-			printf("removed %d filter rules\n", fl);
+			printf("removed %d entries\n", fl);
 		}
 		closedevice();
 		return;
diff --git a/contrib/ipfilter/tools/ipf_y.y b/contrib/ipfilter/tools/ipf_y.y
index 5a24592..e8789e0 100644
--- a/contrib/ipfilter/tools/ipf_y.y
+++ b/contrib/ipfilter/tools/ipf_y.y
@@ -1,5 +1,10 @@
 /*	$FreeBSD$	*/
 
+/*
+ * Copyright (C) 2001-2006 by Darren Reed.
+ *
+ * See the IPFILTER.LICENCE file for details on licencing.
+ */
 %{
 #include "ipf.h"
 #include <sys/ioctl.h>
@@ -171,7 +176,7 @@ file:	line
 	| file assign
 	;
 
-line:	xx rule		{ while ((fr = frtop) != NULL) {
+line:	rule		{ while ((fr = frtop) != NULL) {
 				frtop = fr->fr_next;
 				fr->fr_next = NULL;
 				(*ipfaddfunc)(ipffd, ipfioctl[IPL_LOGIPF], fr);
@@ -190,6 +195,7 @@ assign:	YY_STR assigning YY_STR ';'	{ set_variable($1, $3);
 					  resetlexer();
 					  free($1);
 					  free($3);
+					  yyvarnext = 0;
 					}
 	;
 
@@ -213,8 +219,8 @@ outrule:
 	;
 
 rulehead:
-	collection action
-	| insert collection action
+	xx collection action
+	| xx insert collection action
 	;
 
 markin:	IPFY_IN				{ fr->fr_flags |= FR_INQUE; }
@@ -837,20 +843,32 @@ dstportlist:
 	;
 
 addr:	pool '/' YY_NUMBER		{ pooled = 1;
-					  yyexpectaddr = 0;
 					  $$.a.iplookuptype = IPLT_POOL;
+					  $$.a.iplookupsubtype = 0;
 					  $$.a.iplookupnum = $3; }
+	| pool '/' YY_STR		{ pooled = 1;
+					  $$.a.iplookuptype = IPLT_POOL;
+					  $$.a.iplookupsubtype = 1;
+					  strncpy($$.a.iplookupname, $3,
+						  sizeof($$.a.iplookupname));
+					}
 	| pool '=' '(' poollist ')'	{ pooled = 1;
-					  yyexpectaddr = 0;
 					  $$.a.iplookuptype = IPLT_POOL;
+					  $$.a.iplookupsubtype = 0;
 					  $$.a.iplookupnum = makepool($4); }
 	| hash '/' YY_NUMBER		{ hashed = 1;
-					  yyexpectaddr = 0;
 					  $$.a.iplookuptype = IPLT_HASH;
+					  $$.a.iplookupsubtype = 0;
 					  $$.a.iplookupnum = $3; }
+	| hash '/' YY_STR		{ pooled = 1;
+					  $$.a.iplookuptype = IPLT_HASH;
+					  $$.a.iplookupsubtype = 1;
+					  strncpy($$.a.iplookupname, $3,
+						  sizeof($$.a.iplookupname));
+					}
 	| hash '=' '(' addrlist ')'	{ hashed = 1;
-					  yyexpectaddr = 0;
 					  $$.a.iplookuptype = IPLT_HASH;
+					  $$.a.iplookupsubtype = 0;
 					  $$.a.iplookupnum = makehash($4); }
 	| ipaddr			{ bcopy(&$1, &$$, sizeof($$));
 					  yyexpectaddr = 0; }
@@ -1375,8 +1393,8 @@ servicename:
 	YY_STR				{ $$ = $1; }
 	;
 
-interfacename:	YY_STR				{ $$ = $1; }
-	| YY_STR ':' YY_NUMBER
+interfacename:	name				{ $$ = $1; }
+	| name ':' YY_NUMBER
 		{ $$ = $1;
 		  fprintf(stderr, "%d: Logical interface %s:%d unsupported, "
 			  "use the physical interface %s instead.\n",
@@ -1385,6 +1403,7 @@ interfacename:	YY_STR				{ $$ = $1; }
 	;
 
 name:	YY_STR				{ $$ = $1; }
+	| '-'				{ $$ = strdup("-"); }
 	;
 
 ipv4_16:
@@ -2033,6 +2052,9 @@ void *ptr;
 	frentry_t *fr;
 	ipfobj_t obj;
 
+	if (ptr == NULL)
+		return;
+
 	fr = ptr;
 	add = 0;
 	del = 0;
@@ -2062,10 +2084,10 @@ void *ptr;
 		fr->fr_flags |= FR_OUTQUE;
 	if (fr->fr_hits)
 		fr->fr_hits--;
-	if (fr && (opts & OPT_VERBOSE))
+	if ((opts & OPT_VERBOSE) != 0)
 		printfr(fr, ioctlfunc);
 
-	if (opts & OPT_DEBUG) {
+	if ((opts & OPT_DEBUG) != 0) {
 		binprint(fr, sizeof(*fr));
 		if (fr->fr_data != NULL)
 			binprint(fr->fr_data, fr->fr_dsize);
diff --git a/contrib/ipfilter/tools/ipfcomp.c b/contrib/ipfilter/tools/ipfcomp.c
index da80da8..1e26de5 100644
--- a/contrib/ipfilter/tools/ipfcomp.c
+++ b/contrib/ipfilter/tools/ipfcomp.c
@@ -1,13 +1,13 @@
 /*	$FreeBSD$	*/
 
 /*
- * Copyright (C) 1993-2001 by Darren Reed.
+ * Copyright (C) 2001-2005 by Darren Reed.
  *
  * See the IPFILTER.LICENCE file for details on licencing.
  */
 #if !defined(lint)
 static const char sccsid[] = "@(#)ip_fil.c	2.41 6/5/96 (C) 1993-2000 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ipfcomp.c,v 1.24.2.3 2006/03/17 22:31:57 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: ipfcomp.c,v 1.24.2.7 2007/05/01 22:15:00 darrenr Exp $";
 #endif
 
 #include "ipf.h"
@@ -94,11 +94,22 @@ frentry_t *fr;
  		fprintf(fp, "* to the original author and the contributors.\n");
  		fprintf(fp, "*/\n\n");
 
+		fprintf(fp, "#include <sys/param.h>\n");
 		fprintf(fp, "#include <sys/types.h>\n");
 		fprintf(fp, "#include <sys/time.h>\n");
 		fprintf(fp, "#include <sys/socket.h>\n");
-		fprintf(fp, "#if !defined(__FreeBSD__) && !defined(__OpenBSD__) && !defined(__sgi)\n");
-		fprintf(fp, "# include <sys/systm.h>\n");
+		fprintf(fp, "#if (__FreeBSD_version >= 40000)\n");
+		fprintf(fp, "# if defined(_KERNEL)\n");
+		fprintf(fp, "#  include <sys/libkern.h>\n");
+		fprintf(fp, "# else\n");
+		fprintf(fp, "#  include <sys/unistd.h>\n");
+		fprintf(fp, "# endif\n");
+		fprintf(fp, "#endif\n");
+		fprintf(fp, "#if (__NetBSD_Version__ >= 399000000)\n");
+		fprintf(fp, "#else\n");
+		fprintf(fp, "# if !defined(__FreeBSD__) && !defined(__OpenBSD__) && !defined(__sgi)\n");
+		fprintf(fp, "#  include <sys/systm.h>\n");
+		fprintf(fp, "# endif\n");
 		fprintf(fp, "#endif\n");
 		fprintf(fp, "#include <sys/errno.h>\n");
 		fprintf(fp, "#include <sys/param.h>\n");
@@ -493,7 +504,8 @@ u_int incount, outcount;
 	/*
 	 * Output the array of pointers to rules for this group.
 	 */
-	if (num == -2 && dir == 0 && header[0] == 0 && incount != 0) {
+	if (g != NULL && num == -2 && dir == 0 && header[0] == 0 &&
+	    incount != 0) {
 		fprintf(fp, "\nfrentry_t *ipf_rules_in_%s[%d] = {",
 			group, incount);
 		for (f = g->fg_start, i = 0; f != NULL; f = f->fr_next) {
@@ -512,7 +524,8 @@ u_int incount, outcount;
 		fprintf(fp, "\n};\n");
 	}
 
-	if (num == -2 && dir == 1 && header[1] == 0 && outcount != 0) {
+	if (g != NULL && num == -2 && dir == 1 && header[0] == 0 &&
+	    outcount != 0) {
 		fprintf(fp, "\nfrentry_t *ipf_rules_out_%s[%d] = {",
 			group, outcount);
 		for (f = g->fg_start, i = 0; f != NULL; f = f->fr_next) {
@@ -541,7 +554,7 @@ u_int incount, outcount;
 	/*
 	 * If the function header has not been printed then print it now.
 	 */
-	if (header[dir] == 0) {
+	if (g != NULL && header[dir] == 0) {
 		int pdst = 0, psrc = 0;
 
 		openfunc = 1;
diff --git a/contrib/ipfilter/tools/ipfs.c b/contrib/ipfilter/tools/ipfs.c
index a89ea0b..eab650a 100644
--- a/contrib/ipfilter/tools/ipfs.c
+++ b/contrib/ipfilter/tools/ipfs.c
@@ -1,7 +1,7 @@
 /*	$FreeBSD$	*/
 
 /*
- * Copyright (C) 1999-2001, 2003 by Darren Reed.
+ * Copyright (C) 2001-2006 by Darren Reed.
  *
  * See the IPFILTER.LICENCE file for details on licencing.
  */
@@ -133,6 +133,14 @@ char *ifs, *fname;
 			strcpy(ips.ips_is.is_ifname[1], s);
 			rw = 1;
 		}
+		if (!strncmp(ips.ips_is.is_ifname[2], ifs, olen + 1)) {
+			strcpy(ips.ips_is.is_ifname[2], s);
+			rw = 1;
+		}
+		if (!strncmp(ips.ips_is.is_ifname[3], ifs, olen + 1)) {
+			strcpy(ips.ips_is.is_ifname[3], s);
+			rw = 1;
+		}
 		if (rw == 1) {
 			if (lseek(fd, pos, SEEK_SET) != pos) {
 				perror("lseek");
@@ -190,6 +198,14 @@ char *ifs, *fname;
 			strcpy(nat->nat_ifnames[1], s);
 			rw = 1;
 		}
+		if (!strncmp(nat->nat_ifnames[2], ifs, olen + 1)) {
+			strcpy(nat->nat_ifnames[2], s);
+			rw = 1;
+		}
+		if (!strncmp(nat->nat_ifnames[3], ifs, olen + 1)) {
+			strcpy(nat->nat_ifnames[3], s);
+			rw = 1;
+		}
 		if (rw == 1) {
 			if (lseek(fd, pos, SEEK_SET) != pos) {
 				perror("lseek");
@@ -216,7 +232,7 @@ char *argv[];
 	char *dirname = NULL, *filename = NULL, *ifs = NULL;
 
 	progname = argv[0];
-	while ((c = getopt(argc, argv, "d:f:lNnSRruvWw")) != -1)
+	while ((c = getopt(argc, argv, "d:f:i:lNnSRruvWw")) != -1)
 		switch (c)
 		{
 		case 'd' :
diff --git a/contrib/ipfilter/tools/ipfstat.c b/contrib/ipfilter/tools/ipfstat.c
index 85eba20..db362d2 100644
--- a/contrib/ipfilter/tools/ipfstat.c
+++ b/contrib/ipfilter/tools/ipfstat.c
@@ -1,7 +1,7 @@
 /*	$FreeBSD$	*/
 
 /*
- * Copyright (C) 1993-2001, 2003 by Darren Reed.
+ * Copyright (C) 2002-2006 by Darren Reed.
  *
  * See the IPFILTER.LICENCE file for details on licencing.
  */
@@ -53,6 +53,7 @@
 #ifdef STATETOP
 # include <ctype.h>
 # include <signal.h>
+# include <time.h>
 # if SOLARIS || defined(__NetBSD__) || defined(_BSDI_VERSION) || \
      defined(__sgi)
 #  ifdef ERR
@@ -70,7 +71,7 @@
 
 #if !defined(lint)
 static const char sccsid[] = "@(#)fils.c	1.21 4/20/96 (C) 1993-2000 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ipfstat.c,v 1.44.2.14 2006/03/21 16:09:58 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: ipfstat.c,v 1.44.2.23 2007/05/31 13:13:02 darrenr Exp $";
 #endif
 
 #ifdef __hpux
@@ -83,10 +84,6 @@ extern	int	opterr;
 
 #define	PRINTF	(void)printf
 #define	FPRINTF	(void)fprintf
-#define	F_IN	0
-#define	F_OUT	1
-#define	F_ACIN	2
-#define	F_ACOUT	3
 static	char	*filters[4] = { "ipfilter(in)", "ipfilter(out)",
 				"ipacct(in)", "ipacct(out)" };
 static	int	state_logging = -1;
@@ -96,6 +93,10 @@ int	use_inet6 = 0;
 int	live_kernel = 1;
 int	state_fd = -1;
 int	ipf_fd = -1;
+int	auth_fd = -1;
+int	nat_fd = -1;
+frgroup_t *grtop = NULL;
+frgroup_t *grtail = NULL;
 
 #ifdef STATETOP
 #define	STSTRSIZE 	80
@@ -130,19 +131,23 @@ typedef struct statetop {
 
 int		main __P((int, char *[]));
 
+static	int	fetchfrag __P((int, int, ipfr_t *));
 static	void	showstats __P((friostat_t *, u_32_t));
-static	void	showfrstates __P((ipfrstat_t *));
+static	void	showfrstates __P((ipfrstat_t *, u_long));
 static	void	showlist __P((friostat_t *));
 static	void	showipstates __P((ips_stat_t *));
 static	void	showauthstates __P((fr_authstat_t *));
 static	void	showgroups __P((friostat_t *));
 static	void	usage __P((char *));
-static	void	printlist __P((frentry_t *, char *));
+static	void	showtqtable_live __P((int));
+static	void	printlivelist __P((int, int, frentry_t *, char *, char *));
+static	void	printdeadlist __P((int, int, frentry_t *, char *, char *));
 static	void	parse_ipportstr __P((const char *, i6addr_t *, int *));
 static	void	ipfstate_live __P((char *, friostat_t **, ips_stat_t **,
 				   ipfrstat_t **, fr_authstat_t **, u_32_t *));
 static	void	ipfstate_dead __P((char *, friostat_t **, ips_stat_t **,
 				   ipfrstat_t **, fr_authstat_t **, u_32_t *));
+static	ipstate_t *fetchstate __P((ipstate_t *, ipstate_t *));
 #ifdef STATETOP
 static	void	topipstates __P((i6addr_t, i6addr_t, int, int, int,
 				 int, int, int));
@@ -192,7 +197,7 @@ char *argv[];
 	ips_stat_t *ipsstp = &ipsst;
 	ipfrstat_t ifrst;
 	ipfrstat_t *ifrstp = &ifrst;
-	char	*device = IPL_NAME, *memf = NULL;
+	char	*memf = NULL;
 	char	*options, *kern = NULL;
 	int	c, myoptind;
 
@@ -245,8 +250,16 @@ char *argv[];
 			perror("open(IPSTATE_NAME)");
 			exit(-1);
 		}
-		if ((ipf_fd = open(device, O_RDONLY)) == -1) {
-			fprintf(stderr, "open(%s)", device);
+		if ((auth_fd = open(IPAUTH_NAME, O_RDONLY)) == -1) {
+			perror("open(IPAUTH_NAME)");
+			exit(-1);
+		}
+		if ((nat_fd = open(IPNAT_NAME, O_RDONLY)) == -1) {
+			perror("open(IPAUTH_NAME)");
+			exit(-1);
+		}
+		if ((ipf_fd = open(IPL_NAME, O_RDONLY)) == -1) {
+			fprintf(stderr, "open(%s)", IPL_NAME);
 			perror("");
 			exit(-1);
 		}
@@ -257,10 +270,12 @@ char *argv[];
 		(void)setuid(getuid());
 	}
 
-	if (live_kernel == 1)
-		(void) checkrev(device);
-	if (openkmem(kern, memf) == -1)
-		exit(-1);
+	if (live_kernel == 1) {
+		(void) checkrev(IPL_NAME);
+	} else {
+		if (openkmem(kern, memf) == -1)
+			exit(-1);
+	}
 
 	(void)setgid(getgid());
 	(void)setuid(getuid());
@@ -369,7 +384,7 @@ char *argv[];
 		bzero((char *)&ipsst, sizeof(ipsst));
 		bzero((char *)&ifrst, sizeof(ifrst));
 
-		ipfstate_live(device, &fiop, &ipsstp, &ifrstp,
+		ipfstate_live(IPL_NAME, &fiop, &ipsstp, &ifrstp,
 			      &frauthstp, &frf);
 	} else
 		ipfstate_dead(kern, &fiop, &ipsstp, &ifrstp, &frauthstp, &frf);
@@ -383,7 +398,7 @@ char *argv[];
 			showlist(fiop);
 		}
 	} else if (opts & OPT_FRSTATES)
-		showfrstates(ifrstp);
+		showfrstates(ifrstp, fiop->f_ticks);
 #ifdef STATETOP
 	else if (opts & OPT_STATETOP)
 		topipstates(saddr, daddr, sport, dport, protocol,
@@ -422,9 +437,9 @@ u_32_t *frfp;
 	if ((opts & OPT_AUTHSTATS) == 0) {
 		bzero((caddr_t)&ipfo, sizeof(ipfo));
 		ipfo.ipfo_rev = IPFILTER_VERSION;
+		ipfo.ipfo_type = IPFOBJ_IPFSTAT;
 		ipfo.ipfo_size = sizeof(friostat_t);
 		ipfo.ipfo_ptr = (void *)*fiopp;
-		ipfo.ipfo_type = IPFOBJ_IPFSTAT;
 
 		if (ioctl(ipf_fd, SIOCGETFS, &ipfo) == -1) {
 			perror("ioctl(ipf:SIOCGETFS)");
@@ -439,9 +454,9 @@ u_32_t *frfp;
 
 		bzero((caddr_t)&ipfo, sizeof(ipfo));
 		ipfo.ipfo_rev = IPFILTER_VERSION;
+		ipfo.ipfo_type = IPFOBJ_STATESTAT;
 		ipfo.ipfo_size = sizeof(ips_stat_t);
 		ipfo.ipfo_ptr = (void *)*ipsstpp;
-		ipfo.ipfo_type = IPFOBJ_STATESTAT;
 
 		if ((ioctl(state_fd, SIOCGETFS, &ipfo) == -1)) {
 			perror("ioctl(state:SIOCGETFS)");
@@ -456,9 +471,9 @@ u_32_t *frfp;
 	if ((opts & OPT_FRSTATES) != 0) {
 		bzero((caddr_t)&ipfo, sizeof(ipfo));
 		ipfo.ipfo_rev = IPFILTER_VERSION;
+		ipfo.ipfo_type = IPFOBJ_FRAGSTAT;
 		ipfo.ipfo_size = sizeof(ipfrstat_t);
 		ipfo.ipfo_ptr = (void *)*ifrstpp;
-		ipfo.ipfo_type = IPFOBJ_FRAGSTAT;
 	
 		if (ioctl(ipf_fd, SIOCGFRST, &ipfo) == -1) {
 			perror("ioctl(SIOCGFRST)");
@@ -466,27 +481,17 @@ u_32_t *frfp;
 		}
 	}
 
-	if (opts & OPT_VERBOSE)
+	if (opts & OPT_DEBUG)
 		PRINTF("opts %#x name %s\n", opts, device);
 
 	if ((opts & OPT_AUTHSTATS) != 0) {
-		if (ipf_fd >= 0) {
-			close(ipf_fd);
-			ipf_fd = -1;
-		}
-		device = IPAUTH_NAME;
-		if ((ipf_fd = open(device, O_RDONLY)) == -1) {
-			perror("open");
-			exit(-1);
-		}
-
 		bzero((caddr_t)&ipfo, sizeof(ipfo));
 		ipfo.ipfo_rev = IPFILTER_VERSION;
+		ipfo.ipfo_type = IPFOBJ_AUTHSTAT;
 		ipfo.ipfo_size = sizeof(fr_authstat_t);
 		ipfo.ipfo_ptr = (void *)*frauthstpp;
-		ipfo.ipfo_type = IPFOBJ_AUTHSTAT;
 
-	    	if (ioctl(ipf_fd, SIOCATHST, &ipfo) == -1) {
+	    	if (ioctl(auth_fd, SIOCATHST, &ipfo) == -1) {
 			perror("ioctl(SIOCATHST)");
 			exit(-1);
 		}
@@ -511,10 +516,11 @@ u_32_t *frfp;
 	static ips_stat_t ipsst, *ipsstp;
 	static ipfrstat_t ifrst, *ifrstp;
 	static friostat_t fio, *fiop;
+	static ipftq_t ipssttab[IPF_TCP_NSTATES];
 	int temp;
 
 	void *rules[2][2];
-	struct nlist deadlist[43] = {
+	struct nlist deadlist[44] = {
 		{ "fr_authstats" },		/* 0 */
 		{ "fae_list" },
 		{ "ipauth" },
@@ -557,6 +563,7 @@ u_32_t *frfp;
 		{ "fr_pass" },
 		{ "fr_flags" },			/* 40 */
 		{ "ipstate_logging" },
+		{ "ips_tqtqb" },
 		{ NULL }
 	};
 
@@ -669,9 +676,12 @@ u_32_t *frfp;
 	 */
 	kmemcpy((char *)ipsstp, (u_long)deadlist[14].n_value, sizeof(*ipsstp));
 	kmemcpy((char *)&temp, (u_long)deadlist[15].n_value, sizeof(temp));
+	kmemcpy((char *)ipssttab, (u_long)deadlist[42].n_value,
+		sizeof(ipssttab));
 	ipsstp->iss_active = temp;
 	ipsstp->iss_table = (void *)deadlist[18].n_value;
 	ipsstp->iss_list = (void *)deadlist[17].n_value;
+	ipsstp->iss_tcptab = ipssttab;
 
 	/*
 	 * Build up the authentiation information stats structure.
@@ -771,21 +781,62 @@ u_32_t frf;
 /*
  * Print out a list of rules from the kernel, starting at the one passed.
  */
-static void printlist(fp, comment)
+static void printlivelist(out, set, fp, group, comment)
+int out, set;
 frentry_t *fp;
-char *comment;
+char *group, *comment;
 {
-	struct	frentry	fb, *fg;
-	char	*data;
-	u_32_t	type;
-	int	n;
-
-	for (n = 1; fp; n++) {
-		if (kmemcpy((char *)&fb, (u_long)fp, sizeof(fb)) == -1) {
-			perror("kmemcpy");
+	struct	frentry	fb;
+	ipfruleiter_t rule;
+	frentry_t zero;
+	frgroup_t *g;
+	ipfobj_t obj;
+	int n;
+
+	if (use_inet6 == 1)
+		fb.fr_v = 6;
+	else
+		fb.fr_v = 4;
+	fb.fr_next = fp;
+	n = 0;
+
+	rule.iri_inout = out;
+	rule.iri_active = set;
+	rule.iri_rule = &fb;
+	rule.iri_nrules = 1;
+	rule.iri_v = use_inet6 ? 6 : 4;
+	if (group != NULL)
+		strncpy(rule.iri_group, group, FR_GROUPLEN);
+	else
+		rule.iri_group[0] = '\0';
+
+	bzero((char *)&zero, sizeof(zero));
+
+	bzero((char *)&obj, sizeof(obj));
+	obj.ipfo_rev = IPFILTER_VERSION;
+	obj.ipfo_type = IPFOBJ_IPFITER;
+	obj.ipfo_size = sizeof(rule);
+	obj.ipfo_ptr = &rule;
+
+	do {
+		u_long array[1000];
+
+		memset(array, 0xff, sizeof(array));
+		fp = (frentry_t *)array;
+		rule.iri_rule = fp;
+		if (ioctl(ipf_fd, SIOCIPFITER, &obj) == -1) {
+			perror("ioctl(SIOCIPFITER)");
+			n = IPFGENITER_IPF;
+			ioctl(ipf_fd, SIOCIPFDELTOK, &n);
 			return;
 		}
-		fp = &fb;
+		if (bcmp(fp, &zero, sizeof(zero)) == 0)
+			break;
+		if (fp->fr_data != NULL)
+			fp->fr_data = (char *)fp + sizeof(*fp);
+
+		n++;
+
 		if (opts & (OPT_HITS|OPT_VERBOSE))
 #ifdef	USE_QUAD_T
 			PRINTF("%qu ", (unsigned long long) fp->fr_hits);
@@ -800,38 +851,144 @@ char *comment;
 #endif
 		if (opts & OPT_SHOWLINENO)
 			PRINTF("@%d ", n);
+
+		printfr(fp, ioctl);
+		if (opts & OPT_DEBUG) {
+			binprint(fp, sizeof(*fp));
+			if (fp->fr_data != NULL && fp->fr_dsize > 0)
+				binprint(fp->fr_data, fp->fr_dsize);
+		}
+		if (fp->fr_grhead[0] != '\0') {
+			for (g = grtop; g != NULL; g = g->fg_next) {
+				if (!strncmp(fp->fr_grhead, g->fg_name,
+					     FR_GROUPLEN))
+					break;
+			}
+			if (g == NULL) {
+				g = calloc(1, sizeof(*g));
+
+				if (g != NULL) {
+					strncpy(g->fg_name, fp->fr_grhead,
+						FR_GROUPLEN);
+					if (grtop == NULL) {
+						grtop = g;
+						grtail = g;
+					} else {
+						grtail->fg_next = g;
+						grtail = g;
+					}
+				}
+			}
+		}
+		if (fp->fr_type == FR_T_CALLFUNC) {
+			printlivelist(out, set, fp->fr_data, group,
+				      "# callfunc: ");
+		}
+	} while (fp->fr_next != NULL);
+
+	n = IPFGENITER_IPF;
+	ioctl(ipf_fd, SIOCIPFDELTOK, &n);
+
+	if (group == NULL) {
+		while ((g = grtop) != NULL) {
+			printf("# Group %s\n", g->fg_name);
+			printlivelist(out, set, NULL, g->fg_name, comment);
+			grtop = g->fg_next;
+			free(g);
+		}
+	}
+}
+
+
+static void printdeadlist(out, set, fp, group, comment)
+int out, set;
+frentry_t *fp;
+char *group, *comment;
+{
+	frgroup_t *grtop, *grtail, *g;
+	struct	frentry	fb;
+	char	*data;
+	u_32_t	type;
+	int	n;
+
+	fb.fr_next = fp;
+	n = 0;
+	grtop = NULL;
+	grtail = NULL;
+
+	do {
+		fp = fb.fr_next;
+		if (kmemcpy((char *)&fb, (u_long)fb.fr_next,
+			    sizeof(fb)) == -1) {
+			perror("kmemcpy");
+			return;
+		}
+
 		data = NULL;
-		type = fp->fr_type & ~FR_T_BUILTIN;
+		type = fb.fr_type & ~FR_T_BUILTIN;
 		if (type == FR_T_IPF || type == FR_T_BPFOPC) {
-			if (fp->fr_dsize) {
-				data = malloc(fp->fr_dsize);
+			if (fb.fr_dsize) {
+				data = malloc(fb.fr_dsize);
 
-				if (kmemcpy(data, (u_long)fp->fr_data,
-					    fp->fr_dsize) == -1) {
+				if (kmemcpy(data, (u_long)fb.fr_data,
+					    fb.fr_dsize) == -1) {
 					perror("kmemcpy");
 					return;
 				}
-				fp->fr_data = data;
+				fb.fr_data = data;
 			}
 		}
 
+		n++;
+
+		if (opts & (OPT_HITS|OPT_VERBOSE))
+#ifdef	USE_QUAD_T
+			PRINTF("%qu ", (unsigned long long) fb.fr_hits);
+#else
+			PRINTF("%lu ", fb.fr_hits);
+#endif
+		if (opts & (OPT_ACCNT|OPT_VERBOSE))
+#ifdef	USE_QUAD_T
+			PRINTF("%qu ", (unsigned long long) fb.fr_bytes);
+#else
+			PRINTF("%lu ", fb.fr_bytes);
+#endif
+		if (opts & OPT_SHOWLINENO)
+			PRINTF("@%d ", n);
+
 		printfr(fp, ioctl);
 		if (opts & OPT_DEBUG) {
 			binprint(fp, sizeof(*fp));
-			if (fp->fr_data != NULL && fp->fr_dsize > 0)
-				binprint(fp->fr_data, fp->fr_dsize);
+			if (fb.fr_data != NULL && fb.fr_dsize > 0)
+				binprint(fb.fr_data, fb.fr_dsize);
 		}
 		if (data != NULL)
 			free(data);
-		if (fp->fr_grp != NULL) {
-			if (!kmemcpy((char *)&fg, (u_long)fp->fr_grp,
-				     sizeof(fg)))
-				printlist(fg, comment);
+		if (fb.fr_grhead[0] != '\0') {
+			g = calloc(1, sizeof(*g));
+
+			if (g != NULL) {
+				strncpy(g->fg_name, fb.fr_grhead,
+					FR_GROUPLEN);
+				if (grtop == NULL) {
+					grtop = g;
+					grtail = g;
+				} else {
+					grtail->fg_next = g;
+					grtail = g;
+				}
+			}
 		}
 		if (type == FR_T_CALLFUNC) {
-			printlist(fp->fr_data, "# callfunc: ");
+			printdeadlist(out, set, fb.fr_data, group,
+				      "# callfunc: ");
 		}
-		fp = fp->fr_next;
+	} while (fb.fr_next != NULL);
+
+	while ((g = grtop) != NULL) {
+		printdeadlist(out, set, NULL, g->fg_name, comment);
+		grtop = g->fg_next;
+		free(g);
 	}
 }
 
@@ -887,17 +1044,20 @@ struct	friostat	*fiop;
 		} else
 			return;
 	}
-	if (opts & OPT_VERBOSE)
+	if (opts & OPT_DEBUG)
 		FPRINTF(stderr, "showlist:opts %#x i %d\n", opts, i);
 
-	if (opts & OPT_VERBOSE)
+	if (opts & OPT_DEBUG)
 		PRINTF("fp %p set %d\n", fp, set);
 	if (!fp) {
 		FPRINTF(stderr, "empty list for %s%s\n",
 			(opts & OPT_INACTIVE) ? "inactive " : "", filters[i]);
 		return;
 	}
-	printlist(fp, NULL);
+	if (live_kernel == 1)
+		printlivelist(i, set, fp, NULL, NULL);
+	else
+		printdeadlist(i, set, fp, NULL, NULL);
 }
 
 
@@ -908,23 +1068,45 @@ static void showipstates(ipsp)
 ips_stat_t *ipsp;
 {
 	u_long minlen, maxlen, totallen, *buckets;
+	ipftable_t table;
+	ipfobj_t obj;
 	int i, sz;
 
-	sz = sizeof(*buckets) * ipsp->iss_statesize;
-	buckets = (u_long *)malloc(sz);
-	if (kmemcpy((char *)buckets, (u_long)ipsp->iss_bucketlen, sz)) {
-		free(buckets);
-		return;
-	}
-
 	/*
 	 * If a list of states hasn't been asked for, only print out stats
 	 */
 	if (!(opts & OPT_SHOWLIST)) {
+
+		sz = sizeof(*buckets) * ipsp->iss_statesize;
+		buckets = (u_long *)malloc(sz);
+
+		obj.ipfo_rev = IPFILTER_VERSION;
+		obj.ipfo_type = IPFOBJ_GTABLE;
+		obj.ipfo_size = sizeof(table);
+		obj.ipfo_ptr = &table;
+
+		table.ita_type = IPFTABLE_BUCKETS;
+		table.ita_table = buckets;
+
+		if (live_kernel == 1) {
+			if (ioctl(state_fd, SIOCGTABL, &obj) != 0) {
+				free(buckets);
+				return;
+			}
+		} else {
+			if (kmemcpy((char *)buckets,
+				    (u_long)ipsp->iss_bucketlen, sz)) {
+				free(buckets);
+				return;
+			}
+		}
+
 		PRINTF("IP states added:\n\t%lu TCP\n\t%lu UDP\n\t%lu ICMP\n",
 			ipsp->iss_tcp, ipsp->iss_udp, ipsp->iss_icmp);
 		PRINTF("\t%lu hits\n\t%lu misses\n", ipsp->iss_hits,
 			ipsp->iss_miss);
+		PRINTF("\t%lu bucket full\n", ipsp->iss_bucketfull);
+		PRINTF("\t%lu maximum rule references\n", ipsp->iss_maxref);
 		PRINTF("\t%lu maximum\n\t%lu no memory\n\t%lu bkts in use\n",
 			ipsp->iss_max, ipsp->iss_nomem, ipsp->iss_inuse);
 		PRINTF("\t%lu active\n\t%lu expired\n\t%lu closed\n",
@@ -935,6 +1117,8 @@ ips_stat_t *ipsp;
 
 		PRINTF("\nState table bucket statistics:\n");
 		PRINTF("\t%lu in use\t\n", ipsp->iss_inuse);
+		PRINTF("\t%u%% hash efficiency\n", ipsp->iss_active ?
+			(u_int)(ipsp->iss_inuse * 100 / ipsp->iss_active) : 0);
 
 		minlen = ipsp->iss_max;
 		totallen = 0;
@@ -975,18 +1159,30 @@ ips_stat_t *ipsp;
 		PRINTF("\n");
 
 		free(buckets);
+
+		if (live_kernel == 1) {
+			showtqtable_live(state_fd);
+		} else {
+			printtqtable(ipsp->iss_tcptab);
+		}
+
 		return;
+
 	}
 
 	/*
 	 * Print out all the state information currently held in the kernel.
 	 */
 	while (ipsp->iss_list != NULL) {
-		ipsp->iss_list = printstate(ipsp->iss_list, opts,
-					    ipsp->iss_ticks);
-	}
+		ipstate_t ips;
+
+		ipsp->iss_list = fetchstate(ipsp->iss_list, &ips);
 
-	free(buckets);
+		if (ipsp->iss_list != NULL) {
+			ipsp->iss_list = ips.is_next;
+			printstate(&ips, opts, ipsp->iss_ticks);
+		}
+	}
 }
 
 
@@ -1040,9 +1236,9 @@ int topclosed;
 	/* init ipfobj_t stuff */
 	bzero((caddr_t)&ipfo, sizeof(ipfo));
 	ipfo.ipfo_rev = IPFILTER_VERSION;
+	ipfo.ipfo_type = IPFOBJ_STATESTAT;
 	ipfo.ipfo_size = sizeof(*ipsstp);
 	ipfo.ipfo_ptr = (void *)ipsstp;
-	ipfo.ipfo_type = IPFOBJ_STATESTAT;
 
 	/* repeat until user aborts */
 	while ( 1 ) {
@@ -1064,8 +1260,8 @@ int topclosed;
 		/* read the state table and store in tstable */
 		for (; ipsstp->iss_list; ipsstp->iss_list = ips.is_next) {
 
-			if (kmemcpy((char *)&ips, (u_long)ipsstp->iss_list,
-				    sizeof(ips)))
+			ipsstp->iss_list = fetchstate(ipsstp->iss_list, &ips);
+			if (ipsstp->iss_list == NULL)
 				break;
 
 			if (ips.is_v != ver)
@@ -1432,8 +1628,9 @@ out:
 /*
  * Show fragment cache information that's held in the kernel.
  */
-static void showfrstates(ifsp)
+static void showfrstates(ifsp, ticks)
 ipfrstat_t *ifsp;
+u_long ticks;
 {
 	struct ipfr *ipfrtab[IPFT_SIZE], ifr;
 	int i;
@@ -1448,34 +1645,65 @@ ipfrstat_t *ifsp;
 	PRINTF("\t%lu no memory\n\t%lu already exist\n",
 		ifsp->ifs_nomem, ifsp->ifs_exists);
 	PRINTF("\t%lu inuse\n", ifsp->ifs_inuse);
-	if (kmemcpy((char *)ipfrtab, (u_long)ifsp->ifs_table, sizeof(ipfrtab)))
-		return;
+	PRINTF("\n");
+
+	if (live_kernel == 0) {
+		if (kmemcpy((char *)ipfrtab, (u_long)ifsp->ifs_table,
+			    sizeof(ipfrtab)))
+			return;
+	}
 
 	/*
 	 * Print out the contents (if any) of the fragment cache table.
 	 */
-	PRINTF("\n");
-	for (i = 0; i < IPFT_SIZE; i++)
-		while (ipfrtab[i] != NULL) {
-			if (kmemcpy((char *)&ifr, (u_long)ipfrtab[i],
-				    sizeof(ifr)) == -1)
+	if (live_kernel == 1) {
+		do {
+			if (fetchfrag(ipf_fd, IPFGENITER_FRAG, &ifr) != 0)
+				break;
+			if (ifr.ipfr_ifp == NULL)
 				break;
+			ifr.ipfr_ttl -= ticks;
 			printfraginfo("", &ifr);
-			ipfrtab[i] = ifr.ipfr_next;
-		}
+		} while (1);
+	} else {
+		for (i = 0; i < IPFT_SIZE; i++)
+			while (ipfrtab[i] != NULL) {
+				if (kmemcpy((char *)&ifr, (u_long)ipfrtab[i],
+					    sizeof(ifr)) == -1)
+					break;
+				printfraginfo("", &ifr);
+				ipfrtab[i] = ifr.ipfr_next;
+			}
+	}
 	/*
 	 * Print out the contents (if any) of the NAT fragment cache table.
 	 */
-	if (kmemcpy((char *)ipfrtab, (u_long)ifsp->ifs_nattab,sizeof(ipfrtab)))
-		return;
-	for (i = 0; i < IPFT_SIZE; i++)
-		while (ipfrtab[i] != NULL) {
-			if (kmemcpy((char *)&ifr, (u_long)ipfrtab[i],
-				    sizeof(ifr)) == -1)
+
+	if (live_kernel == 0) {
+		if (kmemcpy((char *)ipfrtab, (u_long)ifsp->ifs_nattab,
+			    sizeof(ipfrtab)))
+			return;
+	}
+
+	if (live_kernel == 1) {
+		do {
+			if (fetchfrag(nat_fd, IPFGENITER_NATFRAG, &ifr) != 0)
+				break;
+			if (ifr.ipfr_ifp == NULL)
 				break;
+			ifr.ipfr_ttl -= ticks;
 			printfraginfo("NAT: ", &ifr);
-			ipfrtab[i] = ifr.ipfr_next;
-		}
+		} while (1);
+	} else {
+		for (i = 0; i < IPFT_SIZE; i++)
+			while (ipfrtab[i] != NULL) {
+				if (kmemcpy((char *)&ifr, (u_long)ipfrtab[i],
+					    sizeof(ifr)) == -1)
+					break;
+				printfraginfo("NAT: ", &ifr);
+				ipfrtab[i] = ifr.ipfr_next;
+			}
+	}
 }
 
 
@@ -1486,6 +1714,17 @@ static void showauthstates(asp)
 fr_authstat_t *asp;
 {
 	frauthent_t *frap, fra;
+	ipfgeniter_t auth;
+	ipfobj_t obj;
+
+	obj.ipfo_rev = IPFILTER_VERSION;
+	obj.ipfo_type = IPFOBJ_GENITER;
+	obj.ipfo_size = sizeof(auth);
+	obj.ipfo_ptr = &auth;
+
+	auth.igi_type = IPFGENITER_AUTH;
+	auth.igi_nitems = 1;
+	auth.igi_data = &fra;
 
 #ifdef	USE_QUAD_T
 	printf("Authorisation hits: %qu\tmisses %qu\n",
@@ -1503,9 +1742,14 @@ fr_authstat_t *asp;
 
 	frap = asp->fas_faelist;
 	while (frap) {
-		if (kmemcpy((char *)&fra, (u_long)frap, sizeof(fra)) == -1)
-			break;
-
+		if (live_kernel == 1) {
+			if (ioctl(auth_fd, SIOCGENITER, &obj))
+				break;
+		} else {
+			if (kmemcpy((char *)&fra, (u_long)frap,
+				    sizeof(fra)) == -1)
+				break;
+		}
 		printf("age %ld\t", fra.fae_age);
 		printfr(&fra.fae_fr, ioctl);
 		frap = fra.fae_next;
@@ -1795,3 +2039,75 @@ const void *b;
 }
 
 #endif
+
+
+ipstate_t *fetchstate(src, dst)
+ipstate_t *src, *dst;
+{
+	int i;
+
+	if (live_kernel == 1) {
+		ipfgeniter_t state;
+		ipfobj_t obj;
+
+		obj.ipfo_rev = IPFILTER_VERSION;
+		obj.ipfo_type = IPFOBJ_GENITER;
+		obj.ipfo_size = sizeof(state);
+		obj.ipfo_ptr = &state;
+
+		state.igi_type = IPFGENITER_STATE;
+		state.igi_nitems = 1;
+		state.igi_data = dst;
+
+		if (ioctl(state_fd, SIOCGENITER, &obj) != 0)
+			return NULL;
+		if (dst->is_next == NULL) {
+			i = IPFGENITER_STATE;
+			ioctl(state_fd, SIOCIPFDELTOK, &i);
+		}
+	} else {
+		if (kmemcpy((char *)dst, (u_long)src, sizeof(*dst)))
+			return NULL;
+	}
+	return dst;
+}
+
+
+static int fetchfrag(fd, type, frp)
+int fd, type;
+ipfr_t *frp;
+{
+	ipfgeniter_t frag;
+	ipfobj_t obj;
+
+	obj.ipfo_rev = IPFILTER_VERSION;
+	obj.ipfo_type = IPFOBJ_GENITER;
+	obj.ipfo_size = sizeof(frag);
+	obj.ipfo_ptr = &frag;
+
+	frag.igi_type = type;
+	frag.igi_nitems = 1;
+	frag.igi_data = frp;
+
+	if (ioctl(fd, SIOCGENITER, &obj))
+		return EFAULT;
+	return 0;
+}
+
+
+static void showtqtable_live(fd)
+int fd;
+{
+	ipftq_t table[IPF_TCP_NSTATES];
+	ipfobj_t obj;
+
+	bzero((char *)&obj, sizeof(obj));
+	obj.ipfo_rev = IPFILTER_VERSION;
+	obj.ipfo_size = sizeof(table);
+	obj.ipfo_ptr = (void *)table;
+	obj.ipfo_type = IPFOBJ_STATETQTAB;
+
+	if (ioctl(fd, SIOCGTQTAB, &obj) == 0) {
+		printtqtable(table);
+	}
+}
diff --git a/contrib/ipfilter/tools/ipftest.c b/contrib/ipfilter/tools/ipftest.c
index 3b99a0b..963ed19 100644
--- a/contrib/ipfilter/tools/ipftest.c
+++ b/contrib/ipfilter/tools/ipftest.c
@@ -1,7 +1,7 @@
 /*	$FreeBSD$	*/
 
 /*
- * Copyright (C) 1993-2001 by Darren Reed.
+ * Copyright (C) 2002-2006 by Darren Reed.
  *
  * See the IPFILTER.LICENCE file for details on licencing.
  */
@@ -12,7 +12,7 @@
 
 #if !defined(lint)
 static const char sccsid[] = "@(#)ipt.c	1.19 6/3/96 (C) 1993-2000 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ipftest.c,v 1.44.2.9 2006/03/29 11:21:13 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: ipftest.c,v 1.44.2.13 2006/12/12 16:13:01 darrenr Exp $";
 #endif
 
 extern	char	*optarg;
@@ -22,12 +22,13 @@ extern	struct ifnet	*get_unit __P((char *, int));
 extern	void	init_ifp __P((void));
 extern	ipnat_t	*natparse __P((char *, int));
 extern	int	fr_running;
-extern	hostmap_t **maptable;
+extern	hostmap_t **ipf_hm_maptable;
+extern	hostmap_t *ipf_hm_maplist;
 
 ipfmutex_t	ipl_mutex, ipf_authmx, ipf_rw, ipf_stinsert;
 ipfmutex_t	ipf_nat_new, ipf_natio, ipf_timeoutlock;
 ipfrwlock_t	ipf_mutex, ipf_global, ipf_ipidfrag, ip_poolrw, ipf_frcache;
-ipfrwlock_t	ipf_frag, ipf_state, ipf_nat, ipf_natfrag, ipf_auth;
+ipfrwlock_t	ipf_frag, ipf_state, ipf_nat, ipf_natfrag, ipf_auth, ipf_tokens;
 int	opts = OPT_DONOTHING;
 int	use_inet6 = 0;
 int	docksum = 0;
@@ -103,6 +104,7 @@ char *argv[];
 	RWLOCK_INIT(&ipf_mutex, "ipf filter rwlock");
 	RWLOCK_INIT(&ipf_ipidfrag, "ipf IP NAT-Frag rwlock");
 	RWLOCK_INIT(&ipf_frcache, "ipf filter cache");
+	RWLOCK_INIT(&ipf_tokens, "ipf token rwlock");
 
 	initparse();
 	if (fr_initialise() == -1)
@@ -251,7 +253,10 @@ char *argv[];
 				(void)printf("pass");
 				break;
 			case 1 :
-				(void)printf("nomatch");
+				if (m == NULL)
+					(void)printf("bad-packet");
+				else
+					(void)printf("nomatch");
 				break;
 			case 3 :
 				(void)printf("block return-rst");
@@ -631,26 +636,23 @@ int n;
  */
 void dumpnat()
 {
-	ipnat_t	*ipn;
-	nat_t	*nat;
 	hostmap_t *hm;
-	int	i;
+	ipnat_t	*ipn;
+	nat_t *nat;
 
 	printf("List of active MAP/Redirect filters:\n");
 	for (ipn = nat_list; ipn != NULL; ipn = ipn->in_next)
 		printnat(ipn, opts & (OPT_DEBUG|OPT_VERBOSE));
 	printf("\nList of active sessions:\n");
 	for (nat = nat_instances; nat; nat = nat->nat_next) {
-		printactivenat(nat, opts);
+		printactivenat(nat, opts, 0, 0);
 		if (nat->nat_aps)
 			printaps(nat->nat_aps, opts);
 	}
 
 	printf("\nHostmap table:\n");
-	for (i = 0; i < ipf_hostmap_sz; i++) {
-		for (hm = maptable[i]; hm != NULL; hm = hm->hm_next)
-			printhostmap(hm, i);
-	}
+	for (hm = ipf_hm_maplist; hm != NULL; hm = hm->hm_next)
+		printhostmap(hm, 0);
 }
 
 
diff --git a/contrib/ipfilter/tools/ipmon.c b/contrib/ipfilter/tools/ipmon.c
index fea09f3..f651f86 100644
--- a/contrib/ipfilter/tools/ipmon.c
+++ b/contrib/ipfilter/tools/ipmon.c
@@ -1,7 +1,7 @@
 /*	$FreeBSD$	*/
 
 /*
- * Copyright (C) 1993-2001, 2003 by Darren Reed.
+ * Copyright (C) 2001-2006 by Darren Reed.
  *
  * See the IPFILTER.LICENCE file for details on licencing.
  */
@@ -78,7 +78,7 @@
 
 #if !defined(lint)
 static const char sccsid[] = "@(#)ipmon.c	1.21 6/5/96 (C)1993-2000 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ipmon.c,v 1.33.2.15 2006/03/18 06:59:39 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: ipmon.c,v 1.33.2.18 2007/05/27 11:12:12 darrenr Exp $";
 #endif
 
 
@@ -817,27 +817,49 @@ int	blen;
 	(void) sprintf(t, ".%-.6ld ", ipl->ipl_usec);
 	t += strlen(t);
 
-	if (sl->isl_type == ISL_NEW)
+	switch (sl->isl_type)
+	{
+	case ISL_NEW :
 		strcpy(t, "STATE:NEW ");
-	else if (sl->isl_type == ISL_CLONE)
+		break;
+
+	case ISL_CLONE :
 		strcpy(t, "STATE:CLONED ");
-	else if (sl->isl_type == ISL_EXPIRE) {
+		break;
+
+	case ISL_EXPIRE :
 		if ((sl->isl_p == IPPROTO_TCP) &&
 		    (sl->isl_state[0] > IPF_TCPS_ESTABLISHED ||
 		     sl->isl_state[1] > IPF_TCPS_ESTABLISHED))
 			strcpy(t, "STATE:CLOSE ");
 		else
 			strcpy(t, "STATE:EXPIRE ");
-	} else if (sl->isl_type == ISL_FLUSH)
+		break;
+
+	case ISL_FLUSH :
 		strcpy(t, "STATE:FLUSH ");
-	else if (sl->isl_type == ISL_INTERMEDIATE)
+		break;
+
+	case ISL_INTERMEDIATE :
 		strcpy(t, "STATE:INTERMEDIATE ");
-	else if (sl->isl_type == ISL_REMOVE)
+		break;
+
+	case ISL_REMOVE :
 		strcpy(t, "STATE:REMOVE ");
-	else if (sl->isl_type == ISL_KILLED)
+		break;
+
+	case ISL_KILLED :
 		strcpy(t, "STATE:KILLED ");
-	else
+		break;
+
+	case ISL_UNLOAD :
+		strcpy(t, "STATE:UNLOAD ");
+		break;
+
+	default :
 		sprintf(t, "Type: %d ", sl->isl_type);
+		break;
+	}
 	t += strlen(t);
 
 	proto = getproto(sl->isl_p);
@@ -1629,6 +1651,7 @@ char *argv[];
 			if (!tr)
 				continue;
 			nr += tr;
+			n = 0;
 
 			tr = read_log(fd[i], &n, buf, sizeof(buf));
 			if (donehup) {
diff --git a/contrib/ipfilter/tools/ipmon_y.y b/contrib/ipfilter/tools/ipmon_y.y
index e1aa812..98042d8 100644
--- a/contrib/ipfilter/tools/ipmon_y.y
+++ b/contrib/ipfilter/tools/ipmon_y.y
@@ -1,5 +1,10 @@
 /*	$FreeBSD$	*/
 
+/*
+ * Copyright (C) 2001-2004 by Darren Reed.
+ *
+ * See the IPFILTER.LICENCE file for details on licencing.
+ */
 %{
 #include "ipf.h"
 #include <syslog.h>
@@ -77,6 +82,7 @@ assign:	YY_STR assigning YY_STR ';'		{ set_variable($1, $3);
 						  resetlexer();
 						  free($1);
 						  free($3);
+						  yyvarnext = 0;
 						} 
 	;
 
diff --git a/contrib/ipfilter/tools/ipnat.c b/contrib/ipfilter/tools/ipnat.c
index 5ebea45..c9954ab 100644
--- a/contrib/ipfilter/tools/ipnat.c
+++ b/contrib/ipfilter/tools/ipnat.c
@@ -1,7 +1,7 @@
 /*	$FreeBSD$	*/
 
 /*
- * Copyright (C) 1993-2001 by Darren Reed.
+ * Copyright (C) 2001-2006 by Darren Reed.
  *
  * See the IPFILTER.LICENCE file for details on licencing.
  *
@@ -67,7 +67,7 @@ extern	char	*sys_errlist[];
 
 #if !defined(lint)
 static const char sccsid[] ="@(#)ipnat.c	1.9 6/5/96 (C) 1993 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ipnat.c,v 1.24.2.2 2005/05/10 21:19:30 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: ipnat.c,v 1.24.2.6 2007/05/11 11:16:55 darrenr Exp $";
 #endif
 
 
@@ -79,11 +79,17 @@ char	thishost[MAXHOSTNAMELEN];
 
 extern	char	*optarg;
 
-void	dostats __P((natstat_t *, int)), flushtable __P((int, int));
+void	dostats __P((int, natstat_t *, int, int));
+void	flushtable __P((int, int));
 void	usage __P((char *));
 int	main __P((int, char*[]));
 void	showhostmap __P((natstat_t *nsp));
 void	natstat_dead __P((natstat_t *, char *));
+void	dostats_live __P((int, natstat_t *, int));
+void	showhostmap_dead __P((natstat_t *));
+void	showhostmap_live __P((int, natstat_t *));
+void	dostats_dead __P((natstat_t *, int));
+void	showtqtable_live __P((int));
 
 int	opts;
 
@@ -168,6 +174,15 @@ char *argv[];
 		(void) setuid(getuid());
 	}
 
+	if (!(opts & OPT_DONOTHING)) {
+		if (((fd = open(IPNAT_NAME, mode)) == -1) &&
+		    ((fd = open(IPNAT_NAME, O_RDONLY)) == -1)) {
+			(void) fprintf(stderr, "%s: open: %s\n", IPNAT_NAME,
+				STRERROR(errno));
+			exit(1);
+		}
+	}
+
 	bzero((char *)&ns, sizeof(ns));
 
 	if ((opts & OPT_DONOTHING) == 0) {
@@ -177,22 +192,11 @@ char *argv[];
 		}
 	}
 
-
 	if (!(opts & OPT_DONOTHING) && (kernel == NULL) && (core == NULL)) {
-		if (openkmem(kernel, core) == -1)
-			exit(1);
-
-		if (((fd = open(IPNAT_NAME, mode)) == -1) &&
-		    ((fd = open(IPNAT_NAME, O_RDONLY)) == -1)) {
-			(void) fprintf(stderr, "%s: open: %s\n", IPNAT_NAME,
-				STRERROR(errno));
-			exit(1);
-		}
-
 		bzero((char *)&obj, sizeof(obj));
 		obj.ipfo_rev = IPFILTER_VERSION;
-		obj.ipfo_size = sizeof(*nsp);
 		obj.ipfo_type = IPFOBJ_NATSTAT;
+		obj.ipfo_size = sizeof(*nsp);
 		obj.ipfo_ptr = (void *)nsp;
 		if (ioctl(fd, SIOCGNATS, &obj) == -1) {
 			perror("ioctl(SIOCGNATS)");
@@ -206,7 +210,7 @@ char *argv[];
 
 		natstat_dead(nsp, kernel);
 		if (opts & (OPT_LIST|OPT_STAT))
-			dostats(nsp, opts);
+			dostats(fd, nsp, opts, 0);
 		exit(0);
 	}
 
@@ -216,7 +220,7 @@ char *argv[];
 		ipnat_parsefile(fd, ipnat_addrule, ioctl, file);
 	}
 	if (opts & (OPT_LIST|OPT_STAT))
-		dostats(nsp, opts);
+		dostats(fd, nsp, opts, 1);
 	return 0;
 }
 
@@ -277,15 +281,74 @@ char *kernel;
 
 
 /*
+ * Issue an ioctl to flush either the NAT rules table or the active mapping
+ * table or both.
+ */
+void flushtable(fd, opts)
+int fd, opts;
+{
+	int n = 0;
+
+	if (opts & OPT_FLUSH) {
+		n = 0;
+		if (!(opts & OPT_DONOTHING) && ioctl(fd, SIOCIPFFL, &n) == -1)
+			perror("ioctl(SIOCFLNAT)");
+		else
+			printf("%d entries flushed from NAT table\n", n);
+	}
+
+	if (opts & OPT_CLEAR) {
+		n = 1;
+		if (!(opts & OPT_DONOTHING) && ioctl(fd, SIOCIPFFL, &n) == -1)
+			perror("ioctl(SIOCCNATL)");
+		else
+			printf("%d entries flushed from NAT list\n", n);
+	}
+}
+
+
+/*
  * Display NAT statistics.
  */
-void dostats(nsp, opts)
+void dostats_dead(nsp, opts)
 natstat_t *nsp;
 int opts;
 {
 	nat_t *np, nat;
 	ipnat_t	ipn;
 
+	printf("List of active MAP/Redirect filters:\n");
+	while (nsp->ns_list) {
+		if (kmemcpy((char *)&ipn, (long)nsp->ns_list,
+			    sizeof(ipn))) {
+			perror("kmemcpy");
+			break;
+		}
+		if (opts & OPT_HITS)
+			printf("%lu ", ipn.in_hits);
+		printnat(&ipn, opts & (OPT_DEBUG|OPT_VERBOSE));
+		nsp->ns_list = ipn.in_next;
+	}
+
+	printf("\nList of active sessions:\n");
+
+	for (np = nsp->ns_instances; np; np = nat.nat_next) {
+		if (kmemcpy((char *)&nat, (long)np, sizeof(nat)))
+			break;
+		printactivenat(&nat, opts, 0, nsp->ns_ticks);
+		if (nat.nat_aps)
+			printaps(nat.nat_aps, opts);
+	}
+
+	if (opts & OPT_VERBOSE)
+		showhostmap_dead(nsp);
+}
+
+
+void dostats(fd, nsp, opts, alive)
+natstat_t *nsp;
+int fd, opts, alive;
+{
 	/*
 	 * Show statistics ?
 	 */
@@ -302,45 +365,78 @@ int opts;
 		if (opts & OPT_VERBOSE)
 			printf("table %p list %p\n",
 				nsp->ns_table, nsp->ns_list);
+		if (alive)
+			showtqtable_live(fd);
+	}
+
+	if (opts & OPT_LIST) {
+		if (alive)
+			dostats_live(fd, nsp, opts);
+		else
+			dostats_dead(nsp, opts);
 	}
+}
+
+
+/*
+ * Display NAT statistics.
+ */
+void dostats_live(fd, nsp, opts)
+natstat_t *nsp;
+int fd, opts;
+{
+	ipfgeniter_t iter;
+	ipfobj_t obj;
+	ipnat_t	ipn;
+	nat_t nat;
+
+	bzero((char *)&obj, sizeof(obj));
+	obj.ipfo_rev = IPFILTER_VERSION;
+	obj.ipfo_type = IPFOBJ_GENITER;
+	obj.ipfo_size = sizeof(iter);
+	obj.ipfo_ptr = &iter;
+
+	iter.igi_type = IPFGENITER_IPNAT;
+	iter.igi_nitems = 1;
+	iter.igi_data = &ipn;
 
 	/*
 	 * Show list of NAT rules and NAT sessions ?
 	 */
-	if (opts & OPT_LIST) {
-		printf("List of active MAP/Redirect filters:\n");
-		while (nsp->ns_list) {
-			if (kmemcpy((char *)&ipn, (long)nsp->ns_list,
-				    sizeof(ipn))) {
-				perror("kmemcpy");
-				break;
-			}
-			if (opts & OPT_HITS)
-				printf("%lu ", ipn.in_hits);
-			printnat(&ipn, opts & (OPT_DEBUG|OPT_VERBOSE));
-			nsp->ns_list = ipn.in_next;
-		}
+	printf("List of active MAP/Redirect filters:\n");
+	while (nsp->ns_list) {
+		if (ioctl(fd, SIOCGENITER, &obj) == -1)
+			break;
+		if (opts & OPT_HITS)
+			printf("%lu ", ipn.in_hits);
+		printnat(&ipn, opts & (OPT_DEBUG|OPT_VERBOSE));
+		nsp->ns_list = ipn.in_next;
+	}
 
-		printf("\nList of active sessions:\n");
+	printf("\nList of active sessions:\n");
 
-		for (np = nsp->ns_instances; np; np = nat.nat_next) {
-			if (kmemcpy((char *)&nat, (long)np, sizeof(nat)))
-				break;
-			printactivenat(&nat, opts);
-			if (nat.nat_aps)
-				printaps(nat.nat_aps, opts);
-		}
+	iter.igi_type = IPFGENITER_NAT;
+	iter.igi_nitems = 1;
+	iter.igi_data = &nat;
 
-		if (opts & OPT_VERBOSE)
-			showhostmap(nsp);
+	while (nsp->ns_instances != NULL) {
+		if (ioctl(fd, SIOCGENITER, &obj) == -1)
+			break;
+		printactivenat(&nat, opts, 1, nsp->ns_ticks);
+		if (nat.nat_aps)
+			printaps(nat.nat_aps, opts);
+		nsp->ns_instances = nat.nat_next;
 	}
+
+	if (opts & OPT_VERBOSE)
+		showhostmap_live(fd, nsp);
 }
 
 
 /*
  * Display the active host mapping table.
  */
-void showhostmap(nsp)
+void showhostmap_dead(nsp)
 natstat_t *nsp;
 {
 	hostmap_t hm, *hmp, **maptable;
@@ -374,27 +470,50 @@ natstat_t *nsp;
 
 
 /*
- * Issue an ioctl to flush either the NAT rules table or the active mapping
- * table or both.
+ * Display the active host mapping table.
  */
-void flushtable(fd, opts)
-int fd, opts;
+void showhostmap_live(fd, nsp)
+int fd;
+natstat_t *nsp;
 {
-	int n = 0;
+	ipfgeniter_t iter;
+	hostmap_t hm;
+	ipfobj_t obj;
 
-	if (opts & OPT_FLUSH) {
-		n = 0;
-		if (!(opts & OPT_DONOTHING) && ioctl(fd, SIOCIPFFL, &n) == -1)
-			perror("ioctl(SIOCFLNAT)");
-		else
-			printf("%d entries flushed from NAT table\n", n);
+	bzero((char *)&obj, sizeof(obj));
+	obj.ipfo_rev = IPFILTER_VERSION;
+	obj.ipfo_type = IPFOBJ_GENITER;
+	obj.ipfo_size = sizeof(iter);
+	obj.ipfo_ptr = &iter;
+
+	iter.igi_type = IPFGENITER_HOSTMAP;
+	iter.igi_nitems = 1;
+	iter.igi_data = &hm;
+
+	printf("\nList of active host mappings:\n");
+
+	while (nsp->ns_maplist != NULL) {
+		if (ioctl(fd, SIOCGENITER, &obj) == -1)
+			break;
+		printhostmap(&hm, 0);
+		nsp->ns_maplist = hm.hm_next;
 	}
+}
 
-	if (opts & OPT_CLEAR) {
-		n = 1;
-		if (!(opts & OPT_DONOTHING) && ioctl(fd, SIOCIPFFL, &n) == -1)
-			perror("ioctl(SIOCCNATL)");
-		else
-			printf("%d entries flushed from NAT list\n", n);
+
+void showtqtable_live(fd)
+int fd;
+{
+	ipftq_t table[IPF_TCP_NSTATES];
+	ipfobj_t obj;
+
+	bzero((char *)&obj, sizeof(obj));
+	obj.ipfo_rev = IPFILTER_VERSION;
+	obj.ipfo_size = sizeof(table);
+	obj.ipfo_ptr = (void *)table;
+	obj.ipfo_type = IPFOBJ_STATETQTAB;
+
+	if (ioctl(fd, SIOCGTQTAB, &obj) == 0) {
+		printtqtable(table);      
 	}
 }
diff --git a/contrib/ipfilter/tools/ipnat_y.y b/contrib/ipfilter/tools/ipnat_y.y
index a01ec56..1857219 100644
--- a/contrib/ipfilter/tools/ipnat_y.y
+++ b/contrib/ipfilter/tools/ipnat_y.y
@@ -1,5 +1,10 @@
 /*	$FreeBSD$	*/
 
+/*
+ * Copyright (C) 2001-2006 by Darren Reed.
+ *
+ * See the IPFILTER.LICENCE file for details on licencing.
+ */
 %{
 #ifdef  __FreeBSD__
 # ifndef __FreeBSD_cc_version
@@ -117,6 +122,7 @@ assign:	YY_STR assigning YY_STR ';'	{ set_variable($1, $3);
 					  resetlexer();
 					  free($1);
 					  free($3);
+					  yyvarnext = 0;
 					}
 	;
 
@@ -348,11 +354,11 @@ portspec:
 	;
 
 dport:	| port portspec			{ nat->in_pmin = htons($2);
-						  nat->in_pmax = htons($2); }
+					  nat->in_pmax = htons($2); }
 	| port portspec '-' portspec	{ nat->in_pmin = htons($2);
-						  nat->in_pmax = htons($4); }
+					  nat->in_pmax = htons($4); }
 	| port portspec ':' portspec	{ nat->in_pmin = htons($2);
-						  nat->in_pmax = htons($4); }
+					  nat->in_pmax = htons($4); }
 	;
 
 nport:	port portspec			{ nat->in_pnext = htons($2); }
diff --git a/contrib/ipfilter/tools/ippool.c b/contrib/ipfilter/tools/ippool.c
index 5cefc66..8b70960 100644
--- a/contrib/ipfilter/tools/ippool.c
+++ b/contrib/ipfilter/tools/ippool.c
@@ -1,7 +1,7 @@
 /*	$FreeBSD$	*/
 
 /*
- * Copyright (C) 2003 by Darren Reed.
+ * Copyright (C) 2002-2006 by Darren Reed.
  *
  * See the IPFILTER.LICENCE file for details on licencing.
  */
@@ -29,8 +29,14 @@
 #include <netdb.h>
 #include <ctype.h>
 #include <unistd.h>
+#ifdef linux
+# include <linux/a.out.h>
+#else
+# include <nlist.h>
+#endif
 
 #include "ipf.h"
+#include "netinet/ipl.h"
 #include "netinet/ip_lookup.h"
 #include "netinet/ip_pool.h"
 #include "netinet/ip_htable.h"
@@ -43,17 +49,21 @@ extern	FILE	*ippool_yyin;
 extern	char	*optarg;
 extern	int	lineNum;
 
-void	showpools __P((ip_pool_stat_t *));
 void	usage __P((char *));
 int	main __P((int, char **));
 int	poolcommand __P((int, int, char *[]));
 int	poolnodecommand __P((int, int, char *[]));
 int	loadpoolfile __P((int, char *[], char *));
 int	poollist __P((int, char *[]));
+void	poollist_dead __P((int, char *, int, char *, char *));
+void	poollist_live __P((int, char *, int, int));
 int	poolflush __P((int, char *[]));
 int	poolstats __P((int, char *[]));
 int	gettype __P((char *, u_int *));
 int	getrole __P((char *));
+int	setnodeaddr __P((ip_pool_node_t *node, char *arg));
+void	showpools_live __P((int, int, ip_pool_stat_t *, char *));
+void	showhashs_live __P((int, int, iphtstat_t *, char *));
 
 int	opts = 0;
 int	fd = -1;
@@ -115,7 +125,9 @@ char *argv[];
 		exit(1);
 	}
 
-	return err;
+	if (err != 0)
+		exit(1);
+	return 0;
 }
 
 
@@ -123,10 +135,9 @@ int poolnodecommand(remove, argc, argv)
 int remove, argc;
 char *argv[];
 {
-	char *poolname = NULL, *s;
 	int err, c, ipset, role;
+	char *poolname = NULL;
 	ip_pool_node_t node;
-	struct in_addr mask;
 
 	ipset = 0;
 	role = IPL_LOGIPF;
@@ -140,22 +151,8 @@ char *argv[];
 			ippool_yydebug++;
 			break;
 		case 'i' :
-			s = strchr(optarg, '/');
-			if (s == NULL)
-				mask.s_addr = 0xffffffff;
-			else if (strchr(s, '.') == NULL) {
-				if (ntomask(4, atoi(s + 1), &mask.s_addr) != 0)
-					return -1;
-			} else {
-				mask.s_addr = inet_addr(s + 1);
-			}
-			if (s != NULL)
-				*s = '\0';
-			ipset = 1;
-			node.ipn_addr.adf_len = sizeof(node.ipn_addr);
-			node.ipn_addr.adf_addr.in4.s_addr = inet_addr(optarg);
-			node.ipn_mask.adf_len = sizeof(node.ipn_mask);
-			node.ipn_mask.adf_addr.in4.s_addr = mask.s_addr;
+			if (setnodeaddr(&node, optarg) == 0)
+				ipset = 1;
 			break;
 		case 'm' :
 			poolname = optarg;
@@ -176,11 +173,19 @@ char *argv[];
 			break;
 		}
 
+	if (argv[optind] != NULL && ipset == 0) {
+		if (setnodeaddr(&node, argv[optind]) == 0)
+			ipset = 1;
+	}
+
 	if (opts & OPT_DEBUG)
 		fprintf(stderr, "poolnodecommand: opts = %#x\n", opts);
 
-	if (ipset == 0)
+	if (ipset == 0) {
+		fprintf(stderr, "no IP address given with -i\n");
 		return -1;
+	}
+
 	if (poolname == NULL) {
 		fprintf(stderr, "poolname not given with add/remove node\n");
 		return -1;
@@ -338,151 +343,6 @@ char *argv[], *infile;
 }
 
 
-int poollist(argc, argv)
-int argc;
-char *argv[];
-{
-	char *kernel, *core, *poolname;
-	int c, role, type, live_kernel;
-	ip_pool_stat_t *plstp, plstat;
-	iphtstat_t *htstp, htstat;
-	iphtable_t *hptr;
-	iplookupop_t op;
-	ip_pool_t *ptr;
-
-	core = NULL;
-	kernel = NULL;
-	live_kernel = 1;
-	type = IPLT_ALL;
-	poolname = NULL;
-	role = IPL_LOGALL;
-
-	while ((c = getopt(argc, argv, "dm:M:N:o:Rt:v")) != -1)
-		switch (c)
-		{
-		case 'd' :
-			opts |= OPT_DEBUG;
-			break;
-		case 'm' :
-			poolname = optarg;
-			break;
-		case 'M' :
-			live_kernel = 0;
-			core = optarg;
-			break;
-		case 'N' :
-			live_kernel = 0;
-			kernel = optarg;
-			break;
-		case 'o' :
-			role = getrole(optarg);
-			if (role == IPL_LOGNONE) {
-				fprintf(stderr, "unknown role '%s'\n", optarg);
-				return -1;
-			}
-			break;
-		case 'R' :
-			opts |= OPT_NORESOLVE;
-			break;
-		case 't' :
-			type = gettype(optarg, NULL);
-			if (type == IPLT_NONE) {
-				fprintf(stderr, "unknown type '%s'\n", optarg);
-				return -1;
-			}
-			break;
-		case 'v' :
-			opts |= OPT_VERBOSE;
-			break;
-		}
-
-	if (opts & OPT_DEBUG)
-		fprintf(stderr, "poollist: opts = %#x\n", opts);
-
-	if (!(opts & OPT_DONOTHING) && (fd == -1)) {
-		fd = open(IPLOOKUP_NAME, O_RDWR);
-		if (fd == -1) {
-			perror("open(IPLOOKUP_NAME)");
-			exit(1);
-		}
-	}
-
-	bzero((char *)&op, sizeof(op));
-	if (poolname != NULL) {
-		strncpy(op.iplo_name, poolname, sizeof(op.iplo_name));
-		op.iplo_name[sizeof(op.iplo_name) - 1] = '\0';
-	}
-	op.iplo_unit = role;
-
-	if (openkmem(kernel, core) == -1)
-		exit(-1);
-
-	if (type == IPLT_ALL || type == IPLT_POOL) {
-		plstp = &plstat;
-		op.iplo_type = IPLT_POOL;
-		op.iplo_size = sizeof(plstat);
-		op.iplo_struct = &plstat;
-		c = ioctl(fd, SIOCLOOKUPSTAT, &op);
-		if (c == -1) {
-			perror("ioctl(SIOCLOOKUPSTAT)");
-			return -1;
-		}
-
-		if (role != IPL_LOGALL) {
-			ptr = plstp->ipls_list[role];
-			while (ptr != NULL) {
-				ptr = printpool(ptr, kmemcpywrap, poolname,
-						opts);
-			}
-		} else {
-			for (role = 0; role <= IPL_LOGMAX; role++) {
-				ptr = plstp->ipls_list[role];
-				while (ptr != NULL) {
-					ptr = printpool(ptr, kmemcpywrap,
-							poolname, opts);
-				}
-			}
-			role = IPL_LOGALL;
-		}
-	}
-	if (type == IPLT_ALL || type == IPLT_HASH) {
-		htstp = &htstat;
-		op.iplo_type = IPLT_HASH;
-		op.iplo_size = sizeof(htstat);
-		op.iplo_struct = &htstat;
-		c = ioctl(fd, SIOCLOOKUPSTAT, &op);
-		if (c == -1) {
-			perror("ioctl(SIOCLOOKUPSTAT)");
-			return -1;
-		}
-
-		if (role != IPL_LOGALL) {
-			hptr = htstp->iphs_tables;
-			while (hptr != NULL) {
-				hptr = printhash(hptr, kmemcpywrap,
-						 poolname, opts);
-			}
-		} else {
-			for (role = 0; role <= IPL_LOGMAX; role++) {
-				hptr = htstp->iphs_tables;
-				while (hptr != NULL) {
-					hptr = printhash(hptr, kmemcpywrap,
-							 poolname, opts);
-				}
-
-				op.iplo_unit = role;
-				c = ioctl(fd, SIOCLOOKUPSTAT, &op);
-				if (c == -1) {
-					perror("ioctl(SIOCLOOKUPSTAT)");
-					return -1;
-				}
-			}
-		}
-	}
-	return 0;
-}
-
-
 int poolstats(argc, argv)
 int argc;
 char *argv[];
@@ -683,7 +543,7 @@ u_int *minor;
 {
 	int type;
 
-	if (!strcasecmp(optarg, "tree")) {
+	if (!strcasecmp(optarg, "tree") || !strcasecmp(optarg, "pool")) {
 		type = IPLT_POOL;
 	} else if (!strcasecmp(optarg, "hash")) {
 		type = IPLT_HASH;
@@ -698,3 +558,321 @@ u_int *minor;
 	}
 	return type;
 }
+
+
+int poollist(argc, argv)
+int argc;
+char *argv[];
+{
+	char *kernel, *core, *poolname;
+	int c, role, type, live_kernel;
+	iplookupop_t op;
+
+	core = NULL;
+	kernel = NULL;
+	live_kernel = 1;
+	type = IPLT_ALL;
+	poolname = NULL;
+	role = IPL_LOGALL;
+
+	while ((c = getopt(argc, argv, "dm:M:N:o:Rt:v")) != -1)
+		switch (c)
+		{
+		case 'd' :
+			opts |= OPT_DEBUG;
+			break;
+		case 'm' :
+			poolname = optarg;
+			break;
+		case 'M' :
+			live_kernel = 0;
+			core = optarg;
+			break;
+		case 'N' :
+			live_kernel = 0;
+			kernel = optarg;
+			break;
+		case 'o' :
+			role = getrole(optarg);
+			if (role == IPL_LOGNONE) {
+				fprintf(stderr, "unknown role '%s'\n", optarg);
+				return -1;
+			}
+			break;
+		case 'R' :
+			opts |= OPT_NORESOLVE;
+			break;
+		case 't' :
+			type = gettype(optarg, NULL);
+			if (type == IPLT_NONE) {
+				fprintf(stderr, "unknown type '%s'\n", optarg);
+				return -1;
+			}
+			break;
+		case 'v' :
+			opts |= OPT_VERBOSE;
+			break;
+		}
+
+	if (opts & OPT_DEBUG)
+		fprintf(stderr, "poollist: opts = %#x\n", opts);
+
+	if (!(opts & OPT_DONOTHING) && (fd == -1)) {
+		fd = open(IPLOOKUP_NAME, O_RDWR);
+		if (fd == -1) {
+			perror("open(IPLOOKUP_NAME)");
+			exit(1);
+		}
+	}
+
+	bzero((char *)&op, sizeof(op));
+	if (poolname != NULL) {
+		strncpy(op.iplo_name, poolname, sizeof(op.iplo_name));
+		op.iplo_name[sizeof(op.iplo_name) - 1] = '\0';
+	}
+	op.iplo_unit = role;
+
+	if (live_kernel)
+		poollist_live(role, poolname, type, fd);
+	else
+		poollist_dead(role, poolname, type, kernel, core);
+	return 0;
+}
+
+
+void poollist_dead(role, poolname, type, kernel, core)
+int role, type;
+char *poolname, *kernel, *core;
+{
+	iphtable_t *hptr;
+	ip_pool_t *ptr;
+
+	if (openkmem(kernel, core) == -1)
+		exit(-1);
+
+	if (type == IPLT_ALL || type == IPLT_POOL) {
+		ip_pool_t *pools[IPL_LOGSIZE];
+		struct nlist names[2] = { { "ip_pool_list" } , { "" } };
+
+		if (nlist(kernel, names) != 1)
+			return;
+
+		bzero(&pools, sizeof(pools));
+		if (kmemcpy((char *)&pools, names[0].n_value, sizeof(pools)))
+			return;
+
+		if (role != IPL_LOGALL) {
+			ptr = pools[role];
+			while (ptr != NULL) {
+				ptr = printpool(ptr, kmemcpywrap, poolname,
+						opts);
+			}
+		} else {
+			for (role = 0; role <= IPL_LOGMAX; role++) {
+				ptr = pools[role];
+				while (ptr != NULL) {
+					ptr = printpool(ptr, kmemcpywrap,
+							poolname, opts);
+				}
+			}
+			role = IPL_LOGALL;
+		}
+	}
+	if (type == IPLT_ALL || type == IPLT_HASH) {
+		iphtable_t *tables[IPL_LOGSIZE];
+		struct nlist names[2] = { { "ipf_htables" } , { "" } };
+
+		if (nlist(kernel, names) != 1)
+			return;
+
+		bzero(&tables, sizeof(tables));
+		if (kmemcpy((char *)&tables, names[0].n_value, sizeof(tables)))
+			return;
+
+		if (role != IPL_LOGALL) {
+			hptr = tables[role];
+			while (hptr != NULL) {
+				hptr = printhash(hptr, kmemcpywrap,
+						 poolname, opts);
+			}
+		} else {
+			for (role = 0; role <= IPL_LOGMAX; role++) {
+				hptr = tables[role];
+				while (hptr != NULL) {
+					hptr = printhash(hptr, kmemcpywrap,
+							 poolname, opts);
+				}
+			}
+		}
+	}
+}
+
+
+void poollist_live(role, poolname, type, fd)
+int role, type, fd;
+char *poolname;
+{
+	ip_pool_stat_t plstat;
+	iphtstat_t htstat;
+	iplookupop_t op;
+	int c;
+
+	if (type == IPLT_ALL || type == IPLT_POOL) {
+		op.iplo_type = IPLT_POOL;
+		op.iplo_size = sizeof(plstat);
+		op.iplo_struct = &plstat;
+		op.iplo_name[0] = '\0';
+		op.iplo_arg = 0;
+
+		if (role != IPL_LOGALL) {
+			op.iplo_unit = role;
+
+			c = ioctl(fd, SIOCLOOKUPSTAT, &op);
+			if (c == -1) {
+				perror("ioctl(SIOCLOOKUPSTAT)");
+				return;
+			}
+
+			showpools_live(fd, role, &plstat, poolname);
+		} else {
+			for (role = 0; role <= IPL_LOGMAX; role++) {
+				op.iplo_unit = role;
+
+				c = ioctl(fd, SIOCLOOKUPSTAT, &op);
+				if (c == -1) {
+					perror("ioctl(SIOCLOOKUPSTAT)");
+					return;
+				}
+
+				showpools_live(fd, role, &plstat, poolname);
+			}
+
+			role = IPL_LOGALL;
+		}
+	}
+
+	if (type == IPLT_ALL || type == IPLT_HASH) {
+		op.iplo_type = IPLT_HASH;
+		op.iplo_size = sizeof(htstat);
+		op.iplo_struct = &htstat;
+		op.iplo_name[0] = '\0';
+		op.iplo_arg = 0;
+
+		if (role != IPL_LOGALL) {
+			op.iplo_unit = role;
+
+			c = ioctl(fd, SIOCLOOKUPSTAT, &op);
+			if (c == -1) {
+				perror("ioctl(SIOCLOOKUPSTAT)");
+				return;
+			}
+			showhashs_live(fd, role, &htstat, poolname);
+		} else {
+			for (role = 0; role <= IPL_LOGMAX; role++) {
+
+				op.iplo_unit = role;
+				c = ioctl(fd, SIOCLOOKUPSTAT, &op);
+				if (c == -1) {
+					perror("ioctl(SIOCLOOKUPSTAT)");
+					return;
+				}
+
+				showhashs_live(fd, role, &htstat, poolname);
+			}
+		}
+	}
+}
+
+
+void showpools_live(fd, role, plstp, poolname)
+int fd, role;
+ip_pool_stat_t *plstp;
+char *poolname;
+{
+	ipflookupiter_t iter;
+	ip_pool_t pool;
+	ipfobj_t obj;
+
+	obj.ipfo_rev = IPFILTER_VERSION;
+	obj.ipfo_type = IPFOBJ_LOOKUPITER;
+	obj.ipfo_size = sizeof(iter);
+	obj.ipfo_ptr = &iter;
+
+	iter.ili_type = IPLT_POOL;
+	iter.ili_otype = IPFLOOKUPITER_LIST;
+	iter.ili_ival = IPFGENITER_LOOKUP;
+	iter.ili_nitems = 1;
+	iter.ili_data = &pool;
+	iter.ili_unit = role;
+	*iter.ili_name = '\0';
+
+	while (plstp->ipls_list[role] != NULL) {
+		if (ioctl(fd, SIOCLOOKUPITER, &obj)) {
+			perror("ioctl(SIOCLOOKUPITER)");
+			break;
+		}
+		printpool_live(&pool, fd, poolname, opts);
+
+		plstp->ipls_list[role] = pool.ipo_next;
+	}
+}
+
+
+void showhashs_live(fd, role, htstp, poolname)
+int fd, role;
+iphtstat_t *htstp;
+char *poolname;
+{
+	ipflookupiter_t iter;
+	iphtable_t table;
+	ipfobj_t obj;
+
+	obj.ipfo_rev = IPFILTER_VERSION;
+	obj.ipfo_type = IPFOBJ_LOOKUPITER;
+	obj.ipfo_size = sizeof(iter);
+	obj.ipfo_ptr = &iter;
+
+	iter.ili_type = IPLT_HASH;
+	iter.ili_otype = IPFLOOKUPITER_LIST;
+	iter.ili_ival = IPFGENITER_LOOKUP;
+	iter.ili_nitems = 1;
+	iter.ili_data = &table;
+	iter.ili_unit = role;
+	*iter.ili_name = '\0';
+
+	while (htstp->iphs_tables != NULL) {
+		if (ioctl(fd, SIOCLOOKUPITER, &obj)) {
+			perror("ioctl(SIOCLOOKUPITER)");
+			break;
+		}
+
+		printhash_live(&table, fd, poolname, opts);
+
+		htstp->iphs_tables = table.iph_next;
+	}
+}
+
+
+int setnodeaddr(ip_pool_node_t *node, char *arg)
+{
+	struct in_addr mask;
+	char *s;
+
+	s = strchr(arg, '/');
+	if (s == NULL)
+		mask.s_addr = 0xffffffff;
+	else if (strchr(s, '.') == NULL) {
+		if (ntomask(4, atoi(s + 1), &mask.s_addr) != 0)
+			return -1;
+	} else {
+		mask.s_addr = inet_addr(s + 1);
+	}
+	if (s != NULL)
+		*s = '\0';
+	node->ipn_addr.adf_len = sizeof(node->ipn_addr);
+	node->ipn_addr.adf_addr.in4.s_addr = inet_addr(arg);
+	node->ipn_mask.adf_len = sizeof(node->ipn_mask);
+	node->ipn_mask.adf_addr.in4.s_addr = mask.s_addr;
+
+	return 0;
+}
diff --git a/contrib/ipfilter/tools/ippool_y.y b/contrib/ipfilter/tools/ippool_y.y
index f0ba451..24f683b 100644
--- a/contrib/ipfilter/tools/ippool_y.y
+++ b/contrib/ipfilter/tools/ippool_y.y
@@ -1,5 +1,10 @@
 /*	$FreeBSD$	*/
 
+/*
+ * Copyright (C) 2001-2006 by Darren Reed.
+ *
+ * See the IPFILTER.LICENCE file for details on licencing.
+ */
 %{
 #include <sys/types.h>
 #include <sys/time.h>
@@ -34,6 +39,7 @@
 #include "kmem.h"
 
 #define	YYDEBUG	1
+#define	YYSTACKSIZE	0x00ffffff
 
 extern	int	yyparse __P((void));
 extern	int	yydebug;
@@ -45,6 +51,9 @@ static	ip_pool_t	iplo;
 static	ioctlfunc_t	poolioctl = NULL;
 static	char		poolname[FR_GROUPLEN];
 
+static iphtent_t *add_htablehosts __P((char *));
+static ip_pool_node_t *add_poolhosts __P((char *));
+
 %}
 
 %union	{
@@ -112,6 +121,7 @@ assign:	YY_STR assigning YY_STR ';'	{ set_variable($1, $3);
 					  resetlexer();
 					  free($1);
 					  free($3);
+					  yyvarnext = 0;
 					}
 	;
 
@@ -248,6 +258,7 @@ groupentry:
 						  FR_GROUPLEN);
 					  free($3);
 					}
+	| YY_STR			{ $$ = add_htablehosts($1); }
 	;
 
 range:	addrmask	{ $$ = calloc(1, sizeof(*$$));
@@ -264,6 +275,7 @@ range:	addrmask	{ $$ = calloc(1, sizeof(*$$));
 			  $$->ipn_mask.adf_len = sizeof($$->ipn_mask);
 			  $$->ipn_mask.adf_addr.in4.s_addr = $2[1].s_addr;
 			}
+	| YY_STR			{ $$ = add_poolhosts($1); }
 
 hashlist:
 	next				{ $$ = NULL; }
@@ -280,6 +292,7 @@ hashentry:
 						(char *)&($$->ipe_mask),
 						sizeof($$->ipe_mask));
 					}
+	| YY_STR			{ $$ = add_htablehosts($1); }
 	;
 
 addrmask:
@@ -293,9 +306,6 @@ addrmask:
 
 ipaddr:	ipv4			{ $$ = $1; }
 	| YY_NUMBER		{ $$.s_addr = htonl($1); }
-	| YY_STR		{ if (gethost($1, &($$.s_addr)) == -1)
-					yyerror("Unknown hostname");
-				}
 	;
 
 mask:	YY_NUMBER		{ ntomask(4, $1, (u_32_t *)&$$.s_addr); }
@@ -413,3 +423,100 @@ ioctlfunc_t iocfunc;
 	yyparse();
 	return 1;
 }
+
+
+static iphtent_t *
+add_htablehosts(url)
+char *url;
+{
+	iphtent_t *htop, *hbot, *h;
+	alist_t *a, *hlist;
+
+	if (!strncmp(url, "file://", 7) || !strncmp(url, "http://", 7)) {
+		hlist = load_url(url);
+	} else {
+		use_inet6 = 0;
+
+		hlist = calloc(1, sizeof(*hlist));
+		if (hlist == NULL)
+			return NULL;
+
+		if (gethost(url, &hlist->al_addr) == -1)
+			yyerror("Unknown hostname");
+	}
+
+	hbot = NULL;
+	htop = NULL;
+
+	for (a = hlist; a != NULL; a = a->al_next) {
+		h = calloc(1, sizeof(*h));
+		if (h == NULL)
+			break;
+
+		bcopy((char *)&a->al_addr, (char *)&h->ipe_addr,
+		      sizeof(h->ipe_addr));
+		bcopy((char *)&a->al_mask, (char *)&h->ipe_mask,
+		      sizeof(h->ipe_mask));
+
+		if (hbot != NULL)
+			hbot->ipe_next = h;
+		else
+			htop = h;
+		hbot = h;
+	}
+
+	alist_free(hlist);
+
+	return htop;
+}
+
+
+static ip_pool_node_t *
+add_poolhosts(url)
+char *url;
+{
+	ip_pool_node_t *ptop, *pbot, *p;
+	alist_t *a, *hlist;
+
+	if (!strncmp(url, "file://", 7) || !strncmp(url, "http://", 7)) {
+		hlist = load_url(url);
+	} else {
+		use_inet6 = 0;
+
+		hlist = calloc(1, sizeof(*hlist));
+		if (hlist == NULL)
+			return NULL;
+
+		if (gethost(url, &hlist->al_addr) == -1)
+			yyerror("Unknown hostname");
+	}
+
+	pbot = NULL;
+	ptop = NULL;
+
+	for (a = hlist; a != NULL; a = a->al_next) {
+		p = calloc(1, sizeof(*p));
+		if (p == NULL)
+			break;
+
+		p->ipn_addr.adf_len = 8;
+		p->ipn_mask.adf_len = 8;
+
+		p->ipn_info = a->al_not;
+
+		bcopy((char *)&a->al_addr, (char *)&p->ipn_addr.adf_addr,
+		      sizeof(p->ipn_addr.adf_addr));
+		bcopy((char *)&a->al_mask, (char *)&p->ipn_mask.adf_addr,
+		      sizeof(p->ipn_mask.adf_addr));
+
+		if (pbot != NULL)
+			pbot->ipn_next = p;
+		else
+			ptop = p;
+		pbot = p;
+	}
+
+	alist_free(hlist);
+
+	return ptop;
+}
diff --git a/contrib/ipfilter/tools/ipscan_y.y b/contrib/ipfilter/tools/ipscan_y.y
index af360d4..5dbefd6 100644
--- a/contrib/ipfilter/tools/ipscan_y.y
+++ b/contrib/ipfilter/tools/ipscan_y.y
@@ -1,5 +1,10 @@
 /*	$FreeBSD$	*/
 
+/*
+ * Copyright (C) 2001-2004 by Darren Reed.
+ *
+ * See the IPFILTER.LICENCE file for details on licencing.
+ */
 %{
 #include <sys/types.h>
 #include <sys/ioctl.h>
@@ -94,6 +99,7 @@ assign:	YY_STR assigning YY_STR
 						  resetlexer();
 						  free($1);
 						  free($3);
+						  yyvarnext = 0;
 						}
 	;
 
diff --git a/contrib/ipfilter/tools/ipsyncm.c b/contrib/ipfilter/tools/ipsyncm.c
index c712435..600d39a 100644
--- a/contrib/ipfilter/tools/ipsyncm.c
+++ b/contrib/ipfilter/tools/ipsyncm.c
@@ -1,13 +1,13 @@
 /*	$FreeBSD$	*/
 
 /*
- * Copyright (C) 1993-2001 by Darren Reed.
+ * Copyright (C) 2001-2006 by Darren Reed.
  *
  * See the IPFILTER.LICENCE file for details on licencing.
  */
 #if !defined(lint)
 static const char sccsid[] = "@(#)ip_fil.c	2.41 6/5/96 (C) 1993-2000 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ipsyncm.c,v 1.4.2.4 2006/03/27 02:09:46 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: ipsyncm.c,v 1.4.2.5 2006/08/26 11:21:14 darrenr Exp $";
 #endif
 #include <sys/types.h>
 #include <sys/time.h>
diff --git a/contrib/ipfilter/tools/ipsyncs.c b/contrib/ipfilter/tools/ipsyncs.c
index c6662b7..887eeab 100644
--- a/contrib/ipfilter/tools/ipsyncs.c
+++ b/contrib/ipfilter/tools/ipsyncs.c
@@ -1,13 +1,13 @@
 /*	$FreeBSD$	*/
 
 /*
- * Copyright (C) 1993-2001 by Darren Reed.
+ * Copyright (C) 2001-2006 by Darren Reed.
  *
  * See the IPFILTER.LICENCE file for details on licencing.
  */
 #if !defined(lint)
 static const char sccsid[] = "@(#)ip_fil.c	2.41 6/5/96 (C) 1993-2000 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ipsyncs.c,v 1.5.2.3 2006/03/27 02:09:47 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: ipsyncs.c,v 1.5.2.4 2006/08/26 11:21:15 darrenr Exp $";
 #endif
 #include <sys/types.h>
 #include <sys/time.h>
diff --git a/contrib/ipfilter/tools/lex_var.h b/contrib/ipfilter/tools/lex_var.h
index 547ebf3..78c5efc 100644
--- a/contrib/ipfilter/tools/lex_var.h
+++ b/contrib/ipfilter/tools/lex_var.h
@@ -1,5 +1,10 @@
 /*	$FreeBSD$	*/
 
+/*
+ * Copyright (C) 2002 by Darren Reed.
+ *
+ * See the IPFILTER.LICENCE file for details on licencing.
+ */
 
 extern	long		string_start;
 extern	long		string_end;
diff --git a/contrib/ipfilter/tools/lexer.c b/contrib/ipfilter/tools/lexer.c
index 3969a5f..2969f86 100644
--- a/contrib/ipfilter/tools/lexer.c
+++ b/contrib/ipfilter/tools/lexer.c
@@ -1,7 +1,7 @@
 /*	$FreeBSD$	*/
 
 /*
- * Copyright (C) 2003 by Darren Reed.
+ * Copyright (C) 2002-2006 by Darren Reed.
  *
  * See the IPFILTER.LICENCE file for details on licencing.
  */
@@ -285,8 +285,9 @@ nextchar:
 				yypos++;
 			}
 		} while (n != c);
-		yyunputc(n);
-		break;
+		rval = YY_STR;
+		goto done;
+		/* NOTREACHED */
 
 	case EOF :
 		yylineNum = 1;
@@ -467,6 +468,9 @@ nextchar:
 done:
 	yystr = yytexttostr(0, yypos);
 
+	if (yydebug)
+		printf("isbuilding %d yyvarnext %d nokey %d\n",
+		       isbuilding, yyvarnext, nokey);
 	if (isbuilding == 1) {
 		wordtab_t *w;
 
@@ -493,8 +497,8 @@ done:
 	yytokentype = rval;
 
 	if (yydebug)
-		printf("lexed(%s) [%d,%d,%d] => %d\n", yystr, string_start,
-			string_end, pos, rval);
+		printf("lexed(%s) [%d,%d,%d] => %d @%d\n", yystr, string_start,
+			string_end, pos, rval, yysavedepth);
 
 	switch (rval)
 	{
@@ -609,6 +613,8 @@ wordtab_t *newdict;
 
 void yyresetdict()
 {
+	if (yydebug)
+		printf("yyresetdict(%d)\n", yysavedepth);
 	if (yysavedepth > 0) {
 		yysettab(yysavewords[--yysavedepth]);
 		if (yydebug)
diff --git a/contrib/ipfilter/tools/lexer.h b/contrib/ipfilter/tools/lexer.h
index b172c93..d973ea4 100644
--- a/contrib/ipfilter/tools/lexer.h
+++ b/contrib/ipfilter/tools/lexer.h
@@ -1,5 +1,10 @@
 /*	$FreeBSD$	*/
 
+/*
+ * Copyright (C) 2002-2004 by Darren Reed.
+ *
+ * See the IPFILTER.LICENCE file for details on licencing.
+ */
 
 typedef	struct	wordtab	{
 	char	*w_word;